• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 376
  • Last Modified:

Samba server outside of firewall -- cannot access.

I have a Red Hat Enterprise Linux file server running Samba located in a data center with its own public IP.  In addition, I have two locations (New York and Tennessee) that need to be able to access the Samba server.

Before I go on (and before I get posts about security), I have the server firewalled and restricted so that the individual IPs of New York and Tennessee can access it.  In addition, I have only one share, with strong password authenication, and the files themselves are encrypted, which can only be decrypted by the program which requires this setup.  I've checked the access lists and firewalls within the server, and all is configured fine.

The New York location can access it just fine, as it's behind a recently installed Sonicwall TZ-170 wireless router.  The Tennessee location, on the other hand, cannot access it.  That location has a Cisco Pix 515 running Version 6.3 of the OS.  

While the simplest solution would be to get another Sonicwall to replace the PIX, purchasing another Sonicwall is out of the question.  What I need to do is be able to get them access to that server?  They need this right now, and the backup situation.. through FTP, isn't working because files either get downloaded/deleted, or never marked as viewed by the program.

Below is the Sonicwall config...
: Saved
: Written by enable_15 at 07:17:04.086 UTC Mon Aug 6 2007
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password vhWV3SNwgZrVmRfn encrypted
passwd vhWV3SNwgZrVmRfn encrypted
hostname nash501a
domain-name sukinlaw.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside <inside pix firewall address>
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp interface www <inside server> www netmask 0 0
static (inside,outside) tcp interface 9022 <inside server> ssh netmask 0 0
static (inside,outside) tcp interface https <inside server> https netmask 0 0
conduit permit icmp any any
conduit permit udp any host <server in question>
conduit permit tcp any host <server in question>
outbound  13 permit <inside network> 1-65535 tcp
outbound  13 permit <inside network> 1-65535 udp
outbound  13 permit <inside network> 1-65535 icmp
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http <inside network> inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt ipsec pl-compatible
crypto ipsec transform-set lawvpn esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 set transform-set lawvpn
! Incomplete
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet <inside network> inside
telnet timeout 5
ssh outside
ssh <inside network> inside
ssh timeout 5
console timeout 0
vpdn group pppoe0 request dialout pppoe
vpdn group pppoe0 localname <dsl user>
vpdn group pppoe0 ppp authentication pap
vpdn username <dsl user> password ********
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
  • 2
1 Solution
>PIX Version 6.3(3)
With 6.x all conduits and outbound commands have been deprecated and replace by access-lists

clear conduit all
no conduit permit icmp any any
no conduit permit udp any host <server in question>
no conduit permit tcp any host <server in question>
no outbound  13 permit <inside network> 1-65535 tcp
no outbound  13 permit <inside network> 1-65535 udp
no outbound  13 permit <inside network> 1-65535 icmp

Replace with:
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any interface outside eq 9022
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-group outside_access_in in interface outside

Also highly suggest updating PIX OS to at least 6.3(5) - most stable with some bug fixes. Given that it is a 515, you could upgrade it to 7.2 or possibly even 8.0
>ip address outside pppoe setroute
Also, given that you are getting a dynamic IP address assignment, do you have the Samaba server's acls set properly to allow this IP address?
heichersAuthor Commented:
After exploring this further (including taking the old PIX from the NY location and setting it up in a different location with similar settings), I found that it has to do with the DSL router itself, which we'll look at getting replaced through AT&T.  

While it is PPPoE, we do have a static IP assigned to the account (as AT&T/Bellsouth typically does), and that configuration is correct (I've verified that to death).

I do thank you for the input, and at the very least, it'll get the router doing the job it should

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now