Solved

Need https request to go through a pix 501 to a netgear ssl device, while using dynamic DSL.

Posted on 2008-10-02
490 Views
Last Modified: 2013-12-14
I need a https request to go through a pix 501 to a netgear ssl device, while using dynamic DSL.

I put this command in and it kills my internet connection.

static (inside,outside) interface 10.10.10.100 netmask 255.255.255.255 0 0



Also, on a side note, I have a bank of 8 public IPs that could be used, but I do not understand how they are used or the config.
Question by:Brandon_Reed66
64 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22628721
Are you using Dynamic DNS or Dynamic DSL?

Do you have a static public  IP address programmed into any of your devices?
 

Author Comment

by:Brandon_Reed66
ID: 22628765
Dynamic DSL; the IP changes every week or two. I would like a temporary solution where they can do a whatismyip and use that IP to get through.

I am going to eventually use the static IP for a permanent solution.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22628892
You should just switch to the static IPs now. It's very easy. Just call your ISP and tell them you want to switch.
All it involves is them activating the static ones on your line and you programming it into the PIX.
If you can provide the current config of the PIX and the addresses you want to use (IPs, SN mask, default gateway) and also the device's IP address on the inside you want to use I'll come up with a config for you.
Save yourself a lot of time and trouble by just switching to static IPs now.
Cheers!
 

Author Comment

by:Brandon_Reed66
ID: 22628972
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password mbtGifHXKI5HNCtX encrypted
passwd GA9ERwYmYQL78rTV encrypted
hostname Pix
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 200 permit tcp any interface outside eq www
access-list 200 permit icmp any interface outside
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.0.1-172.16.0.10 mask 255.255.255.0
pdm location 172.16.0.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set stong-des esp-des esp-md5-hmac
crypto dynamic-map cisco 20 set transform-set stong-des
crypto map remote 20 ipsec-isakmp dynamic cisco
crypto map remote interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup banc-remote-VPN address-pool vpnpool
vpngroup banc-remote-VPN dns-server 10.10.10.2 205.152.37.23
vpngroup banc-remote-VPN wins-server 10.10.10.2
vpngroup banc-remote-VPN default-domain
vpngroup banc-remote-VPN split-tunnel 100
vpngroup banc-remote-VPN idle-time 1800
vpngroup banc-remote-VPN user-idle-timeout 1800
vpngroup banc-remote-VPN password
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname **********@bellsouth.net
vpdn group pppoe_group ppp authentication pap
vpdn username
terminal width 80
Cryptochecksum:c2d18b5e6ce30623fb6ada7c68b68f9f
: end



I have these IPs:  
67.xxx.xxx.80
67.xxx.xxx.81
67.xxx.xxx.82
67.xxx.xxx.83
67.xxx.xxx.84
67.xxx.xxx.85
67.xxx.xxx.86
67.xxx.xxx.87
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22629666
You need to figure out what your ISP default gateway and subnet mask will be first. Please do that and then post the info.
 
LVL 11

Expert Comment

by:billwharton
ID: 22629848
Brandon

I may be able to impart some knowledge over here and help you with a speedy resolution. You don't need to have a static IP to do this; a dynamic IP would work just fine.

Here are the commands you need:
static (inside,outside) tcp interface 443 10.10.10.100 443
You were previously NATing all traffic, causing a loss of your Internet connection. This command NATs only a single port (SSL port 443).

Apart from the above, you would also need to specify an ACL, since the PIX doesn't allow any inbound traffic by default.

access-list 150 permit tcp any interface outside eq 443
access-group 150 in interface outside


After this, just do a 'show ip' to find out what your outside IP address is and try this out. You could later add a no-ip.com host name too.

May I also alert you that the newer version of the PIX firewalls (ASA series) allows you to terminate SSL VPN connections, and you may want to upgrade to these in the future. The ASA 5505 is the home-office box and costs about $1000 with the Security Plus license.

I hope I have been able to provide some help here. Please let me know if you have any additional questions.

 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22630339
In the spirit of full disclosure though, I think that it's only fair that we also tell him that this is not a reliable setup when hosting any type of public services, email, website, etc.
Almost ALL servers on the internet have static addresses (I'd say over 99.9% easy). Using dynamic addresses (even with something like DynDNS) isn't a good idea. If it were it would be a much more common practice.
When your dynamic IP changes nobody will be able to access your stuff, not even you. That's why I said we might as well convert to static now and prevent the certain headache that will come from this in the future.
I don't believe in engineering unreliable solutions (not picking on you, Bill - just saying) and that's why I recommended switching to static immediately.
Cheers! :)
 

Author Comment

by:Brandon_Reed66
ID: 22630377
I am going to work on making it static, but so far, after 2 phone conversations with BellSouth, they are resistant to sending a static IP down the pipe. So I was hoping I could get it to work; you would think that if I could ping and SSH into it remotely then I would be able to connect HTTPS through it.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22630405
I thought you said you had a block of 8 static public IPs to use in your original question?
And you have no problem with SSHing into it remotely?
 

Author Comment

by:Brandon_Reed66
ID: 22630559
I do, but I cannot ping them, and I asked BellSouth to make the 3rd IP the DSL/PIX IP, with the first IP being the subnet and the 2nd being the gateway/BellSouth, and have 4 extra IPs for use, but they said no, and I said that this company wanted a static IP, not have some static IPs.
 
LVL 11

Expert Comment

by:billwharton
ID: 22630571
Brandon, yes, if you can ping and SSH into it, it would work fine. No-ip.com refresh times are about 1-3 minutes, hence whenever your dynamic IP changed there would be a brief few minutes when clients would not be able to connect. Clients already connected would stay connected...

puggle

I have been in the industry for 18 years, having worked everything from commercial to enterprise to service providers. I currently work for the largest global network provider today. If this customer is using a Netgear to terminate SSL VPNs, I would say they probably fall in the commercial segment. This solution would work just fine for them, and many commercial customers do this for lack of large budgets. In enterprise it would be a no-no, and for service providers you would get fired for terminating any kind of connection over a dynamic IP address.

Don't want to pick on you or your comments, but the above opinion is shared by many other industry veterans.

Cheers ;)
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22630655
Bill, you're not the only one that's been doing this a while. :)
Since you have such a background in the industry, you know that a small block of public IPs is not out of the reach of any budget, coming in at something like $15 extra/mo. for a block of 5 or so. Also, where did Brandon say he was terminating SSL VPN? ... because I didn't see.
For all we know he's setting up an SSL web server. Either way, that doesn't affect the configuration of the pix... it'll be the same no matter what he's passing over SSL.
Again, I know you're just offering an answer, but to add this kind of uncertainty to even a small business' network operations at the savings of only $15/month wouldn't generally be regarded as the wisest decision a business could make. It's better to invest a little and have 100% surety that your services will always function as intended, at least on the internet connectivity side.
Just my opinion as well.
And cheers back! :)
 
 

Author Comment

by:Brandon_Reed66
ID: 22630879
Thanks for all of the help guys, I'll give these a try in the morning.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22631032
Kk! Let me know!
 

Author Comment

by:Brandon_Reed66
ID: 22635833
OK, I have it working with a static IP. I can ping the static; it is in my group of 8 static IPs, but I still cannot reach my netgear VPN device from a remote computer.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22635886
Okay - what's the public IP you want to use and what's the private IP of the netgear device?
 

Author Comment

by:Brandon_Reed66
ID: 22635968
67.xxx.xxx.81 is the dsl
67.xxx.xxx.82 is the pix
67.xxx.xxx.83 - 86 are my IP add
10.10.10.100 is the netgear
 

Author Comment

by:Brandon_Reed66
ID: 22635983
Right now just the 81 and 82 are pingable
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22636015
Oh, and yes, can you please post your current config so I can make sure I give you the right stuff?
 

Author Comment

by:Brandon_Reed66
ID: 22636047
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password mbtGifHXKI5HNCtX encrypted
passwd GA9ERwYmYQL78rTV encrypted
hostname BancPix
domain-name bancography.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 200 permit tcp any interface outside eq www
access-list 200 permit icmp any interface outside
access-list acl_out permit tcp any host 68.xx.xxx.82 eq https
access-list acl_out permit tcp any host 68.xx.xxx.83 eq https
access-list acl_out permit tcp any host 68.xx.xxx.84 eq https
access-list acl_out permit tcp any host 68.xx.xxx.85 eq https
access-list 150 permit tcp any interface outside eq https
access-list 150 permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 67.xx.xxx.82 255.255.255.248
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.0.1-172.16.0.10 mask 255.255.255.0
pdm location 172.16.0.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface https 10.10.10.100 https netmask 255.255.255.255 0 0
access-group 150 in interface outside
route outside 0.0.0.0 0.0.0.0 67.xx.xxx.81 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set stong-des esp-des esp-md5-hmac
crypto dynamic-map cisco 20 set transform-set stong-des
crypto map remote 20 ipsec-isakmp dynamic cisco
crypto map remote interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup banc-remote-VPN address-pool vpnpool
vpngroup banc-remote-VPN dns-server 10.10.10.2 205.152.37.23
vpngroup banc-remote-VPN wins-server 10.10.10.2
vpngroup banc-remote-VPN default-domain BANCOGRAPHY
vpngroup banc-remote-VPN split-tunnel 100
vpngroup banc-remote-VPN idle-time 1800
vpngroup banc-remote-VPN user-idle-timeout 1800
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:a1ee9d6dad676b3d7fb736a8b2040494
: end
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22636089
Okay - I'm mapping the netgear to the public IP of 67.x.x.83
You already have an access-list to restrict incoming traffic to port 443 (SSL).
You need these commands:
static (inside,outside) 67.x.x.83 10.10.10.100 netmask 255.255.255.255


 
 

Author Comment

by:Brandon_Reed66
ID: 22636123
It did not work.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22636369
Did it give you an error or did it just not work? Are you trying it from the outside or inside?
Try this too

access-list 150 permit tcp any host 67.x.x.83 eq https
no access-list 150 permit tcp any interface outside eq https
no access-list 150 permit tcp any interface outside eq www

 
LVL 11

Expert Comment

by:billwharton
ID: 22637902
Your http server is enabled, meaning the PIX reserves port 80/443 for PIX administration.

Input this:
http server disable or no http server enable (not sure which one works but one of them will)

And now try again
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22638462
The http server can be enabled and not interfere with traffic passing through the device. It's only enabled on the inside interface...
BTW the commands to disable http server on port 80 and http secure server on port 443 are:
80 - no http server enable
443 - no http secure-server enable
Either way this is not going to be your issue... try the running ACLs I posted above.
If it still doesn't work please post the error the ASA is throwing (if any). It could also be the configuration of your netgear device.
 
LVL 11

Expert Comment

by:billwharton
ID: 22638479
Incorrect - the HTTP/PDM interface can be enabled both on the inside and outside interface. A device (firewall, router, server) - any any any device can only listen on a port and redirect it to a certain process. If the PIX terminates port 443, then it cannot forward it.

Kindly get your facts right, Pugglewuggle, and stop posting incorrect and inaccurate messages on this board. I am a split hair away from contacting EE admins about this - be careful.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22638541
Yes Bill - it CAN be enabled on the inside and outside. But it isn't. Did you take a look at his config?
I suppose that if I were wrong I wouldn't be able to host my SSL websites through my ASA when I have the ASDM enabled would I? But I am. All on port 443. If the PIX terminates the connection on a public IP then yes, it won't work. But if it does not it will work.
Please consider the facts yourself before you tell me to do as such and make empty threats.
Go ahead and contact the admins. I haven't once placed incorrect information on EE and I work only to fix inaccuracies such as your own. I won't be a pain and throw threats around, but I suggest you tone it down. I've been busted for being a pain like you are right now and I don't intend on having it happen again, so I'll end nicely - get your information straight before throwing out caustic remarks for no reason.
Cheers
 
LVL 11

Expert Comment

by:billwharton
ID: 22638612
Another inaccuracy - it looks like you don't know the differences between a router and a PIX, and continue to mix up commands between these devices like you did on a previous post.

The command no http secure-server enable has never existed in any version of the PIX.

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/gl.html#wp1029823

I'm wasting more time replying to your queries and teaching you on these boards than helping genuine people needing help, which is very, very counterproductive. You can keep bantering here, but I'm not going to respond to any of your queries - it's just below me.

 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22638711
Bill, an ASA is just the new version of the PIX. Might I ask which commands I mixed up?
The correct command for the http server in PIX or ASA is:
<no> http server enable
where no is variable based on whether the user wants the http server to be enabled or not.
Yes, I did type secure server by accident as I was just working on a router 5 minutes ago. However, I did not do so out of ignorance, merely a typo.
As for the http server being enabled not allowing SSL connections to the device - it only interferes when it is enabled on the interface to which the packets are incoming. Merely having the http server enabled does not prevent the PIX from forwarding requests to internal resources. However, having a command like http 0.0.0.0 0.0.0.0 outside would prevent it from forwarding such requests. If you take a look, http access is only configured on the inside interface.
Either way, the http server is not the issue. The problem lies elsewhere.
One other thing  - might I ask what the undue hostility is about? It's just crazy that you jump up like that like a wild man. Why?
As for being genuine - I've only been an active expert for 7 days now and I have nearly as many points in the PIX firewall zone as you've managed to amass since 2003, and I should pass you up within next 2-3 days. Who, then, appears to be more qualified when discussing PIX and ASA products? Not to mention that I've been working almost exclusively with the PIX, ASA, and Cisco security products such as MARS and IPS for the last two years, barring my previous 10 years with the devices.
 Please act like a civilized human being. It is greatly appreciated by everyone here.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22638719
Brandon, do you have any feedback on how running those ACL commands worked out?
 

Author Comment

by:Brandon_Reed66
ID: 22642527
I tried the ACL, still no success. I am trying to get a netgear login screen by putting https://67.X.X.83 in my browser, and it times out. Do I need to be able to ping the IP I am trying to reach? Do I need to come in on the main interface IP or one of the IPs in my block?
 
LVL 11

Expert Comment

by:billwharton
ID: 22642532
CAN YOU DO THIS?
Try "telnet 67.X.X.83 443" from any internet-connected computer (outside your network) and see if it connects and gives you a blank screen, or just gets stuck at 'connecting'.

Also paste the output of 'show nat' and 'show xlate' in here.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22642602
Also, after entering static commands, make sure you run a clear xlate command. This will prevent the device from confusing static NAT translations.
Is there any way you can log in to the ASDM and watch the syslog messages on the home page as you try to connect? If you see yellow or red messages something is wrong. If you do see them, pause the output with the little stop button at the right side and then post the errors you are receiving here.
Cheers!
 

Author Comment

by:Brandon_Reed66
ID: 22642817
BancPix# show xlate
0 in use, 155 most used
BancPix# show nat
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22642912
You should have an xlate in use... When a static is put in it opens an infinite and unterminable xlate to the resource defined in the statement.
Can you please post your current config?
 

Author Comment

by:Brandon_Reed66
ID: 22646941

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password mbtGifHXKI5HNCtX encrypted
passwd GA9ERwYmYQL78rTV encrypted
hostname Pix
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 200 permit tcp any interface outside eq www
access-list 200 permit icmp any interface outside
access-list acl_out permit tcp any host 68.xxx.xxx.82 eq https
access-list acl_out permit tcp any host 68.xxx.xxx.83 eq https
access-list acl_out permit tcp any host 68.xxx.xxx.84 eq https
access-list acl_out permit tcp any host 68.xxx.xxx.85 eq https
access-list 150 permit ip any host 67.xxx.xxx.83
access-list outside_access_in permit tcp any interface outside eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 67.xxx.xxx.82 255.255.255.248
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.0.1-172.16.0.10 mask 255.255.255.0
pdm location 172.16.0.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 67.xxx.xxx.83 10.10.10.100 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.xxx.xxx.81 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set stong-des esp-des esp-md5-hmac
crypto dynamic-map cisco 20 set transform-set stong-des
crypto map remote 20 ipsec-isakmp dynamic cisco
crypto map remote interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup banc-remote-VPN address-pool vpnpool
vpngroup banc-remote-VPN dns-server 10.10.10.2 205.xxx.xxx.23
vpngroup banc-remote-VPN wins-server 10.10.10.2
vpngroup banc-remote-VPN default-domain
vpngroup banc-remote-VPN split-tunnel 100
vpngroup banc-remote-VPN idle-time 1800
vpngroup banc-remote-VPN user-idle-timeout 1800
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:c79d621dd305bbd4aec9ae16ff49308c
: end
BancPix(config)#


 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22653472
Hmm... your config looks good...
There should be an xlate open... can you please run
clear xla
sh xla
 
and post the results again (the whole thing)?

 
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22653495
One other thing... try this:
no access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any host 67.x.x.83 eq https
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22653520
Agghhh-- sorry - run this instead. Doesn't really matter but this will make sure your interface binding doesn't get lost.
access-list outside_access_in permit tcp any host 67.x.x.83 eq https
no access-list outside_access_in permit tcp any interface outside eq https
access-group outside_access_in in interface outside

Cheers!
 

Author Comment

by:Brandon_Reed66
ID: 22653730
When I do a clear xlate and then show, there is 0.
 

Author Comment

by:Brandon_Reed66
ID: 22653769
Is a static command all I need to attach the .83 to the pix?  Could I just get through on the main interface?  .82?   From inside of the pix I can ping the 10.10.10.100, and I can ping the .82.  But I cannot ping the .83.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22653937
The static command maps the external IP address THROUGH the PIX to the Netgear.
Run a wr mem command and then restart the PIX. You should never need to restart unless updating the software, but maybe something weird is going on.
You should have no problems once this command is in there and the PIX has an ACL which allows access... you have both of those.
Also this might sound crazy, but make sure the netgear is connected to the inside interface and assigned an IP of 10.10.10.100 with the same subnet mask as the inside interface AND using the IP address on inside interface of the PIX as the netgear's default gateway.
Cheers!
 

Author Comment

by:Brandon_Reed66
ID: 22654142
I can ping the netgear from inside of the PIX. I am not 100% on the netgear having the gateway of the pix, as I did not set that up, my boss did, but he says it is set up right. The network is small, and the PIX has been and is the only way to get in or out of the network. I will restart it tonight; it has been restarted several times, because I make bonehead statements: a static that makes everything on .82 go to the netgear cuts my connection off, so I have them restart it so I can get back into it remotely.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22654582
Can you please verify the netgear has the right gateway? It won't work if it does not.
Cheers!
 

Author Comment

by:Brandon_Reed66
ID: 22671879
Yes, the Netgear has the right static/default gateway and dns settings.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22671972
Hmmm.... Can you ping the netgear from the ASA (meaning type ping 10.10.10.100 from the ASA's command line)?
 

Author Comment

by:Brandon_Reed66
ID: 22672048
Yes, and of course I can ping the ASA's gateway (BellSouth), so I just don't understand why your commands wouldn't work; it seems like it would be simple.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22672073
I don't either... it should pass the SSL through with no issue... sorry I keep asking, but can you please post your running-config again? I just want to triple check for any problems.
 

Author Comment

by:Brandon_Reed66
ID: 22672106
Inside of the netgear, I can do a DNS lookup, but when I go to ping I get a "ping: write incomplete". I can ping an outside address from a DOS prompt or from the pix.
 

Author Comment

by:Brandon_Reed66
ID: 22672130
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password mbtGifHXKI5HNCtX encrypted
passwd GA9ERwYmYQL78rTV encrypted
hostname Pix
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 200 permit tcp any interface outside eq www
access-list 200 permit icmp any interface outside
access-list outside_access_in permit tcp any host 67.xxx.xxx.83 eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 67.xxx.xxx.82 255.255.255.248
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.0.1-172.16.0.10 mask 255.255.255.0
pdm location 172.16.0.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface https 10.10.10.100 https netmask 255.255.255.255 0 0
static (inside,outside) 67.xxx.xxx.83 10.10.10.100 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.xxx.xxx.81 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set stong-des esp-des esp-md5-hmac
crypto dynamic-map cisco 20 set transform-set stong-des
crypto map remote 20 ipsec-isakmp dynamic cisco
crypto map remote interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup banc-remote-VPN address-pool vpnpool
vpngroup banc-remote-VPN dns-server 10.10.10.2 205.152.37.23
vpngroup banc-remote-VPN wins-server 10.10.10.2
vpngroup banc-remote-VPN default-domain
vpngroup banc-remote-VPN split-tunnel 100
vpngroup banc-remote-VPN idle-time 1800
vpngroup banc-remote-VPN user-idle-timeout 1800
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:44a576dcd390e43a2b834ffe5973979e
: end
0
 

Author Comment

by:Brandon_Reed66
ID: 22672168
I can ping the inside pix address from the netgear, but not the outside, but I am not sure if I have to be able to do that, the pix probably takes over from there.
0
 

Author Comment

by:Brandon_Reed66
ID: 22672229
I cannot ping out of the network from a DOS box, DNS will resolve the name but IP is not leaving.
0
 

Author Comment

by:Brandon_Reed66
ID: 22672245
I can ping out if I am on the pix, that's it.
0
 
LVL 12

Accepted Solution

by:
Pugglewuggle earned 500 total points
ID: 22672250
The PIX actually blocks ping replies by default. To allow these, add the following:
access-list outside_access_in permit icmp any any echo-reply
Try pinging out then.
One other thing - you need to fix this:
static (inside,outside) tcp interface https 10.10.10.100 https netmask 255.255.255.255 0 0
Just run the attached commands below to do this and see if it works.
Are you absolutely certain the netgear requires no other ports to work? One other thing you can do to test whether the problem is with the pix or not - connect a web server to the PIX with the IP address of the netgear and set up a little page that is accessed on port 443. See if you can reach it from outside on port 443. If that works then the PIX is configured fine.
Cheers! Let me know!

no static (inside,outside) tcp interface https 10.10.10.100 https netmask 255.255.255.255 0 0

static (inside,outside) tcp 67.xxx.xxx.83 https 10.10.10.100 https netmask 255.255.255.255 0 0 


0
 
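A small config linter, added here as an example (not from the thread, the PIX, or any Cisco tool), that parses PIX 6.3 static lines and reports the two mistakes the expert points at: the same inside host mapped both on the interface address and on a dedicated public IP, and an echo-reply ACL written with a protocol other than icmp. The sample config is constructed from the lines quoted in the thread, with the public octets masked the same way.

```python
from collections import defaultdict

# Constructed sample in PIX 6.3 syntax: the two static entries for the netgear
# host and the echo-reply ACL quoted in the thread (public octets masked as the
# thread masks them). Added example code, not from the thread or any Cisco tool.
SAMPLE_CONFIG = """\
global (outside) 1 interface
static (inside,outside) tcp interface https 10.10.10.100 https netmask 255.255.255.255 0 0
static (inside,outside) 67.xxx.xxx.83 10.10.10.100 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any any echo-reply
"""

def parse_static(line):
    """Parse 'static (real,mapped) [tcp|udp] global [gport] local [lport] netmask m [conns]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "static":
        return None
    proto = t[2] if t[2] in ("tcp", "udp") else None
    i = 3 if proto else 2                     # index of the global (mapped) address
    entry = {"ifaces": t[1], "proto": proto, "global": t[i]}
    if proto:                                 # port-level static: global port, local, local port
        entry["gport"], entry["local"], entry["lport"] = t[i + 1], t[i + 2], t[i + 3]
        i += 4
    else:                                     # whole-host static: local address only
        entry["local"] = t[i + 1]
        i += 2
    entry["netmask"] = t[i + 1] if i + 1 < len(t) and t[i] == "netmask" else None
    return entry

def lint_pix(config):
    """Return findings for the two mistakes discussed in the thread."""
    findings, by_host = [], defaultdict(list)
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("static "):
            entry = parse_static(line)
            if entry:
                by_host[entry["local"]].append(entry)
        elif line.startswith("access-list ") and "echo-reply" in line:
            proto = line.split()[3]           # access-list NAME permit|deny PROTO ...
            if proto != "icmp":
                findings.append(f"echo-reply is an ICMP type, but the ACL uses {proto}: {line}")
    for host, entries in by_host.items():
        on_iface = [e for e in entries if e["global"] == "interface"]
        dedicated = [e for e in entries if e["global"] != "interface"]
        if on_iface and dedicated:            # the overlap the expert told the asker to remove
            findings.append(f"{host} is mapped both on the interface address and on "
                            f"{dedicated[0]['global']}; remove the 'interface' static")
    return findings
```

Running lint_pix on the corrected pair (only the 67.xxx.xxx.83 static plus an icmp echo-reply ACL) returns no findings.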

Author Comment

by:Brandon_Reed66
ID: 22672332
I just read that it requires only one port. Just checking one more time, all I need is the static command for .83 and I'll be able to https://67.x.x.83 and hit the netgear?
0
 

Author Comment

by:Brandon_Reed66
ID: 22672410
I just read this about the netgear configuration, maybe you can explain it to me.

"VERY IMPORTANT: You will also need a static route set up in the firewall/router for the 192.168.250.x network (or the client network range you have configured) that points to the IP address of the SSL312. In my case, I needed a static route set up in such a way that any 192.168.250.x traffic is routed to the SSL312 gateway at 192.168.0.25. Without the static route back to the SSL312 from our firewall/router, packets may become lost and cause the VPN tunnel not to work correctly."
0
 

Author Comment

by:Brandon_Reed66
ID: 22672435
That just means, to set up the static command in the pix, right?  I am used to setting up static routes in routers, wasn't sure if this is the same thing.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22672449
Well, I said to change that earlier but I guess it was missed somehow. When the interface keyword is used, it uses the IP address on the interface (in your case .82) instead of any other.
Just run those two commands and it should get you running.
If that doesn't work, we'll worry about what the manual says.
Cheers!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22672460
PS - you do need to get rid of the interface, so make sure you run the one starting with NO as well.
Also, run a
cl xla
after you enter those commands.
Cheers!
0
 

Author Comment

by:Brandon_Reed66
ID: 22672477
static (inside,outside) tcp 67.xx.xx.83 https 10.10.10.100 https netmask 255.255.255.255 0 0

Do you mean use this one?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675323
Yes. Just get rid of the other one first like I said.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22675324
You must run them both. Just copy and paste them. It's very easy. ;-)
0
