
Setting up Cisco PIX... does it route?

Posted on 2008-10-17
Last Modified: 2010-04-21
Hey everyone. I'm used to Cisco routers, so I don't really get how the PIX works. I've never had a hardware firewall before. I'll give you a little background on what I have at home (it's a lab for practicing):

modem --> cisco 2621 (nat) --> cisco 2950 switch --> pix firewall --> Servers
                                      |
                               +------+------+
                               |             |
                        other computers   Secure AP
I don't know if that helps you at all. I'll post my config too.

outside interface is 192.168.1.33 255.255.255.0
Inside interface is 192.168.15.1 255.255.255.248

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Z/1yW.N1lrURqjLo encrypted
passwd Z/1yW.N1lrURqjLo encrypted
hostname pixbackend
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.33 255.255.255.0
ip address inside 192.168.15.100 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:148d45a0e2ee6bed5ec713d122553d66
: end

Here is the route table (sh route):
        outside 192.168.1.0 255.255.255.0 192.168.1.33 1 CONNECT static
        inside 192.168.15.96 255.255.255.224 192.168.15.100 1 CONNECT static

It looks fine to me. Maybe I'm missing something obvious. Thanks a lot. Bear with me, this is really new to me. I plugged one of my computers into #2 and it didn't work.
Question by: hstern03

8 Comments

Expert Comment

by:DMTechGrooup
ID: 22746904
From the Cisco site:

route outside 0.0.0.0 0.0.0.0 1.1.1.254 1
Specifies a default route out the outside interface to a router at 1.1.1.254 which is 1 hop away.

You need to add the route: route outside 0.0.0.0 0.0.0.0 <ip of router> 1

Author Comment

by:hstern03
ID: 22747017
OK, did that. Here is the new config. The connection works when my computers behind the firewall are 192.168.1.whatever, but it doesn't work when they are 192.168.15.whatever ???

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Z/1yW.N1lrURqjLo encrypted
passwd Z/1yW.N1lrURqjLo encrypted
hostname pixbackend
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.33 255.255.255.0
ip address inside 192.168.15.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.1.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.41
dhcpd lease 1000000
dhcpd domain henry.local
terminal width 80
Cryptochecksum:066d758ba02bc81aa40d2d6a32531d88

Expert Comment

by:DMTechGrooup
ID: 22747026
Shouldn't there be another outside IP address, a 192.168.1.x address on the router that acts as the gateway? You are sending 1.x to 20.x... it should go to another 1.x GW.

Author Comment

by:hstern03
ID: 22747096
What do you mean 1.x GW? 192.168.1.20 is the router going to the cable modem.

Expert Comment

by:DMTechGrooup
ID: 22747104
Sorry, read it wrong. Probably on that router; it doesn't know how to get back. What happens on a traceroute? You probably need to add a route on the .20 router back to the .15 network.

Author Comment

by:hstern03
ID: 22748556
I'm pretty sure it isn't the router.

I added access to the .15 network but it still doesn't work. It's weird.

Here's the config:

Current configuration : 2189 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cisco2621
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$fzOF$Bj2drISO466xsGRteQKvr/
enable password xxxxx
!
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp conflict logging
!        
ip dhcp pool client
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.20
   dns-server 192.168.1.41 4.2.2.2 4.2.2.3
!
!
!
!
!
!
interface FastEthernet0/0
 description WAN
 ip address dhcp
 no ip unreachables
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 no ip address
 no ip mroute-cache
 shutdown
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.20 255.255.255.0
 ip nat inside
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
!
ip nat service list 10 ftp tcp port 21
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source static 192.168.1.41 interface FastEthernet0/0
ip nat inside source static tcp 192.168.1.41 2021 interface FastEthernet0/0 2021
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet0/0 3390
ip nat inside source static tcp 192.168.1.41 21 interface FastEthernet0/0 21
ip nat inside source static tcp 192.168.1.41 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.1.98 3389 interface FastEthernet0/0 3392
ip nat inside source static tcp 192.168.1.113 3389 interface FastEthernet0/0 3391
ip nat inside source static tcp 192.168.1.41 3389 interface FastEthernet0/0 3389
no ip http server
ip classless
!
!        
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.15.0 0.0.0.31
access-list 120 permit tcp any host 192.168.1.41 eq 3389
access-list 120 permit tcp any host 192.168.1.113 eq 3391
access-list 120 permit tcp any host 192.168.1.98 eq 3392
access-list 120 permit tcp any host 192.168.1.41 eq www
access-list 120 permit tcp any host 192.168.1.10 eq 3390
access-list 120 permit tcp any host 192.168.1.41 eq ftp
access-list 120 permit tcp any host 192.168.1.41 eq ftp-data
!
line con 0
line aux 0
line vty 0 4
 password xxxxx
 login

Accepted Solution

by:
DMTechGrooup earned 125 total points
ID: 22748624
I don't see a route of last resort on that one (the 0.0.0.0 0.0.0.0 type thing). What happens if you take the 2621 out of the picture, change the PIX outside IP and route 0.0.0.0 to the internet gateway? If it works, then it would show the 2621 as the issue.
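Neither posted PIX config contains the third thing a PIX 6.3 needs before inside hosts can reach anything: a translation rule. Independently of routing, PIX 6.3 refuses to build a connection from a higher-security interface (inside, security100) to a lower-security one (outside, security0) unless a nat/global pair or a nat 0 rule matches the source; the drop shows up in show logging as %PIX-3-305005 "No translation group found". The fragment below is an added example, not a config from the original poster or from the accepted answer. It assumes the addresses from the thread (PIX outside 192.168.1.33, inside 192.168.15.100/24 as in the second config, 2621 LAN address 192.168.1.20) and shows two ways to close the loop: PAT on the PIX to its outside address, after which the 2621 only ever sees 192.168.1.33 and needs no extra route, or no translation on the PIX plus a static route on the 2621 back to 192.168.15.0/24. In the second case note that access-list 10 as posted covers only 192.168.15.0 to 192.168.15.31, so with a /24 on the PIX inside interface most hosts would never be NATed by the 2621. The fragment also drops the default SNMP community "public" that both posted PIX configs still carry.

```cisco
! ---- PIX 6.3 side (added example; addresses as used in the thread) ----
! Default route toward the 2621 LAN address, as the first comment said.
route outside 0.0.0.0 0.0.0.0 192.168.1.20 1
!
! Translation rule. Without a nat/global pair (or nat 0) a PIX 6.3 drops
! inside->outside connections; "show logging" then reports
! %PIX-3-305005 "No translation group found".
!
! Option A: PAT every inside host to the outside interface address.
! The 2621 then only ever sees 192.168.1.33 and needs no route to .15.
nat (inside) 1 192.168.15.0 255.255.255.0
global (outside) 1 interface
!
! Option B (use INSTEAD of A): no translation, 192.168.15.x stays visible
! upstream. Requires the static route on the 2621 shown further down.
! access-list NONAT permit ip 192.168.15.0 255.255.255.0 any
! nat (inside) 0 access-list NONAT
!
! Remove the default read community; both posted configs still have it.
no snmp-server community public
!
! Checks after a test connection from an inside host:
!   show route    - default route present?
!   show xlate    - a translation was built for the inside host?
!   show conn     - connection state
!   show logging  - look for 305005 (no xlate) or routing drops

! ---- 2621 side (only needed with Option B) ----
! Return route for the firewall's inside subnet via the PIX outside address.
ip route 192.168.15.0 255.255.255.0 192.168.1.33
!
! The posted ACL 10 only matches 192.168.15.0-192.168.15.31 (0.0.0.31);
! with a /24 behind the PIX, hosts above .31 would never be NATed.
no access-list 10
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.15.0 0.0.0.255
!
! FastEthernet0/0 gets its address by DHCP, so IOS installs a default
! route from the DHCP offer (distance 254). Confirm with:
!   show ip route
```

Option A is the smaller change and the one to try first: it needs no cooperation from the 2621 and hides the lab subnet behind one address. Option B keeps the 192.168.15.x addresses visible to the router, which is what the poster's ACL 10 entry was already aiming at, but it only works once the 2621 has a route back and the ACL mask matches the real inside prefix.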

Author Closing Comment

by:hstern03
ID: 31507370
Thanks for the help.