Solved

Cisco PIX 515 firewall and Cisco 3550 subnet routing problem from outside

Posted on 2009-07-09
Last Modified: 2012-05-07
I have a Cisco 515 PIX firewall setup and running fine with one of my subnets that is setup on my Cisco 3550.  The problem I am having is routing traffic to my second subnet which is locked down on the inside.

My primary subnet is 10.1.19.x and my second subnet is 10.11.19.x

My 3550 is setup to route limited traffic between these two subnets. I have opened up telnet to work on 10.11.19.39 both in and out on the 3550 and it works fine in the building. I have tried routing outside traffic via my PIX to 10.11.19.39 but cannot get it to connect. In the past I tried and failed to get my VPN to allow access to the 10.11.19.x subnet as well.

I am sure this is something basic but I have opened up all of the appropriate ports on the PIX and it works on all internal IPs through my config on my 3550. I think I am missing a command on the PIX referencing how to handle the 10.11.19.x traffic. Any help would be greatly appreciated. Hopefully the solution would allow me to control traffic using Statics and ACLs along with allow access to 10.11.19.x once I am in the VPN pool.

Configs are posted below,

Thanks in advance.

-------------------------------------------------------------------------------------------------------------------

Cisco 3550

version 12.1
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname contoso-3550-mdf1
!
logging buffered 16384 debugging
enable secret 5 $1$fml5$H4/gt/vwUG1VR1B8Ncl4Z1
!
clock timezone Arizona -7
ip subnet-zero
no ip source-route
ip routing
!
no ip domain-lookup
ip domain-name contoso.local
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh version 1
!
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
spanning-tree vlan 1 priority 24576
spanning-tree vlan 11 priority 24576
!
!
!
!
!
interface FastEthernet0/1
 switchport mode access
 no cdp enable
!
interface FastEthernet0/2
 description contoso-515-MDF1
 switchport mode access
 speed 10
 duplex half
 no cdp enable
!
interface FastEthernet0/3
 description contoso-2950-MDF2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 100
 duplex full
!

!
interface FastEthernet0/23
 switchport mode access
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
 description contoso-2950-mdf1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 description contoso-3560-mdf1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 description Business/Admin Vlan1
 ip address 10.1.19.1 255.255.255.0
 no ip redirects
 no ip mroute-cache
!
interface Vlan11
 description Engineering Vlan11
 ip address 10.11.19.1 255.255.255.0
 ip access-group intvlan11_out out
 no ip redirects
 no ip mroute-cache
!
interface Vlan21
 description VOIP VLAN21
 ip address 10.21.19.1 255.255.255.0
 ip helper-address 10.1.19.2
 no ip redirects
 no ip mroute-cache
!
interface Vlan31
 description Technical VLAN 31
 ip address 10.31.19.1 255.255.255.0
 no ip redirects
 no ip mroute-cache
!
interface Vlan55
 description Internet VLAN
 ip address 10.1.254.1 255.255.255.0
 no ip redirects
 no ip mroute-cache
!
router eigrp 2000
 network 10.0.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.19.76
ip http server
!
ip access-list extended interfacevlan11_in
ip access-list extended intvlan11_in
 permit tcp any host 10.11.19.7 eq 10983
 permit tcp any host 10.11.19.39 eq telnet
ip access-list extended intvlan11_out
 permit tcp 10.1.19.16 0.0.0.7 10.11.19.0 0.0.0.255
 permit icmp 10.1.19.16 0.0.0.7 10.11.19.0 0.0.0.255 echo-reply
 permit icmp 10.1.19.16 0.0.0.7 10.11.19.0 0.0.0.255 time-exceeded
 permit udp 10.1.19.16 0.0.0.7 10.11.19.0 0.0.0.255
 permit tcp host 10.1.19.2 host 10.11.19.2 eq domain
 permit udp host 10.1.19.2 host 10.11.19.2 eq domain
 permit tcp host 10.11.19.7 host 64.71.153.51 eq www
 permit tcp host 10.11.19.7 host 204.155.175.117 eq www
 permit tcp any 10.11.19.0 0.0.0.255 established
 permit tcp 10.1.19.0 0.0.0.7 10.11.19.0 0.0.0.255
 permit icmp 10.1.19.0 0.0.0.7 10.11.19.0 0.0.0.255 echo-reply
 permit icmp 10.1.19.0 0.0.0.7 10.11.19.0 0.0.0.255 time-exceeded
 permit udp 10.1.19.0 0.0.0.7 10.11.19.0 0.0.0.255
 permit tcp any 10.1.19.0 0.0.0.7 established
 permit udp host 10.1.19.2 host 10.11.19.2 eq 389
 permit udp host 10.1.19.2 host 10.11.19.2 eq 88
 permit icmp any any
 permit tcp host 10.11.19.3 host 10.1.19.46 eq 5401
 permit udp host 10.11.19.3 host 10.1.19.46 eq 5401
 permit tcp any host 10.11.19.7 eq 10983
 permit tcp 172.16.20.0 0.0.0.255 host 10.11.19.21 eq 5800
 permit tcp 172.16.20.0 0.0.0.255 host 10.11.19.21 eq 5900
 permit tcp any host 10.11.19.39 eq telnet
 deny   ip any any
ip access-list extended intvlan21_in
 permit ip any any
ip access-list extended intvlan21_out
 permit ip any any
ip access-list extended intvlan55_in
 permit ip any any
ip access-list extended intvlan55_out
 permit ip any any
!
no logging trap
banner motd ^C
 ___________________________________________
|                                           |
| !!! If you are not an authorized user !!! |
|              Leave Immediately            |
|___________________________________________|
^C
!
line con 0
 exec-timeout 20 0
 password 7 1344071A041E052E6A
 login
line vty 0 4
 exec-timeout 20 0
 password 7 090D5E01161716164A
 login
line vty 5 15
 exec-timeout 20 0
 password 7 041A1B0E00334D4A48
 login
!
ntp clock-period 17180516
ntp server 10.1.19.2
!
end

-------------------------------------------------------------------------------------------------------------------

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XCbZD7hp/.NcVa5C encrypted
passwd XCbZD7hp/.NcVa5C encrypted
hostname PIX515E
domain-name contoso.local
clock timezone Arizona -7
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_in permit tcp host 10.1.19.6 any eq smtp
access-list inside_in permit tcp host 10.1.19.6 any eq https
access-list inside_in deny tcp any any eq smtp
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in deny icmp any any
access-list outside_in permit tcp any host x.x.207.87 eq https
access-list outside_in permit tcp any host x.x.207.87 eq www
access-list outside_in permit tcp any host x.x.207.165 eq ftp
access-list outside_in permit tcp any host x.x.207.87 eq pop3
access-list outside_in permit tcp any host x.x.207.168 eq www
access-list outside_in permit tcp 64.18.0.0 255.255.240.0 host x.x.207.87 eq smtp
access-list outside_in permit tcp any host x.x.207.170 eq 3389
access-list outside_in permit udp any host x.x.207.170 eq 3389
access-list outside_in permit tcp any host x.x.207.87 eq imap4
access-list outside_in permit tcp any host x.x.207.87 eq 993
access-list outside_in permit tcp any host x.x.207.87 eq 465
access-list outside_in permit tcp any host x.x.207.167 eq 5800
access-list outside_in permit tcp any host x.x.207.167 eq 5900
access-list outside_in permit tcp any host x.x.207.87 eq smtp
access-list outside_in permit tcp any host x.x.207.166 eq 5800
access-list outside_in permit tcp any host x.x.207.166 eq 5900
access-list outside_in permit tcp any host x.x.207.171
access-list outside_in permit tcp any host x.x.207.172
access-list outside_in permit udp any host x.x.207.171
access-list outside_in permit udp any host x.x.207.172
access-list outside_in permit tcp any host x.x.207.169 eq ftp
access-list 101 permit ip 10.0.0.0 255.0.0.0 172.16.20.0 255.255.255.0
access-list NoNAT permit ip any 10.1.19.0 255.255.255.0
access-list split_tunnel_access permit ip 10.1.19.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list oustide_in permit tcp any host x.x.207.167 eq 5010
access-list oustide_in permit tcp any host x.x.207.169 eq telnet
no pager
logging on
logging timestamp
logging trap informational
logging facility 16
logging device-id hostname
logging host inside 10.1.19.20 17/1514
mtu outside 1500
mtu inside 1500
ip address outside x.x.207.87 255.255.255.0
ip address inside 10.1.19.76 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.16.20.175-172.16.20.200
no pdm history enable
arp outside x.x.207.88 000c.8555.392b
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) udp x.x.207.87 1604 10.1.19.3 1604 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.87 smtp 10.1.19.6 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.87 https 10.1.19.6 https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.87 pop3 10.1.19.6 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.87 www 10.1.19.6 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.168 www 10.1.19.28 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.170 3389 10.1.19.8 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp x.x.207.170 3389 10.1.19.8 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.87 imap4 10.1.19.6 imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.87 993 10.1.19.6 993 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.167 10983 10.1.19.19 10983 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.87 465 10.1.19.6 465 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.167 5900 10.1.19.18 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.167 5800 10.1.19.18 5800 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.166 5800 10.1.19.19 5800 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.166 5900 10.1.19.19 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.169 ftp 10.1.19.4 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.167 5010 10.1.19.18 5010 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.169 telnet 10.11.19.39 telnet netmask 255.255.255.255 0 0
static (inside,outside) x.x.207.165 10.1.19.11 netmask 255.255.255.255 0 0
static (inside,outside) x.x.207.171 10.1.19.47 netmask 255.255.255.255 0 0
static (inside,outside) x.x.207.172 10.1.19.49 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.207.1 1
route inside 10.0.0.0 255.0.0.0 10.1.19.1 1
timeout xlate 4:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 4:00:00 absolute uauth 0:30:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 10.1.19.2 Rbg*paz timeout 5
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 10.0.20.84
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 10.1.19.2
vpngroup vpn3000 wins-server 10.1.19.2
vpngroup vpn3000 default-domain contoso.local
vpngroup vpn3000 split-tunnel split_tunnel_access
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 15
ssh 10.1.19.20 255.255.255.255 inside
ssh 10.1.19.17 255.255.255.255 inside
ssh timeout 60
console timeout 0
username admin password O68Yn/LPDoD3PiBu encrypted privilege 15
terminal width 80
Cryptochecksum:cf1ad8de318ae0faa57980996465e4e1
: end
[OK]
PIX515E#

Question by:ditobot

LVL 15

Expert Comment

by:bignewf
ID: 24819582
access-list nonat  permit ip any 10.11.19.0  255.255.255.0
access-list 101 permit ip any 10.11.19.0 255.255.255.0
access-list 101 permit ip any 172.16.20.0 255.255.255.0 (if this is your vpn client pool)
access-list nonat permit ip any 172.16.20.0 255.255.255.0

Instead of any, you can be more specific and substitute networks or hosts, but try the above for testing

Unless I am mistaken, I don't see nat exempt or acl's allowing traffic in you pix config

let me know how this works
LVL 5

Expert Comment

by:JanSc
ID: 24821690
Default route on cisco 3560 seems wrong to me.

ip route 0.0.0.0 0.0.0.0 10.1.19.76

Should be the PIX (.39 ?) instead.
LVL 15

Expert Comment

by:bignewf
ID: 24823403
does the network of the vpn client pool have a path to the 10.1.19.0 in the switch?
Author Comment

by:ditobot
ID: 24824582
bignewf, I made the changes and I still can't connect to 10.11.19.39 via Telnet from x.x.207.169 from the outside. It says port not available. I haven't fully tried the VPN connection yet. I will have to make rules on my 3550 to allow traffic from 172.16.20.x.

JanSc, 10.11.19.39 is a proprietary piece of hardware that I can control via telnet that I am trying to access from the internet. 10.1.19.76 is my PIX, so the command
ip route 0.0.0.0 0.0.0.0 10.1.19.76
is sending all undefined traffic to the PIX.

I will play with the VPN connection today a little more, but if you have any suggestions as to why I can't get to 10.11.19.39 on the telnet port from my PIX that would be extremely helpful.

Here are the commands I have in there for that so far:

PIX:

access-list oustide_in permit tcp any host x.x.207.169 eq telnet

static (inside,outside) tcp x.x.207.169 telnet 10.11.19.39 telnet netmask 255.255.255.255 0 0

Cisco 3550:

ip access-list extended intvlan11_in
  permit tcp any host 10.11.19.39 eq telnet


ip access-list extended intvlan11_out
  permit tcp any host 10.11.19.39 eq telnet


Even though the subnet 10.11.19.x is separated from my business network 10.1.19.x I have been able to communicate with the device 10.11.19.39 from the 10.1.19.x subnet in the building. It just isn't translating properly from the internet for some reason.


Author Comment

by:ditobot
ID: 24828007
If it helps here is the error message I get in syslog when I try and connect from the outside to the telnet port on 10.11.19.39

07-10-2009      15:23:40      Local4.Warning      10.1.19.76      Jul 10 2009 15:20:55 PIX515E : %PIX-4-106023: Deny tcp src outside:x.x.208.210/1139 dst inside:x.x.207.169/23 by access-group "outside_in"
LVL 15

Expert Comment

by:bignewf
ID: 24828500
The error states it is your access list outside-in

have you tried this for telnet access from the outside:
telnet [outside ip address you want to telnet from] outside

You are better off using SSH v2 than telnet since it is encrypted; telnet is in plain text (at least you are restricting the source outside IP address).

get rid of these:  

access-list oustide_in permit tcp any host x.x.207.169 eq telnet (bad security risk, permits any host access to telnet)

static (inside,outside) tcp x.x.207.169 telnet 10.11.19.39 telnet netmask 255.255.255.255 0 0
LVL 15

Expert Comment

by:bignewf
ID: 24828540
Also, do a clear xlate when removing any static NAT statements; it clears the translation slot (but it will reset all translations). You can be specific via IP or port using this command.
LVL 15

Accepted Solution

by:
bignewf earned 500 total points
ID: 24828558
my apologies for the last post, I didn't read it carefully and thought you wanted to access the pix via telnet from the outside.

What I meant was: do a clear xlate and reapply your above commands (since the error message indicates the port is being blocked by your ACL):

access-list oustide_in permit tcp any host x.x.207.169 eq telnet
static (inside,outside) tcp x.x.207.169 telnet 10.11.19.39 telnet netmask 255.255.255.255 0 0
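As an added example (editor's code, not from the thread, the asker, or Cisco), here is a small Python checker for the PIX 6.3 side of this problem. It parses the access-list, access-group, nat 0, split-tunnel and tcp/udp port-forwarding static lines of a config excerpt and reports three things: ACLs that are defined but never bound anywhere, bindings that reference an ACL with no entries, and statics whose global IP/port nothing in the ACL bound on the outside interface permits. Run over a constructed excerpt of the config posted in the question, it flags the two entries whose name is spelled oustide_in (the access-group line binds outside_in, which is also the name in the %PIX-4-106023 deny quoted above), the NoNAT list (nat 0 references access-list 101 instead), and the x.x.207.169 telnet static. The sample config is built from the page's own lines with its redacted x.x.207.* addresses; matching is string-based on those tokens, and a destination written as network/mask is not evaluated.

```python
"""Cross-check PIX 6.3 access-list names against where they are bound.

Added example, not part of the original thread. Reports:
  * ACLs that are defined but never bound anywhere
  * bindings that reference an ACL with no entries
  * tcp/udp port statics whose global IP/port has no permit in the ACL
    bound inbound on the outside interface
"""
import re
from collections import defaultdict

# Constructed excerpt of the PIX config posted in the question above;
# x.x.207.* are the page's own redacted public addresses.
SAMPLE_CONFIG = """\
access-list outside_in permit tcp any host x.x.207.87 eq https
access-list outside_in permit tcp any host x.x.207.169 eq ftp
access-list outside_in permit tcp any host x.x.207.171
access-list 101 permit ip 10.0.0.0 255.0.0.0 172.16.20.0 255.255.255.0
access-list NoNAT permit ip any 10.1.19.0 255.255.255.0
access-list split_tunnel_access permit ip 10.1.19.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list oustide_in permit tcp any host x.x.207.167 eq 5010
access-list oustide_in permit tcp any host x.x.207.169 eq telnet
nat (inside) 0 access-list 101
static (inside,outside) tcp x.x.207.169 ftp 10.1.19.4 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.207.169 telnet 10.11.19.39 telnet netmask 255.255.255.255 0 0
static (inside,outside) x.x.207.171 10.1.19.47 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
vpngroup vpn3000 split-tunnel split_tunnel_access
"""

ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)\s")
OTHER_BIND_RES = (                       # other places a PIX 6.3 config names an ACL
    re.compile(r"^nat \(\S+\) 0 access-list (\S+)$"),
    re.compile(r"^vpngroup \S+ split-tunnel (\S+)$"),
    re.compile(r"^crypto map \S+ \d+ match address (\S+)$"),
)


def _addr(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return tokens[i], i + 2              # network/mask pair: keep the network only


def ace_dest(rest):
    """Return (destination, port-or-None) from the part of an ACE after the protocol."""
    tokens = rest.split()
    _, i = _addr(tokens, 0)              # skip the source spec
    dst, i = _addr(tokens, i)
    port = tokens[i + 1] if i < len(tokens) and tokens[i] == "eq" else None
    return dst, port


def parse(config):
    acls = defaultdict(list)   # acl name -> [(action, proto, rest), ...]
    bound = {}                 # acl name -> the config line that binds it
    groups = {}                # interface -> acl name bound inbound
    statics = []               # (proto, global_ip, global_port, local_ip, local_port)
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
            bound[m.group(1)] = line
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
        else:
            for rx in OTHER_BIND_RES:
                if m := rx.match(line):
                    bound[m.group(1)] = line
    return acls, bound, groups, statics


def acl_permits(entries, proto, global_ip, port):
    """True if a permit entry for proto (or ip) reaches host global_ip on port.
    A destination given as network/mask is not evaluated and counts as no match."""
    for action, p, rest in entries:
        if action != "permit" or p not in (proto, "ip"):
            continue
        dst, dport = ace_dest(rest)
        if dst in ("any", global_ip) and dport in (None, port):
            return True
    return False


def audit(config):
    """Return human-readable findings for the three checks in the module docstring."""
    acls, bound, groups, statics = parse(config)
    findings = []
    for name in acls:
        if name not in bound:
            findings.append(f"unbound ACL: {name!r} is defined but never applied")
    for name, line in bound.items():
        if name not in acls:
            findings.append(f"dangling binding: {line!r} references undefined ACL {name!r}")
    outside_acl = acls.get(groups.get("outside", ""), [])
    for proto, gip, gport, lip, lport in statics:
        if not acl_permits(outside_acl, proto, gip, gport):
            findings.append(f"static {gip}:{gport}/{proto} -> {lip}:{lport} "
                            f"has no permit in the ACL bound on outside")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

%PIX-4-106023 is an access-group deny, so the first thing to confirm is that the ACL actually bound with access-group (not a similarly named one) permits the port; on the box itself, `show access-list outside_in` and `show access-list oustide_in` make the split visible, and clear xlate only matters once the permit is in the bound list.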
