Pix Firewall Configuration

pkabbas
Hi,

Scenario:-

Core Switch--->Firewall----->Router .....INTERNET(VPN).....ROUTER-----Firewall-(other side) etc

I have set up a site-to-site VPN between me and a support company. The VPN tunnel is up; I can ping the LAN IP of the support company from the router and the firewall, but my core switch cannot see the LAN at the other end. I have multiple VLANs. It seems to me something needs to be configured on the firewall. Please help; below is the configuration of the firewall. We have double NATting for internal IPs (static NAT on the firewall and then static NAT on the router).


PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password sdsadadadd encrypted
passwd asdasdasdasdasd encrypted
hostname HQ
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service remacc tcp
  port-object eq 3389
access-list external permit tcp any host 192.168.2.21 eq smtp
access-list external permit tcp any host 192.168.2.21 eq www
access-list external permit tcp any host 192.168.2.21 eq https
access-list external permit tcp any host 192.168.2.19 eq ftp
access-list external permit tcp any host 192.168.2.19 eq ftp-data
access-list external permit tcp any host 192.168.3.21 eq pop3
access-list external permit tcp any host 192.168.2.21 eq pop3
access-list external permit tcp any host 192.168.2.19 eq www
access-list external permit tcp any host 192.168.2.21 eq imap4
access-list external permit tcp any host 192.168.2.21 eq 587
access-list external permit tcp any host 192.168.2.19 eq 8082
access-list external permit tcp any host 192.168.2.19 eq 8081
access-list external permit tcp any host 192.168.2.19 eq 8080
access-list external permit tcp any host 192.168.2.19 eq 888
access-list external permit tcp any host 192.168.2.21 eq 3389
access-list external permit tcp any host 192.168.2.208 eq https
access-list external permit tcp any host 192.168.2.208 eq 3200
access-list external permit tcp any host 192.168.2.208 eq 3300
access-list external permit tcp any host 192.168.2.208 eq 3600
access-list external permit tcp any host 192.168.2.208 eq 3389
access-list external permit tcp any host 192.168.2.208 eq www
access-list external permit tcp any host 192.168.2.208 eq 50100
access-list external permit tcp any host 192.168.2.208 eq 3601
access-list external permit tcp any host 192.168.2.208 eq 3603
access-list external permit tcp any host 192.168.2.208 eq 3301
access-list external permit tcp any host 192.168.2.208 eq 3303
access-list external permit tcp any host 192.168.2.208 eq 3201
access-list external permit tcp any host 192.168.2.208 eq 3203
access-list external permit tcp any host 192.168.2.208 eq 50300
access-list external permit tcp any host 192.168.2.208 eq 3299
access-list external permit tcp any host 192.168.2.195 eq 3389
access-list external permit tcp any host 192.168.2.195 eq www
access-list external permit icmp host 194.39.131.34 host 192.168.2.208
access-list external permit tcp host 194.39.131.34 host 192.168.2.208 gt 1023
access-list external permit tcp any host 192.168.2.195 eq ftp
access-list external permit tcp any host 192.168.2.195 eq ftp-data
access-list external permit tcp any host 192.168.2.18 eq 3301
access-list external permit tcp any host 192.168.2.18 eq 3201
access-list external permit tcp any host 192.168.2.18 eq 3601
access-list external permit tcp any host 192.168.2.18 eq 50100
access-list external permit tcp any host 192.168.2.18 eq 3200
access-list external permit tcp any host 192.168.2.18 eq 3300
access-list external permit tcp any host 192.168.2.18 eq 3600
access-list external permit tcp any host 192.168.2.18 eq 50300
access-list external permit tcp any host 192.168.2.18 eq 3299
access-list external permit tcp any host 192.168.2.18 eq 1361
access-list external permit tcp any host 192.168.2.208 eq 50003
access-list external permit tcp any host 192.168.2.208 eq telnet
access-list external permit tcp any host 192.168.2.208 eq ssh
access-list external permit tcp any host 192.168.2.208 eq 8001
access-list extrenal permit tcp any host 192.168.2.21 eq 3389
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.3.195
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.1 255.255.255.0
ip address inside 192.168.3.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.2.100-192.168.2.199 netmask 255.255.255.0
global (outside) 1 192.168.2.200 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.2.19 192.168.3.19 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.2.21 192.168.3.66 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.2.195 192.168.3.195 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.2.208 192.168.3.43 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.2.18 192.168.3.41 netmask 255.255.255.255 0 0
access-group external in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.2 1
route inside 192.168.4.0 255.255.255.0 192.168.3.10 1
route inside 192.168.10.0 255.255.255.0 192.168.3.10 1
route inside 192.168.11.0 255.255.255.0 192.168.3.10 1
route inside 192.168.148.0 255.255.255.0 192.168.3.70 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.3.0 255.255.255.0 inside
telnet 192.168.148.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:8de0db0dbdb690d955f0e2aadaf71b3a
: end
Istvan Kalmar, Head of IT Security Division, Top Expert 2010

Commented:
what is the inside address of core switch?

192.168.3.10 ?

Author

Commented:
yes
Istvan Kalmar, Head of IT Security Division, Top Expert 2010
Commented:
The access-list external permits only these ICMP packets:

access-list external permit icmp host 194.39.131.34 host 192.168.2.208

Author

Commented:
Should I add
access-list external permit icmp any any

Author

Commented:
Wow... after adding this, it worked.

Author

Commented:
The access list was not allowing ICMP, which was identified by ikalmar.

Author

Commented:
Just one thing more:-

Now I am able to go out from the core switch, but the other side cannot see my LAN. I have added static routes for the VLANs on my router. Is there anything further to do on the firewall to allow incoming traffic from 192.168.57.0/24 (the other side of the VPN)?
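Added example, not code from this thread or from Cisco: a small Python audit of the posted access-list that reproduces ikalmar's diagnosis and speaks to the last question. It parses the `access-list` entries and the `access-group` binding, lists ACL names bound to no interface (the `access-list extrenal` line in the config above filters nothing, since only `external` is applied), and evaluates whether a protocol/source/destination would be permitted inbound on `outside`: ICMP from the peer LAN 192.168.57.0/24 is dropped by the posted ACL, and a rule narrower than `permit icmp any any` is then checked. Assumptions: the excerpt is constructed from the lines above, the peer network 192.168.57.0/24 is taken from the thread, and on PIX 6.3 the destination in the outside ACL is the translated (static) outside address.

```python
import ipaddress
import re
# Constructed excerpt of the posted config: one ICMP entry, the misspelled
# "extrenal" entry, and the access-group binding that names only "external".
SAMPLE_CONFIG = """
access-list external permit tcp any host 192.168.2.21 eq smtp
access-list external permit icmp host 194.39.131.34 host 192.168.2.208
access-list external permit tcp host 194.39.131.34 host 192.168.2.208 gt 1023
access-list extrenal permit tcp any host 192.168.2.21 eq 3389
access-group external in interface outside
"""
# Narrower alternative to "permit icmp any any": ICMP from the VPN peer LAN only.
NARROW_FIX = "access-list external permit icmp 192.168.57.0 255.255.255.0 any\n"

ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def parse_addr(spec):
    """PIX address spec ('any', 'host A', 'A MASK') -> ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Return ({acl: [(action, proto, src_net, dst_net)]}, {iface: acl})."""
    aces, bindings = {}, {}
    for line in text.splitlines():
        if m := ACE_RE.match(line.strip()):
            name, action, proto, src, dst = m.groups()
            aces.setdefault(name, []).append(
                (action, proto, parse_addr(src), parse_addr(dst)))
        elif m := GROUP_RE.match(line.strip()):
            bindings[m.group(2)] = m.group(1)
    return aces, bindings

def unbound_acls(aces, bindings):
    """ACLs no access-group applies; a misspelled name lands here and filters nothing."""
    return sorted(set(aces) - set(bindings.values()))

def permits(aces, bindings, iface, proto, src, dst):
    """First match in the ACL bound inbound on iface, implicit deny at the end.
    Ports are ignored: the question is whether proto/src/dst is allowed at all."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d in aces.get(bindings.get(iface), []):
        if p in (proto, "ip") and src in s and dst in d:
            return action == "permit"
    return False
```

Ports, object-groups and NAT are not modelled, so a permit here only means the ACL itself would not drop the flow.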
