• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1170

Inbound traffic on a PIX 505

Below is a pretty basic PIX config and I am having trouble getting inbound traffic for SMTP, HTTPS, and PPTP. I am able to connect inbound on 3389 to a PC so that works. I believe with the PIX you can use the same outside interface to redirect different ports to different inside hosts with the static commands below. If anyone can assist me in helping to see why these other ports are not connecting. I'm not too familiar with the intricacies of the PIX troubleshooting commands - seems like this is a pretty simple config and should work. Thanks in advance for assistance.



PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password WxymcYdmmmFVFzVI encrypted
passwd WxymcYdmmmFVFzVI encrypted
hostname sofix-fw
domain-name sfix.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network blocked_hosts
  description BLOCKED INTERNAL HOSTS
  network-object 192.168.20.80 255.255.255.255
  network-object 192.168.20.81 255.255.255.255
  network-object 192.168.20.82 255.255.255.255
  network-object 192.168.20.83 255.255.255.255
  network-object 192.168.20.84 255.255.255.255
  network-object 192.168.20.85 255.255.255.255
  network-object 192.168.20.86 255.255.255.255
  network-object 192.168.20.87 255.255.255.255
  network-object 192.168.20.88 255.255.255.255
  network-object 192.168.20.89 255.255.255.255
  network-object 192.168.20.90 255.255.255.255
  network-object 192.168.20.91 255.255.255.255
  network-object 192.168.20.92 255.255.255.255
  network-object 192.168.20.93 255.255.255.255
  network-object 192.168.20.94 255.255.255.255
  network-object 192.168.20.95 255.255.255.255
  network-object 192.168.20.201 255.255.255.255
  network-object 192.168.20.252 255.255.255.255
  network-object 192.168.20.254 255.255.255.255
  network-object 192.168.20.113 255.255.255.255
  network-object host 192.168.20.227
access-list 110 permit tcp any host 66.18.44.17 eq 3389
access-list 110 permit tcp any host 66.18.44.17 eq pptp
access-list 110 permit tcp any host 66.18.44.17 eq https
access-list 110 permit tcp any host 66.18.44.17 eq smtp
access-list 105 permit tcp host 192.168.20.80 any eq daytime
access-list 105 permit udp host 192.168.20.80 any eq 13
access-list 105 permit udp host 192.168.20.80 any eq ntp
access-list 105 permit tcp host 192.168.20.80 any eq 123
access-list 105 permit ip object-group blocked_hosts host 74.205.135.199
access-list 105 deny ip object-group blocked_hosts any
access-list 105 permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.18.44.17 255.255.255.240
ip address inside 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.20.208 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.20.8 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.20.8 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.20.8 smtp netmask 255.255.255.255 0 0
access-group 110 in interface outside
access-group 105 in interface inside
route outside 0.0.0.0 0.0.0.0 66.18.44.18 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 5
ssh 74.205.135.25 255.255.255.255 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:86da3ca330524b21158d57e34b10f2fc
: end
sofix-fw#
Asked by: x09project

RPPreacher commented:
access-group 110 in interface outside
qbakies commented:
"I believe with the PIX you can use the same outside interface to redirect different ports to different inside hosts with the static commands below."

You are incorrect. The PIX cannot map an external IP to multiple internal IPs. The 3389 works because it is the first static statement in your config.
x09project (Author) commented:
RPPreacher - the comment you left on the access-group 110 in interface outside line is in my config - are you indicating it is incorrect or that it should be included and you did not see it?

qbakies - I read in a Syngress book on the PIX that port redirection will allow a single IP address to serve as the public IP address for more than one internal server. I'm almost positive the functionality I describe is present in the PIX.
MikeKane commented:
I think that in 6.3.5, PIX did support Static PAT....  
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694

Example from the doc:
To redirect FTP traffic from the PIX Firewall outside interface to the inside host at 10.1.1.30, enter:
static (inside,outside) tcp interface ftp 10.1.1.30 ftp netmask 255.255.255.255


pptp will not work in this case though.  

https and smtp should be ok forwarded to the internal hosts according to the command reference.

MikeKane commented:
In your Access-list 110, replace the IP address with the keyword INTERFACE.    See if that helps matters.
Reference: http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/ab.html#wp1067755
Markus Braun (CEO) commented:
Hi,

change the IP to either interface or any

e.g.

access-list 110 permit tcp any any eq 3389
access-list 110 permit tcp any any eq pptp
access-list 110 permit tcp any any eq https
access-list 110 permit tcp any any eq smtp

then it will work - the statics are correct

preferably use the next free public IP and not the interface IP address
Interface IP should only be used for VPN or to access the PIX from the outside
Markus Braun (CEO) commented:
Basically like this

access-list 110 permit tcp any host 66.18.44.18 eq 3389
access-list 110 permit tcp any host 66.18.44.18 eq pptp
access-list 110 permit tcp any host 66.18.44.18 eq https
access-list 110 permit tcp any host 66.18.44.18 eq smtp

static (inside,outside) tcp 66.18.44.18 3389 192.168.20.208 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.18.44.18 pptp 192.168.20.8 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.18.44.18 https 192.168.20.8 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.18.44.18 smtp 192.168.20.8 smtp netmask 255.255.255.255 0 0
Markus Braun (CEO) commented:
For pptp, you may need to add the fixup protocol, but I am not sure on that - I know you need it tunneling from the inside to outside

fixup protocol pptp 1723
x09project (Author) commented:
Thanks for all of the great responses - I have noted the correct syntax for future use - BUT I'VE DISCOVERED ANOTHER PATTERN -

At first I thought inbound access was the problem but I have come to learn my inside host (192.168.20.8) is unable to access OUTBOUND, thus hosing my inbound connection attempts. If I change the IP address of the 192.168.20.8 host to another IP address it hits the Internet like there's no tomorrow - so I said "Hmm - that's odd, it looks like there must be an outbound rule stopping only this host (since all other hosts hit the Internet just fine)" - then I said I'll get real tricky and add an entry in access list 105 to specifically allow 192.168.20.8 outbound on anything. So I add the access list entry, change the server's IP address back to 192.168.20.8 and it works like a charm. So here's the new question - from looking at my simple config above, WHAT WAS STOPPING 192.168.20.8 FROM OUTBOUND ACCESS AND WHY WOULD IT REQUIRE AN EXPLICIT ALLOW RULE?
Markus Braun (CEO) commented:
Judging by your use of access-lists (meaning using numbers instead of names) you look like you have used Cisco routers before. (Also by using permit ip any any at the end of the access-list.)

On firewalls you explicitly permit traffic - you just don't allow everything - they work the opposite way than routers.
So you should not use the permit any any at the end, but actually permit only what you want, as there is no reason to allow everything anyway because it leaves the door wide open for any malicious traffic to exit your network.
Also it's better to name your access-lists, e.g.
access-list LANOUT permit tcp host 192.168.20.80 any eq daytime
access-list LANOUT permit udp host 192.168.20.80 any eq 13
access-list LANOUT permit udp host 192.168.20.80 any eq ntp
access-list LANOUT permit tcp host 192.168.20.80 any eq 123
access-list LANOUT permit ip object-group blocked_hosts host 74.205.135.199

so you can see with one look what the ACL is for.

Besides that, if that is your actual access-list config snippet, 192.168.20.8 should not be blocked
because you do permit any any at the end of your ACL and it's not explicitly denied.
I would need to see the log for why it is doing it.
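To make the first-match and implicit-deny semantics discussed above concrete, here is an added Python model (not a PIX feature and not code from anyone in this thread) that parses the thread's own access-list 105 and the blocked_hosts object-group and evaluates sample outbound flows against them. It only understands the address forms this config uses (any, host, object-group) and the port names it names; the port-name table is an assumption.

```python
# Constructed from the thread's config: the object-group and ACL 105 entries.
GROUPS = {"blocked_hosts": {f"192.168.20.{i}" for i in range(80, 96)}
          | {"192.168.20.201", "192.168.20.252", "192.168.20.254",
             "192.168.20.113", "192.168.20.227"}}
PORTS = {"daytime": 13, "ntp": 123, "smtp": 25, "https": 443, "pptp": 1723}  # assumed name->port map

ACL_105 = """\
access-list 105 permit tcp host 192.168.20.80 any eq daytime
access-list 105 permit udp host 192.168.20.80 any eq 13
access-list 105 permit udp host 192.168.20.80 any eq ntp
access-list 105 permit tcp host 192.168.20.80 any eq 123
access-list 105 permit ip object-group blocked_hosts host 74.205.135.199
access-list 105 deny ip object-group blocked_hosts any
access-list 105 permit ip any any"""

def _addr(tokens):
    """Consume one address spec (any | host X | object-group G); return (matcher, rest)."""
    kind = tokens[0]
    if kind == "any":
        return (lambda ip: True), tokens[1:]
    if kind == "host":
        return (lambda ip, h=tokens[1]: ip == h), tokens[2:]
    if kind == "object-group":
        return (lambda ip, g=GROUPS[tokens[1]]: ip in g), tokens[2:]
    raise ValueError(f"unsupported address spec: {tokens}")

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines, keeping order."""
    rules = []
    for line in text.strip().splitlines():
        f = line.split()
        src, rest = _addr(f[4:])
        dst, rest = _addr(rest)
        port = int(PORTS.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
        rules.append((line.strip(), f[2], f[3], src, dst, port))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    """First matching ACE wins; if nothing matches, the PIX applies its implicit deny."""
    for text, action, rproto, src, dst, port in rules:
        if rproto not in ("ip", proto):
            continue
        if not (src(src_ip) and dst(dst_ip)):
            continue
        if port is not None and port != dst_port:
            continue
        return action, text
    return "deny", "implicit deny (no ACE matched)"
```

Dropping the trailing `permit ip any any` and re-running the same flows shows every host outside the explicit permits, 192.168.20.8 included, falling through to the implicit deny, which is the behaviour Markus describes for a firewall-style ACL.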