Solved

PIX 506E config and rules

Posted on 2010-09-22
Last Modified: 2012-05-10
Hello

I have a PIX 506E that I need to have SMTP, WWW, and other services on. I have been given an IP allocation of xxx.xxx.140.119/24 and a subnetted network address of xxx.xxx.183.128/28 as my usable IPs.

I configured my firewall and was able to get all of the servers behind it to have 3389 working (for testing). Since then I have tried to apply additional rules, such as FTP, 1433, WWW, SMTP, IMAP, and others. Each time I do so I get an error where I am unable to add due to a network error, re: you can't assign an IP address of xxx.xxx.183.131 because the mask is not correct.

Any ideas?
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
hostname 
domain-name 
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type icmp-grp 
  description ICMP Types allowed into the PIX
  icmp-object echo-reply 
  icmp-object unreachable 
  icmp-object time-exceeded 
object-group service Email tcp 
  description Http-RPC,
  port-object range 3389 3389 
  port-object range 6003 6003 
  port-object eq imap4 
  port-object eq www 
  port-object eq telnet 
  port-object eq smtp 
  port-object range 6001 6001 
  port-object eq pop3 
  port-object range 6002 6002 
  port-object eq https 
  port-object eq nntp 
access-list outside_in permit icmp any any object-group icmp-grp 
access-list inside_in deny ip any any 
access-list inside_in deny icmp any any 
access-list outside_access_in remark DC01
access-list outside_access_in permit tcp any host xxx.xxx.183.129 eq 3389 
access-list outside_access_in remark DC02
access-list outside_access_in permit tcp any host xxx.xxx.183.130 eq 3389 
access-list outside_access_in remark Email01
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 3389 
access-list outside_access_in permit tcp any host xxx.xxx.183.133 eq 3389 
access-list outside_access_in permit tcp any host xxx.xxx.183.134 eq 3389 
access-list outside_access_in permit tcp any host xxx.xxx.183.135 eq 3389 
access-list outside_access_in permit tcp any host xxx.xxx.183.136 eq 3389 
access-list outside_access_in permit tcp any host xxx.xxx.183.137 eq 3389 
access-list outside_access_in permit tcp any host xxx.xxx.183.138 eq 3389 
access-list outside_access_in permit tcp any host xxx.xxx.183.139 eq 3389 
access-list outside_access_in permit tcp any host xxx.xxx.183.140 eq 3389 
access-list outside_access_in permit tcp any host xxx.xxx.183.141 eq 3389 
access-list inside_access_in permit tcp interface inside object-group Email interface outside object-group Email 
pager lines 24
logging on
logging timestamp
logging standby
logging console notifications
logging monitor notifications
logging buffered notifications
logging history emergencies
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.140.119 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.10.11.21 255.255.255.255 inside
pdm location 10.10.11.22 255.255.255.255 inside
pdm location 10.10.11.23 255.255.255.255 inside
pdm location 10.10.11.25 255.255.255.255 inside
pdm location 10.10.11.26 255.255.255.255 inside
pdm location 10.10.11.27 255.255.255.255 inside
pdm location 10.10.11.28 255.255.255.255 inside
pdm location 10.10.11.29 255.255.255.255 inside
pdm location 10.10.11.30 255.255.255.255 inside
pdm location 10.10.11.31 255.255.255.255 inside
pdm location 10.10.11.32 255.255.255.255 inside
pdm location 10.10.11.33 255.255.255.255 inside
pdm location xxx.xxx.183.128 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.183.129 3389 10.10.11.21 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.130 3389 10.10.11.22 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 3389 10.10.11.23 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.133 3389 10.10.11.25 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.134 3389 10.10.11.26 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.135 3389 10.10.11.27 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.136 3389 10.10.11.28 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.137 3389 10.10.11.29 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.138 3389 10.10.11.30 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.139 3389 10.10.11.31 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.140 3389 10.10.11.32 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.141 3389 10.10.11.33 3389 netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.140.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http xxx.xxx.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
snmp-server 
snmp-server contact 
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
isakmp enable outside
telnet 0.0.0.0 0.0.0.0 outside
telnet xxx.xxx.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username jkesoglou password .ExjueaZAJawM9ir encrypted privilege 15
terminal width 80
Cryptochecksum:ab5e9ccf12761249efa4f3fb81e95507
: end
[OK]

Question by:johnkesoglou
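The task in the question is to put several TCP services on the same public host of the /28 using PIX 6.3 port-redirection statics, and the error quoted ("the mask is not correct") is what the PIX reports when a host static is given anything other than the 255.255.255.255 host mask. The script below is an added example, not the poster's or the answerer's configuration: it generates correct `static` plus `access-list` pairs for extra services on one public IP, and lints a config of the shape posted above for the mask error, for public IPs outside the allocation, for ACL permits with no matching static, and for the management lines in the posted config that are open to any source (`telnet 0.0.0.0 0.0.0.0 outside`, `http 0.0.0.0 0.0.0.0 outside`, `snmp-server community public`). The addresses 203.0.113.128/28, 203.0.113.131 and the sample config are constructed stand-ins for the masked xxx.xxx.183.x values; 10.10.11.23 is the inside host the post maps to xxx.xxx.183.131. One caveat the post itself raises implicitly: the /28 is not on the outside interface's xxx.xxx.140.0/24, so the PIX will not proxy-ARP for it, and the statics only work if the provider routes the /28 to xxx.xxx.140.119.

```python
"""Checks for PIX 6.3 port-forwarding statics (added example, not from the post).

Assumed values: 203.0.113.128/28 stands in for the poster's xxx.xxx.183.128/28,
203.0.113.131 for xxx.xxx.183.131 (Email01, inside host 10.10.11.23).
"""
import ipaddress
import re

HOST_MASK = "255.255.255.255"
ALLOCATION = "203.0.113.128/28"          # assumed stand-in for xxx.xxx.183.128/28

# PIX accepts these service keywords; normalise them to port numbers.
PORT_KEYWORDS = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80,
                 "pop3": 110, "nntp": 119, "imap4": 143, "https": 443}

STATIC_RE = re.compile(
    r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(
    r"^access-list outside_access_in permit tcp any host (\S+) eq (\S+)")
# Management-plane lines that open the firewall to the whole internet.
EXPOSED_MGMT = ("telnet 0.0.0.0 0.0.0.0 outside",
                "http 0.0.0.0 0.0.0.0 outside",
                "snmp-server community public")


def check_public_ip(pub_ip, allocation=ALLOCATION):
    """Raise ValueError unless pub_ip is a usable host in the allocation.
    The first and last addresses of the /28 are network and broadcast."""
    net = ipaddress.ip_network(allocation)
    ip = ipaddress.ip_address(pub_ip)
    if ip not in net:
        raise ValueError(f"{pub_ip} is not inside {allocation}")
    if ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{pub_ip} is the network/broadcast address of {allocation}")
    return str(ip)


def forward_service(pub_ip, inside_ip, port, allocation=ALLOCATION,
                    acl="outside_access_in"):
    """Return the static (port redirection) plus matching ACL line for one
    TCP service. A port static always takes the host mask 255.255.255.255;
    the /28 mask belongs to the allocation, not to the static."""
    check_public_ip(pub_ip, allocation)
    p = PORT_KEYWORDS.get(port, port)
    return [
        f"static (inside,outside) tcp {pub_ip} {p} {inside_ip} {p} "
        f"netmask {HOST_MASK} 0 0",
        f"access-list {acl} permit tcp any host {pub_ip} eq {p}",
    ]


def lint(config, allocation=ALLOCATION):
    """Findings on a running config: statics with a non-host mask or an
    outside IP outside the allocation, duplicate (ip, port) statics, ACL
    permits whose public IP has no static, and wide-open management."""
    findings, statics, acl_hosts = [], set(), []
    for line in (ln.strip() for ln in config.splitlines()):
        m = STATIC_RE.match(line)
        if m:
            pub, port, _inside, _iport, mask = m.groups()
            try:
                check_public_ip(pub, allocation)
            except ValueError as err:
                findings.append(f"static: {err}")
            if mask != HOST_MASK:
                findings.append(
                    f"static: {pub} port {port} uses mask {mask}, expected {HOST_MASK}")
            if (pub, port) in statics:
                findings.append(f"static: duplicate mapping for {pub} port {port}")
            statics.add((pub, port))
            continue
        m = ACL_RE.match(line)
        if m:
            acl_hosts.append(m.group(1))      # resolve after all statics are seen
        elif line in EXPOSED_MGMT:
            findings.append(f"mgmt: '{line}' is open to any source")
    known = {pub for pub, _ in statics}
    findings += [f"acl: permit to {h} has no static" for h in acl_hosts if h not in known]
    return findings


# Constructed sample mirroring the posted config, with one mask error, one
# out-of-range public IP, one orphaned ACL line and the exposed management lines.
SAMPLE_CONFIG = """
access-list outside_access_in permit tcp any host 203.0.113.131 eq 3389
access-list outside_access_in permit tcp any host 203.0.113.132 eq smtp
static (inside,outside) tcp 203.0.113.131 3389 10.10.11.23 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.131 25 10.10.11.23 25 netmask 255.255.255.240 0 0
static (inside,outside) tcp 203.0.113.150 80 10.10.11.23 80 netmask 255.255.255.255 0 0
telnet 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 outside
snmp-server community public
"""

if __name__ == "__main__":
    for svc in ("smtp", "www", "imap4", "https"):
        print("\n".join(forward_service("203.0.113.131", "10.10.11.23", svc)))
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Several statics for the same public IP with different ports are exactly what port redirection is for, so 25, 80, 143 and 443 can sit beside the existing 3389 static on the Email01 address; each `static` line carries the host mask, and each needs its own `access-list outside_access_in` permit because the `access-group` on the outside interface denies everything not listed. The management findings are not needed to make the forwards work, but leaving telnet, HTTP/PDM and SNMP with a default community reachable from any outside address is the kind of exposure a practitioner would fix before adding more published services.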
2 Comments
Accepted Solution

by:
beezleinc earned 500 total points
ID: 33735135
Can you post the commands you are using to try and add the other services?
 

Author Closing Comment

by:johnkesoglou
ID: 33735397
Free money - I figured it out :)

thanks