Cisco PIX 506E Firewall setup

Here we have a default config:

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.4 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end


To allow those extra ports, set up some statics and allow them through access lists:

static (inside,outside) tcp interface 21 192.168.1.100 21 netmask 255.255.255.255
static (inside,outside) tcp interface 22 192.168.1.100 22 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.1.100 25 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.100 3389 netmask 255.255.255.255

access-list outside permit tcp any interface outside eq 21
access-list outside permit tcp any interface outside eq 22
access-list outside permit tcp any interface outside eq 25
access-list outside permit tcp any interface outside eq 3389

access-group outside in interface outside

That should get you going :)

Oh, VPN.....

What kind did you have in mind?

Hi erniebeek,

Wow thanks again for the help. I have a standard windows server 2003 setup with routing & remote access setup as our VPN server!

Sorry about the late reply but The Queen is visiting Dublin today and its mental in town!

Heard something about (even on the other side of the channel :)
So if I understand correct you want the pix to pass through pptp to the server?

Yea I will attach a screen shot of my router NAT config.

1 more question how do i configure the pix box. I have it beside me now. There are 3 ethernet ports on the back. Ethernet 1(yellow) Ethernet 0 (yellow) USB and an Ethernet that has Console (Blue).

Really applicate your help with this erniebeek!

Hi erniebeek,

I found this online so no need to worry about how to connect  http://www.cisco.com/en/US/docs/security/pix/pix63/quick/guide/63_506qk.html

Ok, good. That's one covered ;)

Now for the second.
It would be best if the netopia (which is in front of the PIX, I assume) would be set to bridge mode if possible. That way the pix will get the public ip (you got only one I think?) and you don't have a nat behind nat...

So if that is possible, change the outside interface:
ip address outside dhcp setroute
So it gets the public address through dhcp from your provider.

Then add the following to permit pptp passthrough:
fixup protocol pptp 1723
access-list outside permit tcp any interface outside eq pptp
static (inside,outside) tcp interface pptp 192.168.1.68 pptp netmask 255.255.255.255

Assuming that 192.168.1.68 is the pptp server.

Sorry erniebeek, I am having difficulty connecting to the PIX web based startup wizard.

I am following these steps

 If you have not already done so, use an Ethernet cable to connect your PC to the inside port (Ethernet 1) on the rear panel of the PIX Firewall.

Step 2 Configure your PC to use DHCP (to receive an IP address automatically from the PIX Firewall) or assign a static IP address to your PC by selecting an address outside of the 192.168.1.0 network.


Note The inside interface of the PIX Firewall is assigned 192.168.1.1, so choose a different IP address.

Step 3 Check the ACT LED on the rear panel of the PIX Firewall (see Table 2) to verify that your PC has basic connectivity to the inside port (Ethernet 1). When connectivity occurs, the ACT LED next to the port lights up solid green.

Step 4 To access the Startup Wizard, use a PC connected to the inside port and enter the URL https://192.168.1.1/startup.html into your browser.

but not getting connected. I have turned off my wifi can i changed my NIC to:  192.168.1.3

So you're not connecting through the management interface?

The PIX might have an old config on it using a different ip range....

Yea Trying to connect to the management interface but not getting in, is there a way to rest the PIX box?

There is, through the management interface.......

Are you using the correct (blue flat Cisco) cable?

No just a normal cat 5 cable, is there a difference? If so where can i get a blue flat Cisco. I have a cross over cable would that do?

This is what i found...

Restore the Default Configuration

 You can restore your configuration back to the factory default values in one of the following ways:

 •You can start the Startup Wizard at: https://192.168.1.1/startup.html 

 •Enter the following CLI commands:

        Command        Description

 Step 1        
configure factory-default [<inside ip address> [address mask]] 1       
 Erases the running configuration and replaces it with the factory default configuration.

 Step 2        
write memory       
 Writes the factory default configuration to Flash memory.

1 If the optional inside IP address and address mask are specified, the factory-default configuration will reflect the specified IP address.

1 Entering the configure factory-default command erases the current running configuration.

Though the ports looks like an ethernet, it isn't. You need that cisco 'rollover' cable. It has a RJ45 on one end and a DB9 (COM) at the other. So it didn't came with the PIX?

You might try to set your pc up for DHCP and see if it gets an address from the PIX. Then you'd know where to go....

No I cant find that cable, it says thats an Alternative Ways to Access the PIX 506E

 You can access the command-line interface (CLI) for administration using the console port on the PIX Firewall. To do so, you must run a serial terminal emulator on a PC or workstation.

I will see if i can get a blue console cable (72-1259-01) online somewhere.

No other Cisco stuff laying around that might have one?

Unfortunately No but i am looking for 1 online and found this site http://www.elara.ie/results.aspx?search=rj45+serial 

Not sure if its 1. (Cisco Auxiliary Cable - Serial cable - RJ-45) or 4. (Straight serial cable - RJ45 to DB25 male)

So going 2 do a bit more research and maybe contact Cisco about the part no.

I will let you know as soon as I have 1 and am connected to the management console.

Looks like this is the one: http://www.elara.ie/productdetail.aspx?productcode=MMEV930866

Great, I will order it now. and see if I can collect it. Thanks again!!!

My pleasure :)

Hi erniebeek,

Finally got the console cable and I can connect to the firewall (http://192.168.1.254) but whoever set it up before me put a password onto it and left no documentation. Any ideas on reseting the firewall to factory default settings? Going 2 have a look on google!  

So did you find this one:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml
?

Hi erniebeek,

found that thanks, will need a day or 2 with it sorry for the delay. Thanks again!!!

No problem. I'll be here :)

Hi erniebeek,

I have never done anything like this before. What serial terminal or a PC with terminal emulation software will I use and how do I know what binary file, depending on the PIX software version to download?

I always use putty: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html works great. And you'll need a machine with a COM port (DB-9) or a USB to serial converter.

When you connect to the firewall (with putty) and start it, you should be able to see what version of the OS it loads. After that you can download the correct binary and use it.

Legend, got all that

 Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-506E
System Flash=E28F640J3 @ 0xfff00000

so downloaded the nppix.bin (4.3 and earlier releases)

then when i run putty and hit esc, I enter..

monitor>interface 0  (and i get)

0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)

Ethernet auto negotiation timed out.
Ethernet port 0 could not be initialized.

This is were i am getting stuck not sure if i am putting in the right ip here.

monitor> address 192.168.1.254 (i put that in because that what i use in web browser to get username and password)

What you saw there is the bios version, not the OS (!).

If you let it boot you should see it (this is from a 501 but it should look the same):

Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x3000000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 1974784 bytes of image from flash.
#################################################################################################################
16MB RAM
mcwa i82559 Ethernet at irq  9  MAC: 0008.e3b3.799e
mcwa i82559 Ethernet at irq 10  MAC: 0008.e3b3.799f
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000

  -----------------------------------------------------------------------
                               ||        ||
                               ||        ||
                              ||||      ||||
                          ..:||||||:..:||||||:..
                         c i s c o S y s t e m s
                        Private Internet eXchange
  -----------------------------------------------------------------------
                        Cisco PIX Firewall

Cisco PIX Firewall Version 6.3(5)
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license.

The port of the firewall is plugged in to the network is it?

OK my bad so its  
-----------------------------------------------------------------------
                               ||        ||
                               ||        ||
                              ||||      ||||
                          ..:||||||:..:||||||:..
                         c i s c o S y s t e m s
                        Private Internet eXchange
  -----------------------------------------------------------------------
                        Cisco PIX Firewall

Cisco PIX Firewall Version 6.3(3)

Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

I downloaded np63.bin (6.3 release)


Yea i have it plugged in with the blue console cable and i select com's port in putty but i also have a cross-wired Lan cable in ethernet 1 going 2 the lan on my pc.

when i open internet explorer and put https://192.168.1.254 it try's to connect to the pix box, i get a cert error then it asks me for username and pass which i don't have

Hehehe, it's not that easy.

So reboot it again and go through the moves, it looks like it first tries to get an ip through dhcp.

The interfaces are up? And you also have a tftp server installed on your pc?

monitor>interface 0
0: i8255X @ PCI(bus:0 dev:13 irq:10)
1: i8255X @ PCI(bus:0 dev:14 irq:7 )
 
Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9
monitor>address x.x.x.x (address you give to the PIX)
address x.x.x.x
monitor>server y.y.y.y (the static address you gave your pc in the same range)
server y.y.y.y
monitor>file np63.bin
file np63.bin
monitor>ping y.y.y.y
Sending 5, 100-byte 0xf8d3 ICMP Echoes to y.y.y.y, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor>tftp
tftp np63.bin@172.18.125.3 via 10.21.1.1...................................
Received 73728 bytes
 
Cisco Secure PIX Firewall password tool (3.0) #0: Tue Aug 22 23:22:19 PDT 2000
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xd8000
 
Do you wish to erase the passwords? [yn] y
Passwords have been erased.
 
Rebooting....

I am so close i can taste it, this is where i am falling over the tftp part i think,

monitor> ping 192.168.1.109
Sending 5, 100-byte 0x569 ICMP Echoes to 192.168.1.109, timeout is 4 secons:

Success rate is 0 percent (0/5)
monitor>
 
Nothing is happening

I put the np63.bin file into the tftp current dir, do i need to do anything else e.g connect the tftp to the box ?????

I assumed the tftp is on your pc.........

Is it?

Otherwise we have to check the physical connection to see if it is up.

Yes its on my PC!

TFTP on my pc
tftp.jpg

Interfaces are up? Cables ok? Did you plugged it in eth0 on the pix?

I have a crosswired lan cable pluged into ethernet 1 on the back of the pix. and my lan ip is set at 192.168.1.3 with a subnet mask of 255.255.255.0 and a gateway of 192.168.1.254 (same as the pix box)
 and I also have the blue console cable attached to coms port 1 on my pc.

So I will change the crosswired lan cable to ethernet 0 on the back of the pix box?

Either that or give as the first command 'interface 1'

Ok i am understanding it now,

So I am leaving lan cable in ethernet 1 and changing the start to interface 1 then address 192.168.1.254 (the pix box) then server 192.168.1.3 (my tftp pc ip (lan cable)) but I am still getting

monitor> ping 192.168.1.3
Sending 5, 100-byte 0x8cc4 ICMP Echoes to 192.168.1.3, timeout is 4 seconds:

Success rate is 0 percent (0/5)
monitor>

It looks like it is not connecting to my pc or i havent setup tftp correct! here is a pic of all my lan settings and the tftp and the np63.bin file location.
lanpic.jpg

AGHHH getting so close

Using 1: i82557 @ PCI(bus:0 dev:13 irq:11), MAC: 0012.4324.d56a
Use ? for help.
monitor> interface 1
0: i8255X @ PCI(bus:0 dev:14 irq:10)
1: i8255X @ PCI(bus:0 dev:13 irq:11)

Using 1: i82557 @ PCI(bus:0 dev:13 irq:11), MAC: 0012.4324.d56a
monitor> address 192.168.1.254
address 192.168.1.254
monitor> server 192.168.1.3
server 192.168.1.3
monitor> file np63.bin
file np63.bin
monitor> ping 192.168.1.3
Sending 5, 100-byte 0x97b2 ICMP Echoes to 192.168.1.3, timeout is 4 seconds:
!!!!
Success rate is 80 percent (4/5)
monitor>

Eh,
tftp ?

Yea got it! your a Genius!!!!!

know to start programming it!!!  Thanks again!!!!!!

Sorry since I have rest the password, what is the new username and password?

Well I need 50000 points more to become a genius ;)

Glad we solved it though!

Username password should be pix and cisco

Leaving them blank works, but it just stuck on the loading page. It asks me for 2 passwords a internet explorer pass and then a java script pass

please see attached pics
pass1.jpg
pass2.jpg

pix and cisco dont work

And putting in just the password?

The only thing that works is if i leave them both blank but then it just says loading pix driver manager please wait?

What version of java do you have?

version 6 update 24 (build 1.6.0_24-b07)

Java 6 standard edition

There are known issues with java. If possible try to go back to v6 update 7.

will do

still the same???????

I am going 2 try it on an older PC running XP and an older version on internet explorer 6 with java V6 update 7
java-6-update7.jpg

Is there any othre way of configuring the pix box now that the password is reset. Going in through internet explorer is not working for me, just get stuck on the loading page. And i have tried it on an xp Pc with IE6 and the oldest version of java i could find. still the same.

What about using telnet or putty?

Those are my favorites :)
But use ssh, more secure. So what do you need (to know)?

Hi erniebeek,

I have no idea how to configure the PIX box with the code you have so generously given me. Thanks again for all the time you have spent on this already!

Never mind, I'm just having fun over here :)

So give me the addresses you would like to use for the pix (inside and outside) and I'll post an adjusted config suited to your needs. Then you can just cut and paste it in to putty.

Sound!

At the moment the Pix has an IP address of 192.168.1.254, but i would prefer if it was 192.168.1.250. It will be connecting to our eircom broadband which has a static IP of x.x.x.209.

Ports I need open are

Service Name&#9;Service Mode&#9;&#9;&#9;
PPTP&#9;Server&#9;192.168.1.68&#9;&#9;
FTP&#9;Server&#9;192.168.1.167&#9;&#9;
HTTP&#9;Server&#9;192.168.1.167&#9;&#9;
HTTPS&#9;Server&#9;192.168.1.167&#9;&#9;
SMTP&#9;Server&#9;192.168.1.167

If your ever in Dublin you will have 2 let me know so I can buy you a pint or 10!

Be carefull posting you public ip's, you never know ;)

So what's the subnet of that eircom?


Always wanted to go to Ireland so who knows, I might keep you to that promise :))

Yea just thought of that after i posted it! I will edit it later, thanks for the heads up.

The Subnet mask is 255.255.255.0

I cant believe that there has been 2 Hangover movies and not I of them has been filimed in Ireland, The hangover capital of the world. fingers crossed for the 3rd. Yea you should its a mad kip!

:)

So mail the film studios! Perhaps we can play in it as well :-0

Ok, 255.255.255.0? that means you have 254 publics? Or just a few are yours?

Ha ha sounds like a plan.

I am not sure if i am giving you the right subnet mask. Sorry. How do i find the subnet mask of my router?

By the looks of it you have x.x.x.208-223 (try inserting your ip at www.dnstools.com).

Give me a sec, I'll cook up a config for you.

Oh, I'll also ask a mod to mask/remove the public ip.

So your subnet mask is 255.255.255.240 b.t.w.

Yeah i did the same, seriously I can't thank you enough!

Stop, you're making me blush ;)

Right, here we go. Paste this in to your putty session, first log on type: enable and than conf t. That puts you in to configuration mode. After that, paste this:

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password your_password
passwd you_other_password
hostname your_hostname

names

ip address outside x.x.x.222 255.255.255.240
ip address inside 192.168.1.250 255.255.255.0

pdm logging informational 100
pdm history enable

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

http server enable
http 192.168.1.0 255.255.255.0 inside

access-list outside permit tcp any interface outside eq 21
access-list outside permit tcp any interface outside eq 25
access-list outside permit tcp any interface outside eq 80
access-list outside permit tcp any interface outside eq 443
access-list outside permit tcp any host x.x.x.221 eq 1723
access-list outside permit gre any host x.x.x.221

access-group outside in interface outside

static (inside,outside) tcp interface 21 192.168.1.167 21 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.1.167 25 netmask 255.255.255.255
static (inside,outside) tcp interface 80 192.168.1.167 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.1.167 443 netmask 255.255.255.255

static (inside,outside) x.x.x.221 192.168.1.68 netmask 255.255.255.255


The bold parts you have to adjust to your likings and the x.x.x's you need to replace with the first three digits of you public ip.

After that do a wr mem and a wr t. The latter will write the current config to screen. Copy that and paste it back here (removing the public ip's, paswwords, etc.) so I can see if more tweaking is required.

Og, this one is also handy to put in:
route outside 0.0.0.0 0.0.0.0 x.x.x.209

OK erniebeek,

One problem when I start the pix and open up putty this is what i see:



Copyright (c) 1996-2003 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

outside interface address added to PAT pool
.
Cryptochecksum(changed): 47b04476 b8788cb0 64ceef05 ddec5b5c
Type help or '?' for a list of available commands.
SyscoDub-Pix>


If I type "login" it asks me for a username and pass which we reset. but I still don't know what to put in here. I have tried username: pix password: cisco to no avail. If I type "?" this is what i see:


At the end of show <command>, use the pipe character '|' followed by:
begin|include|exclude|grep [-v] <regular_exp>, to filter show output.

enable          Turn on privileged commands
help            Help list
login           Log in as a particular user
logout          Exit from current user profile, and to unprivileged mode
pager           Control page length for pagination
quit            Quit from the current mode, end configuration or logout
SyscoDub-Pix>

Hehe, you're allready logged in. There's no password on the telnet yet.

When you see SyscoDub-Pix> just enter enable and conf t

Ha ha, Classic!!!!

Ok so this is what I got:

SyscoDub-Pix# conf t
SyscoDub-Pix(config)# interface ethernet0 auto
Type help or '?' for a list of available commands.
SyscoDub-Pix(config)# interface ethernet1 auto
SyscoDub-Pix(config)# nameif ethernet0 outside security0
SyscoDub-Pix(config)# nameif ethernet1 inside security100
SyscoDub-Pix(config)# enable password x.x.x
SyscoDub-Pix(config)# passwd x.x.x
Not enough arguments.
Usage:  password|passwd <password> encrypted
SyscoDub-Pix(config)# hostname SyscoDub-Pix
SyscoDub-Pix(config)#
SyscoDub-Pix(config)# names
SyscoDub-Pix(config)#
SyscoDub-Pix(config)# ip address outside x.x.x.222 255.255.255.240
SyscoDub-Pix(config)# ip address inside 192.168.1.250 255.255.255.0
SyscoDub-Pix(config)#
SyscoDub-Pix(config)# pdm logging informational 100
SyscoDub-Pix(config)# pdm history enable
SyscoDub-Pix(config)#
SyscoDub-Pix(config)# global (outside) 1 interface
global for this range already exists
SyscoDub-Pix(config)# nat (inside) 1 192.168.1.0 255.255.255.0
SyscoDub-Pix(config)#
SyscoDub-Pix(config)# http server enable
SyscoDub-Pix(config)# http 192.168.1.0 255.255.255.0 inside
ERROR: entry for address/mask = 192.168.1.0/255.255.255.0 exists
SyscoDub-Pix(config)#
SyscoDub-Pix(config)# access-list outside permit tcp any interface outside eq $
SyscoDub-Pix(config)# access-list outside permit tcp any interface outside eq $
SyscoDub-Pix(config)# access-list outside permit tcp any interface outside eq $
SyscoDub-Pix(config)# access-list outside permit tcp any interface outside eq $
SyscoDub-Pix(config)# access-list outside permit tcp any host x.x.x.221 eq$
SyscoDub-Pix(config)# access-list outside permit gre any host x.x.x.221
SyscoDub-Pix(config)#
SyscoDub-Pix(config)# access-group outside in interface outside
SyscoDub-Pix(config)#
SyscoDub-Pix(config)# static (inside,outside) tcp interface 21 192.168.1.167 2$
SyscoDub-Pix(config)# static (inside,outside) tcp interface 25 192.168.1.167 2$
SyscoDub-Pix(config)# static (inside,outside) tcp interface 80 192.168.1.167 8$
SyscoDub-Pix(config)# static (inside,outside) tcp interface 443 192.168.1.167 $
SyscoDub-Pix(config)#
SyscoDub-Pix(config)# static (inside,outside) x.x.x.221 192.168.1.68 netma$
SyscoDub-Pix(config)# wr mem
Building configuration...
Cryptochecksum: c986c5b2 4e7c3897 cd28b8a7 722ed2cf
[OK]
SyscoDub-Pix(config)# wr t
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SyscoDub-Pix
domain-name sysco.ie
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit tcp any host 192.168.10.101 eq smtp
access-list outside_in permit tcp any host 192.168.10.101 eq www
access-list outside_in permit tcp any host 192.168.10.101 eq https
access-list outside_in permit tcp any host 192.168.10.101 eq 3389
access-list outside_in permit tcp any host 192.168.10.101 eq ftp
access-list outside permit tcp any interface outside eq ftp
access-list outside permit tcp any interface outside eq smtp
access-list outside permit tcp any interface outside eq www
access-list outside permit tcp any interface outside eq https
access-list outside permit tcp any host x.x.x.221 eq pptp
access-list outside permit gre any host x.x.x.221
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.222 255.255.255.240
ip address inside 192.168.1.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 192.168.10.101 www 192.168.1.241 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.10.101 smtp 192.168.1.241 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.10.101 https 192.168.1.241 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.10.101 3389 192.168.1.241 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.10.101 ftp 192.168.1.241 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.167 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.167 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.167 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.167 https netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.221 192.168.1.68 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
username owenhiggins password dThG.LTmrkn3tNWB encrypted privilege 2
terminal width 80
Cryptochecksum:c986c5b24e7c3897cd28b8a7722ed2cf
: end
[OK]
SyscoDub-Pix(config)# route outside 0.0.0.0 0.0.0.0 x.x.x.209
cannot add route entry. possible conflict with existing routes
Usage:  [no] route <if_name> <foreign_ip> <mask> <gateway> [<metric>]
SyscoDub-Pix(config)#

Looking fairly good. Just the following:

SyscoDub-Pix(config)# passwd x.x.x
Not enough arguments.
Looks like that is still the default. Should work though like: passwd yourpassword. Just try again.

route outside 0.0.0.0 0.0.0.0 x.x.x.209
cannot add route entry. possible conflict with existing routes
First do: no route outside 0.0.0.0 0.0.0.0 192.168.10.254 , then route outside 0.0.0.0 0.0.0.0 x.x.x.209

Further, do a: no access-list outside_in and no nat (inside) 1 0.0.0.0 0.0.0.0 0

Also these:
no static (inside,outside) tcp 192.168.10.101 www 192.168.1.241 www netmask 255.255.255.255
no static (inside,outside) tcp 192.168.10.101 smtp 192.168.1.241 smtp netmask 255.255.255.255
no static (inside,outside) tcp 192.168.10.101 https 192.168.1.241 https netmask 255.255.255.255
no static (inside,outside) tcp 192.168.10.101 3389 192.168.1.241 3389 netmask 255.255.255.255
no static (inside,outside) tcp 192.168.10.101 ftp 192.168.1.241 ftp netmask 255.255.255.255

Even more:
telnet 192.168.1.0 255.255.255.0 inside

And don't forget to do a 'write mem' :)

SyscoDub-Pix(config)# route outside 0.0.0.0 0.0.0.0 x.x.x.209
cannot add route entry. possible conflict with existing routes
Usage:  [no] route <if_name> <foreign_ip> <mask> <gateway> [<metric>]
SyscoDub-Pix(config)# no route outside 0.0.0.0 0.0.0.0 192.168.10.254
SyscoDub-Pix(config)# route outside 0.0.0.0 0.0.0.0 x.x.x.209
SyscoDub-Pix(config)# no access-list outside_in and no nat (inside) 1 0.0.0.0 $
ERROR:<and> not a valid permission
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
SyscoDub-Pix(config)# no static (inside,outside) tcp 192.168.10.101 www 192.16$
SyscoDub-Pix(config)# no static (inside,outside) tcp 192.168.10.101 smtp 192.1$
SyscoDub-Pix(config)# no static (inside,outside) tcp 192.168.10.101 https 192.$
SyscoDub-Pix(config)# no static (inside,outside) tcp 192.168.10.101 3389 192.1$
SyscoDub-Pix(config)# no static (inside,outside) tcp 192.168.10.101 ftp 192.16$
SyscoDub-Pix(config)# telnet 192.168.1.0 255.255.255.0 inside
SyscoDub-Pix(config)# wr mem
Building configuration...
Cryptochecksum: fa2a3966 1b0b2739 bcc45f3b 1ade586b
[OK]
SyscoDub-Pix(config)# wr t
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SyscoDub-Pix
domain-name sysco.ie
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit tcp any host 192.168.10.101 eq smtp
access-list outside_in permit tcp any host 192.168.10.101 eq www
access-list outside_in permit tcp any host 192.168.10.101 eq https
access-list outside_in permit tcp any host 192.168.10.101 eq 3389
access-list outside_in permit tcp any host 192.168.10.101 eq ftp
access-list outside permit tcp any interface outside eq ftp
access-list outside permit tcp any interface outside eq smtp
access-list outside permit tcp any interface outside eq www
access-list outside permit tcp any interface outside eq https
access-list outside permit tcp any host x.x.x.221 eq pptp
access-list outside permit gre any host x.x.x.221
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.222 255.255.255.240
ip address inside 192.168.1.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.1.167 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.167 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.167 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.167 https netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.221 192.168.1.68 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username owenhiggins password dThG.LTmrkn3tNWB encrypted privilege 2
terminal width 80
Cryptochecksum:fa2a39661b0b2739bcc45f3b1ade586b
: end
[OK]
SyscoDub-Pix(config)#

 

Hehehehehe, one more time:

Type:  no access-list outside_in and press enter.
Then type: no nat (inside) 1 0.0.0.0 0.0.0.0 and press enter.

After that, you should be good to go :)))

Or atleast give it a test drive ;)

Ok thanks for being so patient with me.

SyscoDub-Pix(config)# no access-list outside_in
SyscoDub-Pix(config)# no nat (inside) 1 0.0.0.0 0.0.0.0
SyscoDub-Pix(config)# wr mem
Building configuration...
Cryptochecksum: 5ca63616 58e5579f aa073d38 7d60b781
[OK]


will i do a wr t?

Just to make sure we haven't forgot anything.

Cool, here it is:

SyscoDub-Pix(config)# wr t
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SyscoDub-Pix
domain-name sysco.ie
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit tcp any host 192.168.10.101 eq smtp
access-list outside_in permit tcp any host 192.168.10.101 eq www
access-list outside_in permit tcp any host 192.168.10.101 eq https
access-list outside_in permit tcp any host 192.168.10.101 eq 3389
access-list outside_in permit tcp any host 192.168.10.101 eq ftp
access-list outside permit tcp any interface outside eq ftp
access-list outside permit tcp any interface outside eq smtp
access-list outside permit tcp any interface outside eq www
access-list outside permit tcp any interface outside eq https
access-list outside permit tcp any host x.x.x.221 eq pptp
access-list outside permit gre any host x.x.x.221
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.222 255.255.255.240
ip address inside 192.168.1.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.1.167 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.167 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.167 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.167 https netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.221 192.168.1.68 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 username owenhiggins password dThG.LTmrkn3tNWB .209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username owenhiggins password dThG.LTmrkn3tNWB encrypted privilege 2
terminal width 80
Cryptochecksum:fa2a39661b0b2739bcc45f3b1ade586b
: end
[OK]
SyscoDub-Pix(config)# no access-list outside_in
SyscoDub-Pix(config)# no nat (inside) 1 0.0.0.0 0.0.0.0
SyscoDub-Pix(config)# wr mem
Building configuration...
Cryptochecksum: 5ca63616 58e5579f aa073d38 7d60b781
[OK]
SyscoDub-Pix(config)# wr t
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SyscoDub-Pix
domain-name sysco.ie
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit tcp any interface outside eq ftp
access-list outside permit tcp any interface outside eq smtp
access-list outside permit tcp any interface outside eq www
access-list outside permit tcp any interface outside eq https
access-list outside permit tcp any host x.x.x.221 eq pptp
access-list outside permit gre any host x.x.x.221
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.222 255.255.255.240
ip address inside 192.168.1.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface ftp 192.168.1.167 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.167 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.167 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.167 https netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.221 192.168.1.68 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username owenhiggins password dThG.LTmrkn3tNWB encrypted privilege 2
terminal width 80
Cryptochecksum:5ca6361658e5579faa073d387d60b781
: end
[OK]
SyscoDub-Pix(config)#

Looking goooooood.

I think you can take that for a testdrive.

Fu*king excellent!!!! I will test it 2night and let you know the results 2maro. I really applicate all the time you have spent with this erniebeek!  

The pleasure is all mine mate :)

I'm not sure if I'm available 2morrow (holiday over here) but I'll check back as soon as I can to see if you haven't run in to any trouble.

Hi erniebeek,

So far so good. Getting 1 error in DC App event logs, but everything seems to be working!


Event: 3033    Source: Server ActiveSync


The average of the most recent [200] heartbeat intervals used by clients is less than or equal to [540].  Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed.  For more information about how to configure firewall settings when using Exchange ActiveSync, see Microsoft Knowledge Base article 905013, "Enterprise Firewall Configuration for Exchange ActiveSync Direct Push Technology" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=905013).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

http://support.microsoft.com/kb/905013

Would there be anything I can do code wise to solve this? If not don't worry.

There are ways to do that using policy maps, but you'll need a pix version > 7.0 for that.

You could try changing:
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
to
timeout conn 1:00:00 half-closed 0:20:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

This way you globally increase the timeout (for half-closed connections).
See if that helps.

Deadly, so I just type:

enable and conf t

timeout conn 1:00:00 half-closed 0:20:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

then wr mem and wr t!

Ha ha I wish. Thanks for all your help with this, you deserve way more that 500 points! Take care ;)

What a great help and very very patient with me. Deserves more than 500 points!

Just eternal glory will suffice :)

If I'm ever in dublin I'll drop by for those 10 pints ;)

Do let me know and I'll give you a real tour of Dublin!!


Guinness-pint-glass.jpg

Lol!

We'll do.

It was a pleasure working with you.

Yea same with you, Thanks again!!!!