
Configuring PIX 506E

lazyboy
Posted: Mon Jan 10, 2005 11:17 am    Post subject: Configuring PIX 506E

I was able to finally run the PDM and configure the basics on the firewall. However, now my problem is: I do not have traffic either way, in or out! Here is the config, just in case. Somebody, take a look at it. I want to allow inbound connections to ports 80, 443, and 25. Thanks.

Notes:
XXXXXXXXXXXXX is the password
my_static_DSL_address is my DSL-provided static IP address
my_DSL_provider_gateway_address is my DSL-provided gateway IP address
computer_name is the server name
192.168.1.1 is the PIX firewall inside interface
192.168.1.2 is the web server's internal IP address
------------------------------------------------------------------------------------

Building configuration...
: Saved
:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXX encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.2 computer_name
access-list acl_out deny icmp any any
access-list acl_out permit tcp any host my_static_DSL_address eq www
access-list acl_out permit tcp any host my_static_DSL_address eq https
access-list acl_out permit tcp any host my_static_DSL_address eq smtp
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside my_static_DSL_address 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location computer_name 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) my_static_DSL_address computer_name netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 my_DSL_provider_gateway_address 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment chain 1
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address computer_name-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:18109948600691c322b27df46105a036
Sgt_B
Posted: Wed Jan 12, 2005 7:11 am

Ok let's try and get things up and running for you.

Disclaimer:
It is a little late here, and I'm exhausted, so please make sure you backup your config prior to making any changes to your PIX.

When dealing with only one public IP address, you'll need to use PAT instead of NAT. So your current static line needs to be altered. Once that's done the ACLs need to be changed to reflect those changes.
Since you said you can't send traffic in or out of the PIX, let's verify outbound connections first.

Easiest way to do that will be to remove your static command and your current ACLs (you don't need ACLs to allow outbound access). Don't worry about tearing those out, we'll be putting them back in there in a minute.
Code:
no static (inside,outside) my_static_DSL_address computer_name netmask 255.255.255.255 0 0
no access-list acl_out
no access-group acl_out in interface outside

Once that's done, your nat and global commands should deal with translating outbound requests, and you should be able to send outbound requests through the PIX (ICMP (pings) won't work though, so try going to a website).

Now we need to set up PAT for your internal webserver, and add the appropriate ACLs.
Code:
static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.1.2 25 netmask 255.255.255.255

access-list acl_out deny icmp any any
access-list acl_out permit tcp any interface outside eq 80
access-list acl_out permit tcp any interface outside eq 443
access-list acl_out permit tcp any interface outside eq 25
access-list acl_out deny ip any any

access-group acl_out in interface outside

That should do it! Packets that are destined for the PIX's outside interface on those specified ports should be translated and passed through to your internal web server. Outbound packets from the internal network to the internet should be translated according to the nat and global rules in your config, and outbound access should be functional.

Hope this helps! If you're still having problems with this, let me know and we'll keep working on it.
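As an added example (not code from the thread or from Cisco), a small Python checker that applies Sgt_B's two rules to a saved PIX 6.3 config: a plain one-to-one static cannot claim the single public address that `global (outside) interface` uses for PAT, and every port static needs a matching permit in the ACL applied inbound on outside. Port keywords (www, https, smtp) are normalised so the two spellings used in this thread compare equal; `audit()` and `port_num()` are names chosen here.

```python
import re

# Port keywords the PIX accepts in place of numbers (the ones used in this thread).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25}

RE_OUTSIDE = re.compile(r"^ip address outside (\S+) \S+")
RE_GLOBAL_IF = re.compile(r"^global \(outside\) \d+ interface$")
RE_STATIC_PAT = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) netmask")
RE_STATIC_1TO1 = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
RE_PERMIT = re.compile(r"^access-list (\S+) permit tcp any (?:host (\S+)|(interface outside)) eq (\S+)")
RE_GROUP = re.compile(r"^access-group (\S+) in interface outside$")


def port_num(tok):
    """Resolve a port keyword (www, smtp, ...) or a number to an integer."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def audit(config):
    """Return a list of findings; an empty list means statics and the outside ACL agree."""
    outside_ip, pat_global, acl_name = None, False, None
    port_statics = {}   # public port -> "inside-host:port"
    one_to_one = []     # (public address, inside host) from plain 'static' lines
    permits = {}        # ACL name -> {(destination, port)} permitted from any source
    for line in map(str.strip, config.splitlines()):
        if m := RE_OUTSIDE.match(line):
            outside_ip = m.group(1)
        elif RE_GLOBAL_IF.match(line):
            pat_global = True
        elif m := RE_STATIC_PAT.match(line):
            port_statics[port_num(m.group(1))] = f"{m.group(2)}:{port_num(m.group(3))}"
        elif m := RE_STATIC_1TO1.match(line):
            one_to_one.append((m.group(1), m.group(2)))
        elif m := RE_PERMIT.match(line):
            dest = "interface outside" if m.group(3) else m.group(2)
            permits.setdefault(m.group(1), set()).add((dest, port_num(m.group(4))))
        elif m := RE_GROUP.match(line):
            acl_name = m.group(1)

    findings = []
    for pub, host in one_to_one:
        if pat_global and pub == outside_ip:
            findings.append(f"one-to-one static {pub} -> {host} claims the outside address "
                            "that 'global (outside) interface' already uses for PAT")
    if acl_name is None:
        findings.append("no access-group applied inbound on outside: inbound connections are denied")
        return findings
    allowed = permits.get(acl_name, set())
    for port, target in sorted(port_statics.items()):
        if not any(p == port and d in ("interface outside", outside_ip) for d, p in allowed):
            findings.append(f"static PAT to {target} on port {port} has no permit in {acl_name}")
    for dest, port in sorted(allowed):
        if port not in port_statics and dest not in {pub for pub, _ in one_to_one}:
            findings.append(f"{acl_name} permits port {port} to {dest} but no static forwards it")
    return findings
```

Feed it the text of a `write terminal` dump; on lazyboy's first config it reports the static/PAT clash, on Sgt_B's corrected lines it reports nothing.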
lazyboy
Posted: Wed Jan 12, 2005 9:23 am    Post subject: Configuring PIX 506E

Thanks Sgt_B for your help. This pix is driving me crazy. I did your changes with no luck so far. It seems like the pix is forwarding packets to the server but the server does not respond. What about the route command? I am not sure if the default gateway provided by my ISP is the one to use. When I connect the server directly to the internet I can get my IP address, gateway, and DNS servers through their DHCP server.

My log is reporting the following for an inbound connection:

"Built inbound TCP connection 61 for outside: xxxxx/1433 (xxxxx/1433) to inside: 192.168.1.2/80 (my-public-IP-address/80)"

where xxxxx is the external IP trying to connect to port 80. For outbound connections I am getting:

"Teardown static TCP translation from inside 192.168.1.2/80 to outside: my-public-IP-address/80 duration 0:02:07"

According to your suggestions, the current config is like this:


PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out deny icmp any any
access-list acl_out permit tcp any interface outside eq www
access-list acl_out permit tcp any interface outside eq https
access-list acl_out permit tcp any interface outside eq smtp
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside my-public-IP-address 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.2 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 my-Default-Gateway-IP-address 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment chain 1
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside

Hope this clarifies the situation. Thanks.
Sgt_B
Posted: Wed Jan 12, 2005 4:33 pm

Quote:
"Built inbound TCP connection 61 for outside: xxxxx/1433 (xxxxx/1433) to inside: 192.168.1.2/80 (my-public-IP-address/80)"

This is a good thing. It lets us know that the address translation is working properly. You normally won't get log entries for packets that match and are allowed to traverse the PIX. No log entries from the ACL here, so it looks like the PIX is ok.
Quote:
"Teardown static TCP translation from inside 192.168.1.2/80 to outside: my-public-IP-address/80 duration 0:02:07"

This one has me a little confused. Are you trying to access your own public IP address from inside your LAN (from the webserver)? If so, then that won't work. The PIX has built-in mechanisms to prevent packets going out, then in, the same interface.

The route looks good as long as you're sure that the gateway IP address is correct.

I'm not seeing anything in your logs that shows clearly what the problem is. So let's run some simple tests.

From an internal client, access www.yahoo.com. Do you get a page? What do the logs from the PIX say when you attempt to make this connection?

Can an outside source access your webserver? For the sake of simplicity let's try port 80. Perhaps have a friend try to access the site, or if you want I could always have a look.
Once that's done, what were the results on the client machine? What did the logs on the PIX show? Run a sh access-list acl_out as well. This will display that ACL, but it also shows a "hitcount". That number should increment every time a packet matches that rule. If we see the counter going up with each attempt, we know the ACL is working properly.

Can internal clients (192.168.1.0/24) access the web server's http service via the web server's internal IP address?

PS - If you want me to help test this out, by serving as an outside source, PM me your IP address, and I'll have a look.
lazyboy
Posted: Wed Jan 12, 2005 6:01 pm    Post subject: Configuring the PIX 506E

Answer to your questions: the webserver is alone in the internal network, with no other clients or servers on the inside, which explains the log entry in the previous message (I can access my webserver from outside because I have another dial-up connection to the internet, so fortunately I do not need a friend to do it for me). Again, the "built inbound" log message appeared when I tried to access the webserver from outside; for completeness I tried again and got this log:

"Built inbound TCP connection 130 for outside 204.x.x.x/46758 (204.x.x.x/46758) to inside 192.168.1.2/80 (192.168.1.2/80)"

which is basically the same as before, and a "Cannot find server" / "Page not found" message in the browser. What I noted is that a few lines later the PIX log shows:

"Teardown TCP connection 130 for outside 204.x.x.x/46758 to inside 192.168.1.2/80"

The sh command shows the information correctly; as you mentioned, the (TCP) hitcount is increasing:

access-list acl_out; 4 elements
access-list acl_out line 1 deny icmp any any (hitcount=0)
access-list acl_out line 2 permit tcp any interface outside eq www (hitcount=110)
access-list acl_out line 3 permit tcp any interface outside eq https (hitcount=0)
access-list acl_out line 4 permit tcp any interface outside eq smtp (hitcount=0)

When I try to access the internet from the webserver I do not see any log entry. Should the webserver have configured a default gateway? If so, what will it be (192.168.1.1)? Thanks so much for your help Sgt_B.
Sgt_B
Posted: Thu Jan 13, 2005 6:43 am

If TCP/IP settings are not configured properly on the web server then you'll definitely run into some problems.
You need to have a default gateway set on the web server. Without one, the packets will reach the web server, but it will have no idea how to route responses back to the requesting host.
That would explain the current issue. Everything on the PIX side looks to be, and probably is, working as it should. It's the web server that's the problem.

So just put the DG on the web server as the internal IP address of the PIX. Once that's set, things should start working for you.

In order to access the internet from the web server, you'll also have to add a DNS server to the web server as well. You can just use the one supplied to you by your ISP.
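Sgt_B's reading of the two log lines, turned into an added example (not code from the thread or from Cisco): pair PIX "Built" (302013) and "Teardown" (302014) TCP connection messages by connection id and say whether the static translation fired and whether any bytes ever crossed. It accepts the abbreviated lines quoted above; the `duration ... bytes N reason` suffix that a full 302014 message carries is treated as optional, which is an assumption about the message format, and `correlate()` / `verdict()` are names chosen here.

```python
import re

# Connection messages in the form lazyboy pasted (PIX 6.3 syslog ids 302013 / 302014).
# The trailing "duration H:MM:SS bytes N [reason]" fields of a teardown are optional
# here, because the lines quoted in the thread do not carry them (assumed format).
RE_BUILT = re.compile(
    r"Built (inbound|outbound) TCP connection (\d+) for outside:? ?(\S+)/(\d+) \((\S+)/(\d+)\)"
    r" to inside:? ?(\S+)/(\d+) \((\S+)/(\d+)\)")
RE_TEARDOWN = re.compile(
    r"Teardown TCP connection (\d+) for outside:? ?\S+/\d+ to inside:? ?\S+/\d+"
    r"(?: duration (\S+) bytes (\d+)(?: (.*))?)?")


def correlate(lines):
    """Pair Built/Teardown messages by connection id; returns {id: record}."""
    conns = {}
    for line in lines:
        if m := RE_BUILT.search(line):
            direction, cid, src, sport, _, _, dst, dport, mdst, mdport = m.groups()
            conns[cid] = {
                "direction": direction, "client": f"{src}/{sport}",
                "server": f"{dst}/{dport}", "mapped": f"{mdst}/{mdport}",
                # a mapped address that differs from the real one means the
                # static translation fired, which is what the first log line proved
                "translated": (dst, dport) != (mdst, mdport),
                "closed": False, "bytes": None, "reason": None,
            }
        elif m := RE_TEARDOWN.search(line):
            cid, duration, nbytes, reason = m.groups()
            if cid in conns:   # ignore teardowns whose build we never saw
                conns[cid].update(closed=True, duration=duration,
                                  bytes=None if nbytes is None else int(nbytes),
                                  reason=reason)
    return conns


def verdict(rec):
    """Explain what a connection record says about where the problem is."""
    if not rec["closed"]:
        return "open: PIX accepted it" + (" and translated it" if rec["translated"] else "")
    if rec["bytes"] == 0:
        return "closed with 0 bytes: PIX passed it, the server never answered"
    if rec["bytes"] is None:
        return "closed (PIX did not log a byte count on this line)"
    return f"closed after {rec['bytes']} bytes: traffic flowed both ways"
```

A connection that is built, then torn down with zero bytes, points past the firewall, which is exactly the missing default gateway on the web server that this thread ended up finding.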
lazyboy
Posted: Thu Jan 13, 2005 6:14 pm    Post subject: Configuring PIX 506E

Thanks for your continued support Sgt_B, that is what makes this forum so important, caring people like you. I called my ISP; they reconfigured the router and told me that the PIX should act as a DHCP server. I activated it as a DHCP server and traffic started flowing smoothly. The commands to activate the DHCP (for completeness of the thread) are:

dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd dns <DNS-ISP-provided>
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside


One last thing Sgt_B. SMTP seems to be working OK; I see the connections coming in and it seems like the PIX is allowing them. I can send e-mails out, but for some reason I do not get the incoming mails in the corresponding directory. This issue might not be firewall related, but if you have any suggestions they will certainly be appreciated.

Thanks again and have a nice day!
Sgt_B
Posted: Thu Jan 13, 2005 8:34 pm

Glad everything (almost everything) is working for you now!

About the SMTP thing...

The only SMTP related problem I know of with PIX is when the SMTP server is Microsoft Exchange. This may affect an MS SMTP relay as well.

PIX comes standard with fixup protocol smtp. This prevents attackers from sending funky SMTP commands to the server. Problem is, Exchange uses some unique commands in order to function. The PIX will filter those commands.

If you're running Exchange, then you need to disable the SMTP fixup on the PIX.
no fixup protocol smtp

If that doesn't resolve the issue, then I'd imagine the problem lies on the server, not the firewall.
I don't know much about Exchange, so you might want to post a new topic in the Exchange forum if it's the server causing the problem. We have quite a few outstanding Exchange admins that are members here at SFDC, so hopefully one of them will be able to help you out.

Quote:
Thanks for your continued support Sgt_B, that is what makes this forum so important, caring people like you.

Thanks!
SF Rules, Yes WE DO!
lazyboy
Posted: Sat Jan 15, 2005 1:45 am    Post subject: Configuring PIX 506E

Regarding the SMTP, it was a configuration problem on the server side. The PIX is allowing traffic. Everything is running smoothly now. Thanks Sgt_B for your continued support. Let's close this one.