Firewall Wizards mailing list archives
RE: PIX Config Problem
From: Dave Rinker <firewall () dsrtech com>
Date: 22 Apr 2003 19:53:10 -0400
Paul,

Wes is correct. All is correct with the exception of the ACL 100 destination host IP, which should be the outside interface IP. I use the 501 w/ DSL config as well and use the "interface" option in my static translations and it works fine. (6.2.2 code)

I'm testing the new 6.3.1 code and have found the following in the ACL that is NEW. You can use the "interface" command in the ACL! This will be beneficial to users with dynamic IPs.

Example: (1.1.1.1 is my bogus external host)

PIX501(config)# access-list 120 permit tcp host 1.1.1.1 interface outside eq ftp
PIX501(config)# sh access-list 120
access-list 120; 1 elements
access-list 120 line 1 permit tcp host 1.1.1.1 interface outside eq ftp
PIX501(config)#

So far I'm pleased with the mods Cisco has put in place. The numbered ACL is a real plus.

Thanks,
Dave

On Tue, 2003-04-22 at 17:50, Noonan, Wesley wrote:
Couple of things.

1) Your ACLs need to point to legit addresses, not your internal addresses. i.e.

access-list 100 permit tcp host <real source ip> host <real external destination IP> eq 3389

2) I have never used the static command with the "interface" variable. I always map the real external IP from the ACL to the internal IP address of the server. i.e.

static (inside,outside) tcp <real external IP> ftp 10.1.1.200 ftp netmask 255.255.255.255 0 0

HTH

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan () bmc com
http://www.bmc.com

-----Original Message-----
From: Paul Stewart [mailto:pauls () nexicom net]
Sent: Tuesday, April 22, 2003 12:31
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX Config Problem

Hi there...

I'm trying to get a PIX 501 to allow two inbound connections to an inside server... Terminal services and ftp to a Windows 2000 box. I want an access list that only allows certain IP's through as well. The PIX works great currently but now a consultant needs access remotely to a Win2k machine inside the network.

Here's my config... I can't figure out what's wrong... Thanks in advance for any help.
Paul

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
hostname fw
domain-name XXXXXX.net
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp host 123.123.123.123 host 10.1.1.200 eq 3389
access-list 100 permit tcp host 123.123.123.123 host 10.1.1.200 eq ftp
pager lines 24
logging on
logging trap warnings
logging facility 23
logging queue 0
logging host outside 123.123.123.123
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1492
mtu inside 1500
ip address outside 123.123.123.123 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 123.123.123.123 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 dns 0 0
static (inside,outside) tcp interface 3389 10.1.1.200 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 10.1.1.200 ftp netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 123.123.123.123 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
ntp server 130.126.24.44 source outside
http server enable
http 123.123.123.123 255.255.255.255 outside
http 10.1.1.0 255.255.255.0 inside
snmp-server host outside 123.123.123.123
snmp-server location blahblahblah
snmp-server contact Paul Stewart
snmp-server community blahblahblah
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
sysopt noproxyarp inside
no sysopt route dnat
telnet timeout 5
ssh 123.123.123.123 255.255.255.255 outside
ssh timeout 10
dhcpd address 10.1.1.100-10.1.1.120 inside
dhcpd dns 216.168.96.10 216.168.96.13
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username admin password XXXXXXXXXXXXXXXX encrypted privilege 15
username nrtco password XXXXXXXXXXXXXXXX encrypted privilege 5
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
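The diagnosis in this thread (Wes's point 1 and Dave's confirmation) is that an access-list applied inbound on the outside interface is matched against the packet before the static translation rewrites the destination, so the ACL must name the outside (global) address rather than the inside host 10.1.1.200. The script below is an added example, not code from the thread or from Cisco: it parses the relevant lines of Paul's posted config (embedded as a constructed sample; 123.123.123.123 is his sanitised placeholder for both the outside address and the consultant's source), finds ACL entries whose destination is the pre-translation inside address of a static on the same interface, and prints the corrected entry. With pix_63=True it emits the "interface outside" keyword form that Dave reports works on 6.3.1; otherwise it substitutes the literal outside interface address for 6.2. The regexes cover only the static/access-list/access-group/ip address forms seen on this page.

```python
"""Flag PIX 6.x inbound ACL entries that name a pre-translation inside host.

Added example (not from the thread). Assumes, as the thread concludes, that an
access-group applied "in interface outside" sees the destination *before* the
static untranslates it, so the ACL destination must be the global address.
"""
import re

# Constructed sample: the relevant lines of the PIX 6.2(2) config posted above.
SAMPLE_CONFIG = """
ip address outside 123.123.123.123 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp host 123.123.123.123 host 10.1.1.200 eq 3389
access-list 100 permit tcp host 123.123.123.123 host 10.1.1.200 eq ftp
global (outside) 1 interface
static (inside,outside) tcp interface 3389 10.1.1.200 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 10.1.1.200 ftp netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

# Minimal port-name table so "ftp" and "21" compare equal.
PORT_NAMES = {"ftp": "21", "ssh": "22", "telnet": "23", "smtp": "25", "www": "80", "http": "80"}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) host (\S+) host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")
IPADDR_RE = re.compile(r"^ip address (\w+) (\S+) \S+$")


def port_num(token):
    """Normalise a port name or number to a string of digits."""
    return PORT_NAMES.get(token, token)


def parse_config(text):
    """Extract statics, host-to-host ACL entries, access-groups and interface IPs."""
    statics, acls, groups, ifaddrs = [], [], {}, {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            low, high, proto, glob, gport, local, lport = m.groups()
            statics.append(dict(low=low, high=high, proto=proto, glob=glob,
                                gport=gport, local=local, lport=lport))
        elif m := ACL_RE.match(line):
            name, proto, src, dst, port = m.groups()
            acls.append(dict(name=name, proto=proto, src=src, dst=dst, port=port, text=line))
        elif m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2)          # acl name -> interface it is applied on
        elif m := IPADDR_RE.match(line):
            ifaddrs[m.group(1)] = m.group(2)         # interface -> its address
    return statics, acls, groups, ifaddrs


def find_mismatches(text, pix_63=False):
    """Return (bad_line, corrected_line) pairs.

    A mismatch is an ACL entry, applied inbound on interface X, whose destination
    is the inside (local) address/port of a static whose global side is X.
    """
    statics, acls, groups, ifaddrs = parse_config(text)
    findings = []
    for acl in acls:
        iface = groups.get(acl["name"])
        if iface is None:
            continue                                  # ACL is not applied anywhere
        for st in statics:
            if st["high"] != iface or st["proto"] != acl["proto"]:
                continue
            if acl["dst"] == st["local"] and port_num(acl["port"]) == port_num(st["lport"]):
                if st["glob"] == "interface":
                    # 6.3 accepts the keyword in the ACL; on 6.2 spell out the address.
                    dst = f"interface {iface}" if pix_63 else f"host {ifaddrs[iface]}"
                else:
                    dst = f"host {st['glob']}"
                # Keep the author's port token unless the static translates the port.
                port = acl["port"] if port_num(st["gport"]) == port_num(st["lport"]) else st["gport"]
                fixed = (f"access-list {acl['name']} permit {acl['proto']} host {acl['src']} "
                         f"{dst} eq {port}")
                findings.append((acl["text"], fixed))
    return findings


def apply_fixes(text, findings):
    """Rewrite the flagged lines in place so the check can be re-run."""
    for bad, fixed in findings:
        text = text.replace(bad, fixed)
    return text


if __name__ == "__main__":
    for bad, fixed in find_mismatches(SAMPLE_CONFIG):
        print(f"- {bad}\n+ {fixed}")
    print("6.3 form:")
    for _, fixed in find_mismatches(SAMPLE_CONFIG, pix_63=True):
        print(f"+ {fixed}")
```

Running it on the sample reports the two TCP entries of ACL 100 and rewrites their destination to the outside address (or to "interface outside"); re-running the check on the rewritten config returns nothing. The same mismatch shows up on any static, not only "interface" ones: if the static's global side is a literal address, as in Wes's form, that address is what the ACL must name.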