SETUP STATIC ENTRY FOR HOST BEHIND PIX

on 12.09.2006 18:05:46 by vreyesii

Hi,

The current Network looks like this>>>>

PIX --------- Server 1
| --------- Server 2
|
|
Switch 1 ------------ Multiple Hosts
------------ Host AS500

Currently the PIX has static statements and an access-list which allow SSH
from the outside into Server 1 and Server 2. When one tries to ssh into
216.X.X.A, which is the public IP on the PIX, the PIX sends you to
Server 1. When you SSH into 216.X.X.B, the PIX sends you to Server 2.
What I need is the PIX to allow SSH into the AS500 host, which is
located behind the PIX, using SSH. How can I set this up?

Thank You,
vreyesii

Re: SETUP STATIC ENTRY FOR HOST BEHIND PIX

on 12.09.2006 19:02:35 by roberson

In article <1158077146.864729.194080@h48g2000cwc.googlegroups.com>,
vreyesii wrote:

>The current Network looks like this>>>>

> PIX --------- Server 1
> | --------- Server 2
> |
> |
> Switch 1 ------------ Multiple Hosts
> ------------ Host AS500

>Currently the PIX has static statements and an access-list which allow SSH
>from the outside into Server 1 and Server 2. When one tries to ssh into
>216.X.X.A, which is the public IP on the PIX, the PIX sends you to
>Server 1. When you SSH into 216.X.X.B, the PIX sends you to Server 2.
>What I need is the PIX to allow SSH into the AS500 host, which is
>located behind the PIX, using SSH. How can I set this up?

On the PIX, give the command show static
That will show you the existing static configuration commands that
make the connection between 216.X.X.A and Server 1, or
216.X.X.B and Server 2. You'll need another one of those commands
except modified for 216.X.X.C and the AS500 host.

Then on the PIX, show access-group
and find the access-group entry that is marked as being
"in interface outside". The name between the token 'access-group'
and the 'in' will be the name of an access-list. For the purposes
of this discussion I'll call that Out2In_ACL. show access-list
followed by that name (e.g., show access-list Out2In_ACL )
and you will see an entry about permit tcp any host 216.X.X.A eq 22
(that is, the ssh port) and another similar for 216.X.X.B .
You need to add another entry like those for 216.X.X.C .

Note, though, that if you simply go into configuration mode and command

access-list Out2In_ACL permit tcp any host 216.X.X.C eq 22

then that will go at the *bottom* of the access-list, and if there
happens to be a 'deny' statement above that point on the list, that
deny statement might happen to block some of the traffic you want.
You need to get the new entry into the right location in the list;
the methods of doing that are dependent on the software version
and I don't have time (or interest) to describe them.

After you have put in the new access-list entry and the new
static entry, give the command clear xlate
Test the result, and if it works, then command write memory
in order to save the changes to be known at the next reboot.

Re: SETUP STATIC ENTRY FOR HOST BEHIND PIX

on 12.09.2006 20:35:27 by vreyesii

I do not have another external IP. Is there any way I can use the IP
216.X.X.A and change the incoming ssh port to something else (like port
4000) and then direct it to the AS500 host?

vreyesii


Re: SETUP STATIC ENTRY FOR HOST BEHIND PIX

on 12.09.2006 20:54:01 by roberson

In article <1158086127.531516.83540@b28g2000cwb.googlegroups.com>,
vreyesii wrote:
>I do not have another external IP. Is there any way I can use the IP
>216.X.X.A and change the incoming ssh port to something else (like port
>4000) and then direct it to the AS500 host?

The below work only for PIX 6.0 and later:

Provided that 216.X.X.A is not the address of the PIX itself,

static (inside,outside) tcp 216.X.X.A 4000 AS500IP 22 netmask 255.255.255.255
access-list Out2In_ACL permit tcp any host 216.X.X.A eq 4000
access-group Out2In_ACL in interface outside

followed by a clear xlate

If 216.X.X.A *is* the IP of the PIX itself, and you are using PIX 6.2 then

static (inside,outside) tcp interface 4000 AS500IP 22 netmask 255.255.255.255
access-list Out2In_ACL permit tcp any interface eq 4000
access-group Out2In_ACL in interface outside

followed by a clear xlate

If 216.X.X.A *is* the IP of the PIX itself, and you are using PIX 6.3 then

static (inside,outside) tcp interface 4000 AS500IP 22 netmask 255.255.255.255
access-list Out2In_ACL permit tcp any interface outside eq 4000
access-group Out2In_ACL in interface outside


Each of these versions would require that the client request connection
to port 4000 but that the server on AS500 would still be on port 22.
If you want to change the server to also be on 4000, then in the
static statements where you see the 22, replace it with 4000.

Re: SETUP STATIC ENTRY FOR HOST BEHIND PIX

on 12.09.2006 21:23:50 by vreyesii

I did what you said and I got an error I was not able to connect to the
internal host.



Re: SETUP STATIC ENTRY FOR HOST BEHIND PIX

on 13.09.2006 08:41:40 by roberson

In article <1158089030.445371.152970@e63g2000cwd.googlegroups.com>,
vreyesii wrote:
>I did what you said and I got an error I was not able to connect to the
>internal host.

You haven't given us enough to work with here. *What* error?
And which PIX version? And are you trying to work with the interface IP
or with a different IP?

Re: SETUP STATIC ENTRY FOR HOST BEHIND PIX

on 13.09.2006 15:24:55 by vreyesii

Walter Roberson wrote:
> In article <1158089030.445371.152970@e63g2000cwd.googlegroups.com>,
> vreyesii wrote:
> >I did what you said and I got an error I was not able to connect to the
> >internal host.
>
> You haven't given us enough to work with here. *What* error?
> And which PIX version? And are you trying to work with the interface IP
> or with a different IP?

The error is that I cannot connect to the ip address 216.X.X.A using
port 4000. The remote host just keeps on trying to connect and nothing.
The PIX version is > Cisco PIX Firewall Version 6.3(5)

Re: SETUP STATIC ENTRY FOR HOST BEHIND PIX

on 13.09.2006 16:50:39 by roberson

In article <1158153895.805925.15220@h48g2000cwc.googlegroups.com>,
vreyesii wrote:

>Walter Roberson wrote:
>> In article <1158089030.445371.152970@e63g2000cwd.googlegroups.com>,
>> vreyesii wrote:
>> >I did what you said and I got an error I was not able to connect to the
>> >internal host.

>> You haven't given us enough to work with here. *What* error?
>> And which PIX version? And are you trying to work with the interface IP
>> or with a different IP?

>The error is that I cannot connect to the ip address 216.X.X.A using
>port 4000. The remote host just keeps on trying to connect and nothing.
>The PIX version is > Cisco PIX Firewall Version 6.3(5)

Push up your logging level to debugging and see what shows up in the
logs when you make the attempt.

It would be easier if we had your config to work with; in particular,

show access-group
show access-list
show static
show nat
show global

Re: SETUP STATIC ENTRY FOR HOST BEHIND PIX

on 14.09.2006 14:42:06 by vreyesii

For this example let's just say I am trying to enable telnet instead of
ssh. I know that's not a good idea; however, it's just to see if this
works correctly. Because if I want to use with the host behind the
firewall I must upgrade the IOS for one that has the SSH feature. Below
is a copy of the PIX config.

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXX encrypted
passwd XXXXXXXXx encrypted
hostname pixfirewall
domain-name xxxx.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any interface outside eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit icmp any any echo-reply
access-list allow_inbound permit tcp any interface outside eq ssh
access-list allow_inbound permit tcp any host 216.X.X.B eq www
access-list allow_inbound permit tcp any host 216.X.X.B eq ssh
access-list allow_inbound permit tcp any host 216.X.X.B eq h323
access-list allow_inbound permit tcp any host 216.X.X.B eq 5060
access-list allow_inbound permit tcp any interface outside eq pptp
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 3000
access-list allow_inbound permit tcp any interface outside eq 13492
access-list allow_inbound permit udp any interface outside eq 13492
access-list allow_inbound permit udp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 10240
access-list allow_inbound permit tcp any interface outside eq 10241
access-list allow_inbound permit tcp any interface outside eq 10242
access-list allow_inbound permit udp any interface outside eq 10240
access-list allow_inbound permit udp any interface outside eq 10241
access-list allow_inbound permit udp any interface outside eq 10242
access-list allow_inbound permit tcp any interface outside eq 41170
access-list allow_inbound permit udp any interface outside eq 41170
access-list allow_inbound permit tcp any interface outside eq 4662
access-list allow_inbound permit tcp any interface outside eq 4000
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp host 10.1.1.253 host 216.178.32.49 eq www
access-list deny_outbound deny tcp host 10.1.1.253 host 216.178.32.48 eq www
access-list deny_outbound deny tcp host 10.1.1.253 host 216.178.32.50 eq www
access-list deny_outbound deny tcp host 10.1.1.253 host 216.178.32.51 eq www
access-list deny_outbound permit ip any any
access-list deny_outbound permit esp any any
access-list deny_outbound permit gre any any
access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
no pager
logging on
logging timestamp
logging monitor debugging
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 216.X.X.A 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list do_not_nat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 10.1.1.6 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 10.1.1.23 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask 255.255.255.255 0 0
static (inside,outside) 216.X.X.B 10.1.1.7 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.X.X.A 1
route inside 192.168.2.0 255.255.255.0 10.1.1.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community nyc4u2me
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 default-domain pix.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password XXXXXX
vpngroup vmr2 address-pool ippool
vpngroup vmr2 default-domain pix.com
vpngroup vmr2 split-tunnel 101
vpngroup vmr2 idle-time 1800
vpngroup vmr2 password XXXXXXX
vpngroup grace address-pool ippool
vpngroup grace default-domain pix.com
vpngroup grace split-tunnel 101
vpngroup grace idle-time 1800
vpngroup grace password XXXXXX
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
username vmr2 password XXXXXXXXXXXX encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner login Unauthorized access and use of this network/device will be prosecuted.
banner motd Unauthorized access and use of this network/device will be prosecuted.
Cryptochecksum:94691b44eea9790777e8d9d5cf2648e1
: end



Re: SETUP STATIC ENTRY FOR HOST BEHIND PIX

on 14.09.2006 21:27:04 by roberson

In article <1158237726.867449.154380@m73g2000cwd.googlegroups.com>,
vreyesii wrote:
>For this example let's just say I am trying to enable telnet instead of
>ssh. I know that's not a good idea; however, it's just to see if this
>works correctly.

telnet to which address? You cannot telnet to the outside interface
IP of the PIX, even if you have set up port forwarding from the
interface to some internal host. The PIX *specifically* blocks
telnet to the outside interface. (The only exception is if the
traffic is within a VPN tunnel.)

This restriction on the PIX does not apply if you are using any
destination address other than the PIX outside interface address:
you are allowed to configure the PIX to allow telnet to a public
address and have that sent on to the host.


>Because if I want to use with the host behind the
>firewall I must upgrade the IOS for one that has the SSH feature.

The IOS of what? PIX doesn't use IOS: it uses an operating system
named Finesse but more commonly called "PIX OS". And ssh to the PIX
has been supported on all PIX for a number of releases, including
6.3(5). You do not need to upgrade your PIX to be able to ssh to
the PIX itself (e.g., to manage the PIX); you do, though, need
to use the "ca generate" command (with appropriate parameters) to generate
an RSA key, and then use the "ca save all" command to save that RSA key to
permanent memory.


>Below
>is a copy of the PIX config.

>PIX Version 6.3(5)

>access-list allow_inbound permit tcp any interface outside eq smtp
>access-list allow_inbound permit tcp any interface outside eq pop3
>access-list allow_inbound permit tcp any interface outside eq www
>access-list allow_inbound permit icmp any any source-quench

Personally, I don't allow source-quench through: source-quench
packets have no authentication information, so they can be used
as a small Denial of Service against your machines.

>access-list allow_inbound permit icmp any any echo-reply
>access-list allow_inbound permit tcp any interface outside eq ssh

>access-list allow_inbound permit tcp any host 216.X.X.B eq www
>access-list allow_inbound permit tcp any host 216.X.X.B eq ssh
>access-list allow_inbound permit tcp any host 216.X.X.B eq h323
>access-list allow_inbound permit tcp any host 216.X.X.B eq 5060

>access-list allow_inbound permit tcp any interface outside eq pptp
>access-list allow_inbound permit gre any interface outside

Those two lines are likely to fail for you. gre does not have any
port numbers, and so cannot be used with Port Address Translation
like TCP and UDP can be. PIX 6.x does not provide any mechanism to
forward gre packets to a specific inside host -- there is, for example, NO

! non-existent command below!
static (inside,outside) gre interface 10.1.1.17 netmask 255.255.255.255

The gre packets are not going to go anywhere.

If your intention was to allow pptp connections to terminate -at-
the PIX, then you do not need to permit pptp or gre in
your access-list as the PIX will automatically open them to support
configured vpdn.

>access-list allow_inbound permit tcp any interface outside eq 3000
>access-list allow_inbound permit tcp any interface outside eq 13492
>access-list allow_inbound permit udp any interface outside eq 13492
>access-list allow_inbound permit udp any interface outside eq 49153
>access-list allow_inbound permit tcp any interface outside eq 49153
>access-list allow_inbound permit tcp any interface outside eq 10240
>access-list allow_inbound permit tcp any interface outside eq 10241
>access-list allow_inbound permit tcp any interface outside eq 10242
>access-list allow_inbound permit udp any interface outside eq 10240
>access-list allow_inbound permit udp any interface outside eq 10241
>access-list allow_inbound permit udp any interface outside eq 10242
>access-list allow_inbound permit tcp any interface outside eq 41170
>access-list allow_inbound permit udp any interface outside eq 41170
>access-list allow_inbound permit tcp any interface outside eq 4662
>access-list allow_inbound permit tcp any interface outside eq 4000

If I recall correctly which thread this is, you wanted to be able
to ssh to an alternate port (4000) on the PIX and have that go to
a different machine. If so then the line you configured above
should be fine.

>access-list deny_outbound deny tcp any host 63.236.240.73 eq https
>access-list deny_outbound deny tcp any host 209.202.9.7 eq https
>access-list deny_outbound deny tcp any host 63.236.240.73 eq www
>access-list deny_outbound deny tcp any host 66.28.235.59 eq www
>access-list deny_outbound deny tcp host 10.1.1.253 host 216.178.32.49 eq www
>access-list deny_outbound deny tcp host 10.1.1.253 host 216.178.32.48 eq www
>access-list deny_outbound deny tcp host 10.1.1.253 host 216.178.32.50 eq www
>access-list deny_outbound deny tcp host 10.1.1.253 host 216.178.32.51 eq www
>access-list deny_outbound permit ip any any
>access-list deny_outbound permit esp any any
>access-list deny_outbound permit gre any any

esp and gre are subsets of ip, so those last two lines are redundant.
Also if the idea was to permit VPN tunnels terminating -at- the PIX
(rather than VPN that passes -through- the PIX) then you do not need
these, as the PIX will automatically permit that traffic if it
needs it.

>access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

>icmp deny any outside

You should allow icmp time-exceeded and icmp unreachable to the outside
interface: otherwise icmp packets coming back for traffic that
was PAT'd to the outside interface address will not make it through.
The permit icmp that you have in the access-list applied to the outside
interface does not affect icmp traffic that has the PIX outside IP
as its destination, even if that destination IP is only there
because of PAT.

>ip address outside 216.X.X.A 255.255.255.0
>ip address inside 10.1.1.1 255.255.255.0

>ip local pool ippool 10.1.2.1-10.1.2.254

>global (outside) 1 interface
>nat (inside) 0 access-list do_not_nat
>nat (inside) 1 10.1.1.0 255.255.255.0 0 0

Those are good.

>nat (inside) 1 0.0.0.0 0.0.0.0 0 0

That's not really necessary: if you have traffic from the inside
that has a source IP address that is not in the 10.1.1/24 range,
then something is misconfigured or rogue, and the traffic should
probably not be permitted to go outside.

>static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface ssh 10.1.1.6 ssh netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface pptp 10.1.1.23 pptp netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
>static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask 255.255.255.255 0 0

Related to the discussion above about telnet: that discussion does not
apply when the target port is not the telnet port. The above line should
indeed redirect outside interface port TCP 4000 to the telnet port of
10.1.1.251

>static (inside,outside) 216.X.X.B 10.1.1.7 netmask 255.255.255.255 0 0

>access-group allow_inbound in interface outside
>access-group deny_outbound in interface inside

>snmp-server host inside 10.1.1.23
>snmp-server host inside 10.1.1.252

Most people should have 'poll' on the end of their snmp-server statements.
snmp-server host inside 10.1.1.23 poll


I recommend that you change your

logging trap notifications

to

logging trap debug

and look at your syslog on 10.1.1.23 as you make the attempt to
telnet in through port 4000.
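
The first-match ordering caveat from the earlier reply and the static/access-list pairing reviewed in this one can be checked mechanically. The script below is an added example, not part of any post in the thread: it uses a trimmed excerpt of the posted config, and the function names and the probe source address 198.51.100.10 are assumptions chosen for illustration.

```python
import ipaddress

# Trimmed excerpt of the PIX 6.3(5) config posted in the thread.
CONFIG = """\
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any interface outside eq ssh
access-list allow_inbound permit tcp any interface outside eq 3000
access-list allow_inbound permit tcp any interface outside eq 13492
access-list allow_inbound permit tcp any interface outside eq 4000
static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 10.1.1.6 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
"""

# Service names used in the excerpt, mapped to port numbers.
PORTS = {"smtp": 25, "pop3": 110, "www": 80, "ssh": 22, "telnet": 23, "pptp": 1723}


def port(token):
    return PORTS[token] if token in PORTS else int(token)


def take_addr(tokens):
    """Consume one address spec; return (spec, remaining tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "interface":          # "interface outside"
        return "interface", tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse(config):
    """Return (ACL bound inbound on outside, list of port-redirect statics)."""
    acls, statics, bound = {}, [], None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            src, rest = take_addr(t[4:])
            dst, rest = take_addr(rest)
            dport = port(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(t[1], []).append(
                {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport})
        elif t[0] == "static" and t[2] in ("tcp", "udp") and t[3] == "interface":
            statics.append({"proto": t[2], "outside_port": port(t[4]),
                            "host": t[5], "host_port": port(t[6])})
        elif t[0] == "access-group" and t[2] == "in" and t[-1] == "outside":
            bound = t[1]
    return acls.get(bound, []), statics


def first_match(acl, proto, src_ip, dport):
    """First entry (1-based index, entry) matching a packet addressed to the
    outside interface, or None when only the implicit deny applies."""
    src = ipaddress.ip_address(src_ip)
    for i, ace in enumerate(acl, 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["src"] != "any" and src not in ace["src"]:
            continue
        # Only "any" and "interface outside" destinations are modelled, because
        # the interface address itself is masked in the thread.
        if ace["dst"] not in ("any", "interface"):
            continue
        if ace["dport"] not in (None, dport):
            continue
        return i, ace
    return None


def audit(config, probe_src):
    """Map each port redirect to (action, ACL line); line 0 is the implicit deny.
    Also list interface permits that have no port redirect behind them."""
    acl, statics = parse(config)
    report = {}
    for s in statics:
        hit = first_match(acl, s["proto"], probe_src, s["outside_port"])
        report[(s["proto"], s["outside_port"])] = (
            ("deny", 0) if hit is None else (hit[1]["action"], hit[0]))
    forwarded = {(s["proto"], s["outside_port"]) for s in statics}
    orphans = [(a["proto"], a["dport"]) for a in acl
               if a["action"] == "permit" and a["dst"] == "interface"
               and a["dport"] and (a["proto"], a["dport"]) not in forwarded]
    return report, orphans


if __name__ == "__main__":
    # 198.51.100.10 is a constructed probe source; 59.124.1.1 falls inside
    # the first deny entry of the excerpt.
    for src in ("198.51.100.10", "59.124.1.1"):
        report, orphans = audit(CONFIG, src)
        print(src, report, "permits without a static:", orphans)
```

On this excerpt the port 4000 redirect is permitted for an ordinary source but denied by the first entry for a source inside 59.124.0.0/14; the port 1000 redirect has no permit at all, and the port 13492 permit has no redirect behind it.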

Re: SETUP STATIC ENTRY FOR HOST BEHIND PIX

on 16.09.2006 05:46:57 by vreyesii

Sorry that I took a while to get back. Below is the output from the
syslog server. The IP address 71.X.X.174, is where the telnet
connection was issued to the PIX.

402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 216.X.X.85, src_addr= 71.X.X.174, prot= tcp
402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 216.X.X.85, src_addr= 71.X.X.174, prot= tcp
305012: Teardown dynamic UDP translation from inside:10.1.1.2/4871 to outside:216.X.X.85/32189 duration 0:00:32
305012: Teardown dynamic TCP translation from inside:10.1.1.2/4247 to outside:216.X.X.85/27789 duration 0:00:32
302014: Teardown TCP connection 6367571 for outside:67.158.75.133/6346 to inside:10.1.1.23/3313 duration 0:55:29 bytes 38069 FIN Timeout
305012: Teardown dynamic TCP translation from inside:10.1.1.23/3313 to outside:216.X.X.85/27625 duration 0:55:32
305012: Teardown dynamic UDP translation from inside:10.1.1.252/2683 to outside:216.X.X.85/32190 duration 0:00:31
402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 216.X.X.85, src_addr= 71.X.X.174, prot= tcp
710005: UDP request discarded from 10.1.1.23/138 to inside:10.1.1.255/netbios-dgm
302015: Built outbound UDP connection 6367949 for outside:66.214.114.23/21236 (66.214.114.23/21236) to inside:10.1.1.23/27867 (216.254.64.85/30380)
710005: UDP request discarded from 10.1.1.252/7500 to inside:10.1.1.255/7500
710005: UDP request discarded from 10.1.1.252/7500 to inside:10.1.1.255/7500
710005: UDP request discarded from 10.1.1.252/7500 to inside:10.1.1.255/7500




Walter Roberson wrote:
> In article <1158237726.867449.154380@m73g2000cwd.googlegroups.com>,
> vreyesii wrote:
> >For this example let just say I am trying to enable telnet instead of
> >ssh. I know thats not a good idea however, it's just to see if this
> >works correctly.
>
> telnet to which address? You cannot telnet to the outside interface
> IP of the PIX, even if you have set up port forwarding from the
> interface to some internal host. The PIX *specifically* blocks
> telnet to the outside interface. (The only exception is if the
> traffic is within a VPN tunnel.)
>
> This restriction on the PIX does not apply if you are using any
> destination address other than the PIX outside interface address:
> you are allowed to configure the PIX to allow telnet to public
> address and have that sent on to the host.
>
>
> >Because if I want to use with the host behind the
> >firewall I must upgrade the IOS for one that has the SSH feature.
>
> The IOS of what? PIX doesn't use IOS: it uses an operating system
> named Finesse but more commonly called "PIX OS". And ssh to the PIX
> has been supported on all PIX for a number of releases, including
> 6.3(5). You do not need to upgrade your PIX to be able to ssh to
> the PIX itself (e.g., to manage the PIX); you do, though, need
> to use the "ca generate" command (with appropriate parameters) to generate
> an RSA key, and then use the "ca save all" command to save that RSA key to
> permanent memory.
>
>
> >Below
> >is a copy of the PIX config.
>
> >PIX Version 6.3(5)
>
> >access-list allow_inbound permit tcp any interface outside eq smtp
> >access-list allow_inbound permit tcp any interface outside eq pop3
> >access-list allow_inbound permit tcp any interface outside eq www
> >access-list allow_inbound permit icmp any any source-quench
>
> Personally, I don't allow source-quench through: source-quench
> packets have no authentication information, so they can be used
> as a small Denial of Service against your machines.
>
> >access-list allow_inbound permit icmp any any echo-reply
> >access-list allow_inbound permit tcp any interface outside eq ssh
>
> >access-list allow_inbound permit tcp any host 216.X.X.B eq www
> >access-list allow_inbound permit tcp any host 216.X.X.B eq ssh
> >access-list allow_inbound permit tcp any host 216.X.X.B eq h323
> >access-list allow_inbound permit tcp any host 216.X.X.B eq 5060
>
> >access-list allow_inbound permit tcp any interface outside eq pptp
> >access-list allow_inbound permit gre any interface outside
>
> Those two lines are likely to fail for you. gre does not have any
> port numbers, and so cannot be used with Port Address Translation
> like TCP and UDP can be. PIX 6.x does not provide any mechanism to
> forward gre packets to a specific inside host -- there is, for example, NO
>
> ! non-existent command below!
> static (inside,outside) gre interface 10.1.1.17 netmask 255.255.255.255
>
> The gre packets are not going to go anywhere.
>
> If your intention was to allow pptp connections to terminate -at-
> the PIX, then you do not need to permit pptp or gre in
> your access-list as the PIX will automatically open them to support
> configured vpdn
>
> >access-list allow_inbound permit tcp any interface outside eq 3000
> >access-list allow_inbound permit tcp any interface outside eq 13492
> >access-list allow_inbound permit udp any interface outside eq 13492
> >access-list allow_inbound permit udp any interface outside eq 49153
> >access-list allow_inbound permit tcp any interface outside eq 49153
> >access-list allow_inbound permit tcp any interface outside eq 10240
> >access-list allow_inbound permit tcp any interface outside eq 10241
> >access-list allow_inbound permit tcp any interface outside eq 10242
> >access-list allow_inbound permit udp any interface outside eq 10240
> >access-list allow_inbound permit udp any interface outside eq 10241
> >access-list allow_inbound permit udp any interface outside eq 10242
> >access-list allow_inbound permit tcp any interface outside eq 41170
> >access-list allow_inbound permit udp any interface outside eq 41170
> >access-list allow_inbound permit tcp any interface outside eq 4662
> >access-list allow_inbound permit tcp any interface outside eq 4000
>
> If I recall correctly which thread this is, you wanted to be able
> to ssh to an alternate port (4000) on the PIX and have that go to
> a different machine. If so then the line you configured above
> should be fine.
>
> >access-list deny_outbound deny tcp any host 63.236.240.73 eq https
> >access-list deny_outbound deny tcp any host 209.202.9.7 eq https
> >access-list deny_outbound deny tcp any host 63.236.240.73 eq www
> >access-list deny_outbound deny tcp any host 66.28.235.59 eq www
> >access-list deny_outbound deny tcp host 10.1.1.253 host 216.178.32.49
> >eq www
> >access-list deny_outbound deny tcp host 10.1.1.253 host 216.178.32.48
> >eq www
> >access-list deny_outbound deny tcp host 10.1.1.253 host 216.178.32.50
> >eq www
> >access-list deny_outbound deny tcp host 10.1.1.253 host 216.178.32.51
> >eq www
> >access-list deny_outbound permit ip any any
> >access-list deny_outbound permit esp any any
> >access-list deny_outbound permit gre any any
>
> esp and gre are subsets of ip, so those last two lines are redundant.
> Also if the idea was to permit VPN tunnels terminating -at- the PIX
> (rather than VPN that passes -through- the PIX) then you do not need
> these, as the PIX will automatically permit that traffic if it
> needs it.
>
> >access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
>
> >icmp deny any outside
>
> You should allow icmp time-exceeded and icmp unreachable to the outside
> interface: otherwise icmp packets coming back for traffic that
> was PAT'd to the outside interface address will not make it through.
> The permit icmp that you have in the access-list applied to the outside
> interface does not affect icmp traffic that has the PIX outside IP
> as its destination, even if that destination IP is only there
> because of PAT.
>
> >ip address outside 216.X.X.A 255.255.255.0
> >ip address inside 10.1.1.1 255.255.255.0
>
> >ip local pool ippool 10.1.2.1-10.1.2.254
>
> >global (outside) 1 interface
> >nat (inside) 0 access-list do_not_nat
> >nat (inside) 1 10.1.1.0 255.255.255.0 0 0
>
> Those are good.
>
> >nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>
> That's not really necessary: if you have traffic from the inside
> that has a source IP address that is not in the 10.1.1/24 range,
> then something is misconfigured or rogue, and the traffic should
> probably not be permitted to go outside.
>
> >static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 0 0
> >static (inside,outside) tcp interface ssh 10.1.1.6 ssh netmask 255.255.255.255 0 0
> >static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask 255.255.255.255 0 0
> >static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask 255.255.255.255 0 0
> >static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
> >static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
> >static (inside,outside) tcp interface pptp 10.1.1.23 pptp netmask 255.255.255.255 0 0
> >static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask 255.255.255.255 0 0
> >static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
> >static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask 255.255.255.255 0 0
> >static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask 255.255.255.255 0 0
>
> Related to the discussion above about telnet: that discussion does not
> apply when the target port is not the telnet port. The above line should
> indeed redirect outside interface port TCP 4000 to the telnet port of
> 10.1.1.251
>
> >static (inside,outside) 216.X.X.B 10.1.1.7 netmask 255.255.255.255 0 0
>
> >access-group allow_inbound in interface outside
> >access-group deny_outbound in interface inside
>
> >snmp-server host inside 10.1.1.23
> >snmp-server host inside 10.1.1.252
>
> Most people should have 'poll' on the end of their snmp-server statements.
> snmp-server host inside 10.1.1.23 poll
>
>
> I recommend that you change your
>
> logging trap notifications
>
> to
>
> logging trap debug
>
> and look at your syslog on 10.1.1.23 as you make the attempt to
> telnet in through port 4000.
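
The review quoted above turns on each port forward needing both a `static` entry and a matching permit in the access-list bound to the outside interface. As an added example (not part of the thread), this Python check cross-references the two over a constructed subset of the posted lines; it assumes both commands spell a port the same way (name or number) and that forwards use the `interface` keyword.

```python
import re

# Constructed input: a subset of the PIX 6.3 lines quoted in the thread.
CONFIG = """\
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any interface outside eq ssh
access-list allow_inbound permit tcp any interface outside eq pptp
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 3000
access-list allow_inbound permit tcp any interface outside eq 13492
access-list allow_inbound permit udp any interface outside eq 13492
access-list allow_inbound permit tcp any interface outside eq 4000
static (inside,outside) tcp interface ssh 10.1.1.6 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 10.1.1.23 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
"""

ACL = re.compile(r"^access-list (\S+) permit (\S+) any interface outside(?: eq (\S+))?$")
STATIC = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+) ")
GROUP = re.compile(r"^access-group (\S+) in interface outside$")

def audit(config):
    """Return findings where outside-interface permits and static forwards disagree."""
    lines = config.splitlines()
    # Only the ACL actually bound inbound on the outside interface matters.
    acl_name = next(g[1] for ln in lines if (g := GROUP.match(ln)))
    permits, forwards, findings = set(), {}, []
    for ln in lines:
        if (m := ACL.match(ln)) and m[1] == acl_name:
            if m[3] is None:  # e.g. gre: no ports, so PAT cannot forward it
                findings.append(f"permit {m[2]} to the interface has no port, "
                                "so no static port forward can carry it")
            else:
                permits.add((m[2], m[3]))
        elif m := STATIC.match(ln):
            forwards[(m[1], m[2])] = f"{m[3]}:{m[4]}"
    for proto, port in sorted(set(forwards) - permits):
        findings.append(f"static {proto}/{port} -> {forwards[(proto, port)]} "
                        f"has no permit in {acl_name}")
    for proto, port in sorted(permits - set(forwards)):
        findings.append(f"permit {proto}/{port} in {acl_name} has no static port forward")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)))
```

On this subset it reports the gre permit, the tcp/1000 forward that has no permit, and the tcp and udp 13492 permits that have no forward behind them.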

Re: SETUP STATIC ENTRY FOR HOST BEHIND PIX

am 17.09.2006 01:34:42 von roberson

In article <1158378417.419691.223110@m73g2000cwd.googlegroups.com>,
vreyesii wrote:
>Sorry that I took a while to get back. Below is the output from the
>syslog server. The IP address 71.X.X.174, is where the telnet
>connection was issued to the PIX.

>402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 216.X.X.85,
>src_addr= 71.X.X.174, prot= tcp

You would get that message if you tried to connect to the telnet
port of a PIX with outside address 216.X.X.85 .

You would not, however, get that message if you configure telnet
passing through on a different port (e.g., 4000) and connect to
that.

Your earlier configuration postings did show a translation on
port 4000; is it possible that whatever client you were using
was connecting to the default port (23) instead of to 4000 ?

Re: SETUP STATIC ENTRY FOR HOST BEHIND PIX

am 17.09.2006 06:26:44 von vreyesii

These are the errors which I got when I tried again to telnet into the
PIX using port 4000. I used Hyperterminal on the remote host, and
changed the port number to 4000 and entered the IP address 216.X.X.85.
What am I doing wrong?

2006-09-17 00:09:24 Local4.Info 10.1.1.1 Sep 16 2006 12:03:07:
%PIX-6-302013: Built inbound TCP connection 6440580 for
outside:71.X.X.174/50439 (71.X.X.174/50439) to inside:10.1.1.251/23
(216.X.X.85/4000)

2006-09-17 00:09:38 Local4.Info 10.1.1.1 Sep 16 2006 12:03:21:
%PIX-6-302014: Teardown TCP connection 6440257 for
outside:71.X.X.174/50438 to inside:10.1.1.251/23 duration 0:02:01 bytes
0 SYN Timeout

Walter Roberson wrote:
> In article <1158378417.419691.223110@m73g2000cwd.googlegroups.com>,
> vreyesii wrote:
> >Sorry that I took a while to get back. Below is the output from the
> >syslog server. The IP address 71.X.X.174, is where the telnet
> >connection was issued to the PIX.
>
> >402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 216.X.X.85,
> >src_addr= 71.X.X.174, prot= tcp
>
> You would get that message if you tried to connect to the telnet
> port of a PIX with outside address 216.X.X.85 .
>
> You would not, however, get that message if you configure telnet
> passing through on a different port (e.g., 4000) and connect to
> that.
>
> Your earlier configuration postings did show a translation on
> port 4000; is it possible that whatever client you were using
> was connecting to the default port (23) instead of to 4000 ?

Re: SETUP STATIC ENTRY FOR HOST BEHIND PIX

am 17.09.2006 07:23:03 von roberson

In article <1158467204.365458.94900@h48g2000cwc.googlegroups.com>,
vreyesii wrote:
>These are the errors which I got when I tried again to telnet into the
>PIX using port 4000. I used Hyperterminal on the remote host, and
>changed the port number to 4000 and entered the IP address 216.X.X.85.
>What am I doing wrong?
>
>2006-09-17 00:09:24 Local4.Info 10.1.1.1 Sep 16 2006 12:03:07:
>%PIX-6-302013: Built inbound TCP connection 6440580 for
>outside:71.X.X.174/50439 (71.X.X.174/50439) to inside:10.1.1.251/23
>(216.X.X.85/4000)

>2006-09-17 00:09:38 Local4.Info 10.1.1.1 Sep 16 2006 12:03:21:
>%PIX-6-302014: Teardown TCP connection 6440257 for
>outside:71.X.X.174/50438 to inside:10.1.1.251/23 duration 0:02:01 bytes
>0 SYN Timeout

Those look fine in themselves: they indicate that the PIX accepted
the connection and forwarded the addressed 216.X.X.85 port 4000
on to 10.1.1.251 port 23, but that the PIX did not see any
response from 10.1.1.251 within 2 minutes and so timed out the
connection.

This could indicate that 10.1.1.251 does not have a default route
or gateway set so that the packets are not getting back to the PIX.


But the time stamps are odd. The first timestamp on the line is the
time that the logger received the message, and the second timestamp
on the line is the time registered on the PIX when it sent the message.

First off, notice that the elapsed time on both the PIX and the logger
was only 14 seconds, not 2 minutes.

Secondly, notice that the timestamps on the two are way out of sync,
with the logger being 12 hours, 6 minutes and 17 seconds ahead.
12 hours could be accounted for if you happen to be 12 hours off of
GMT and your PIX is set for GMT, but the 6 minutes and 17 seconds
implies that either the clocks are not synchronized or else that
you have a *very* large internal network delay.

Have you tried setting up 'ntp server' on the PIX? (Have you
tried setting up an ntp client on your logging machine) ?
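
The reading of the two syslog entries above can be automated. This added example (not from the thread; the logger prefix layout is assumed from the two quoted lines) parses 302013/302014 entries, measures the offset between the logger's clock and the PIX's clock, and checks whether each Teardown refers to a connection whose Built entry is in the capture.

```python
import re
from datetime import datetime, timedelta

# Constructed input: the two syslog entries quoted in the thread, re-joined
# onto single lines (the archive wrapped them).
SAMPLE = [
    "2006-09-17 00:09:24 Local4.Info 10.1.1.1 Sep 16 2006 12:03:07: "
    "%PIX-6-302013: Built inbound TCP connection 6440580 for "
    "outside:71.X.X.174/50439 (71.X.X.174/50439) to inside:10.1.1.251/23 (216.X.X.85/4000)",
    "2006-09-17 00:09:38 Local4.Info 10.1.1.1 Sep 16 2006 12:03:21: "
    "%PIX-6-302014: Teardown TCP connection 6440257 for "
    "outside:71.X.X.174/50438 to inside:10.1.1.251/23 duration 0:02:01 bytes 0 SYN Timeout",
]

HEADER = re.compile(
    r"^(?P<rx>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \S+ "   # logger receive time, facility, sender
    r"(?P<dev>\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d): "      # time on the PIX's own clock
    r"%PIX-\d-(?P<msgid>\d{6}): (?P<text>.*)$")
BUILT = re.compile(r"Built \w+ TCP connection (?P<conn>\d+) for (?P<peer>\S+)")
TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for (?P<peer>\S+) to (?P<host>\S+) "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+) ?(?P<reason>.*)")

def analyze(lines):
    """Return clock offsets, Built connections and Teardowns keyed by connection id."""
    skews, built, torn = [], {}, {}
    for line in lines:
        hdr = HEADER.match(line)
        if not hdr:
            continue  # not a PIX message in this logger's format
        rx = datetime.strptime(hdr["rx"], "%Y-%m-%d %H:%M:%S")
        dev = datetime.strptime(hdr["dev"], "%b %d %Y %H:%M:%S")
        skews.append(rx - dev)  # logger clock minus PIX clock
        if hdr["msgid"] == "302013" and (b := BUILT.search(hdr["text"])):
            built[b["conn"]] = b["peer"]
        elif hdr["msgid"] == "302014" and (t := TEARDOWN.search(hdr["text"])):
            torn[t["conn"]] = {
                "peer": t["peer"], "bytes": int(t["bytes"]), "reason": t["reason"],
                "duration": timedelta(hours=int(t["h"]), minutes=int(t["m"]),
                                      seconds=int(t["s"])),
                "built_seen": t["conn"] in built,  # False: Built entry not in capture
            }
    return {"skews": skews, "built": built, "teardowns": torn}

if __name__ == "__main__":
    result = analyze(SAMPLE)
    print("logger - PIX clock:", [str(s) for s in result["skews"]])
    for conn, td in result["teardowns"].items():
        print(conn, td["peer"], td["reason"], td["duration"], "built_seen =", td["built_seen"])
```

On the sample, both entries show the same 12:06:17 offset, and the Teardown (connection 6440257, source port 50438) carries a different connection id than the Built entry (6440580, source port 50439).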

Re: SETUP STATIC ENTRY FOR HOST BEHIND PIX

am 17.09.2006 17:13:07 von vreyesii

No, I have not set up an ntp server on the PIX, and I have not tried
setting up an ntp client on the logging machine. The clocks have not
been set on the PIX or on the logging host. Regarding the packets from
the PIX not reaching the host 10.1.1.251, which is a Router: packets
from the PIX are reaching the router. If I issue a ping from the PIX to
the Router I get a response and vice versa. Also, in the routing table
the Router has a route to the 10.1.1.0 network where the PIX resides.


Walter Roberson wrote:
> In article <1158467204.365458.94900@h48g2000cwc.googlegroups.com>,
> vreyesii wrote:
> >These are the errors which I got when I tried again to telnet into the
> >PIX using port 4000. I used Hyperterminal on the remote host, and
> >changed the port number to 4000 and entered the IP address 216.X.X.85.
> >What am I doing wrong?
> >
> >2006-09-17 00:09:24 Local4.Info 10.1.1.1 Sep 16 2006 12:03:07:
> >%PIX-6-302013: Built inbound TCP connection 6440580 for
> >outside:71.X.X.174/50439 (71.X.X.174/50439) to inside:10.1.1.251/23
> >(216.X.X.85/4000)
>
> >2006-09-17 00:09:38 Local4.Info 10.1.1.1 Sep 16 2006 12:03:21:
> >%PIX-6-302014: Teardown TCP connection 6440257 for
> >outside:71.X.X.174/50438 to inside:10.1.1.251/23 duration 0:02:01 bytes
> >0 SYN Timeout
>
> Those look fine in themselves: they indicate that the PIX accepted
> the connection and forwarded the addressed 216.X.X.85 port 4000
> on to 10.1.1.251 port 23, but that the PIX did not see any
> response from 10.1.1.251 within 2 minutes and so timed out the
> connection.
>
> This could indicate that 10.1.1.251 does not have a default route
> or gateway set so that the packets are not getting back to the PIX.
>
>
> But the time stamps are odd. The first timestamp on the line is the
> time that the logger received the message, and the second timestamp
> on the line is the time registered on the PIX when it sent the message.
>
> First off, notice that the elapsed time on both the PIX and the logger
> was only 14 seconds, not 2 minutes.
>
> Secondly, notice that the timestamps on the two are way out of sync,
> with the logger being 12 hours, 6 minutes and 17 seconds ahead.
> 12 hours could be accounted for if you happen to be 12 hours off of
> GMT and your PIX is set for GMT, but the 6 minutes and 17 seconds
> implies that either the clocks are not synchronized or else that
> you have a *very* large internal network delay.
>
> Have you tried setting up 'ntp server' on the PIX? (Have you
> tried setting up an ntp client on your logging machine) ?