
501 limiting inside access

scrimmy (Technical User), Sep 27, 2001
Hi,
I am a newbie to the world of PIX and I need some help configuring a PIX-501 3des to allow access into specified devices from the outside interface.
One of these inside devices has an IP address of 193.39.99.21 and access may be required by telnet, ping and web browser.
All devices on the inside interface need access to all devices on the outside interface.
With the config below, I can access devices on the outside interface, but cannot access the 193.39.99.21 device from the outside interface.
Copy of existing config below.

Host site
|
Cisco PIX 501 inside interface 172.31.11.10
|
Cisco PIX 501 outside interface 10.250.245.1
|
Cisco C1603 router 10.250.245.250
|
Leased line
|
Cisco 1603 router 172.16.157.250
|
Remote site 172.16.157.220


Many thanks in advance


sh conf
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIXfirewall
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any
access-list 101 permit ip any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 10.250.245.1 255.255.255.0
ip address inside 172.31.11.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.30.24.245 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.250.245.1 255.255.255.255 outside
pdm location 172.30.24.0 255.255.255.0 inside
pdm location 172.30.11.0 255.255.255.0 inside
pdm location 172.30.0.0 255.255.0.0 inside
pdm location 172.31.11.10 255.255.255.255 inside
pdm location 172.31.0.0 255.255.0.0 inside
pdm location 193.39.0.0 255.255.0.0 inside
pdm location 172.16.157.0 255.255.255.0 outside
pdm location 172.16.157.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 10.250.245.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.250.245.250 172.31.11.10 netmask 255.255.255.255 0 0
access-group 101 in interface outside
rip inside default version 1
route outside 172.16.157.0 255.255.255.0 10.250.245.1 1
route inside 172.30.0.0 255.255.0.0 172.31.11.10 1
route inside 172.31.0.0 255.255.0.0 172.31.11.10 1
route inside 172.31.11.10 255.255.255.255 172.31.11.250 1
route inside 193.39.0.0 255.255.0.0 172.31.11.10 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.30.11.0 255.255.255.0 inside
http 172.30.24.0 255.255.255.0 inside
http 172.30.24.245 255.255.255.255 inside
http 172.30.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 172.30.24.245 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:19d867cbd761f88d9440b63ba0a5068a
 
Here's some comments:
First, remove
global (outside) 1 10.250.245.0
You don't need it. The "global (outside) 1 interface" is fine.

Next, become familiar with extended access-lists, and use them in place of
access-list 101 permit tcp any any
access-list 101 permit ip any any
Those two lines leave you wide open. Instead, use something like:
access-list 101 permit tcp any host 10.250.245.250 eq smtp
access-list 101 permit tcp any host 10.250.245.250 eq pop3
access-list 101 permit tcp any host 10.250.245.250 eq www

Now on to routes. You can remove this line:
route inside 172.31.11.10 255.255.255.255 172.31.11.250 1
The lines
route inside 172.30.0.0 255.255.0.0 172.31.11.10 1
route inside 172.31.0.0 255.255.0.0 172.31.11.10 1
route inside 193.39.0.0 255.255.0.0 172.31.11.10 1
just point to the inside interface; they need to point to a routing device on the inside network that will lead to the subnets specified.

Finally, PIXes don't really route. If a packet hits the internal interface, it will NOT be redirected back out the internal interface. It will either be dropped, or sent out the outside interface (or DMZ).

Now on to the 3DES.
For starters, do a "show version" to make sure the firewall has a 3DES license.

Next, you have no static translation for 193.39.99.21. You need one like:
static (inside,outside) 10.250.245.251 193.39.99.21 netmask 255.255.255.255

You will also need to open ports to it. Something like:
access-list 101 permit tcp any host 10.250.245.251 eq isakmp
access-list 101 permit esp any host 10.250.245.251

Things may likely need to change as I'm not exactly sure what your 3DES setup and needs are. Setting up a syslog server will help in troubleshooting. Other threads here will tell you how to do this.

hope this helps,
-gbiello
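To make the review points above checkable, here is an added example (not code from the thread or from Cisco) that lints PIX 6.x config text for the wide-open permits and the routes pointing at the firewall's own interface address, and that verifies whether a given inside host has both the static and the ACL entries it needs. The config excerpts are constructed from the posted "sh conf" and the suggested fix; the route check is applied to every interface, not only the inside one.

```python
# Added example: PIX 6.x config linter for the reply's points; PIX_CONFIG is constructed from the posted "sh conf".
PIX_CONFIG = """\
ip address outside 10.250.245.1 255.255.255.0
ip address inside 172.31.11.10 255.255.255.0
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any
access-list 101 permit ip any any
static (inside,outside) 10.250.245.250 172.31.11.10 netmask 255.255.255.255 0 0
route outside 172.16.157.0 255.255.255.0 10.250.245.1 1
route inside 172.31.0.0 255.255.0.0 172.31.11.10 1
route inside 172.31.11.10 255.255.255.255 172.31.11.250 1
route inside 193.39.0.0 255.255.0.0 172.31.11.10 1
"""
# The static and ACL entries the reply suggests for the 193.39.99.21 host.
SUGGESTED_FIX = """\
static (inside,outside) 10.250.245.251 193.39.99.21 netmask 255.255.255.255
access-list 101 permit tcp any host 10.250.245.251 eq isakmp
access-list 101 permit esp any host 10.250.245.251
"""

def parse(config):
    return [ln.split() for ln in config.splitlines() if ln.strip()]

def audit_pix(config):
    """Flag wide-open permits and routes whose next hop or destination is the
    PIX's own interface address (a PIX does not hairpin traffic back inside)."""
    lines = parse(config)
    iface_addr = {p[2]: p[3] for p in lines if p[:2] == ["ip", "address"]}
    findings = []
    for p in lines:
        text = " ".join(p)
        if p[0] == "access-list" and p[2] == "permit" and p[3] in ("tcp", "ip") \
                and p[4:] == ["any", "any"]:
            findings.append("wide-open ACL entry: " + text)
        elif p[0] == "route" and p[1] in iface_addr:
            if p[4] == iface_addr[p[1]]:
                findings.append(f"next hop is the PIX's own {p[1]} address: " + text)
            elif p[2] == iface_addr[p[1]]:
                findings.append("host route for the PIX's own address: " + text)
    return findings

def inbound_path(config, inside_host):
    """Outside address mapped by a static, plus the ACL entries permitting traffic to it."""
    lines = parse(config)
    outside = next((p[2] for p in lines
                    if p[:2] == ["static", "(inside,outside)"] and p[3] == inside_host), None)
    acl = [" ".join(p) for p in lines
           if p[0] == "access-list" and p[2] == "permit" and p[5:7] == ["host", outside]]
    return outside, acl
```

Running `inbound_path(PIX_CONFIG, "193.39.99.21")` returns `(None, [])`, which is exactly the poster's symptom; with `SUGGESTED_FIX` appended it returns the mapped outside address and the two permitting entries.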
 
I have somehow managed to completely screw up my configs.
Is there a way the config can be reset to factory defaults so I can start again from scratch?

Cisco PIX Firewall Version 6.1(4)
Cisco PIX Device Manager Version 1.1(2)

Compiled on Tue 21-May-02 08:40 by morlee

PIXfirewall up 24 mins 17 secs

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000a.417e.60ce, irq 9
1: ethernet1: address is 000a.417e.60cf, irq 10

Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Inside Hosts: 10
 