
515E - Basic config allowing all incoming & outgoing traffic

Status
Not open for further replies.

cls3152

Technical User
Jul 19, 2002
9
US
I'm looking to completely open up my pix515E to allow everything in and out - IP, multicast IGMP, ICMP, RIP etc. No NAT or PAT. I'm running ver 6.3(4). And from there I will go and lock down the system afterwards. Without the firewall in place everything works fine, but once I put it in, I lose all communications no matter what I've tried config-wise. So I'd like to start with a basic config allowing everything and then lock it down.
 
I will assume that you have the NAT or PAT pools already setup. Issue this command and you are done.

access-list All_Traffic permit IP any any
access-group All_Traffic in interface outside



It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
 
Well, it did open it up. Although it doesn't look like it's allowing everything, because I'm still not getting any data to my program. I'm pretty sure it's IP dependent, so I don't think NAT or PAT would work, but when I try to disable it I get no communications. So maybe I'm doing that wrong. Second, I'm pretty sure registering the computer requires multicast and RIPv2, so I tried playing with that as well but didn't get anywhere. I'm hoping somebody can look at this config and let me know where I'm going wrong. Thanks in advance.

PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix-1
domain-name DDG
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list All_Traffic permit ip any any
access-list inside_multicastACL permit igmp any host 225.2.1.14
access-list outside_multicastACL permit igmp any host 225.2.1.14
pager lines 22
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.96.190 255.255.255.128
ip address inside XXX.XXX.96.193 255.255.255.192
multicast interface inside
igmp access-group inside_multicastACL
igmp join-group 225.2.1.14
multicast interface outside
igmp forward interface inside
igmp access-group outside_multicastACL
igmp join-group 225.2.1.14
mroute XXX.XXX.96.195 255.255.255.255 inside 225.2.1.14 255.255.255.255 outside
ip audit info action alarm
ip audit attack action alarm
pdm location XXX.XXX.96.195 255.255.255.255 inside
no pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group All_Traffic in interface outside
rip outside default version 2
route outside 0.0.0.0 0.0.0.0 XXX.XXX.96.143 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http XXX.XXX.96.195 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
 
Oh, maybe some extra info might help.

the systems on the inside are .193(fw) - .202

The outside is an EIOM (Ethernet Input/Output Module); the address of the card is .143, which needs to get the RIPv2 update. That is then connected on an FDDI ring and then out another EIOM to another LAN, XXX.XXX.98.130 - .98.134.

There's a multicast address on the outside at 225.2.1.14 that all the systems inside need to join.

Any other info you need to know, just ask.
 
You need to create a static address translation statement. This assigns one outside IP address to an inside IP address. If you have a recent version of code, you can also do static port mappings in addition to static IP addressing. It looks like you are using a single outside IP address. You can map a port on that single outside IP address (not the IP address itself) to an inside port and IP address.

I didn't spend much time on your config, but if you are trying to pass RIP traffic, I am pretty sure the PIX supports rip (both versions) and can pass the information from the outside to the inside.

Anyway, let me know if this helps.


It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
 
Just looking at the first part of the thread, if you are looking to forward traffic without NAT, then you need to add the following statement.

nat (inside) 0 0.0.0.0 0.0.0.0

With the other NAT statements:
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
you are NATing all traffic to the outside interface IP. Sounds like you didn't want this. The 'nat 0' statement says what NOT to NAT and with the PIX you need a nat statement to cross interfaces.

Kurt
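To make Kurt's point about nat 0 versus the paired nat/global 10 statements checkable, here is a small added audit script (not from this thread or from Cisco) that reads a PIX 6.x config excerpt, reports which NAT mode the inside interface is in, and flags the exposure that the posted config carries: an ip any any ACL applied inbound on outside and the default SNMP community. The excerpt is a constructed copy of lines from the config posted above.

```python
import re

# Constructed excerpt of the PIX 6.3(4) config posted earlier in this thread.
PIX_CONFIG = """\
access-list All_Traffic permit ip any any
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group All_Traffic in interface outside
http server enable
snmp-server community public
"""


def nat_mode(config):
    """Classify inside->outside translation in a PIX 6.x config.

    'identity' : a 'nat (inside) 0 ...' rule exists, so matched hosts are
                 passed without translation (what the poster asked for).
    'pat'      : nat and global share a pool id (here 10 -> interface PAT).
    'none'     : no nat rule for inside at all, so traffic cannot cross.
    """
    nat_ids = set(re.findall(r'^nat \(inside\) (\d+)', config, re.M))
    global_ids = set(re.findall(r'^global \(outside\) (\d+)', config, re.M))
    if '0' in nat_ids:
        return 'identity'
    if nat_ids & global_ids:
        return 'pat'
    return 'none'


def exposure_findings(config):
    """Return human-readable findings for the risky settings seen in this thread."""
    findings = []
    # ACL names that permit ip any any (keyword case does not matter on the PIX CLI).
    wide_open = set(re.findall(r'^access-list (\S+) permit ip any any',
                               config, re.M | re.I))
    # Only an ACL actually bound inbound on an interface is an exposure.
    for name, iface in re.findall(r'^access-group (\S+) in interface (\S+)',
                                  config, re.M):
        if name in wide_open:
            findings.append(f'{name} permits ip any any inbound on {iface}')
    if re.search(r'^snmp-server community public$', config, re.M):
        findings.append('default SNMP community "public"')
    return findings


if __name__ == '__main__':
    print('NAT mode:', nat_mode(PIX_CONFIG))
    for f in exposure_findings(PIX_CONFIG):
        print('finding:', f)
```

Appending a `nat (inside) 0 0.0.0.0 0.0.0.0` line to the excerpt flips the reported mode to identity, which is the change Kurt describes.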
 
If I do a nat 0 I lose (at least) my ICMP communications. As long as I have my global and nat statements using the same number, in this case 10, I can still get some communication. But I'm still not seeing all the data I want. It certainly didn't open the firewall to allow ALL communications, since my data comes in fine without the firewall in place. Any other thoughts, suggestions, comments, things to try?

-frustrated
 