
515E - Traffic not being processed correctly


okwebman (MIS, US) - Apr 16, 2001
Hello,

I am working on fixing a small network that has several design flaws. First and foremost is to get some sort of security besides access lists on the router. There is a 2524 router with a serial 0 and ethernet 0. Serial overload is being done on the serial 0 port. No NAT pool is being used. There is a PIX 515E running Firewall version 6.1(4). The PIX has three interfaces, OUTSIDE, INSIDE and DMZ. There are three DMZ hosts assigned public IP addresses. There is an internal network with private IP addresses. As I said, there are several other issues that will be addressed in the near future, but I am just working on getting this piece going now.

One of the DMZ hosts, 164.58.184.218, is the Exchange 2000/AD/DNS/FTP/IIS machine. Not the correct design, but that is how it is for now. We need to allow the external users to access this machine for email, FTP and webserver. The internal users need to access it for email, webserver, AD, DNS and FTP.

When I connect the PIX to the 2524, all the interfaces show UP/UP and there is traffic going through the PIX. However, none of the access-lists are being matched. None of the internal users can surf the internet or do name resolution.

eighthfloor-pix# sh access-list
access-list outside_access_dmz permit tcp any host PDC eq www (hitcnt=0)
access-list outside_access_dmz permit tcp any host PDC eq ftp (hitcnt=0)
access-list outside_access_dmz permit tcp any host PDC eq smtp (hitcnt=0)
access-list outside_access_dmz permit tcp any host PDC eq ftp-data (hitcnt=0)
access-list outside_access_dmz permit tcp any host PDC eq domain (hitcnt=0)
access-list inside_access_dmz permit ip any any (hitcnt=0)
access-list dmz_access_in permit ip any any (hitcnt=0)

eighthfloor-pix# sh traffic
outside:
received (in 2521515.660 secs):
1731 packets 745178 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 2521515.660 secs):
3626 packets 343167 bytes
0 pkts/sec 0 bytes/sec
inside:
received (in 2521515.660 secs):
801776 packets 73716363 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 2521515.660 secs):
15193 packets 15193206 bytes
0 pkts/sec 0 bytes/sec
dmz:
received (in 2521515.660 secs):
132871 packets 13652954 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 2521515.660 secs):
41 packets 3122 bytes
0 pkts/sec 0 bytes/sec


I have a nice drawing of the logical/physical connectivity. If you need a drawing just send me an email. This is a summary of how it is:

Cisco 2524 (eight-floor)
Serial0 (164.58.12.190 /30)
Ethernet0 (172.16.1.1 /16) (164.58.184.217 /29 SECONDARY) (192.168.100.1 /30 SECONDARY) Connects to PIX Ethernet0 (OUTSIDE)

Below is the router config:

eight-floor#sh run
!
version 11.2
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname eight-floor
!
ip subnet-zero
ip nat inside source list 2 interface Serial0 overload
ip host eight-floor 164.58.12.190 255.255.255.252
!
ip domain-name onenet.net
ip name-server 164.58.253.10
!
interface Ethernet0
ip address 164.58.184.217 255.255.255.248 secondary
ip address 192.168.100.1 255.255.255.252 secondary
ip address 172.16.1.1 255.255.0.0
ip nat inside
!
interface Serial0
ip address 164.58.12.190 255.255.255.252
ip access-group 110 in
ip nat outside
no fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
access-list 1 permit 164.58.253.0 0.0.0.255
access-list 2 permit 172.16.0.0 0.0.255.255
access-list 110 deny tcp any any eq 135 log
access-list 110 deny tcp any any eq 137 log
access-list 110 deny tcp any any eq 138 log
access-list 110 deny tcp any any eq 139 log
access-list 110 deny tcp any any eq 389 log
access-list 110 deny tcp any any eq 445 log
access-list 110 deny tcp any any eq 636 log
access-list 110 deny udp any any eq 135 log
access-list 110 deny udp any any eq netbios-ns log
access-list 110 deny udp any any eq netbios-dgm log
access-list 110 deny udp any any eq 139 log
access-list 110 deny udp any any eq 389 log
access-list 110 deny udp any any eq 636 log
access-list 110 permit ip any any
!
end

eight-floor#

This is a summary of the PIX:

PIX 515e (eightfloor-pix)
-------------------------
Ethernet0 (OUTSIDE) 192.168.100.2 /30
Ethernet1 (INSIDE) 172.16.18.1 /16
Ethernet2 (DMZ) 164.58.184.222 /29

Below is the firewall config:

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password *** encrypted
passwd *** encrypted
hostname eighthfloor-pix
domain-name eighthfloor.org
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 164.58.184.218 PDC
access-list outside_access_dmz permit tcp any host PDC eq www
access-list outside_access_dmz permit tcp any host PDC eq ftp
access-list outside_access_dmz permit tcp any host PDC eq smtp
access-list outside_access_dmz permit tcp any host PDC eq ftp-data
access-list outside_access_dmz permit tcp any host PDC eq domain
access-list inside_access_dmz permit ip any any
access-list dmz_access_in permit ip any any

pager lines 24
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp permit any router-solicitation inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.100.2 255.255.255.252
ip address inside 172.16.18.1 255.255.0.0
ip address dmz 164.58.184.222 255.255.255.248

ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
access-group outside_access_dmz in interface outside
access-group inside_access_dmz in interface inside
access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.14.12 255.255.255.255 inside
http 172.16.10.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community ***
no snmp-server enable traps
tftp-server inside 172.16.14.12 /tftp
floodguard enable
no sysopt route dnat
telnet 172.16.1.1 255.255.255.255 inside
telnet 164.58.184.217 255.255.255.255 inside
telnet 164.58.184.217 255.255.255.255 dmz
telnet 172.16.1.1 255.255.255.255 dmz
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:8005df691d5384de3ec95c57981932c9
eighthfloor-pix#

What is missing from the PIX config to make this work? Thank you. :)


Principal Consultant - ACE Network Consulting
 
First off, if you're not doing NAT at the router, then the PIX will have to have a legal outside IP and not a 192.168. address. Either that, or you set the global (outside) statement (see below) to a legal IP address and get fancy with your routing config...

Other than that, a few commands need to be added.

To allow your internal users to access the DMZ and the Internet:
nat (inside) 1 172.16.0.0 255.255.0.0
global (dmz)1 interface
global (outside) 1 interface

The NAT command basically determines who is allowed to go from a higher-level interface to a lower-level. The global command is used in conjunction with NAT and basically determines what those users should "appear" as on the lower-security int.

To allow users from the outside to access specific resources on a higher-level int (the DMZ), you will need to use the static command in addition to access-lists:
static (dmz,outside) PDC PDC

That's at least a start.
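The rule behind the reply (on PIX 6.x, any flow from a higher-security interface to a lower one needs a nat/global pair or a static, otherwise the packet is dropped with the "No translation group found" syslog no matter what the access-lists say) can be checked mechanically. The Python below is an added example, not code from the thread; it parses a constructed excerpt of the posted PIX config and the same excerpt with the reply's nat/global/static lines added, and reports which interface pairs still have no translation.

```python
import re

# Constructed excerpt of the PIX 6.1(4) config posted above: only the lines the check needs.
POSTED = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
access-group outside_access_dmz in interface outside
"""

# The same excerpt with the three commands from the reply added verbatim.
FIXED = POSTED + """
nat (inside) 1 172.16.0.0 255.255.0.0
global (dmz)1 interface
global (outside) 1 interface
static (dmz,outside) PDC PDC
"""

def parse(cfg):
    """Collect security levels, nat ids per interface, global ids per interface and statics."""
    level, nat, glob, static = {}, {}, {}, set()
    for line in cfg.splitlines():
        if m := re.match(r"nameif \S+ (\S+) security(\d+)", line):
            level[m[1]] = int(m[2])
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            nat.setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"global \((\S+)\)\s*(\d+)", line):   # tolerates "global (dmz)1"
            glob.setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"static \((\S+),(\S+)\)", line):
            static.add((m[1], m[2]))                              # (real_ifc, mapped_ifc)
    return level, nat, glob, static

def missing_translations(cfg):
    """Return (higher, lower) interface pairs with neither a matching nat/global id nor a static.

    A nat id on the higher interface pairs with a global carrying the same id on the lower
    one; a static (higher,lower) covers that pair on its own. Anything left is dropped by
    the PIX before the access-lists are consulted, which matches the hitcnt=0 symptom."""
    level, nat, glob, static = parse(cfg)
    gaps = []
    for hi in level:
        for lo in level:
            if level[hi] <= level[lo]:
                continue
            dynamic = nat.get(hi, set()) & glob.get(lo, set())
            if not dynamic and (hi, lo) not in static:
                gaps.append((hi, lo))
    return sorted(gaps)
```

The posted config reports all three pairs (dmz to outside, inside to dmz, inside to outside) as untranslated; with the reply's commands the list is empty.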
 