Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Allow incoming HTTP & FTP Traffic

Status
Not open for further replies.

smokey7244521

IS-IT--Management
Nov 27, 2006
42
US
I have a Pix 515 and am needing to allow incoming traffic to a FTP & Web Server. Below are 2 different ways i have tried, and also my config. Thanks in advance

static (inside,outside) 68.188.127.9 10.1.16.24 netmask 255.255.255.255 0 0
conduit permit tcp any host 68.188.127.9 eq ftp
conduit permit tcp any host 68.188.127.9 eq http
access-group WebServer in interface outside




static (inside,outside) 68.188.127.9 10.1.16.24 netmask 255.255.255.255 0 0
access-list WebServer permit tcp any host 68.188.127.9 eq ftp
access-list WebServer permit tcp any host 68.188.127.9 eq http
access-group WebServer in interface outside





PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 102 permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
ip address outside 6X.X.X.7 X.X.X.X
ip address inside 10.1.1.1 255.255.0.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
global (outside) 1 6X.X.X.8 netmask X.X.X.X
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
static (inside,outside) 6X.X.X.10 10.1.18.96 netmask 255.255.255.255 0 0
static (inside,outside) 6X.X.X.9 10.1.16.24 netmask 255.255.255.255 0 0
conduit permit tcp host 6X.X.X.10 eq citrix-ica any
outbound 10 deny 0.0.0.0 0.0.0.0 0 tcp
outbound 10 deny 0.0.0.0 0.0.0.0 0 udp
outbound 10 deny 0.0.0.0 0.0.0.0 0 esp
outbound 10 permit 10.0.0.0 255.0.0.0 80 tcp
outbound 10 permit 10.0.0.0 255.0.0.0 21 tcp
outbound 10 permit 10.0.0.0 255.0.0.0 53 tcp
outbound 10 permit 10.0.0.0 255.0.0.0 53 udp
outbound 10 permit 10.0.0.0 255.0.0.0 443 tcp
outbound 10 permit 10.0.0.0 255.0.0.0 443 udp
outbound 10 permit 10.0.0.0 255.0.0.0 21 udp
outbound 10 permit 10.0.0.0 255.0.0.0 110 tcp
outbound 10 permit 10.0.0.0 255.0.0.0 143 tcp
outbound 10 permit 10.0.0.0 255.0.0.0 20 tcp
outbound 10 permit 10.0.0.0 255.0.0.0 23 tcp
outbound 10 permit 10.0.0.0 255.0.0.0 25 tcp
outbound 10 permit 10.0.0.0 255.0.0.0 9001 tcp
outbound 10 permit 10.0.0.0 255.0.0.0 3389 tcp
outbound 10 permit 10.0.0.0 255.0.0.0 8383 tcp
apply (inside) 10 outgoing_src
route outside 0.0.0.0 0.0.0.0 6X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community JEFF-manager
no snmp-server enable traps
tftp-server inside 10.1.89.83 \
floodguard enable
sysopt connection tcpmss 0
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup GIS address-pool vpnpool1
vpngroup GIS dns-server 10.1.18.96
vpngroup GIS wins-server 10.1.18.96
vpngroup GIS split-tunnel 102
vpngroup GIS idle-time 1800
vpngroup GIS password ********
telnet 10.1.0.0 255.255.0.0 inside
telnet 10.1.0.0 255.255.0.0 intf2
telnet timeout 15
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:e0ab41d5397006b5e9b92e7a4b3c432b
: end
[OK]

 
I think Networkghost said this in a earlier post - you are going want to convert the conduit and outbound commands to ACL's. Cisco has a tool but it isn't perfect.

Give this a try -
You can use object groups to limit the ACL lines

object-group service allowed-services tcp-udp
description Services allowed outbound after lockdown
group-object webservices
port-object eq 20
port-object eq 21
port-object eq 22
port-object eq 23
port-object eq 25
port-object eq 53
port-object eq 80
port-object eq 110
port-object eq 123
port-object eq 143
port-object eq 443
port-object eq 3389
port-object eq 8383
port-object eq 9001

and then
access-list inside-to-outside permit tcp 10.1.0.0 255.255.0.0 any object-group allowed-services
access-list inside-to-outside permit udp 10.1.0.0 255.255.0.0 any eq 53

access-list outside-to-inside permit tcp any host 68.188.127.9 eq 20
access-list outside-to-inside permit tcp any host 68.188.127.9 eq 21
access-list outside-to-inside permit tcp any host 68.188.127.9 eq 80
access-list outside-to-inside permit tcp any host 68.188.127.9 eq 443
access-list outside-to-inside permit tcp any host 68.188.127.10 eq citrix-ica

access-group outside-to-inside in interface outside
access-group inside-to-outside in interface inside

That looks like it should convert all your conduits to ACLs. Remove your conduits and outbounds and give it a try but be sure to back it up in case it doesn't work.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top