Can't complete configuration of PIX 515E 1

Status
Not open for further replies.

arie01

Technical User
Nov 24, 2003
23
CA
Hello,

I need help resolving an issue with our PIX 515E configuration.
Basically, I need to configure the inside interface for DHCP and NAT then make sure I have access to the Internet.

Here is my initial config but I'm not sure what to do next. I tried a few config options but they didn't work. I was only able to ping the inside interface IP address but not the outside or hosts on the Internet.


pix# sh config
: Saved
: Written by enable_15 at 10:32:14.102 EST Thu Mar 4 2010
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ********* encrypted
passwd ********* encrypted
hostname pix
domain-name domain
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xxx.xxx.xxx.x50 255.255.255.248
ip address inside 192.168.1.253 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.78 255.255.255.255 inside
pdm location 192.168.1.240 255.255.255.255 inside
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.78 255.255.255.255 inside
http 192.168.1.240 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.220-192.168.1.252 inside
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:b03b890c4a063b44032c3bfeb7214527
pix#

I also need to perform port-forwarding or the equivalent on PIX, from a specific external IP to a specific internal IP and port, let's say from 114.248.42.179 to 192.168.1.148:3658. How do I accomplish this?

Thank you,
 
add these two lines to start:
Code:
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Ok, I added the two lines above and received no errors. Previously, when I tried to enter global (outside) 1 interface, I got errors, but this time it worked.

Is there anything else I need to do to make this work?

Thanks again,
Arie
 
After adding the two lines above, I was able to ping my next hop IP but not the outside IP of my PIX. Any idea why?

Thank you,
 
You can't ping your external. You need a route statement as well.
Route outside 0.0.0.0 0.0.0.0 gateway_ip

Here is the basic formula for outside in access-

Build Access List to allow the traffic in (one line for each port)-
access-list outside_access_in permit [TCP/UDP] any [host ExternalIP/interface outside] eq [Port#]

Apply the ACL to the outside interface -
access-group outside_access_in in interface outside

Map incoming port to an IP and port on the inside (one line for each port)-
static (inside,outside) [TCP/UDP] [ExternalIP/interface] [Port#] [InternalIP] [Port#] netmask 255.255.255.255


Anything in brackets needs to be replaced for your specific config. Bold means you have to enter a value (either a port # or IP address)


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi Brent,

Thanks again for your help.

I added the route statement above.

As for the "port forwarding", if I have a need to allow connection from anywhere to a specific IP/port inside, can I just do that?

static (inside,outside) [TCP/UDP] any [Port#] [InternalIP] [Port#] netmask 255.255.255.255

Thanks again,
Arie
 
Hello Brent,

How do I enable RDP from any external IP address to a specific host inside?

Thank you,
Arie
 
The port is 3389 and you need the ACL as well as the static.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hello Brent,

I tried a few things such as the following:

access-list rdp_in permit tcp any host <Inside_IP> eq 3389
access-group rdp_in in interface outside
That didn't work!

I then tried this:

static (inside,outside) <Outside_IP> <Inside_IP> netmask 255.255.255.0
access-list 120 permit tcp any host <Inside_IP> eq 3389
access-group 120 in interface outside

In the second config, I didn't get very far, because as soon as I entered the (config)# static command, the firewall responded with the following:

static (inside,outside) <Outside_IP> <Inside_IP> netmask 255.255.255.0
ERROR: invalid netmask 255.255.255.0 with global address <Outside_IP>

So I changed the mask and again I got the following:

static (inside,outside) <Outside_IP> <Inside_IP> netmask 255.255.255.248
ERROR: invalid netmask 255.255.255.248 with global address <Outside_IP>

/29 is the actual mask. The /24 was entered because I didn't understand the structure of the command.

What am I missing?

Thank you,
Arie
 
Hello Brent,

I think I got it but if I didn't please correct me.

static (inside,outside) <Outside_IP> <Inside_IP> netmask 255.255.255.255 --> (PIX accepted this command)
access-list 120 permit tcp any host <Inside_IP> eq 3389 --> (PIX accepted this command)
access-group 120 in interface outside --> (PIX accepted this command)

If all is correct, then for the access-list, can I specify a name instead of the number?

Thank you so much,
Arie
 
Hello everyone,

I'm still having issues opening port 3389 from any to a specific host inside. Here is my running config:

pix(config)# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ********** encrypted
passwd ********** encrypted
hostname pix
domain-name domain.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list allow_ping permit icmp any any
access-list ping_acl permit ip any any
access-list outside_access_in permit tcp any host <Outside_IP> eq 3389
pager lines 75
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside <Outside_IP> 255.255.255.248
ip address inside 192.168.1.253 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.78 255.255.255.255 inside
pdm location 192.168.1.240 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) <Outside_IP> 192.168.1.222 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 <Outside_GW_IP> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.78 255.255.255.255 inside
http 192.168.1.240 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
console timeout 0
terminal width 120
Cryptochecksum:49ce518aeedb698e431488bd4fb53f9c
: end
pix(config)#

I opened RDC on my computer (which is on another external network) and entered my <Outside_IP> --> nothing happened. I entered my <Outside_IP>:3389 and again nothing happened.

Any help would be much appreciated.

Thank you all,
Arie
 
Hi,

Code:
no static (inside,outside) <Outside_IP> 192.168.1.222 netmask 255.255.255.255 0 0

static (inside,outside) tcp <Outside_IP> 3389 192.168.1.222 3389 netmask 255.255.255.255 0 0

HTH
 
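Putting Brent's formula and the per-port static from the reply above together, as an added worked example that is not from any poster in this thread: a complete PIX 6.3 port-forward for the thread's original case (RDP to one inside host), with the ACL limited to the single external address 114.248.42.179 named in the first post instead of "any". The outside address 203.0.113.50/29 and gateway 203.0.113.49 are constructed placeholders for <Outside_IP> and <Outside_GW_IP>.

```cisco
: Added worked example (not from the thread). PIX 6.3(3) syntax; lines
: starting with ":" are comments, as in the saved config shown above.
: Constructed placeholders: outside interface 203.0.113.50/29, upstream
: gateway 203.0.113.49. Inside host 192.168.1.222 as in the thread.

: 1. Outbound PAT for the whole inside subnet (the two lines from the first reply).
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

: 2. Default route so Internet-bound traffic and return traffic leave the box.
route outside 0.0.0.0 0.0.0.0 203.0.113.49 1

: 3. Port static: only TCP/3389 of the outside address is mapped to the
:    inside host. A host static must use netmask 255.255.255.255; the /24
:    and /29 masks tried earlier are what produced the "invalid netmask ...
:    with global address" errors. Mapping one port instead of the whole
:    address also leaves the rest of the outside address to the PAT in step 1.
static (inside,outside) tcp 203.0.113.50 3389 192.168.1.222 3389 netmask 255.255.255.255 0 0

: 4. ACL on the outside interface. On PIX 6.3 the destination in an ACL
:    applied to the outside interface is the translated (outside) address,
:    not the inside host, which is why "host <Inside_IP>" never matched.
:    Source is restricted to the one external address from the original
:    question; widen it only if you really need access from anywhere.
access-list outside_access_in permit tcp host 114.248.42.179 host 203.0.113.50 eq 3389
access-group outside_access_in in interface outside

: 5. Verify: the static should appear as a PAT-style xlate, and the ACL
:    hit counter should increase when the allowed source connects.
show xlate
show access-list outside_access_in
```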
Hello to all those who helped me solve this issue.

I just want to let you know that I finally got it to work the way I wanted.

Basically, I followed Brent's formula. I had to enter it a few times until I got it right, but when it was done, my port forwarding worked great.

Brent: Thank you very much for your help.

Arie
 
No problem. Glad it worked.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 