Cisco PIX 501 Question

[Yogiz]

Hi there,

Just wanted to find out how do I point static IP from my ISP to my web-server sitting behind PIX 501?

Thanks in advance,

Dan

 

[Yogiz]

Ultimately what I would like to achieve is to redirect web-traffic from outside 72.0.0.0 to inside web-server which is on 10.164.117.2 PIX is on 10.164.117.1

Cheers

Dan

 

[Supergrrover]

Here is the basic formula for outside in access-

Build Access List to allow the traffic in (one line for each port)-
access-list outside_access_in permit [TCP/UDP] any [host ExternalIP/interface outside] eq [Port#]

Apply the ACL to the outside interface -
access-group outside_access_in in interface outside

Map incoming port to an IP and port on the inside (one line for each port)-
static (inside,outside) [TCP/UDP] [ExternalIP/interface] [Port#] [InteralIP] [Port#] netmask 255.255.255.255


Anything in brackets needs to be replaced for your specific config. Bold means you have to enter a value (either a port # or IP address)

If you run into problems, post your config.



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Yogiz]

Thanks for that Brent.

Any Idea why I can't ping my pix from outside.

The config looks like that,

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Of3dxO64dl0.NQSr encrypted
passwd Of3dxO64dl0.NQSr encrypted
hostname pix
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network INSIDE-LAN
network-object 10.164.117.0 255.255.255.0
object-group network VPNCLIENTB
network-object 10.10.10.0 255.255.255.0
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit ip host 1.2.3.4 any
access-list NONAT permit ip 10.164.117.0 255.255.255.0 object-group VPNCLIENTB
access-list VPN_NONAT permit ip 10.164.117.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list DUMP permit icmp any any
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.164.117.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNCLIENTB 10.10.10.1-10.10.10.10
pdm location 10.164.117.6 255.255.255.255 inside
pdm location 172.16.8.0 255.255.255.0 outside
pdm location 1.2.3.4 255.255.255.255 outside
pdm location 10.164.117.0 255.255.255.0 inside
pdm group INSIDE-LAN inside
pdm group VPNCLIENT outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN_NONAT
nat (inside) 1 10.164.117.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.164.117.6 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet 10.164.117.6 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 10.164.117.2 8080 netmask 255.255.255.255 0 0
access-group 101 in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 1.2.3.4 255.255.255.255 outside
http 10.164.117.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set VPN3DES esp-3des esp-sha-hmac
crypto dynamic-map CLIENT 1 set transform-set VPN3DES
crypto map VPN 80 ipsec-isakmp dynamic CLIENT
crypto map VPN client authentication LOCAL
crypto map VPN interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup WAYNVPN address-pool VPNCLIENTB
vpngroup WAYNVPN split-tunnel VPN_NONAT
vpngroup WAYNVPN idle-time 1800
vpngroup WAYNVPN password ********
telnet 10.164.117.2 255.255.255.255 inside
telnet 10.164.117.6 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.164.117.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.164.117.2-10.164.117.6 inside
dhcpd dns 4.2.2.1 4.2.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username test password qYX9nlCkUx69vx0O encrypted privilege 15
username ****** password 9reCdzQiHs8gZy/P encrypted privilege 10
terminal width 80
Cryptochecksum:3dc9b5c245c74ca52781b70917cebffe
: end

 

[Supergrrover]

You didn't permit the ICMP echo itself.

Add this line
access-list 101 permit icmp any any echo




Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Yogiz]

Thanks for that Brent.

I have added that it made no difference seems like its all gone wrong as vpn or redirection to web-server don't work.

Could you check check my config to make sure its all ok

The pix is plugged to ADSL modem with has firewall disabled could that be blocking the ICMP packets?


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Of3dxO64dl0.NQSr encrypted
passwd Of3dxO64dl0.NQSr encrypted
hostname dw
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network INSIDE-LAN
network-object 10.164.117.0 255.255.255.0
object-group network VPNCLIENTB
network-object 10.10.10.0 255.255.255.0
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit tcp any any eq 44417
access-list 101 permit icmp any any echo
access-list NONAT permit ip 10.164.117.0 255.255.255.0 object-group VPNCLIENTB
access-list VPN_NONAT permit ip 10.164.117.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list DUMP permit icmp any any
access-list WEB_SERVER_ACL permit tcp any interface outside eq www
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.164.117.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNCLIENTB 10.10.10.1-10.10.10.10
pdm location 10.164.117.6 255.255.255.255 inside
pdm location 172.16.8.0 255.255.255.0 outside
pdm location 10.164.117.0 255.255.255.0 inside
pdm group INSIDE-LAN inside
pdm group VPNCLIENT outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN_NONAT
nat (inside) 1 10.164.117.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 44417 10.164.117.2 44417 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.164.117.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface

http://www 10.164.117.2

http://www netmask

255.255.255.255 0 0
access-group WEB_SERVER_ACL in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.164.117.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set VPN3DES esp-3des esp-sha-hmac
crypto dynamic-map CLIENT 1 set transform-set VPN3DES
crypto map VPN 80 ipsec-isakmp dynamic CLIENT
crypto map VPN client authentication LOCAL
crypto map VPN interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup WAYNVPN address-pool VPNCLIENTB
vpngroup WAYNVPN split-tunnel VPN_NONAT
vpngroup WAYNVPN idle-time 1800
vpngroup WAYNVPN password ********
telnet 10.164.117.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.164.117.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.164.117.2-10.164.117.10 inside
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username password 9reCdzQiHs8gZy/P encrypted privilege 10
terminal width 80
Cryptochecksum:67354b7d4ce8d57770b57efbacd997be
: end

Thanks in advance.

Dan