
Cisco PIX 506 port mapping issue


itspoint

IS-IT--Management
Aug 3, 2008
Hello guys, I will try and give the scenario as clearly as I can.

I have 3 networks, A, B and C. The main office network is network B and I have the PIX firewall in network B. Also in network B, I have 2 Cisco routers with LAN interface IPs on the same network as network B, and these 2 Cisco routers are used to route traffic to network C.

IP address of A is: 213.226.X.X
IP address of the Cisco PIX in network B: the firewall is 87.252.X.X with a LAN interface of 192.168.0.1, and the LAN interfaces of the 2 Cisco routers are 192.168.0.6 and 192.168.0.7.
IP address of network C is: 160.40.X.X.
On the Cisco PIX (87.252.X.77), I want to create a static route to C (160.40.X.X) through 192.168.0.6 and 192.168.0.7 (the 2 Cisco routers).
I also want to provide access from A (213.226.X.X) through the firewall, through 192.168.0.6 and 192.168.0.7, to C (160.40.X.X) using ports 23515 and 23526.

I think my commands should be as below:
access-list smtp permit tcp any host 87.252.X.X eq 23526
access-list smtp permit tcp any host 87.252.X.X eq 23515
I am also thinking of doing static commands like below:
static (inside,outside) 87.252.X.X 192.168.0.6 netmask 255.255.255.255 0 0
static (inside,outside) 87.252.X.X 192.168.0.7 netmask 255.255.255.255 0 0
How do I allow a static route from A (213.226.X.X) to pass through the firewall and through either of the 2 Cisco routers to C (160.40.X.X)?

Find below the config of the firewall, if it helps.


access-list smtp permit icmp any any echo-reply
access-list smtp permit icmp any any time-exceeded
access-list smtp permit icmp any any unreachable
access-list smtp permit tcp any host 87.252.X.76 eq smtp

access-list 102 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip any 10.0.0.0 255.255.255.224
pager lines 24
logging monitor debugging
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 87.252.X.77 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.0.0.10-10.0.0.25
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 87.252.X.78
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 87.252.X.76 192.168.0.5 netmask 255.255.255.255 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 87.252.X.78 1

Your suggestion will really help. I also have a set of free IP addresses that I can use in the routing.
Regards.
I can do a graphical representation if my explanation is not clear.
 
For the route :
route inside 160.40.X.X [SubnetMask] 192.168.0.6
I am not sure if you can add the second route to a different gateway and have it load balance.
Here's an example with 2 internal networks -
For network A - how is it connected to the pix? direct? VPN?





Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks for your response Brent.
Network A is a remote network, or any remote network. I have done an access-list command allowing access through the PIX with the required ports open, and a static route has also been done on the PIX to map all traffic with the port to the LAN IP interface of the Cisco router (192.168.0.6).
 
The above with your ACLs should do the trick.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
What command do I need to debug to see if the traffic is actually reaching the firewall, and at what point the connection drops, using the ports 23515 and 23516?
 
Try this

logging enable
logging timestamp
logging device-id hostname
logging buffered debugging
logging history debugging
logging buffer-size 40960

and check the counters on your ACLs:
sho access-l


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
How do I check the counters, and what do I need to do to see the traffic and monitor it?
 
You can use the PDM to monitor traffic, but a show access-list will display counters at the end of each line so you can see that it's been hit.

sho logg will display the logging events; you will have to parse through them to see what's going on.



Brent
Systems Engineer / Consultant
CCNP, CCSP
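The two things this reply tells you to read, the hit counters from `show access-list` and the buffered syslog from `show logging`, are what actually locate where a connection stops. The script below is an added example, not code from the thread or from Cisco: it parses constructed samples of both outputs (the masked public octets from the thread are filled with 0 so the addresses parse, so 87.0.0.77 stands in for 87.X.X.77) and, for a given port, reports whether a connection was denied by the outside ACL (syslog 106023), permitted but dropped for lack of a static (305005), or translated and forwarded inside and then torn down because the inside host never answered the SYN (302013 followed by 302014 with reason "SYN Timeout"). The log lines and hit counts are constructed for the example; on a real PIX 6.3 they come from `logging on` plus `logging buffered debugging`.

```python
"""Parse PIX 'show access-list' hit counts and 'show logging' events to see
where an inbound connection to a given port stops: rejected by the outside
ACL, permitted but with no static to translate it, or forwarded inside and
never answered."""
import re

# Constructed sample output in the PIX 6.3 formats. Masked public octets
# from the thread are filled with 0 (87.0.0.77 = 87.X.X.77, 213.0.0.x = 213.X.X.x).
SAMPLE_ACL_OUTPUT = """\
access-list smtp; 5 elements
access-list smtp line 1 permit icmp any any echo-reply (hitcnt=37)
access-list smtp line 2 permit tcp any host 87.0.0.76 eq smtp (hitcnt=1532)
access-list smtp line 3 permit tcp any host 87.0.0.77 eq 23515 (hitcnt=0)
access-list smtp line 4 permit tcp any host 87.0.0.77 eq 23526 (hitcnt=4)
"""

SAMPLE_LOG = """\
Aug 04 2008 10:12:01 RADAR : %PIX-6-302013: Built inbound TCP connection 4412 for outside:213.0.0.28/40211 (213.0.0.28/40211) to inside:192.168.0.8/23526 (87.0.0.77/23526)
Aug 04 2008 10:12:31 RADAR : %PIX-6-302014: Teardown TCP connection 4412 for outside:213.0.0.28/40211 to inside:192.168.0.8/23526 duration 0:00:30 bytes 0 SYN Timeout
Aug 04 2008 10:13:22 RADAR : %PIX-4-106023: Deny tcp src outside:213.0.0.2/51002 dst outside:87.0.0.77/23515 by access-group "smtp"
Aug 04 2008 10:13:40 RADAR : %PIX-3-305005: No translation group found for tcp src outside:213.0.0.2/51003 dst outside:87.0.0.77/23516
"""

HIT_RE = re.compile(r"^access-list (\S+) line (\d+) (.+?) \(hitcnt=(\d+)\)$")
MSG_RE = re.compile(r"%PIX-(\d)-(\d{6}): (.*)$")
# Matches both "iface:ip/port" and the mapped "(ip/port)" form in 302013 lines.
ENDPOINT_RE = re.compile(r"(?:\w+:|\()(\d+\.\d+\.\d+\.\d+)/(\d+)")
REASON_RE = re.compile(r"bytes \d+ (.+)$")

# What each syslog ID says about how far the packet got through the PIX.
STAGE = {
    "106023": "dropped by the inbound ACL: no permit entry matched",
    "305005": "permitted by the ACL but no static/xlate exists for the destination",
    "302013": "translated and forwarded to the inside host",
    "302014": "connection torn down",
}


def parse_hitcounts(text):
    """Map each ACE (the text after the line number) to its hit count."""
    counts = {}
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            counts[m[3]] = int(m[4])
    return counts


def zero_hit_entries(counts, port):
    """ACEs for `port` that have never matched: nothing for that port has
    reached the outside interface, or an earlier line is winning instead."""
    return [ace for ace, n in counts.items() if f"eq {port}" in ace and n == 0]


def trace_port(log_text, port):
    """Return (source, stage) pairs, in log order, for every event whose
    destination port (real or mapped) is `port`."""
    events = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m or m[2] not in STAGE:
            continue
        endpoints = ENDPOINT_RE.findall(m[3])  # [0] is the source; the rest are mapped/destination
        if not endpoints or port not in {int(p) for _, p in endpoints[1:]}:
            continue
        stage = STAGE[m[2]]
        if m[2] == "302014":
            reason = REASON_RE.search(m[3])
            if reason and reason[1] == "SYN Timeout":
                stage += ": the inside host never completed the handshake"
            elif reason:
                stage += f": {reason[1]}"
        events.append((f"{endpoints[0][0]}/{endpoints[0][1]}", stage))
    return events


if __name__ == "__main__":
    counts = parse_hitcounts(SAMPLE_ACL_OUTPUT)
    for port in (23515, 23516, 23526):
        print(f"port {port}: never-hit ACEs: {zero_hit_entries(counts, port)}")
        for src, stage in trace_port(SAMPLE_LOG, port):
            print(f"  {src}: {stage}")
```

Read the two sources together: a zero hit count on the ACE plus no 106023 for the port means the packets are not arriving at the outside interface at all (upstream routing or the sender), while a 302013 followed by a SYN Timeout teardown means the PIX did its job and the problem is on the inside path, which is where a static that points at a non-existent host would show up.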
 
Thanks Brent, I still seem not to get my head around the routing and have still not been able to resolve the issue.

Originally we were sending traffic to network C with routes configured manually (a batch file with the syntax below) on the server to reach the required IP addresses:
route add 160.43.X.0 mask 255.255.255.0 192.168.0.6
route add 160.43.X.0 mask 255.255.255.0 192.168.0.6

Then from the above server on network B we are connecting to network C using these connections/ports:
160.43.166.x:23515
160.43.94.x:23515
160.43.166.x:23526
160.43.94.x:23526

But now the connection will be fed from outside the office. I would think that the firewall configuration should be similar. Do I need to add a route?
(I don't know the exact syntax, but something like that:)
ip route 160.43.x.0 255.255.255.0 192.168.0.6
ip route 160.43.x.0 mask 255.255.255.0 192.168.0.6

And then there should be port forwarding as well:
23515->160.43.166.x:23515
23516->160.43.94.x:23515
23517->160.43.166.x:23516
23518->160.43.94.x:23516
Something like that (again, not sure about the syntax):
ip nat inside source static tcp 160.43.166.168 23515 interface BVI1 23515
ip nat inside source static tcp 160.43.94.168 23515 interface BVI1 23516
ip nat inside source static tcp 160.43.166.168 23516 interface BVI1 23517
ip nat inside source static tcp 160.43.94.168 23516 interface BVI1 23518

Hope my explanation is clear enough.

 
Post your config - leave out passwords and mask the middle 2 octets of the public IP. Can you also give some sort of diagram of the network and how you want it to work?
We should be able to get this sorted out.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hello Brent,
Find below the config as requested. The diagram is also attached.
We originally had the webserver inside the LAN with IP 192.168.0.9. All we did on the webserver was a batch file with route add commands:

route add 160.43.X.0 mask 255.255.255.0 192.168.0.6
route add 160.43.X.0 mask 255.255.255.0 192.168.0.6

Now, we will be using the 192.168.0.9 server as the backup server.
The new feed will be coming from WAN IPs (213.X.X.28 & 213.X.X.2) to the same 160.43.X.X addresses.

When these feeds come through the firewall, what will they be presented as? Will it be the IP address of the PIX or the source IP? (The reason is that the routers 192.168.0.6 and .7 are not controlled by us, and hence they will need to know the IP to allow access. When we were feeding from 192.168.0.9 they allowed IP 192.168.0.9 access.)
Can I email the diagram, as I cannot attach the file?
Thanks.

PIX Version 6.3(5)
interface ethernet0 100basetx
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
encrypted
hostname RADAR
domain-name bondradar.com
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list smtp permit icmp any any echo-reply
access-list smtp permit icmp any any time-exceeded
access-list smtp permit icmp any any unreachable
access-list smtp permit tcp any host 87.X.X.76 eq smtp
access-list smtp permit tcp any host 87.X.X.76 eq https
access-list smtp permit tcp any host 213.X.X.28 eq 23515
access-list smtp permit tcp any host 213.X.X.28 eq 23526
access-list smtp permit tcp any host 213.X.X.2 eq 23526
access-list smtp permit tcp any host 213.X.X.2 eq 23515
access-list smtp permit tcp any host 87.X.X.77 eq 23515
access-list smtp permit tcp any host 87.X.X.77 eq 23526
access-list 102 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip any 10.0.0.0 255.255.255.224
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging history debugging
logging device-id hostname
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 87.X.X.77 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.0.0.10-10.0.0.25
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 87.X.X.78
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 87.X.X.77 23515 192.168.0.8 23515 netmask 255.255.255.255 0 0
static (inside,outside) tcp 87.X.X.77 23526 192.168.0.8 23526 netmask 255.255.255.255 0 0
static (inside,outside) 87.X.X.76 192.168.0.5 netmask 255.255.255.255 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 87.X.X.78 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 192.168.0.5 xxxxxxxx timeout 5
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 192.168.0.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set strongdes esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 match address outside_cryptomap_dyn_10
crypto dynamic-map dynmap 10 set transform-set strongdes
crypto map partner-map 65535 ipsec-isakmp dynamic dynmap
crypto map partner-map client authentication partnerauth
crypto map partner-map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup radar address-pool ippool
vpngroup radar dns-server 192.168.0.5
vpngroup radar wins-server 192.168.0.5
vpngroup radar default-domain
vpngroup radar idle-time 1800
vpngroup radarr password ********
vpngroup default-domain idle-time 86400
telnet 192.168.0.0 255.255.255.255 inside
telnet 192.168.0.65 255.255.255.255 inside
telnet 192.168.0.5 255.255.255.255 inside
telnet 192.168.0.10 255.255.255.255 inside
telnet 192.168.0.9 255.255.255.255 inside

telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

 
Did you ever get the diagram uploaded?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hello Brent,
I am sorry, I have been off sick for a while. I will upload the diagram later today.
 
They should be presented as their own IPs - 213.x.x.x

Do you have multiple external IPs? The static mappings cannot be load balanced.

What I suggest is that you put the VPN client on the external server and have it VPN to the PIX. Then add the internal routes to the interesting traffic on the PIX, and that should be a better hookup than what you have going. Then you can add the redundant routes to your server.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi Brent,
Any possibility of suggesting command lines?
I have done routing inside to the external IP addresses, and static routes to these IP addresses. I have also created an access-list allowing these WAN IP addresses access via the ports.
How do I also trace to find out if the access is reaching the firewall, and what happens when it reaches the firewall?
 
To check: the packet tracer (CLI and ASDM).

To enable logging:
logging enable
logging timestamp
logging device-id hostname
logging buffered debugging
logging history debugging
logging buffer-size 40960

Then to view:
sho logg

And check the hit counts on your ACLs:
sho access-list


Now, for the outside ACL, these lines don't belong:
access-list smtp permit tcp any host 213.X.X.28 eq 23515
access-list smtp permit tcp any host 213.X.X.28 eq 23526
access-list smtp permit tcp any host 213.X.X.2 eq 23526
access-list smtp permit tcp any host 213.X.X.2 eq 23515

The outside ACL just allows access to the IPs the PIX controls - 87.x.x.x.

The static mapping
static (inside,outside) tcp 87.X.X.77 23515 192.168.0.8 23515 netmask 255.255.255.255 0 0
points to 192.168.0.8. There is no .8 on your network diagram.

Let me know what the log, tracer and ACL counts say about the traffic.


Brent
Systems Engineer / Consultant
CCNP, CCSP
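The two problems this reply spots by eye (inbound ACEs whose destination is a 213.X.X.x address the PIX does not hold, and a static PAT whose inside host is not on the diagram) are both mechanical consistency checks, and a third one belongs with them: an ACE that permits a port for which no static exists lets the packet through the ACL only for it to be dropped untranslated. The script below is an added example, not code from the thread or from Cisco. It parses a constructed excerpt of the config posted above (masked public octets filled with 0, so 87.0.0.77 stands for 87.X.X.77 and 213.0.0.x for 213.X.X.x; the ACL and static lines are otherwise as posted) and reports every ACE, static and PIX-owned address that disagrees with the others. The set of known inside hosts is assumed from the addresses named in the thread, since the diagram itself is not on the page.

```python
"""Cross-check a PIX 6.3 config: every inbound ACE must point at an address
the PIX itself holds on the outside interface, every permitted port needs a
static to translate it, and every static must land on a real inside host."""
import re

# Constructed excerpt of the config posted in the thread, masked octets
# filled with 0 (87.0.0.x = 87.X.X.x, 213.0.0.x = 213.X.X.x).
SAMPLE_CONFIG = """\
access-list smtp permit icmp any any echo-reply
access-list smtp permit tcp any host 87.0.0.76 eq smtp
access-list smtp permit tcp any host 87.0.0.76 eq https
access-list smtp permit tcp any host 213.0.0.28 eq 23515
access-list smtp permit tcp any host 213.0.0.28 eq 23526
access-list smtp permit tcp any host 213.0.0.2 eq 23526
access-list smtp permit tcp any host 213.0.0.2 eq 23515
access-list smtp permit tcp any host 87.0.0.77 eq 23515
access-list smtp permit tcp any host 87.0.0.77 eq 23526
ip address outside 87.0.0.77 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 interface
global (outside) 1 87.0.0.78
static (inside,outside) tcp 87.0.0.77 23515 192.168.0.8 23515 netmask 255.255.255.255 0 0
static (inside,outside) tcp 87.0.0.77 23526 192.168.0.8 23526 netmask 255.255.255.255 0 0
static (inside,outside) 87.0.0.76 192.168.0.5 netmask 255.255.255.255 0 0
access-group smtp in interface outside
"""

# Assumed from the inside addresses named in the thread (the diagram is not on the page).
KNOWN_INSIDE_HOSTS = {"192.168.0.5", "192.168.0.6", "192.168.0.7",
                      "192.168.0.9", "192.168.0.10", "192.168.0.65"}

ACE_RE = re.compile(r"^access-list (\S+) permit (\S+) .+? host (\S+)(?: eq (\S+))?$")
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (?:(tcp|udp) )?(\S+) (?:(\d+) )?(\S+)(?: (\d+))? netmask")
IFACE_RE = re.compile(r"^ip address (\w+) (\S+) \S+$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) \d+ (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


def parse_config(text):
    """Pull out the statements the audit needs; everything else is ignored,
    including ACEs without a 'host' destination such as the icmp ones."""
    cfg = {"aces": [], "statics": [], "ifaces": {}, "globals": {}, "groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            cfg["aces"].append({"acl": m[1], "proto": m[2], "dst": m[3], "port": m[4]})
        elif m := STATIC_RE.match(line):
            cfg["statics"].append({"real_if": m[1], "mapped_if": m[2], "proto": m[3],
                                   "mapped": m[4], "mport": m[5], "real": m[6], "rport": m[7]})
        elif m := IFACE_RE.match(line):
            cfg["ifaces"][m[1]] = m[2]
        elif m := GLOBAL_RE.match(line):
            cfg["globals"].setdefault(m[1], set()).add(m[2])
        elif m := GROUP_RE.match(line):
            cfg["groups"][m[2]] = m[1]
    return cfg


def pix_owned_addresses(cfg, iface):
    """Addresses the PIX answers for on `iface`: the interface IP, the PAT
    globals, and the mapped side of every static toward that interface."""
    own = {cfg["ifaces"][iface]}
    for g in cfg["globals"].get(iface, ()):
        own.add(cfg["ifaces"][iface] if g == "interface" else g)
    own.update(s["mapped"] for s in cfg["statics"] if s["mapped_if"] == iface)
    return own


def audit(cfg, iface="outside", known_hosts=KNOWN_INSIDE_HOSTS):
    """Return human-readable findings; an empty list means the ACL, statics
    and interface addresses all agree with each other."""
    findings = []
    owned = pix_owned_addresses(cfg, iface)
    aces = [a for a in cfg["aces"] if a["acl"] == cfg["groups"].get(iface)]
    pat = {(s["proto"], s["mapped"], s["mport"]) for s in cfg["statics"] if s["proto"]}
    one_to_one = {s["mapped"] for s in cfg["statics"] if not s["proto"]}
    for a in aces:
        if a["dst"] not in owned:
            findings.append(f"ACE to host {a['dst']} eq {a['port']}: not an address the PIX "
                            f"holds on {iface}, so it can never match inbound traffic")
        elif a["dst"] not in one_to_one and (a["proto"], a["dst"], a["port"]) not in pat:
            findings.append(f"ACE permits {a['proto']}/{a['port']} to {a['dst']} but no "
                            f"static translates it; permitted packets are dropped untranslated")
    for s in cfg["statics"]:
        if s["real"] not in known_hosts:
            findings.append(f"static {s['mapped']}:{s['mport'] or '*'} maps to {s['real']}, "
                            f"which is not a host named on the network diagram")
        if not any(a["dst"] == s["mapped"] and (not s["proto"] or a["port"] == s["mport"])
                   for a in aces):
            findings.append(f"static {s['mapped']}:{s['mport'] or '*'} has no ACE permitting "
                            f"inbound traffic to it")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```

On the posted config this yields six findings: the four 213.X.X.x ACEs, which sit on an interface that only ever sees packets addressed to 87.X.X.76, .77 or .78, and the two statics pointing at 192.168.0.8. The check reflects the rule this reply states: an ACL applied inbound on the outside interface is evaluated against the pre-translation destination, so its host entries must be addresses the PIX owns there.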
 
Thanks Brent,
Please can you advise how you would set the command lines from the diagram, to allow traffic coming from the WAN link to the destination infrastructure via the routers with 192.168.0.6 and 192.168.0.7.

Regards.
 
Do you want the VPN or try and do it with the static mappings?

Brent
Systems Engineer / Consultant
CCNP, CCSP
 