
Cisco Pix blocking anything even with ip any any


jonas21 (Technical User)
Nov 27, 2002
Heya,

I am rather new to PIX; I just got a 525 temporarily from a friend.

The scenario:

Network X.X.144.0/24
Outside world gateway: X.X.144.254
Inside hosts: X.X.144.*
What i want to have:
PIX allowing all inside hosts to connect to the outside world and vice versa. I want to allow all connections in and out and be able to block things on a per-rule basis.
I do not want to have anyone see the pix via traceroute etc.
Inside hosts have X.X.144.10 as default gateway set.

What works right now:
traceroute from an inside host to anything outside
traceroute from an outside host to an inside host (144.151)

What doesnt work:
anything besides traceroute ;(


My config:
: Saved
: Written by enable_15 at 09:39:35.909 UTC Thu Nov 28 2002
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
enable password XXX encrypted
passwd XXX encrypted
hostname XXX
domain-name xxx.xxx
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol ftp 21
no fixup protocol http 80
names
access-list outside permit tcp any any
access-list outside permit udp any any
access-list outside permit icmp any any
access-list outside permit ip any any
access-list inside permit tcp any any
access-list inside permit udp any any
access-list inside permit icmp any any
access-list inside permit ip any any
pager lines 24
logging buffered debugging
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside X.X.144.2 255.255.255.248
ip address inside X.X.144.10 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
pdm history enable
arp timeout 14400
access-group outside in interface outside
access-group inside in interface inside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 X.X.144.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server login-radius protocol radius
snmp-server location XXX
snmp-server contact XXX
snmp-server community XXX
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 15
ssh timeout 5
terminal width 80

I would appreciate any suggestions/help.

Thanks,
Jonas
 
You need a nat 0 statement to allow the inside network to see the outside world. Like this:
nat (inside) 0 X.X.144.0 255.255.255.0
You could also replace the "X.X.144.0 255.255.255.0" portion with "access-list <whatever>"

Next, you may wish to allow telnet access to the pix from the inside, either a single host, or the entire subnet:
telnet X.X.144.Y 255.255.255.255 inside
or
telnet X.X.144.0 255.255.255.0 inside

More importantly, your internal network is wide open. Unless you have servers you want the outside world to have access to (www, email, etc.), get rid of your access-lists.

There are several examples in this forum on how to open the firewall up for your public servers if you have any.

hope this helps,
-gbiello
 
Thanks for the help.
I just used those commands and now I can telnet to the PIX from inside, but I still can't access any port on an inside server from outside. Nor can I connect from inside to any port outside (TCP).

Jonas
 
Update: my statement was incorrect.
It's only blocking TCP now.
access-list outside permit tcp any any
access-list outside permit udp any any
access-list outside permit icmp any any
access-list outside permit ip any any
access-list inside permit tcp any any
access-list inside permit udp any any
access-list inside permit icmp any any
access-list inside permit ip any any

But it still drops all TCP connections.

Jonas
 
This is starting to get really strange. I have set a specific access-list for the .151 test host; even that doesn't work.
Everything except TCP connections works fine. This smells like a PIX OS bug to me.
 
HI.

> ip address outside X.X.144.2 255.255.255.248
> ip address inside X.X.144.10 255.255.255.0
The PIX is not designed to work with overlapping subnets.
It needs a different subnet on each interface.

> logging buffered debugging
Syslog messages are very good for troubleshooting.
You might need the following additional command to get it working:
logging on

If you get too many messages (if this is in production), then lower the logging level to 4.

You can also view syslog messages in real time on a telnet console:
logging on
logging monitor 4
terminal monitor

Bye
Yizhar Hurwitz
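The two replies above point at three separate defects in the posted config: no nat statement at all (gbiello), an outside /29 that sits inside the inside /24 (Yizhar), and logging destinations configured without "logging on" (Yizhar), plus the inbound "permit ip any any" that leaves the inside open. The following is an added example, not code from this thread or from Cisco: a small linter that parses a PIX 6.x config, reports those four conditions, and derives the "nat (inside) 0" line from the inside interface's own subnet. The embedded config is the relevant lines of jonas21's post with the redacted "X.X" prefix replaced by the documentation prefix 192.0.2 (an assumption); interfaces marked "shutdown" are ignored in the overlap check so the two 127.0.0.1/32 placeholders do not trigger it.

```python
"""Lint a PIX 6.x config for the problems raised in the thread (added example)."""
import ipaddress

# Constructed sample: the relevant lines of the posted PIX 6.2(2) config. The redacted
# "X.X" prefix is replaced by the documentation prefix 192.0.2 (an assumption).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
access-list outside permit tcp any any
access-list outside permit ip any any
access-list inside permit ip any any
logging buffered debugging
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
ip address outside 192.0.2.2 255.255.255.248
ip address inside 192.0.2.10 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
"""


def parse_config(text):
    """Pull the interface, ACL, NAT and logging statements out of a PIX 6.x config."""
    cfg = {"interfaces": {}, "acls": {}, "access_groups": {}, "nat": [],
           "logging": set(), "shutdown": set()}
    phys_to_name = {}
    shut_phys = set()
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0] == ":":          # blank lines and ": Saved" comments
            continue
        if parts[0] == "nameif" and len(parts) == 4:
            phys_to_name[parts[1]] = parts[2]      # nameif ethernet0 outside security0
        elif parts[0] == "interface" and "shutdown" in parts:
            shut_phys.add(parts[1])                # interface ethernet2 auto shutdown
        elif parts[:2] == ["ip", "address"] and len(parts) == 5:
            # ip address <ifname> <addr> <dotted mask>; ipaddress accepts dotted masks
            cfg["interfaces"][parts[2]] = ipaddress.ip_interface(f"{parts[3]}/{parts[4]}")
        elif parts[0] == "access-list" and len(parts) > 2:
            cfg["acls"].setdefault(parts[1], []).append(parts[2:])
        elif parts[0] == "access-group" and len(parts) == 5:
            cfg["access_groups"][parts[4]] = parts[1]   # access-group <acl> in interface <if>
        elif parts[0] == "nat":
            cfg["nat"].append(" ".join(parts))
        elif parts[0] == "logging":
            cfg["logging"].add(" ".join(parts[1:]))
    cfg["shutdown"] = {phys_to_name.get(p, p) for p in shut_phys}
    return cfg


def overlapping_interfaces(cfg):
    """Pairs of non-shutdown interfaces whose subnets overlap; PIX needs distinct subnets."""
    active = {n: i.network for n, i in cfg["interfaces"].items() if n not in cfg["shutdown"]}
    names = sorted(active)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if active[a].overlaps(active[b])]


def missing_nat(cfg):
    """True when there is no nat statement at all, so inside hosts get no translation."""
    return not cfg["nat"]


def logging_not_enabled(cfg):
    """True when logging destinations are configured but 'logging on' is absent."""
    return bool(cfg["logging"]) and "on" not in cfg["logging"]


def wide_open_inbound(cfg):
    """True when the ACL bound inbound on 'outside' contains 'permit ip any any'."""
    acl = cfg["access_groups"].get("outside")
    return any(e[:4] == ["permit", "ip", "any", "any"] for e in cfg["acls"].get(acl, []))


def suggested_fixes(cfg):
    """Config lines that address the findings, derived from the parsed interfaces."""
    fixes = []
    if missing_nat(cfg) and "inside" in cfg["interfaces"]:
        net = cfg["interfaces"]["inside"].network
        fixes.append(f"nat (inside) 0 {net.network_address} {net.netmask}")
    if logging_not_enabled(cfg):
        fixes.append("logging on")
    if wide_open_inbound(cfg):
        fixes.append("no access-group outside in interface outside")
    return fixes


def lint(text):
    """Return one human-readable finding per detected problem."""
    cfg = parse_config(text)
    findings = []
    for a, b in overlapping_interfaces(cfg):
        findings.append(f"overlapping subnets on {a} ({cfg['interfaces'][a].network}) "
                        f"and {b} ({cfg['interfaces'][b].network})")
    if missing_nat(cfg):
        findings.append("no nat statement: inside hosts cannot reach the outside")
    if logging_not_enabled(cfg):
        findings.append("logging configured but 'logging on' missing")
    if wide_open_inbound(cfg):
        findings.append("outside ACL permits ip any any inbound")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("FINDING:", finding)
    for line in suggested_fixes(parse_config(SAMPLE_CONFIG)):
        print("FIX:", line)
```

The overlap finding is the one no nat or ACL change will cure: with the outside address carved out of the same /24 the inside hosts live in, the PIX cannot decide which interface owns 192.0.2.0/24, so the linter lists it first. The suggested "no access-group" line restores the default posture of a PIX (nothing inbound on a lower-security interface unless a static and an ACL entry explicitly allow it), which is what gbiello's "get rid of your access-lists" amounts to.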
 