Cisco Pix Router and VPN

JJBean1

IS-IT--Management
Sep 30, 2004
Hi,

We put in a Cisco Pix router about 6 months ago and it worked getting us connected to the net. Now I have a user who wants to connect from home but can't connect to the server. Here's what I have tried so far and just to warn you, I'm a noob when it comes to dealing with setting up this Pix router. Ok. Here's the lay of the land.

Internet <-> Cable Modem "Satellite" <-> Cisco Pix Firewall Router <-> Small Business 2003 server <-> our internal net.

SBS 2003 has Exchange 2003 on it that uses what is called OWA - Outlook Web Access. You are supposed to be able to access the server through the internet using port 80, which is the regular internet access port. So when at home if I supply the IP address I would get right into the server and access email if I supply credentials. But every time I try this I get a cannot access server in trying to connect to server. Ok so I don't know why this doesn't work. Now I tried disconnecting the firewall and going directly to the server from the cable modem but I got the same error when I tried using VPN to access the server or even trying the internet direct access way. I have a feeling that it may be an IP issue. I went to whatsmyip.com and what it reported was my IP is different than the static one that Direcway "satellite" is telling me it is. Anyway I tried both IPs but get the same error "Unable to connect".
Not quite sure why so I'll talk to them next but I am wondering how can I tell if VPN is setup correctly on the PIX router? I need some sort of guide as to check that VPN is enabled on the pix and if not how to enable. Sorry for my ramblings.

Thanks,

JJ
 
Is the server actually between the firewall and your network, or is it simply connected to your network? That's not a big issue, but could come into play if it's supporting two network interfaces.

Posting your Pix configuration would be helpful. What kind of VPN client are you using? Is the VPN client connecting to the Pix or to the server?

Note that forum35 is dedicated to the Pix, and you'll probably get a lot more help there. Even though they both come from Cisco, the Pix and router product lines are different.
 
Yes, the server is between the firewall and the network. The server uses 2 NIC cards. The client is just Win XP Pro using MS's VPN connection client. I am totally new to the PIX so how do I get the current configuration from the Pix? I know to use HyperTerminal and connect by console but don't know the commands to issue to the PIX 506E.

Thanks for replying,

JJ
 
"enable" gets you the ability to configure the unit. Then "show run" will display the current running configuration.
 
Hi Lgarner,

Ok I think I know what my problem is. In my first post I showed you the layout:

Internet <-> Cable Modem "Satellite" <-> Cisco Pix Firewall Router <-> Small Business 2003 server <-> our internal net.

Well that's not exactly true. It is this:

Internet <-> Cable Modem "Satellite" <-> Cisco Pix Firewall Router <-> Switch <-> Small Business 2003 server <-> our internal net.

There is a switch in between the Pix and the server. I think that is where my problem is. When I give the IP address to the cable modem it doesn't know where to go from there because the cable modem dishes out DHCP and new IPs to the server. So I tried just connecting the Pix directly to the server's NIC and it wouldn't work, it needs a switch or router to connect to. So I'm thinking that I should put a cable/DSL router in place of the switch and port forward the IP to the server. What do you think? Do you have a better solution for this?

Thanks,

JJ
 
Oh also here's the config for the PIX that you requested:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd
encrypted
hostname xxxxxxxxx
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ra
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outside_acl_inbound permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.255.255.0 inside
pdm logging inform
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_acl_inbound in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

hope this helps,

JJ
 
lgarner,

I found this and was wondering if this will work for configuring the PIX to forward the static IP address for the cable modem and correlate it to the server's assigned IP address. Take a look at it and let me know if this is possible. I would port forward 1723 and GRE Protocol 47 from the router to the external NIC of the server. Is the article below going to help in port forwarding? If not, how do I do this?

Thanks,
JJ

Incoming Connections NAT Configuration
It is possible to dedicate a single public IP address to a single server on your home network. This is called one-to-one NAT.

Here we allow the firewall to handle traffic to a second IP address, namely 97.158.253.26. We then allow all incoming traffic to be forwarded to the protected web server which has an IP address of 192.168.1.100. Only DNS (Port 53) traffic is allowed to access it via an access control list applied to the outside interface.

access-list inbound permit icmp any any
access-list inbound permit tcp any host 97.158.253.26 eq www
access-list inbound permit tcp any host 97.158.253.26 eq 53
access-list inbound permit udp any host 97.158.253.26 eq 53
access-group inbound in interface outside
static (inside,outside) 97.158.253.26 192.168.1.100 netmask 255.255.255.255 0 0

Once configured, you will be able to hit your webserver using the firewall's outside interface's IP address as the destination. eg: Remember, it's not possible to hit your firewall's public NAT IP address from servers on your home network. You'll have to ask a friend to check it out.
 
Hmm, try adding:
static (inside,outside) yourpublicip 192.168.1.1 netmask 255.255.255.255 0 0
no fixup protocol pptp 1723
access-list outside_acl_inbound permit gre any host yourpublicip
access-list outside_acl_inbound permit tcp any host yourpublicip eq pptp
access-list outside_acl_inbound permit tcp any host yourpublicip eq www

just out of curiosity, are emails coming into your MS Exchange ?

I think you also need:
no fixup protocol smtp 25
access-list outside_acl_inbound permit tcp any host yourpublicip eq smtp

And finally:
wr mem

GRE and PPTP are your VPN
SMTP is for your inbound mail
for your inbound connection to OWA

Good luck.
 
Yes, email is coming to our Exchange server, but after the PIX firewall I have a basic switch before it goes to the server. So I need to tell the PIX the server IP to basically forward everything to the server. Does the script that you wrote handle that?

Thanks,

JJ
 
Can anyone help me here ?

Thanks,

JJ
 

Hi lgarner,

Need your help plz. :(

Thanks,

JJ
 
The switch isn't an issue. I expect that the IP address of the server and that of the Pix are on the same network (i.e. they're both 192.168.1.something).

AKWong's configuration is right, as far as I can tell. Substitute your server's IP address (facing the Pix) where he put 192.168.1.1. Then http, mail, and MS VPN traffic should be sent to your server. Everything else will bounce.

For testing you'll also want "access-list inbound permit icmp any any echo-reply" so you can ping out. Inbound pings will still be blocked.
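Added example, not from the thread or from Cisco: a small Python check, run against a constructed config modelled on JJ's posted PIX 6.3 config with AKWong's lines applied, that verifies the one-to-one static and the outside ACL from AKWong's post and flags the mistake lgarner points out (a static aimed at the Pix's own inside address instead of the server). The public address 203.0.113.10 and the server address 192.168.1.10 are assumed placeholders.

```python
import re

# Constructed sample, modelled on the PIX 6.3 config JJ posted with AKWong's lines
# applied. 203.0.113.10 stands in for "yourpublicip" and 192.168.1.10 for the
# server's Pix-facing address; both are assumed values, not from the thread.
SAMPLE_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
no fixup protocol pptp 1723
no fixup protocol smtp 25
access-list outside_acl_inbound permit icmp any any
access-list outside_acl_inbound permit gre any host 203.0.113.10
access-list outside_acl_inbound permit tcp any host 203.0.113.10 eq pptp
access-list outside_acl_inbound permit tcp any host 203.0.113.10 eq www
access-list outside_acl_inbound permit tcp any host 203.0.113.10 eq smtp
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
access-group outside_acl_inbound in interface outside
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask 255\.255\.255\.255")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) any host (\S+)(?: eq (\S+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")
INSIDE_IP_RE = re.compile(r"^ip address inside (\S+)")
# Services the thread opens towards the server: VPN (gre, pptp), OWA (www), mail (smtp)
WANTED = ("gre", "tcp/pptp", "tcp/www", "tcp/smtp")

def check_forwarding(config, public_ip, server_ip):
    """Report whether the one-to-one static and the outside ACL forward the wanted
    services to server_ip, and flag a static aimed at the Pix's own inside address
    (lgarner's correction to the template's 192.168.1.1)."""
    lines = [ln.strip() for ln in config.splitlines()]
    statics, permits, outside_acl, inside_ip = {}, set(), None, None
    for ln in lines:
        if m := STATIC_RE.match(ln):
            statics[m.group(1)] = m.group(2)          # public -> inside mapping
        elif m := GROUP_RE.match(ln):
            outside_acl = m.group(1)                  # ACL bound to the outside interface
        elif m := INSIDE_IP_RE.match(ln):
            inside_ip = m.group(1)
    for ln in lines:
        m = ACL_RE.match(ln)
        if m and m.group(1) == outside_acl and m.group(3) == public_ip:
            permits.add(f"{m.group(2)}/{m.group(4)}" if m.group(4) else m.group(2))
    return {
        "static_ok": statics.get(public_ip) == server_ip,
        "static_targets_pix": inside_ip is not None and statics.get(public_ip) == inside_ip,
        "acl_applied": outside_acl is not None,
        "missing_permits": [w for w in WANTED if w not in permits],
        "pptp_fixup_disabled": "no fixup protocol pptp 1723" in lines,
    }
```

Paste the output of "show run" in place of SAMPLE_CONFIG to check a real unit; any entry in missing_permits or a True static_targets_pix means the inbound path to the server is not complete.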

 
Ok so all I have to do is log in to the Pix and type in the lines in AKWong's post, substituting the static IP address from the ISP for yourpublicip and the server's IP for the 192.168.1.1 address, correct?

Thanks,

JJ
 
That's what I have for all my Pix Firewalls and it works fine for me.
 