
I know nothing about PIX but need some help

Status
Not open for further replies.

puckslinger

Technical User
Nov 15, 2004
41
US
Hello,

My boss dropped another project on me that I know nothing about.
I need to set up a rule for my PIX 506E that will allow anyone from outside to access TermServ inside. I have looked around and used the PDM, but it doesn't work at all. Can someone help me out? Right now the config on the PIX is the out-of-the-box setup with only the public and private IPs assigned.


Thanks,


Puck
 
Try this:

I'm assuming you already set up your
global (outside)
static (DMZ1,outside) x.x.x.x(outside) x.x.x.x(DMZ address) netmask 255.255.255.255 0 0

Ideally, you want to put your term server on the DMZ.

This will permit telnet to your inside network on a per host basis:

conduit permit tcp host x.x.x.x eq 23 any
The x.x.x.x is your outside address you're NATting to.

telnet x.x.x.x(DMZ ip) 255.255.255.255 inside
(telnet from the internal network)


L.S.
 
I'm sorry, I'm not following you....


Here is my run:


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.20.2.244 255.255.255.0
ip address inside 192.168.1.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.20.2.4 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:cd0f2931a2a1328862351cea815cf11c
: end
 
I have zero knowledge of PIX or anything more than ZoneAlarm... so I know holding my hand or pointing me in the direction of some idiot-proof steps would be the way for me.


Thanks for the quick response
 
What is your IP address for the term server, the inside and outside address? This will make it easier.

L.S.
 
Inside we can make it anything, it's not in place yet, so let's go with 192.168.1.51; outside 172.20.2.245.

 
What is the IP address you want to assign to the term server? Pick an address on the 192.168.1.x network. And you only have 1 IP address from the outside, correct?

L.S.
 
.51 will work for the term server. And to my knowledge, yes, we will have 1 public IP.
 
Here is the config then, try it.

1st: global (outside) 1 172.20.2.245 netmask 255.255.255.0

2nd: nat (inside) 1 192.168.1.0 255.255.255.0 0 0
3rd: nat (DMZ1) 1 172.20.2.0 255.255.255.0 0 0

4th: static (DMZ1,outside) 172.20.2.245 192.168.1.51 netmask 255.255.255.255 0 0

5th: conduit permit tcp host 172.20.2.245 eq 23 any
6th: telnet 192.168.1.51 255.255.255.255 inside

Let me know how it goes.

L.S.
 
If you have only 1 public IP address registered to your internet service, you would then want to ask for another IP address or use the same one, 172.20.2.244. It's up to you.
 
Oh, yeah, make this change.

3rd: nat (inside) 1 172.20.2.0 255.255.255.0 0 0

4th: static (inside,outside) 172.20.2.245 192.168.1.51 netmask 255.255.255.255 0 0

5th: conduit permit tcp host 172.20.2.245 eq 23 any
6th: telnet 192.168.1.51 255.255.255.255 inside
 
You don't have another interface, so you can skip
3rd: nat (inside) 1 172.20.2.0 255.255.255.0 0 0
 
With #4 I get WARNING: static overlaps with global (outside) 1 172.20.2.245
but it does go in.
 
Here is the new run:


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.20.2.244 255.255.255.0
ip address inside 192.168.1.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 172.20.2.245 netmask 255.255.255.0
nat (inside) 1 172.20.2.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.20.2.245 192.168.1.51 netmask 255.255.255.255 0 0
conduit permit tcp host 172.20.2.245 eq telnet any
route outside 0.0.0.0 0.0.0.0 172.20.2.4 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.51 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd dns 64.105.199.74 64.105.159.250
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:cd0f2931a2a1328862351cea815cf11c
: end
 
Remove the following line:

nat (inside) 1 172.20.2.0 255.255.255.0 0 0

do a:

no nat (inside) 1 172.20.2.0 255.255.255.0 0 0

Since you only have 1 IP address to the outside, it would be .244, not .245:

static (inside,outside) 172.20.2.244 192.168.1.51 netmask 255.255.255.255 0 0
conduit permit tcp host 172.20.2.244 eq telnet any
 
OK, so that changes .245 to .244, allowing connections from .244 to .51... right?
 
Please don't use the conduit command. It's not supported anymore anyway.

create your static:

static (inside,outside) ooo.ooo.ooo.ooo iii.iii.iii.iii netmask 255.255.255.255


ooo = outside IP
iii = inside IP

access-list acl_outside permit tcp any host ooo.ooo.ooo.ooo eq 3389

access-group acl_outside in interface outside

 
Dear network Ghost, he wants to telnet into the term server. Why did you put 3389? That is Windows Remote Desktop. Telnet is TCP port 23.

L.S.
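Putting the thread's pieces together, here is an added example (not a configuration any poster supplied) of the PIX 6.3 commands that publish TCP/23 on the single public address 172.20.2.244 and forward it to the term server at 192.168.1.51, using an access-list instead of conduit. It assumes the only public address is the outside interface's own, so it uses the port-redirection form of static (tcp interface) rather than the full-address static from the thread; the acl_outside name is taken from network Ghost's reply.

```text
: Added example, not from the thread: publish TCP/23 on the outside
: interface address and forward it to the term server (PIX 6.3 syntax).
: Assumption: 172.20.2.244 is the only public address and is the outside
: interface IP, so port redirection is used instead of a full-address static.

: 1. Keep the out-of-the-box PAT for the inside LAN.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: 2. Remove the lines added during the thread that produced the
:    "static overlaps with global" warning, plus the deprecated conduit.
no static (inside,outside) 172.20.2.245 192.168.1.51 netmask 255.255.255.255 0 0
no conduit permit tcp host 172.20.2.245 eq telnet any
no global (outside) 1 172.20.2.245 netmask 255.255.255.0
no nat (inside) 1 172.20.2.0 255.255.255.0 0 0
no nat (inside) 1 192.168.1.0 255.255.255.0 0 0

: 3. Redirect inbound TCP/23 on the outside interface address to .51.
static (inside,outside) tcp interface 23 192.168.1.51 23 netmask 255.255.255.255 0 0

: 4. Permit it with an access-list bound inbound on outside. 'any' is the
:    requirement stated in the thread; narrowing the source to the networks
:    that actually need telnet is the first tightening to make, since
:    telnet carries the logon credentials in clear text.
access-list acl_outside permit tcp any host 172.20.2.244 eq 23
access-group acl_outside in interface outside

: 5. Existing translations must be cleared before the new static is used.
clear xlate

: Note: "telnet 192.168.1.51 255.255.255.255 inside" from the thread only
: controls which hosts may telnet to the PIX itself; it plays no part in
: reaching the term server.

: 6. Verify the static, then watch the ACL hit counter during a test connect.
show static
show access-list acl_outside
```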
 