PIX 501 access issues

[gavin77]

Hi everyone,

Please help, I need to make some config changes to our 501, have been trying to get external access to one server from one ip for some remote support to 3rd party stuff, in trying to get this up and running I have also lost the ability to ping from inside the PIX to the internet, I'm sure its something simple! I've been inputting commands in via telnet, our curreent configs below (this does still show some of the commands I have entered / removed

nb - the external ip I need to give access to server internal addy - 10.99.3.4 is 195.50.80.2 and port udp 4403 is the port to be used,

sheffpix# show config
: Saved
: Written by enable_15 at 14:13:31.470 UTC Fri Dec 8 2006
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NhJomtAXSYZ.qZxg encrypted
passwd NhJomtAXSYZ.qZxg encrypted
hostname sheffpix
domain-name snacksdirect.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.99.26.245 Gary
name 10.99.3.1 sh-nt-01
name 10.99.25.105 raeserver
name 10.99.25.106 TServer
name 10.99.25.102 mailsweeper
name 10.99.3.2 new_server
name 10.99.26.238 Gavin
name 10.99.26.133 John
name 10.99.26.117 RAT
name 10.99.25.243 HR
name 10.99.3.4 sh-ex-01
object-group service Oncore tcp-udp
description Remote access for online backup solution
port-object range 4403 4403
access-list inside_access_in permit ip host sh-ex-01 any
access-list inside_access_in permit ip host Gary any
access-list inside_access_in permit ip host Gavin any
access-list inside_access_in permit ip host new_server any
access-list inside_access_in permit ip host HR any
access-list inside_access_in permit ip host sh-nt-01 any
access-list inside_access_in permit ip host raeserver any
access-list inside_access_in permit ip host TServer any
access-list inside_access_in permit ip host John any
access-list inside_access_in permit ip host RAT any
access-list inside_access_in permit icmp any any
access-list outside_to_in permit icmp any any
access-list outside_to_in permit tcp any host 80.229.196.113 eq smtp
access-list nonat permit ip 10.99.0.0 255.255.0.0 host 172.31.254.5
access-list nonat permit ip 10.100.0.0 255.255.0.0 172.31.254.0 255.255.255.252
access-list nonat permit ip 10.100.0.0 255.255.0.0 host 172.31.254.5
access-list nonat permit ip 10.99.0.0 255.255.0.0 172.31.254.0 255.255.255.0
access-list splitunnel permit ip 10.99.0.0 255.255.0.0 172.31.254.0 255.255.255.
252
access-list splitunnel permit ip 10.99.0.0 255.255.0.0 host 172.31.254.5
access-list splitunnel permit ip 10.100.0.0 255.255.0.0 172.31.254.0 255.255.255
.252
access-list splitunnel permit ip 10.100.0.0 255.255.0.0 host 172.31.254.5
access-list outbound permit icmp any any
access-list inbound permit tcp any host 192.50.80.2 eq www
access-list inbound permit tcp any host 165.50.80.2 eq www
access-list inbound permit tcp any host 195.80.50.2 eq 4403
access-list inbound permit udp any host 195.0.0.50
pager lines 24
logging on
logging buffered informational
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 80.229.196.114 255.255.255.248
ip address inside 10.99.25.103 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 172.31.254.1-172.31.254.8
pdm location Gary 255.255.255.255 inside
pdm location 10.100.0.0 255.255.0.0 inside
pdm location 10.99.99.0 255.255.255.252 outside
pdm location 10.99.99.5 255.255.255.255 outside
pdm location 172.31.254.0 255.255.255.252 outside
pdm location 172.31.254.5 255.255.255.255 outside
pdm location 10.99.26.241 255.255.255.255 inside
pdm location 10.99.26.0 255.255.255.0 inside
pdm location mailsweeper 255.255.255.255 inside
pdm location sh-nt-01 255.255.255.255 inside
pdm location raeserver 255.255.255.255 inside
pdm location TServer 255.255.255.255 inside
pdm location 80.242.41.146 255.255.255.255 inside
pdm location 80.242.41.146 255.255.255.255 outside
pdm location 172.31.254.0 255.255.255.0 outside
pdm location 195.166.140.163 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location new_server 255.255.255.255 inside
pdm location Gavin 255.255.255.255 inside
pdm location John 255.255.255.255 inside
pdm location RAT 255.255.255.255 inside
pdm location HR 255.255.255.255 inside
pdm location sh-ex-01 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.99.0.0 255.255.0.0 0 0
static (inside,outside) 80.229.196.113 mailsweeper netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 80.229.196.113 1
route inside 10.100.0.0 255.255.0.0 10.99.10.1 1
route outside 172.31.254.0 255.255.255.0 80.229.196.114 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.99.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set des_set esp-des esp-md5-hmac
crypto dynamic-map sheffield_dynamic 10 set transform-set des_set
crypto map sheffield 10 ipsec-isakmp dynamic sheffield_dynamic
crypto map sheffield interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup sheffield_vpn address-pool vpnpool1
vpngroup sheffield_vpn dns-server sh-nt-01
vpngroup sheffield_vpn wins-server sh-nt-01
vpngroup sheffield_vpn split-tunnel splitunnel
vpngroup sheffield_vpn idle-time 360
vpngroup sheffield_vpn password ********
vpngroup beltek address-pool vpnpool1
vpngroup beltek dns-server sh-nt-01
vpngroup beltek wins-server sh-nt-01
vpngroup beltek idle-time 1800
vpngroup beltek password ********
telnet 10.99.0.0 255.255.0.0 inside
telnet timeout 5
ssh 80.242.41.146 255.255.255.255 outside
ssh 195.166.140.163 255.255.255.255 outside
ssh 80.242.41.146 255.255.255.255 inside
ssh timeout 5
terminal width 80
Cryptochecksum:868ce855636af6261b9bd1a666861bdd


Any help would be appreciated

Cheers,

Gav

 

[KiscoKid]

Try the following:

access-group inbound in interface outside
static (inside,outside) 195.50.80.2 sh-ex-01
netmask 255.255.255.255 0 0
access-list inbound permit icmp any any echo-reply


Note there seems to be 2 access lists associated with access from the outside to the inside but neither are applied. I've applied the one called inbound as it already has an entry to allow UDP 4403 to the inside host. The other ACL called "outside_to_in" has different entries not covered in the access list "inbound". You may want to review this other ACL and, if necessary, update the "inbound" ACL with these entries also.#


Out of interest, the 195.50.80.2 is a obviously a different netblock from the external address assigned to the PIX currently. Do you know for sure your ISP is routing this other range to your site also?

 

[gavin77]

Thanks,

I'll try this mate, fairly sure that my isp will pass the traffic but something I'll look into for sure,
from what I can see the other acl is for the router accesss to the pix as the routers on the 113 ip address,
can I remove the incorrect entries I have added?

Cheers

 

[gavin77]

Ping working fine now, thanks, still unsure of the access list entries though as they look very strange via the GUI,
I need to give access to sh-ex-01 (10.99.3.4) from an external ip of - 195.50.80.2, this ip has nothing to do with our company, the company in question need to gain access to sh-ex-01 on udp port 4403 for maintenance.
Unless I'm mistaken the static rule added looked like it had translated 10.99.3.4 to 195.50.80.2 on the outside interface? instead of one of our block ip's for the adsl line, our pix is on? apologies if I've misunderstood, I have removed the access control entries from the GUI as they didn't look right, they will probably still show in the fresh config below,



User Access Verification

Password:
Type help or '?' for a list of available commands.
sheffpix> enable
Password: ******
sheffpix# show config
: Saved
: Written by enable_15 at 11:51:12.322 UTC Wed Dec 13 2006
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NhJomtAXSYZ.qZxg encrypted
passwd NhJomtAXSYZ.qZxg encrypted
hostname sheffpix
domain-name snacksdirect.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.99.26.245 Gary
name 10.99.3.1 sh-nt-01
name 10.99.25.105 raeserver
name 10.99.25.106 TServer
name 10.99.25.102 mailsweeper
name 10.99.3.2 new_server
name 10.99.26.238 Gavin
name 10.99.26.133 John
name 10.99.26.117 RAT
name 10.99.25.243 HR
name 10.99.3.4 sh-ex-01
object-group service Oncore tcp-udp
description Remote access for online backup solution
port-object range 4403 4403
access-list inside_access_in permit ip host sh-ex-01 any
access-list inside_access_in permit ip host Gary any
access-list inside_access_in permit ip host Gavin any
access-list inside_access_in permit ip host new_server any
access-list inside_access_in permit ip host HR any
access-list inside_access_in permit ip host sh-nt-01 any
access-list inside_access_in permit ip host raeserver any
access-list inside_access_in permit ip host TServer any
access-list inside_access_in permit ip host John any
access-list inside_access_in permit ip host RAT any
access-list outside_to_in permit icmp any any
access-list outside_to_in permit tcp any host 80.229.196.113 eq smtp
access-list nonat permit ip 10.99.0.0 255.255.0.0 host 172.31.254.5
access-list nonat permit ip 10.100.0.0 255.255.0.0 172.31.254.0 255.255.255.252
access-list nonat permit ip 10.100.0.0 255.255.0.0 host 172.31.254.5
access-list nonat permit ip 10.99.0.0 255.255.0.0 172.31.254.0 255.255.255.0
access-list splitunnel permit ip 10.99.0.0 255.255.0.0 172.31.254.0 255.255.255.
252
access-list splitunnel permit ip 10.99.0.0 255.255.0.0 host 172.31.254.5
access-list splitunnel permit ip 10.100.0.0 255.255.0.0 172.31.254.0 255.255.255
.252
access-list splitunnel permit ip 10.100.0.0 255.255.0.0 host 172.31.254.5
access-list outbound permit icmp any any
access-list inbound permit icmp any any echo-reply
access-list from-insidezone-coming-in permit icmp any any
pager lines 24
logging on
logging buffered informational
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 80.229.196.114 255.255.255.248
ip address inside 10.99.25.103 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 172.31.254.1-172.31.254.8
pdm location Gary 255.255.255.255 inside
pdm location 10.100.0.0 255.255.0.0 inside
pdm location 10.99.99.0 255.255.255.252 outside
pdm location 10.99.99.5 255.255.255.255 outside
pdm location 172.31.254.0 255.255.255.252 outside
pdm location 172.31.254.5 255.255.255.255 outside
pdm location 10.99.26.241 255.255.255.255 inside
pdm location 10.99.26.0 255.255.255.0 inside
pdm location mailsweeper 255.255.255.255 inside
pdm location sh-nt-01 255.255.255.255 inside
pdm location raeserver 255.255.255.255 inside
pdm location TServer 255.255.255.255 inside
pdm location 80.242.41.146 255.255.255.255 inside
pdm location 80.242.41.146 255.255.255.255 outside
pdm location 172.31.254.0 255.255.255.0 outside
pdm location 195.166.140.163 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location new_server 255.255.255.255 inside
pdm location Gavin 255.255.255.255 inside
pdm location John 255.255.255.255 inside
pdm location RAT 255.255.255.255 inside
pdm location HR 255.255.255.255 inside
pdm location sh-ex-01 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.99.0.0 255.255.0.0 0 0
static (inside,outside) 80.229.196.113 mailsweeper netmask 255.255.255.255 0 0
static (inside,outside) 195.50.80.2 sh-ex-01 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 80.229.196.113 1
route inside 10.100.0.0 255.255.0.0 10.99.10.1 1
route outside 172.31.254.0 255.255.255.0 80.229.196.114 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.99.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set des_set esp-des esp-md5-hmac
crypto dynamic-map sheffield_dynamic 10 set transform-set des_set
crypto map sheffield 10 ipsec-isakmp dynamic sheffield_dynamic
crypto map sheffield interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup sheffield_vpn address-pool vpnpool1
vpngroup sheffield_vpn dns-server sh-nt-01
vpngroup sheffield_vpn wins-server sh-nt-01
vpngroup sheffield_vpn split-tunnel splitunnel
vpngroup sheffield_vpn idle-time 360
vpngroup sheffield_vpn password ********
vpngroup beltek address-pool vpnpool1
vpngroup beltek dns-server sh-nt-01
vpngroup beltek wins-server sh-nt-01
vpngroup beltek idle-time 1800
vpngroup beltek password ********
telnet 10.99.0.0 255.255.0.0 inside
telnet timeout 5
ssh 80.242.41.146 255.255.255.255 outside
ssh 195.166.140.163 255.255.255.255 outside
ssh 80.242.41.146 255.255.255.255 inside
ssh timeout 5
terminal width 80
Cryptochecksum:4206c738c592dd23a1ab63fec3caf5db

 

[KiscoKid]

Ah ok that makes sense and explains my concerns about routing this other netblock, i.e. you don't have another netblock!

The original static I provided needs to be removed using the no form of the command, i.e.:

no static (inside,outside) 195.50.80.2 sh-ex-01 netmask 255.255.255.255 0 0

You can then add a new static NAT or policy NAT statement (whichever you prefer). A static NAT statement would be as follows:

static (inside,outside) a.b.c.d sh-ex-01 netmask 255.255.255.255 0 0

where a.b.c.d is a unique public IP address taken from the IP address allocation in use by your ADSL line.

A policy NAT statement would instead be:

static (inside,outside) udp interface 4403 sh-ex-01 4403 netmask 255.255.255.255 0 0

This will basically redirect only UDP 4403 traffic destined for the outside of the PIX to the internal host called sh-ex-01.

You then need to allow access to your inbound ACL, as follows:

access-list inbound permit udp host 195.50.80.2 host 80.229.196.114 eq 4403

 

[gavin77]

Cheers, sounds good,

have already removed previous commands relating to the translation etc in the PDM, just added these new ones so I'll check if the 3rd party got access now, I'll keep ya posted,

Nice one, cheers,

Gav

 

[gavin77]

all workin now, cheers!!

 

[gavin77]

Hi there,

I need to be able to ping users in our vpn pool so I can acetain who's staying connected for longer than they should and tying the system up for everyone else,
would access-list permit icmp any vpnpool1 echo reply work?

cheers

Gav