Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Pix 501 config

Status
Not open for further replies.
michelpf

michelpf

Technical User
Apr 22, 2010
1
CH
I got a pix 501 and i really have problems in configuring it, as i want... it just doesn't do what i'd like to do it...

my router has the following ip: 192.168.1.1

the pix has 192.168.1.2 on the outside, and 172.20.20.1 on the inside interface. my server has 172.20.20.2.

my problems:
- port forwarding to server (ports 21, 22, 80, 5000) doesn't work
- ssh from inside doesn't work
- pdm does not work. when i try to access it from inside ( i just get nothing.

my pix - config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside-acl permit tcp host 192.168.1.1 any
access-list outside-acl permit tcp any host 172.20.20.2 eq www
access-list outside-acl permit tcp any host 172.20.20.2 eq ftp
access-list outside-acl permit tcp any host 172.20.20.2 eq ssh
access-list outside deny tcp any any
pager lines 24
logging on
logging timestamp
logging console warnings
logging monitor warnings
logging buffered warnings
logging history warnings
logging queue 1000
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 172.20.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.20.20.0 255.255.255.0 inside
pdm location 172.20.20.99 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 172.20.20.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 172.20.20.2 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5000 172.20.20.2 5000 netmask 255.255.255.255 0 0
access-group outside-acl in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.20.0.0 255.255.255.0 inside
http 172.20.20.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 172.20.20.99 /
floodguard enable
telnet 192.168.1.0 255.255.255.252 outside
telnet 192.168.1.2 255.255.255.255 outside
telnet 172.20.20.0 255.255.255.0 inside
telnet timeout 5
ssh 172.20.20.0 255.255.255.0 inside
ssh 172.20.20.2 255.255.255.255 inside
ssh timeout 60
console timeout 0
dhcpd address 172.20.20.10-172.20.20.40 inside
dhcpd dns 192.168.1.1
dhcpd lease 3600
dhcpd ping_timeout 100
dhcpd auto_config outside
dhcpd enable inside
username password encrypted privilege 2
terminal width 80
: end

i'm thankful for any hint...

greets!
 
Sort by date Sort by votes
Your outside ACL needs to be against the real IP address, not the translated one:

Code: 
no access-list outside-acl permit tcp any host 172.20.20.2 eq www
no access-list outside-acl permit tcp any host 172.20.20.2 eq ftp
no access-list outside-acl permit tcp any host 172.20.20.2 eq ssh
no access-list outside deny tcp any any
  -Line is redundant due to implicit deny any any on ACL
  
access-list outside-acl permit tcp any host 192.168.1.2 eq www
access-list outside-acl permit tcp any host 192.168.1.2 eq ftp
access-list outside-acl permit tcp any host 192.168.1.2 eq ssh
access-list outside-acl permit tcp any host 192.168.1.2 eq 5000

SSH will require a hostname and domain-name. You will also need to generate RSA keys on the device. These commands should set you straight:

Code: 
hostname <your hostname>
domain-name <your domain>
ca gen rsa key 1024
ca save all

If you have already generated keys then check them with 'show ca mypubkey rsa'. You should be able to authenticate through the SSH client with the local credentials.

As for PDM, everything in the config looks good. If you haven't generated RSA keys then that is likely the problem.

If not...Did you copy over the PDM image to flash successfully? What does 'show flashfs' show? You say nothing is happening in the browser but you should get some type of Java prompt. You might need to roll back to JRE 1.4 (or IE7, etc...) See the link here for workstation requirements
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
580
Johnkite
Johnkite
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
108
xwray
xwray
tjbradford
  • Locked
  • Question
ASAX 5508 - basic config - packet loss
Replies
0
Views
157
tjbradford
tjbradford
RMurr34
  • Locked
  • Question
ASA Config - Open port 3389 for all IPs
Replies
1
Views
170
iggsterman
iggsterman
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
147
brownmab53
brownmab53

Part and Inventory Search

Sponsor

Back
Top