
PIX 506e outbound connection on port 443


techbunney

IS-IT--Management
May 16, 2007
I have an internal device (for vulnerability scanning) that needs to connect to x.x.x.x (outside) on port 443. The connection could be two way but really only needs to be outbound.

Right now I can ping the gateway for the main campus and the firewall. I can even ping out to other remote campuses so I know the pings can make it pass the firewall.

For some reason I cannot ping external IPs such as google (72.14.209.104) or anything else external.

I am pasting a copy of my PIX config. I hope someone may know the answer or could point me in the right direction. The InternalScanner listed in the config with 10.1.1.16 is the device that needs outbound access on port 443 to a specific IP address.
-------------------------------------
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 768
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.1.16 InternalScanner
object-group service web tcp
port-object eq www
port-object eq https
object-group service webports tcp-udp
port-object range 12100 12109
object-group service symitar_host_access tcp
port-object eq ftp
port-object eq telnet
access-list outside_access_in permit ip any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any interface outside eq 30000
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any interface outside eq telnet
access-list outside_access_in permit tcp host Symitar interface outside eq 22339
access-list outside_access_in permit ip any host 208.191.137.38
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit ip host Newweb.gpfc.com any
access-list inside_outbound_nat0_acl permit ip any 10.1.99.244 255.255.255.252
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside citrix_server 17/62000
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 208.191.137.37 255.255.255.248
ip address inside 10.1.1.5 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp_pool 10.1.99.245-10.1.99.246
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 10.1.99.244 255.255.255.252 outside
pdm location NVPN 255.255.255.0 inside
pdm location Newweb.gpfc.com 255.255.255.255 inside
pdm location 24.0.0.0 255.0.0.0 outside
pdm location InternalScanner 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface https Newweb.gpfcu.com https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet Newweb.gpfcu.com telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 22339 Newweb.gpfc.com 22339 netmask 255.255.255.255 0 0
static (inside,outside) InternalScanner InternalScanner netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 208.191.137.36 1
route inside 10.0.0.0 255.0.0.0 10.1.1.232 1
route inside NVPN 255.255.255.0 10.1.1.232 1
route inside 192.168.0.0 255.255.0.0 10.1.1.232 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 0
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 67.99.3.149
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 67.99.3.149 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local pptp_pool
vpdn group PPTP-VPDN-GROUP client configuration wins citrix_server
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
 
All traffic is allowed outbound unless you restrict it with an ACL. You can take off your outbound ACL.
Try adding:
fixup prot icmp error



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I tried this. This scanner still cannot talk to the world. I'm beginning to think the device is bad or may be plugged in somewhere it shouldn't be on the switch. I will most likely sniff the tone out and see what I can find.
 
From what I see the config looks good.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I think so too. I'm going to tone out that cable and see where it's plugged in. That will have to wait til next week. Thank you so much for your replies so far. :)
 
Does it look like ping is disabled through the firewall on this config? I need to verify that I can ping past it.
 
Would this allow me to ping past the firewall during a configuration testing phase?

icmp permit any any outside
 
OK, I think I found it.
static (inside,outside) InternalScanner InternalScanner netmask 255.255.255.255 0 0

You have the same internal IP for each on this. It needs to be the same as the statics above it. If you don't have another public IP to use then you have to use interface and specify the ports (one for each). Sorry I missed that - I didn't check to see if the names were different.

To allow ICMP - the ACL to ping internal from external - you need to add this:
fixup prot icmp error



Brent
Systems Engineer / Consultant
CCNP, CCSP
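The check Brent applies by eye above (a static's mapped address must be a public address on the outside subnet, or the `interface` keyword with its own port, and every name used in a static must actually resolve) can be run mechanically against a saved config. The following is an added example written for this thread, not code from the poster or from Cisco; it assumes the PIX 6.3 `static` syntax in the two forms that appear in the posted config (`static (real,mapped) <mapped_ip|interface> <real_ip> ...` and `static (real,mapped) {tcp|udp} <mapped_ip|interface> <mapped_port> <real_ip> <real_port> ...`) and the `name` / `ip address` lines as posted. It also goes one step past the thread: because Brent says "one for each" port when the interface address is shared, it flags two port statics that claim the same mapped port. The sample config is a constructed excerpt of the one posted above.

```python
import ipaddress
import re

# Constructed excerpt modelled on the PIX 6.3(4) configuration posted in this thread.
SAMPLE_CONFIG = """\
name 10.1.1.16 InternalScanner
ip address outside 208.191.137.37 255.255.255.248
ip address inside 10.1.1.5 255.255.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface https Newweb.gpfcu.com https netmask 255.255.255.255 0 0
static (inside,outside) InternalScanner InternalScanner netmask 255.255.255.255 0 0
"""

# Tolerates the spacing variants seen in the thread, e.g. "static(inside,outside)tcp ...".
STATIC_RE = re.compile(r"^static\s*\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s*(?P<rest>.+)$")


def parse_names(config):
    """Collect 'name <ip> <alias>' lines into an alias -> IP dictionary."""
    names = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "name":
            names[parts[2]] = parts[1]
    return names


def parse_interfaces(config):
    """Collect 'ip address <ifname> <ip> <mask>' lines into ifname -> network."""
    nets = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["ip", "address"]:
            nets[parts[2]] = ipaddress.ip_interface(f"{parts[3]}/{parts[4]}").network
    return nets


def parse_statics(config):
    """Return one dict per static, distinguishing the port form from the address form."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group("rest").split()
        if tokens[0] in ("tcp", "udp") and len(tokens) >= 5:
            # static (real,mapped) {tcp|udp} <mapped_ip|interface> <mapped_port> <real_ip> <real_port> ...
            entry = dict(proto=tokens[0], mapped=tokens[1], mapped_port=tokens[2],
                         real=tokens[3], real_port=tokens[4])
        elif len(tokens) >= 2:
            # static (real,mapped) <mapped_ip|interface> <real_ip> ...
            entry = dict(proto=None, mapped=tokens[0], mapped_port=None,
                         real=tokens[1], real_port=None)
        else:
            continue
        entry.update(real_if=m.group("real_if"), mapped_if=m.group("mapped_if"), line=line.strip())
        statics.append(entry)
    return statics


def resolve(token, names):
    """Turn a 'name' alias or dotted IP into an ip_address, or None if it does not resolve."""
    try:
        return ipaddress.ip_address(names.get(token, token))
    except ValueError:
        return None


def check_statics(config):
    """Report statics whose mapped side cannot work as written."""
    names = parse_names(config)
    nets = parse_interfaces(config)
    findings = []
    seen_ports = {}  # (mapped_if, proto, mapped, mapped_port) -> first line claiming it
    for s in parse_statics(config):
        if s["mapped"] != "interface":
            # The mapped address is what the outside world sends to: it must be resolvable
            # and must sit on the mapped interface's subnet, not on the inside network.
            addr = resolve(s["mapped"], names)
            net = nets.get(s["mapped_if"])
            if addr is None:
                findings.append(f"unresolved mapped address '{s['mapped']}': {s['line']}")
            elif net is not None and addr not in net:
                findings.append(f"mapped address {addr} is not on the {s['mapped_if']} "
                                f"subnet {net}: {s['line']}")
        if resolve(s["real"], names) is None:
            findings.append(f"unresolved real address '{s['real']}': {s['line']}")
        if s["mapped_port"] is not None:
            # Port tokens are compared literally ("https" and "443" are not unified here).
            key = (s["mapped_if"], s["proto"], s["mapped"], s["mapped_port"])
            if key in seen_ports:
                findings.append(f"{s['proto']} port {s['mapped_port']} on {s['mapped_if']} "
                                f"is already mapped by: {seen_ports[key]}")
            else:
                seen_ports[key] = s["line"]
    return findings


if __name__ == "__main__":
    for finding in check_statics(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports exactly the two things discussed in the thread: the InternalScanner static maps a 10.1.1.16 address onto the outside interface, which is not on 208.191.137.32/29, and `Newweb.gpfcu.com` has no `name` entry in the posted config. A static using `interface https ... https` is accepted by the subnet check because the PIX's own outside address is used; the duplicate-port check then tells you whether that port is already claimed by another static on the same interface.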
 
I'll rework the static statement. I didn't catch that either. I'm not much on PIX firewalls but I did try to go through and make sure everything had the same theme.

You mentioned how to ping from the outside to the inside. How do I ping from my internal network past the firewall to the internet?
 
Brent,

How about -

static (inside,outside) tcp interface https InternalScanner https netmask 255.255.255.255 0 0

Will I have to copy/paste the configuration, make my changes and then paste back in?
 
That should do it. Just copy the static that is wrong, paste it back and put "no" in front of it. Then add the new static.

no static (inside...
static (inside,outside) ***new
clear xlate



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent,

Is there a way to copy/paste in PDM? Also, what are the benefits of using the PIX Firewall software? I'm assuming this is different than the PDM? Is a TFTP server the only good way to back up a config?

Also, what training do you recommend to get my feet wet with the cisco PIX?
 
I don't use the PDM very much. Sorry I am not that much help on that front.

The PDM is one way to access the PIX OS, the other is the command line (SSH, telnet), and then SNMP.
I just use the command line and copy and paste. It won't back up the cert for SSH but that is it. You can always recreate it with 3 lines.

The cisco books work well and this website. Try to see if you can solve the problem and then see what others post as the solution.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 