
PIX 515 and Speedstream 5861


yezleb (IS-IT--Management)
Oct 2, 2001
I am a relative newbie to routers and firewalls and need some help configuring our PIX 515 (v6.01) firewall and a Speedstream 5861 DSL router through our ISP (Ameritech). We have received 5 static IP addresses (65.43.xx.xx) with a subnet mask of 255.255.255.248. We want to configure a web server (192.168.xx.xx) off of a switch connected to the f/w. My questions are two-fold: first, what do we need to configure on the router; second, what do we need to configure on the f/w for both inbound and outbound access for the web server? What IPs should be used for the inside/outside of the router and f/w? Any suggestions would be greatly appreciated.

Thanks for any help.
 
HI!

The first thing to do is planning and learning.
It is good that you asked here, but you must also read the PIX manuals,
and/or consult a professional.
There is a lot of info, and configuration examples, on the Cisco web site.

The router is normally configured by the ISP, isn't it in your case?
Anyway, if not, you should get its configuration and IP addresses from the ISP.

All 5 registered IP addresses will be configured on the PIX, something like this:
* an IP used for the PIX outside interface.
* an IP used for PAT of outgoing connections.
* an IP used for the web server (but configured on the PIX with a STATIC mapping).
* the remaining IP addresses will not be configured and are reserved for later needs, like a mail server.

The "inside" of the PIX (and the DMZ, if applicable) will be configured with private IP addresses like 10.0.0.X.
The web server will get an internal IP address, and the mapping to the registered IP will be done by the PIX.
For better security, the web server should be in the DMZ and not in the "inside" network. It is also important to apply all needed patches on the web server, as the PIX will not prevent many HTTP attacks.

You may find a utility that I wrote called PIXCRIPT useful for configuring the PIX:

Using PDM on the PIX can be helpful as well.

Bye



Yizhar Hurwitz
 
OK. I have read the manual(s) and entered the configuration listed below. I can access the web from any of the nodes/servers on the internal network through the PIX f/w and the router. I cannot access the internal web server from the outside, however. No traffic can come in. I am stumped. Any help would be greatly appreciated. Thanks.

Router IP: 65.43.xx.xx
F/W Outside IP: 65.43.xx.xx
F/W Inside IP: 192.168.xx.xx

Router and F/W Outside IP are public addresses from static pool from isp.



PIX 515 (v6.0) configuration:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 65.43.xx.xx eq www
access-list 100 permit tcp any host 65.43.xx.xx eq ftp
ip address outside 65.43.xx.xx 255.255.255.248
ip address inside 192.168.xx.xx 255.255.255.0
global (outside) 1 65.43.xx.xx
arp timeout 14400
nat (inside) 1 0 0
static (inside,outside) 65.43.xx.xx 192.168.xx.xx netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0 0 65.43.xx.xx
conduit permit icmp any any
no snmp-server location
no snmp-server contact
snmp-server community public

 
HI!

Combining both conduit and access-list commands is not recommended.

Have you used DIFFERENT ip addresses for these commands:
global (outside) 1 65.43.xx.xx
static (inside,outside) 65.43.xx.xx 192.168.xx.xx netmask
?


How have you tested the connections from the outside?
Are the records for your FTP servers registered in DNS?

It is recommended to first test from your router.
On most routers you can telnet to the router, then try to telnet from it to port 80 and to port 21 of your web/FTP server, using the registered IP of the server (not the local one).

Can you reach your router from the outside? Can you PING / TELNET to it?
Try using traceroute from a site like
to your router - is it reachable?

Your problem could be related to your ISP - a routing or filtering issue.
Contact them to check it out.

You can also try to connect the PIX outside interface to a workstation for testing inbound connections.

Bye





Yizhar Hurwitz
 
I'm back...
I made a couple of changes to the router configuration and I can now access the web server from the outside through a web browser. I cannot access the FTP server from the outside. Both the web and FTP server share the same IP (same box). What am I missing? In addition, I can no longer get to my web server from the inside (using either the public or the private IP address of the site).

Any ideas...

By the way, the trick of attaching a workstation to the outside interface helped diagnose the router problem. Thanks.
 
HI!

For troubleshooting FTP access, do the following:

1) Try to telnet to port 21 of the FTP server, from the outside (Internet).

2) Verify that this line exists in your configuration.
fixup ftp 21

If not - add it.
If you use non-standard FTP port, add a fixup line for it:

fixup ftp 11111

Bye
Yizhar Hurwitz
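The checks the two replies above ask for (conduit mixed with access-lists, the same public address used for the global PAT pool and for the static, and the FTP fixup line), as a small script that can be run over a saved PIX configuration before posting it. This is an added example written for this page, not code from the thread or from Cisco. Both configurations embedded in it are constructed: the 65.43.0.x and 192.168.1.x addresses stand in for the obscured ones in the posts, and the checks are pattern matches on the PIX 6.x command forms shown in the thread, not a parser of the full command set.

```python
"""Static checks for a PIX 6.x configuration, covering what the replies above
ask about: conduit and access-list mixed, one public address used both for the
global PAT pool and for a static, a static nothing on the outside ACL permits,
and no FTP fixup; plus the default SNMP community visible in the posted config.
Added example, not from the thread.  Both sample configurations are
constructed; 65.43.0.x stands in for the obscured 65.43.xx.xx block."""
import re

# Constructed: roughly the configuration posted above, with the problems the
# reply asks about left in (conduit + access-group, one public address doing
# double duty as PAT pool and static) and no FTP fixup.
BAD_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 65.43.0.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 65.43.0.3 eq www
access-list 100 permit tcp any host 65.43.0.3 eq ftp
global (outside) 1 65.43.0.3
nat (inside) 1 0 0
static (inside,outside) 65.43.0.3 192.168.1.10 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0 0 65.43.0.1
conduit permit icmp any any
snmp-server community public
"""

# Constructed: the same site laid out as the first reply suggests: PAT and the
# server's static on different addresses, access-lists only, FTP fixup present.
GOOD_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
ip address outside 65.43.0.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 65.43.0.4 eq www
access-list 100 permit tcp any host 65.43.0.4 eq ftp
global (outside) 1 65.43.0.3
nat (inside) 1 0 0
static (inside,outside) 65.43.0.4 192.168.1.10 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0 0 65.43.0.1
"""

GLOBAL_RE = re.compile(r"^global \(\w+\) \d+ (\S+)")
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+)")
ACL_HOST_RE = re.compile(r"^access-list \S+ permit \S+ \S+ host (\S+)")
# 6.x writes "fixup protocol ftp <port>"; also accept the shorter spelling used
# in the thread so the check fires only when no FTP fixup is present at all.
FIXUP_FTP_RE = re.compile(r"^fixup (?:protocol )?ftp \d+")


def lint_pix_config(text):
    """Return a list of findings; an empty list means no check fired."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []

    # 1. Two access-control mechanisms at once (the reply warns against this).
    if any(ln.startswith("conduit ") for ln in lines) and \
       any(ln.startswith("access-group ") for ln in lines):
        findings.append("conduit and access-group both present; use access-lists only")

    # 2. A global PAT address that is also some static's public address.
    globals_ = {m.group(1) for ln in lines if (m := GLOBAL_RE.match(ln))}
    statics = {m.group(1): m.group(2) for ln in lines if (m := STATIC_RE.match(ln))}
    for pub in sorted(globals_ & set(statics)):
        findings.append(f"{pub} is both a global PAT address and a static for {statics[pub]}")

    # 3. A static whose public address nothing on the outside ACL permits.
    permitted = {m.group(1) for ln in lines if (m := ACL_HOST_RE.match(ln))}
    for pub, inside in sorted(statics.items()):
        if pub not in permitted:
            findings.append(f"static {pub} -> {inside} has no access-list permit for host {pub}")

    # 4. No FTP fixup: the data connection of a passive-mode transfer will fail.
    if not any(FIXUP_FTP_RE.match(ln) for ln in lines):
        findings.append("no 'fixup protocol ftp' line; FTP data connections will fail")

    # 5. Default SNMP community string, readable by anyone who can reach the PIX.
    if any(ln.startswith("snmp-server community public") for ln in lines):
        findings.append("snmp-server community is the default 'public'; change it")

    return findings
```

Run it on a real configuration with `lint_pix_config(open("pix.cfg").read())` and expect the posted-style configuration to produce four findings and the suggested layout none. One symptom from the thread that no configuration check can catch: a PIX 6.x will not send traffic back out the interface it arrived on, so inside hosts cannot reach the server through the firewall by its public address; inside clients should resolve the server's name to its private address (split DNS) instead.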
 
We can telnet to the server from the outside on port 21, but as soon as we try to do anything (i.e. dir) we are immediately disconnected. The fixup line is correctly entered. Any help?
 
HI!

Post your full PIX config.

Check again with a workstation connected to "outside".

It might be that some other router or firewall is permitting port 21, but blocking port 20 or not supporting FTP in some way.

Try different FTP clients:
Is it working from the Windows command-line FTP?
Is it working from the web browser?
(Some web browsers use PASSIVE mode FTP.)
Use a 3rd-party client; try STANDARD and PASSIVE mode FTP.

Read the PIX documentation about the FIXUP command. It will help you.

Bye


Yizhar Hurwitz
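What the FTP fixup actually has to do on the control channel, and why a successful telnet to port 21 proves little, as an added example for the symptom in this exchange (connect works, the first `dir` drops the session). This is a model written for this page, not Cisco's implementation; the static 65.43.0.4 -> 192.168.1.10 and the client address 203.0.113.5 are constructed stand-ins for the obscured addresses in the posted configuration.

```python
"""A model of what 'fixup protocol ftp' must do on the control channel for
the setup in this thread: an FTP server on a private address reached from
the Internet through a static translation.  Added example, not from the
thread and not Cisco code; 65.43.0.4 -> 192.168.1.10 is a constructed
stand-in for the obscured static in the posted configuration.

Both FTP data-connection setups carry an address and port in the payload:
PORT (active, sent by the client) and the 227 reply (passive, sent by the
server).  The passive reply contains the server's own private address, so
without rewriting the client tries to connect to 192.168.x.x; and even with
the address fixed, the outside access-list only permits 21 and 80, so the
firewall must open a one-off hole to the data port.  Port 21 alone never
shows this; the session dies at the first transfer (dir, ls, get)."""
import re

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

STATIC_PUBLIC = "65.43.0.4"     # constructed: the address the outside ACL permits
STATIC_INSIDE = "192.168.1.10"  # constructed: the web/FTP box behind the static


def decode_hostport(text):
    """Find FTP's 'h1,h2,h3,h4,p1,p2' in text -> (raw_match, ip, port) or None."""
    m = HOSTPORT_RE.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return m.group(0), ip, nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    """(ip, port) -> 'h1,h2,h3,h4,p1,p2'."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def inspect_control_line(line, from_inside, public_ip=STATIC_PUBLIC, inside_ip=STATIC_INSIDE):
    """Apply the fixup to one control-channel line.

    from_inside is True for server replies (inside -> outside) and False for
    client commands.  Returns (line_to_forward, data_connection); the second
    element describes the extra TCP connection the firewall must now expect,
    or is None when the line does not set one up.
    """
    if from_inside and line.startswith("227"):
        # Passive: the server names where the client should connect, using the
        # only address it knows, its private one.  Rewrite it to the static's
        # public address and open an inbound hole to the real data port.
        hp = decode_hostport(line)
        if hp is None:
            return line, None
        raw, ip, port = hp
        if ip == inside_ip:
            line = line.replace(raw, encode_hostport(public_ip, port))
        # A real fixup must also adjust TCP sequence numbers from here on,
        # because the rewritten payload is a different length; not modelled.
        return line, {"direction": "inbound", "dst": (inside_ip, port)}
    if not from_inside and line.upper().startswith("PORT "):
        # Active: the client names its own (public) address and the server
        # connects out from port 20.  Outbound is already allowed by nat/global,
        # so the firewall only ties the data connection to this session; it is
        # the client side, or a filter in front of it, that has to accept a
        # connection from port 20 (the "port 20 blocked" case in the reply).
        hp = decode_hostport(line)
        if hp is None:
            return line, None
        _, ip, port = hp
        return line, {"direction": "outbound", "src": (inside_ip, 20), "dst": (ip, port)}
    return line, None


def passive_target_without_fixup(reply):
    """Where a client would try to connect if the 227 reply were forwarded untouched."""
    hp = decode_hostport(reply)
    return None if hp is None else (hp[1], hp[2])
```

The two functions map directly onto the test the reply suggests: a browser or a client in PASSIVE mode exercises the 227 path, a command-line client in STANDARD (active) mode exercises the PORT path, and a client that works in one mode but not the other points at the data connection rather than at port 21.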
 