Hi there, I have already spent about 2 days on this problem. The thing is:
I have 3 sets of public IP addresses provided by my ISP, and I need to protect one of those sets with a PIX 515 that I have with version 4.4.
The set of IPs I need to protect is 196.40.7.72 - 196.40.7.79 with mask 255.255.255.248.
My router is a Cisco 1610 with 1 Ethernet card. I assigned the Ethernet card a "dumb" IP address, 10.1.1.1 255.255.255.248, to connect to the PIX and to my other Phoenix Adaptive Firewall box, which is working great with the other 2 sets of IPs.
To the PIX eth0 I assigned the IP 10.1.1.3 to communicate with the eth0 of the router.
On the router I added the following extra route:
ip route 196.40.7.72 255.255.255.248 10.1.1.3
The router is sending all the traffic for network 196.40.7.72 to the eth0 of the PIX firewall,
then I assigned to the eth1 of the PIX the following address:
196.40.7.73 (255.255.255.248)
I am not using NAT or PAT because I need the public addresses to be visible on some specific ports from the outside; that is all I need!
So I disabled NAT with the following command:
nat (inside) 0 196.40.7.0 255.255.255.0 0 0
which supposedly will disable NAT for all that network, which includes my small 8-IP-address network.
I added the following static command:
static (inside,outside) 196.40.7.0 196.40.7.0 netmask 255.255.255.0 0 0
That's the way it is supposed to be done, after reading a lot of Cisco's documentation. Please remember I don't want to use NAT or PAT; I have my public IP addresses, which NEED to be visible from the outside.
Just for testing I added the following conduits:
conduit permit tcp any any
conduit permit icmp any any
conduit permit udp any any
That supposedly opens all the TCP, ICMP and UDP ports on the PIX. I even tried manual conduits like, for example:
conduit permit tcp host 196.40.7.75 eq or
conduit permit tcp host 196.40.7.75 eq 80 any
The thing is, I can ping from the inside to the outside with no problem, and I can even browse the Internet from my servers, but my servers are NOT visible in any way; all the ports are closed. I have tried in all possible ways to work around this and I'm clueless...
Please remember I have version 4.4, which has only static and conduit commands... all the new fancy commands like access-list are missing.
Please help me!
I'm copying my conf file from the PIX in case you need it:
pixfirewall(config)# sh conf
: Saved
:
PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxx encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
no pager
logging on
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 10.1.1.3 255.255.255.248
ip address inside 196.40.7.73 255.255.255.248
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 196.40.7.0 255.255.255.0 0 0
static (inside,outside) 196.40.7.75 196.40.7.75 netmask 255.255.255.255 0 0
static (inside,outside) 196.40.7.0 196.40.7.0 netmask 255.255.255.0 0 0
conduit permit tcp any any
conduit permit icmp any any
conduit permit udp any any
rip outside passive
rip outside default
rip inside passive
rip inside default
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
route inside 0.0.0.0 0.0.0.0 196.40.7.73 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxx
pixfirewall(config)#
Please help me, my friends!!! .... I'm in trouble!!!
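As an added example (not part of the original post, and not a Cisco tool), the following Python script reads the translation, access and routing lines from the `sh conf` posted above and walks the three conditions a PIX 4.4 needs before an outside host can reach an inside server: a static that maps the outside-visible address to an inside address, a conduit that permits the protocol and port, and an inside address the PIX can actually deliver to. It also runs two routing sanity checks that a static/conduit review alone would never surface. The parsing covers only the syntax present in the post (`any`, `host A`, `A MASK`, `eq N`), and the most-specific-static and first-matching-conduit evaluation order are modelling assumptions of mine.

```python
import ipaddress

# Constructed excerpt: only the lines this checker reads, copied from the posted `sh conf`.
PIX_CONF = """\
ip address outside 10.1.1.3 255.255.255.248
ip address inside 196.40.7.73 255.255.255.248
nat (inside) 0 196.40.7.0 255.255.255.0 0 0
static (inside,outside) 196.40.7.75 196.40.7.75 netmask 255.255.255.255 0 0
static (inside,outside) 196.40.7.0 196.40.7.0 netmask 255.255.255.0 0 0
conduit permit tcp any any
conduit permit icmp any any
conduit permit udp any any
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
route inside 0.0.0.0 0.0.0.0 196.40.7.73 1
"""


def _addr(tokens, i):
    """Parse one conduit address ('any', 'host A', or 'A MASK'); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _port(tokens, i):
    """Parse an optional 'eq N' qualifier (the only port operator modelled here)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_conf(text):
    conf = {"ifaces": {}, "nat0": [], "statics": [], "conduits": [], "routes": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:
            conf["ifaces"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "nat" and t[2] == "0":
            conf["nat0"].append(ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False))
        elif t[0] == "static":
            # static (inside,outside) GLOBAL LOCAL netmask MASK ...
            mask = t[5] if len(t) > 5 and t[4] == "netmask" else "255.255.255.255"
            conf["statics"].append((ipaddress.ip_network(f"{t[2]}/{mask}", strict=False),
                                    ipaddress.ip_network(f"{t[3]}/{mask}", strict=False)))
        elif t[0] == "conduit":
            # conduit permit|deny PROTO GLOBAL [eq P] FOREIGN [eq P]
            action, proto = t[1], t[2]
            dst, i = _addr(t, 3)
            dport, i = _port(t, i)
            src, i = _addr(t, i)
            conf["conduits"].append((action, proto, dst, dport, src))
        elif t[0] == "route":
            conf["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False),
                                   ipaddress.ip_address(t[4])))
    return conf


def static_local(conf, global_ip):
    """Map an outside-visible address to its inside address via the most specific static (assumed)."""
    global_ip = ipaddress.ip_address(global_ip)
    best = None
    for gnet, lnet in conf["statics"]:
        if global_ip in gnet and (best is None or gnet.prefixlen > best[0].prefixlen):
            best = (gnet, lnet)
    if best is None:
        return None                      # no translation: inbound packet has nowhere to go
    gnet, lnet = best
    return lnet[int(global_ip) - int(gnet.network_address)]


def conduit_verdict(conf, proto, dst_ip, dst_port):
    """First matching conduit decides (assumed first-match semantics); no match means denied."""
    dst_ip = ipaddress.ip_address(dst_ip)
    for action, cproto, dst, dport, _src in conf["conduits"]:
        if cproto not in (proto, "ip"):
            continue
        if dst_ip in dst and (dport is None or dport == dst_port):
            return action == "permit"
    return False


def inbound_check(conf, proto, global_ip, port):
    """Report each condition separately so the failing layer is visible, not just a yes/no."""
    local = static_local(conf, global_ip)
    inside = conf["ifaces"]["inside"].network
    return {
        "static_present": local is not None,
        "local_ip": str(local) if local is not None else None,
        "local_on_inside_subnet": local is not None and local in inside,
        "conduit_permits": conduit_verdict(conf, proto, global_ip, port),
    }


def nat0_covers_inside(conf):
    """True when the inside interface subnet falls inside some 'nat 0' (identity) network."""
    inside = conf["ifaces"]["inside"].network
    return any(inside.subnet_of(n) for n in conf["nat0"])


def route_warnings(conf):
    """Routing sanity checks: multiple default routes, and a gateway that is the PIX's own address."""
    warnings = []
    defaults = [r for r in conf["routes"] if r[1].prefixlen == 0]
    if len(defaults) > 1:
        warnings.append("more than one default route: "
                        + ", ".join(f"{ifc} via {gw}" for ifc, _net, gw in defaults))
    own = {ifc.ip for ifc in conf["ifaces"].values()}
    for ifc, net, gw in conf["routes"]:
        if gw in own:
            warnings.append(f"route {ifc} {net} points at the PIX's own address {gw}")
    return warnings


if __name__ == "__main__":
    conf = parse_conf(PIX_CONF)
    print("nat 0 covers inside subnet:", nat0_covers_inside(conf))
    print("inbound tcp/80 to 196.40.7.75:", inbound_check(conf, "tcp", "196.40.7.75", 80))
    for w in route_warnings(conf):
        print("warning:", w)
```

Run against the posted lines, the static, conduit and nat 0 checks all pass for tcp/80 to 196.40.7.75, which narrows a "servers not visible" complaint to what the script flags next: the routing table carries two default routes, and the inside one names the PIX's own inside address as its gateway. Swapping `conduit permit tcp any any` for `conduit permit tcp host 196.40.7.75 eq 80 any` in the excerpt shows the checker reporting a denied port 443 while 80 stays permitted, which is the least-privilege shape to aim for once connectivity works.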