Telnet PIX 515

StealthStealth Member Posts: 13 ■□□□□□□□□□
Hello Everyone,
What I'm trying to do is set up my home lab to study for the CCNP. I'm in need of some assistance in setting up my PIX 515 to forward telnet requests to router1. I have tried a few things but no luck as of yet:

Trying to reach Router1


Cable Modem <--> PIX <--> Switch <--> Router1

I have the following configuration:

PIX Version 7.2(2)
!
hostname Stealth
domain-name default.domain.invalid
enable password xxxxxxxxxxxx encrypted
names
!
interface Ethernet0
nameif Outtra
security-level 0
ip address dhcp setroute
!
interface Ethernet1
speed 100
duplex full
nameif Intra
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd xxxxxxxxxxxx encrypted
ftp mode passive
dns domain-lookup Outtra
dns server-group DefaultDNS
name-server 68.6.16.30
name-server 68.6.16.25
domain-name default.domain.invalid
access-list outside extended permit tcp any gt 1023 any eq 8080
access-list outside extended permit tcp any any eq 3389
access-list outside extended permit tcp any any eq 81
access-list outside extended permit tcp any gt 1023 any eq ssh
access-list outside extended permit tcp any any eq ftp
access-list outside extended permit tcp any gt 1023 any eq telnet
access-list ping_acl extended permit ip any any
pager lines 24
mtu Outtra 1500
mtu Intra 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outtra) 1 interface
nat (Intra) 1 192.168.2.0 255.255.255.0
static (Intra,Outtra) tcp interface 3389 192.168.2.3 3389 netmask 255.255.255.255
static (Intra,Outtra) tcp interface 8080 192.168.2.6 8080 netmask 255.255.255.255
static (Intra,Outtra) tcp interface 81 192.168.2.5 www netmask 255.255.255.255
static (Intra,Outtra) tcp interface ssh 192.168.2.5 ssh netmask 255.255.255.255
static (Intra,Outtra) tcp interface ftp 192.168.2.5 ftp netmask 255.255.255.255
static (Intra,Outtra) tcp interface telnet 192.168.2.5 telnet netmask 255.255.255.255
access-group ping_acl in interface Outtra
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username xxxxxxxx password xxxxxxxxxx encrypted
aaa authentication http console LOCAL
http server enable
http 192.168.3.12 255.255.255.255 Intra
http 192.168.3.0 255.255.255.0 Intra
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.3.0 255.255.255.0 Intra
ssh timeout 5
console timeout 0
dhcpd dns 68.6.16.30 68.6.16.25
!
dhcpd address 192.168.3.12-192.168.3.254 Intra
dhcpd enable Intra
!
!
class-map class_http2
match port tcp eq 81
class-map class_http
match port tcp eq 81
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map telnet
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
class class_http
inspect http
class class_http2
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b4ba8517ebfbb79cfdc269aee3c71a8c
: end

Any suggestions?

Comments

  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    The ACL line you highlighted is part of ACL "outside", which is not applied to an interface; the ACL "ping_acl" is applied to the interface "Outtra", which is allowing all traffic. Your static command looks OK. Does Router1 have a default route set to the inside address of the PIX?
    The only easy day was yesterday!
  • StealthStealth Member Posts: 13 ■□□□□□□□□□
    No, at this time I don't have a direct route to the inside interface of the PIX. I didn't think I needed one because it's not a problem reaching other hosts behind the PIX using PAT. Do I need to add a static route?


    PIX inside Interface: 192.168.3.1
    Router: 192.168.5.1


    so on router:

    ip route 0.0.0.0 0.0.0.0 192.168.3.1
  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    The router will need to know how to get back to the Internet; you will need a static route on the router to the IP address of the inside interface of the PIX.
    The only easy day was yesterday!
  • StealthStealth Member Posts: 13 ■□□□□□□□□□
    Sorry, I have posted the incorrect info. Here is the correct info:

    PIX inside Interface: 192.168.3.1
    Router1: 192.168.3.10

    I can ping from router1 to PIX and from PIX to router1

    Sorry, for incorrect posting.
  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    Stealth wrote:
    Sorry, I have posted the incorrect info. Here is the correct info:

    PIX inside Interface: 192.168.3.1
    Router1: 192.168.3.10

    I can ping from router1 to PIX and from PIX to router1

    Sorry, for incorrect posting.

    Then you'll need to fix your static command to reflect the correct address of Router1, and add a default route on Router1 to the PIX (ip route 0.0.0.0 0.0.0.0 192.168.3.1)

    HTH
    The only easy day was yesterday!
  • StealthStealth Member Posts: 13 ■□□□□□□□□□
    Thanks dtlokee,


    It's working now..............

    Hummmmmm did realize need a direct route.....
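
A small offline check for the three config points this thread turns on (an ACL that is defined but never bound with access-group, a bound ACL that permits ip any any, and a static whose real address is not on the named interface's subnet), as an added example that is not code from the original posts. The `audit` function and the trimmed sample config are constructed for illustration, and the parser only understands the PIX 7.x line forms that appear in the posted configuration.

```python
import ipaddress
import re

# Constructed sample: only the lines of the posted config that matter here.
SAMPLE = """\
interface Ethernet1
 nameif Intra
 ip address 192.168.3.1 255.255.255.0
access-list outside extended permit tcp any gt 1023 any eq telnet
access-list ping_acl extended permit ip any any
static (Intra,Outtra) tcp interface telnet 192.168.2.5 telnet netmask 255.255.255.255
access-group ping_acl in interface Outtra
"""

def audit(config):
    """Return a sorted list of findings for a PIX 7.x running-config."""
    acls, bound, nets, statics, findings = {}, set(), {}, [], []
    nameif = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif m := re.match(r"ip address (\d\S+) (\d\S+)", line):
            # Statically addressed interface: remember its connected subnet.
            nets[nameif] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"access-list (\S+) extended (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound.add(m.group(1))
        elif m := re.match(r"static \((\S+),\S+\) tcp interface \S+ (\d\S+) ", line):
            # (real interface, real host address) of a port redirect.
            statics.append((m.group(1), ipaddress.ip_address(m.group(2))))
    for name, rules in acls.items():
        if name not in bound:
            findings.append(f"ACL {name} is defined but not applied by any access-group")
        elif "permit ip any any" in rules:
            findings.append(f"ACL {name} is applied and permits ip any any")
    for real_if, host in statics:
        if real_if in nets and host not in nets[real_if]:
            findings.append(f"static maps to {host}, outside {real_if} subnet {nets[real_if]}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the sample, it reports all three conditions. It does not check the default route on Router1, which lives in the router's configuration rather than the PIX's.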