PIX Problems, cant ping gateway

rakem Member Posts: 800
I'm having some problems with my PIX 506. Config is as shown below:

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Nw8MznM5H/gvNcd3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname bevpix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inbound permit tcp any host 10.1.20.21 eq 24742
access-list inbound permit tcp any any eq 1723
access-list inbound permit tcp any any eq domain
access-list inbound permit udp any any eq domain
access-list inbound permit tcp any host 10.1.20.39 eq smtp
access-list inbound permit udp host 10.1.20.39 host 195.56.193.1 eq ntp
access-list inbound permit tcp host 10.1.20.39 host 10.1.20.10 eq smtp
access-list inbound permit tcp 10.1.0.0 255.255.0.0 host 10.1.20.39 eq 443
access-list inbound permit tcp 10.1.0.0 255.255.0.0 host 10.1.20.39 eq 18080
access-list inbound permit tcp 10.1.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 3389

access-list inbound permit tcp any any eq 8
access-list inbound deny tcp any any
access-list outbound permit tcp host 10.1.20.21 any eq 24742
access-list outbound permit tcp any any eq 1723
access-list outbound permit tcp any any eq domain
access-list outbound permit udp any any eq domain
access-list outbound permit tcp any any eq 135
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq 443
access-list outbound permit tcp host 10.1.20.39 any eq smtp
access-list outbound permit tcp host 10.1.20.39 any eq 22
access-list outbound permit tcp 10.1.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 3389
access-list outbound deny tcp any any
access-list allow-all permit tcp any any
access-list allow_all permit ip any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 125.7.34.145 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group allow-all in interface outside
access-group allow-all in interface inside
route inside 0.0.0.0 0.0.0.0 125.7.34.158 1
route outside 0.0.0.0 0.0.0.0 192.168.1.2 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
vpngroup admins idle-time 1800
telnet 125.7.0.144 255.255.0.240 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn enable outside
terminal width 80
Cryptochecksum:4425d2d00620693b28570aa5c92c8fb5


The problem is I can't ping out from the PIX. The outside address is 125.7.34.145 and from there I have a straight-through cable connected to a patch panel which should then go to the 125.7.34.158 address. However I cannot ping that last address. The inside network is working ok, I can ping the 192.168.1.2 address but it's the outside one I really need working..... can anyone see anything wrong with the config?

thanks
CCIE# 38186
showroute.net

Comments

  • forbesl Member Posts: 454
    Your default "route outside" statement is wrong, it should be pointing to your next outside hop (which I am assuming is 125.7.34.158). You've also got a default route pointing to your inside network. Get rid of it and place individual network routes in that statement. For example:

    route inside 10.1.0.0 255.255.0.0 <ip of next inside hop> 1

    There's some confusion going on in your config....

    access-list outbound permit tcp 10.1.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 3389

    You're permitting the network on the inside to the same network on the outside? Doesn't make sense, man:

    access-list inbound permit tcp host 10.1.20.39 host 10.1.20.10 eq smtp

    These two hosts should be on different subnets, yet the previous access-list outbound statement doesn't reflect that.
  • garv221 Member Posts: 1,914
    Are you using this PIX to firewall from another subnet/network? If not, I would suggest using the inside/outside function to map external IPs to internal and get better use of your ACLs. For example how does this work without static mapping?

    access-list inbound permit tcp any host 10.1.20.39 eq smtp
  • forbesl Member Posts: 454
    I had the time, so I looked further at your config:

    1) You don't have your access-list inbound OR access-list outbound applied to any interfaces

    2) You have the following access-lists created
    access-list allow-all permit tcp any any (note the hyphen "-")
    access-list allow_all permit ip any any (note the underscore "_")

    But then they are applied to the interfaces like this:

    access-group allow-all in interface outside
    access-group allow-all in interface inside

    If you have access-group "allow-all" (the hyphenated list) applied the inside interface, you won't be able to ping anything from the inside....you're not allowing icmp, only tcp. Suggest you apply "access-group allow_all" (the underscored list) to the inside interface. You don't have "access-group allow_all" on ANY interface for that matter.

    I'd suggest renaming your access lists. The difference between the underscored list (access-list allow_all) and the hyphenated list (access-list allow-all) can be very confusing.

    Also, if this is for a live connection, you need to remove "snmp-server community public". That is a BIG security no-no. If you're going to use snmp monitoring, rename the "public" string to something stronger...like, I don't know..maybe "Tdce#@601L!w".....LOL

    This and the other stuff garv221 pointed out should help you immensely. Also, make sure you read that PIX OS 6.0 configuration guide link that I posted earlier. Believe me, it's got everything you need in it for a simple firewall configuration like you're attempting.
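The two config problems forbesl lists here (a hyphenated "allow-all" and an underscored "allow_all" that look alike, a list bound to an interface that permits only tcp so ping dies, and the "public" community string), plus the unapplied inbound/outbound lists, are all mechanical enough to catch with a small lint pass. The script below is an added example for this thread, not the poster's config or anything from Cisco; both config excerpts are constructed from the lines posted above, and the "fixed" excerpt applies the advice in the replies (the community string is the one joked about in this post).

```python
"""Lint the access-list / access-group section of a PIX 6.x config.

Added example for this thread, not the poster's or Cisco's code. The two
config excerpts below are constructed from the lines posted in the thread."""
import re
from collections import defaultdict

# Constructed excerpt of the first posted config (the problem case).
POSTED_CONFIG = """\
access-list inbound permit tcp any host 10.1.20.21 eq 24742
access-list inbound deny tcp any any
access-list outbound permit tcp any any eq www
access-list outbound deny tcp any any
access-list allow-all permit tcp any any
access-list allow_all permit ip any any
access-group allow-all in interface outside
access-group allow-all in interface inside
snmp-server community public
"""

# Constructed excerpt applying the replies' advice: one unambiguous list
# name that also covers icmp, applied where intended, and a non-default
# community string (the value is the one joked about in the thread).
FIXED_CONFIG = """\
access-list allow_all permit ip any any
access-group allow_all in interface outside
access-group allow_all in interface inside
snmp-server community Tdce#@601L!w
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s*(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
SNMP_RE = re.compile(r"^snmp-server\s+community\s+(\S+)")


def parse(config):
    acls = defaultdict(list)  # list name -> [(action, protocol, rest), ...]
    groups = {}               # interface -> list name applied inbound on it
    communities = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
        elif m := SNMP_RE.match(line):
            communities.append(m.group(1))
    return acls, groups, communities


def canonical(name):
    """'allow-all' and 'allow_all' collapse to the same key."""
    return name.replace("-", "_").lower()


def lint(config):
    acls, groups, communities = parse(config)
    findings = []
    applied = set(groups.values())

    # Lists that exist but are bound to no interface do nothing.
    for name in acls:
        if name not in applied:
            findings.append(f"unused: access-list {name} is not applied to any interface")

    # access-group naming a list that was never defined (with a near-miss hint).
    for iface, name in groups.items():
        if name not in acls:
            near = [n for n in acls if canonical(n) == canonical(name)]
            hint = f" (did you mean {near[0]}?)" if near else ""
            findings.append(f"missing: access-group {name} on {iface} names an undefined list{hint}")

    # Names that differ only by hyphen/underscore or case are easy to mix up.
    by_key = defaultdict(list)
    for name in acls:
        by_key[canonical(name)].append(name)
    for names in by_key.values():
        if len(names) > 1:
            findings.append("confusable: " + " / ".join(sorted(names)))

    # A list bound to an interface that permits neither icmp nor ip drops ping.
    for iface, name in groups.items():
        entries = acls.get(name, [])
        if entries and not any(a == "permit" and p in ("icmp", "ip") for a, p, _ in entries):
            findings.append(f"no icmp: {name} on {iface} permits neither icmp nor ip, so ping through {iface} is dropped")

    # Well-known community strings give anyone who can reach SNMP a free read.
    for c in communities:
        if c.lower() in ("public", "private"):
            findings.append(f"snmp: community string '{c}' is a well-known default")
    return findings


if __name__ == "__main__":
    for title, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {title} ==")
        for f in lint(cfg) or ["clean"]:
            print(" ", f)
```

Run as-is it reports seven findings for the posted excerpt (three unused lists, the allow-all/allow_all pair, no icmp on both interfaces, and the public community) and nothing for the fixed one. The checks only cover what this thread raises; "permit ip any any" on the outside interface passes the lint but is not a configuration to leave on a live link.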
  • darkuser Member Posts: 620 ■■■□□□□□□□
    owwww .....

    two default routes hurt my brain .....
    who wins .... the more "defaulty" ??????
    rm -rf /
  • forbesl Member Posts: 454
    My brain hurt, too.....precisely why I told him to get rid of that default inside route and change his outside default route to the correct IP. The PIX was havin' a fit!
  • rakem Member Posts: 800
    ok thanks for all that. The pix is sitting in front of an ISA server, eventually they will have pretty much the same rules for permitting / allowing traffic.

    What I want to happen at the moment is that any traffic that comes into the PIX should be forwarded to the ISA server, and any traffic leaving the PIX should be forwarded to the gateway which is the 125.7.34.158 address.

    Now I have got the following config:

    PIX Version 6.0(1)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password Nw8MznM5H/gvNcd3 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname bevpix
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list allow-all permit tcp any any
    access-list allow-all permit ip any any
    access-list allow-all permit icmp any any
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10baset
    mtu outside 1500
    ip address outside 125.7.34.145 255.255.255.240
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    access-group allow-all in interface outside
    access-group allow-all in interface inside
    route inside 0.0.0.0 0.0.0.0 125.7.34.158 1
    route outside 10.1.20.0 255.255.255.0 192.168.1.2 1
    route outside 10.1.21.0 255.255.255.0 192.168.1.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http 125.7.34.144 255.255.255.240 outside
    no snmp-server location
    no snmp-server contact

    so the way that the routes are set now, anything that comes into the inside interface gets sent to the 125.7.34.158 address

    and from my two other networks (10.1.20.0 & 10.1.21.0) that traffic should be sent to the 192.168.1.2 address which is the directly connected ISA server. So is that starting to look any better?

    One thing I'm not quite understanding is the static routes where you define the interface, for example,

    route inside 0.0.0.0 0.0.0.0 125.7.34.158 1

    does this mean that if traffic comes into the inside interface send to that address, or if traffic comes out of the inside interface send to that address? Why can't these be more like router static routes!!
    CCIE# 38186
    showroute.net
  • forbesl Member Posts: 454
    You still got your route statements wrong (reversed). You REALLY need to read that PIX 6.0 configuration guide. I'm done.....

    Here's the link (again)

    Cisco PIX Firewall Configuration Guide, Version 6.0
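On the PIX, `route <if> <net> <mask> <gw>` reads "to reach <net>, forward to <gw>, which sits on the subnet of interface <if>", so the gateway has to be a neighbour on that interface; that is why forbesl calls the posted statements reversed. The script below is an added example for this thread (not the poster's config, and not Cisco's code): it parses the route lines from both postings above, flags any gateway that is not on its interface's subnet and any duplicate default route, and then resolves a few destinations through a corrected set that simply swaps the interface names (that corrected set is constructed from the replies' advice, not something the poster wrote).

```python
"""Sanity-check PIX 6.x 'route' statements and resolve a destination.

Added example for this thread, not the poster's or Cisco's code. The first
two route sets are copied from the thread's postings; the third is what the
replies recommend (constructed)."""
import ipaddress

# From the posted 'ip address <if> <addr> <mask>' lines.
INTERFACES = {
    "outside": ipaddress.ip_interface("125.7.34.145/255.255.255.240"),
    "inside": ipaddress.ip_interface("192.168.1.1/255.255.255.0"),
}

FIRST_POST = """\
route inside 0.0.0.0 0.0.0.0 125.7.34.158 1
route outside 0.0.0.0 0.0.0.0 192.168.1.2 2
"""

SECOND_POST = """\
route inside 0.0.0.0 0.0.0.0 125.7.34.158 1
route outside 10.1.20.0 255.255.255.0 192.168.1.2 1
route outside 10.1.21.0 255.255.255.0 192.168.1.2 1
"""

# Constructed: the same routes with the interface names swapped, which is
# what the replies mean by 'reversed'.
CORRECTED = """\
route outside 0.0.0.0 0.0.0.0 125.7.34.158 1
route inside 10.1.20.0 255.255.255.0 192.168.1.2 1
route inside 10.1.21.0 255.255.255.0 192.168.1.2 1
"""


def parse_routes(text):
    """Return [(iface, network, gateway, metric)] from 'route' lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "route":
            iface, net, mask, gw = parts[1:5]
            metric = int(parts[5]) if len(parts) > 5 else 1
            routes.append((iface,
                           ipaddress.ip_network(f"{net}/{mask}", strict=False),
                           ipaddress.ip_address(gw),
                           metric))
    return routes


def check_routes(routes):
    """'route <if> <net> <mask> <gw>': to reach <net>, hand the packet to <gw>,
    a neighbour out of <if>. So <gw> must lie on <if>'s own subnet; if it lies
    on another interface's subnet the statement is reversed."""
    problems = []
    for iface, net, gw, _metric in routes:
        local = INTERFACES[iface].network
        if gw not in local:
            owner = [n for n, i in INTERFACES.items() if gw in i.network]
            hint = f"; {gw} is on the {owner[0]} subnet" if owner else ""
            problems.append(f"route {iface} {net} via {gw}: gateway is not on {iface} ({local}){hint}")
    defaults = [r for r in routes if r[1].prefixlen == 0]
    if len(defaults) > 1:
        problems.append(f"{len(defaults)} default routes defined; only one is needed")
    return problems


def lookup(routes, dst):
    """Egress interface and next hop for dst: directly connected subnets win,
    then the most specific static route (lowest metric on a tie).
    Returns (iface, gateway_or_None), or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    for name, intf in INTERFACES.items():
        if dst in intf.network:
            return name, None
    best = None
    for iface, net, gw, metric in routes:
        if dst in net and (best is None or (net.prefixlen, -metric) > (best[1].prefixlen, -best[3])):
            best = (iface, net, gw, metric)
    return (best[0], str(best[2])) if best else None


if __name__ == "__main__":
    for title, text in (("first post", FIRST_POST), ("second post", SECOND_POST), ("corrected", CORRECTED)):
        print(f"== {title} ==")
        for p in check_routes(parse_routes(text)) or ["ok"]:
            print(" ", p)
    for dst in ("8.8.8.8", "10.1.21.7", "192.168.1.2"):
        print(dst, "->", lookup(parse_routes(CORRECTED), dst))
```

Both posted route sets produce three problems each (every gateway is on the other interface's subnet, and the first post also carries two default routes); the corrected set is clean, sends 8.8.8.8 out the outside interface to 125.7.34.158, sends 10.1.21.7 inside to the ISA box at 192.168.1.2, and treats 192.168.1.2 itself as directly connected.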
  • Ahriakin Member Posts: 1,799 ■■■■■■■■□□
    I may be wrong here, and I'm still working on my coffee, but if you want the ISA server to be inline with the Pix and to avoid any traffic leakage you'd need to have a 3rd subnet just between the 2. Routing only works between networks so if you want all incoming traffic to head to the ISA then the PIX needs to believe it is not on the same subnet as the clients behind the ISA server and that the ISA server is in itself the one and only gateway to those clients. That's just off the top of my head and someone else likely has better info.
    Then again (I haven't worked with ISA at all) if the ISA is your DG on the clients and they are using it exclusively and it is acting as their proxy server then the PIX will automatically be returning traffic to it and not the clients, you could then apply an inside ACL to stop all client IPs bar the ISA from any access. In this way it's not so much that you are telling the PIX to route traffic to the ISA server but relying on the simple fact it will return traffic to the originator, and the ISA in turn returns it to the clients using it as a proxy. This would not be workable for traffic that originates on the outside though (but then do you have any outside-inside traffic to worry about?) unless you added another public IP, translated it statically to the ISA and had your external sources send to that IP instead of the PIX public.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • garv221 Member Posts: 1,914
    Honestly, you should really read that guide and ask a friend onsite for assistance. I'm sorry but you need to figure this out on your own. It's very hard for us to assist you when you do not have a basic understanding of PIX's.

    I can also suggest Richard A. Deal's "Cisco PIX Firewalls", a very straightforward book. I keep one in my office for quick review.
  • rakem Member Posts: 800
    It's cool guys, thanks for your help. I have just been thrown into the deep end by my boss who suddenly wants the 506 firewall set up even though I told him it only supports 10baseT half duplex!

    He thinks because I have a CCNA that I'm now the Cisco guru, but anyway I have convinced him that if he wants a firewall we need to upgrade to a better one, maybe a PIX 515E.

    While he is deciding I will do some more study.. thanks
    CCIE# 38186
    showroute.net
  • Ahriakin Member Posts: 1,799 ■■■■■■■■□□
    I can see where the folks here are coming from but I was in the same position as yourself a few months back, I know it's not exactly fun (well the challenge part is the boss breathing down your neck part isn't).
    The 506 external interface will be 100baseT full Duplex if you upgrade the image (I think it was introduced in 6.3?). Do you have the PDM (Gui) installed? If not get it on there as it makes your life a lot easier.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • rakem Member Posts: 800
    No, I don't have any GUI installed at all, is that built into the current IOS or would I need an upgrade for that?
    CCIE# 38186
    showroute.net
  • Ahriakin Member Posts: 1,799 ■■■■■■■■□□
    Upgrade to 6.3 if you can then install PDM 3.04, you'll likely have to install the latest Java runtime if you haven't already on the machine you're monitoring from. PDM versions are analogous to the 6.x version (ie. PDM 1.x runs on 6.1, PDM 2.x runs on 6.2). It's a lifesaver while you're learning the CLI side.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • garv221 Member Posts: 1,914
    I maintain a PIX 506, 515e & 525. I really like the 506, it's great for a smaller company that needs a few VPN connections and roaming users. The 506 does have 100 full duplex. I currently have mine running 6.3 with PDM (never use) and it is rock solid and never needs a reboot. How many users are behind your PIX, do you have any roaming users, do you have any vpn connections? A need for the 515 requires a lot of users, the 525 even more. The key to understanding PIX's is just knowing what you want the firewall to do & researching the commands. All firewalls achieve the same goal, they just have different methods of getting there & PIXs happen to be very complex on different levels.

    I was looking at your config again, you only need 1 route outside. You only need to grant ACL on incoming traffic that is mapped to the outside world. Repost your updated config & if I have time Friday, I will hook it up
  • thisisalex02 Member Posts: 136
    It's good to know the config, but if you're just starting out you should really use PDM. Make changes in the GUI and see how it affects the config. Look for some PIX configs online and just go through each line and see what it does. At first PIX is intimidating, but after a while you get the hang of it.
    Switches are bridges on steroids!