Help me set up a Cisco PIX

p3mul4 Registered Users Posts: 6
Hi,

I'm new to setting up the Cisco PIX. My problem is that my PIX can't communicate between outside and inside. I don't know what's wrong with the setting.

Please help me.

Here's my setting:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list acl-out permit tcp any interface outside
access-list acl-out permit tcp any any
access-list acl-out permit icmp any any
access-list acl-out2 permit tcp any any
access-list acl-out2 permit tcp any interface inside
access-list acl-out2 permit icmp any any
access-list acl-out2 permit tcp host 10.112.1.94 host 202.202.202.56
pager lines 24
icmp permit 200.201.202.0 255.255.255.0 unreachable outside
mtu outside 1500
mtu inside 1500
ip address outside 172.27.6.230 255.255.255.248
ip address inside 200.201.202.56 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
static (inside,outside) 172.27.6.230 200.201.202.56 netmask 255.255.255.255 0 0


access-group acl-out2 in interface outside
route inside 0.0.0.0 0.0.0.0 172.27.6.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:5a47fed21e14e7bc5231b10d875fc1ae
: end

Comments

  • wayniac Member Posts: 6
    Here is the basic config I used for PIXs. Hopefully this helps; if you have any questions, ask.

    Basic Config 501
    interface ethernet0 auto
    interface ethernet1 100full
    enable password password
    passwd password
    hostname hostname
    ip address inside 172.27.6.230 255.255.255.248
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    ip address outside 200.201.202.56 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 200.201.202.1 1
    telnet 172.27.6.224 255.255.255.248 inside
    wr me
    !

    Remote Management
    domain-name test.com
    ca generate rsa key 512
    ca save all

    ssh 172.27.6.224 255.255.255.248 inside
    ssh xxx.xxx.xxx.xxx outside
    wr me


    DHCP
    dhcpd address 172.27.6.225-172.27.6.229 inside
    dhcpd dns 8.8.8.8
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain test.com
    dhcpd enable inside
    wr me

    ICMP ACCESS-LIST
    access-list acl_out permit icmp any any echo-reply
    access-list acl_out permit icmp any any traceroute
    access-list acl_out permit icmp any any time-exceeded
    access-group acl_out in interface outside
    wr me
  • joehalford01 Member Posts: 364
    Can you ping the outside interface from outside your network? You can turn on debug with

    debug icmp trace

    Turn that on and then watch the console while you ping; at that point you can at least see if your pings are even making it to the firewall.
  • p3mul4 Registered Users Posts: 6
    Thanks for the response, guys.

    Yes, I can ping from the outside (e0) to the outside IP, and I can also ping from the inside (e1) to a host/workstation.
    But it can't communicate between outside and inside.
    The outside interface (e0) is 172.27.6.230; it is connected to a Catalyst switch with IP address 172.27.6.225 255.255.255.248.
    The inside interface (e1) is 200.201.202.56; it is connected to the local LAN.

    Is there something missing in my setting?

    Thanks for the help, guys.
  • dtlokee Member Posts: 2,378
    Looks like you have your static default route on the inside interface where the subnet is 200.201.202.0:
    route inside 0.0.0.0 0.0.0.0 172.27.6.230 1

    Also, you only have the one static listed, so that would be the only host that I would expect to work through the PIX (6.x enforces NAT control). You may need to add an overloaded NAT statement for the other hosts as well.
    The only easy day was yesterday!
  • p3mul4 Registered Users Posts: 6
    Hi dtlokee,

    Can you explain more about these? I'm doing trial and error in setting up the firewall.

    Thanks
    dtlokee wrote: »
    Looks like you have your static default route on the inside interface where the subnet is 200.201.202.0:


    Also, you only have the one static listed, so that would be the only host that I would expect to work through the PIX (6.x enforces NAT control). You may need to add an overloaded NAT statement for the other hosts as well.
  • dtlokee Member Posts: 2,378
    Your static default route generally points to your ISP router, which I would expect to see on the "outside" interface (the one with the lowest security level of 0).

    The command for the static default route is "route [interface] 0.0.0.0 0.0.0.0 [next hop router]" so this would be something like "route outside 0.0.0.0 0.0.0.0 172.27.6.225"

    As for NAT, the firewall will require you to have a NAT rule for packets to pass through it. The easiest way is to translate the inside hosts to the IP address of the outside interface:

    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    The only easy day was yesterday!
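    The two points made above (default route on the wrong interface and no nat/global pair) can be checked mechanically. The checker below is an added example, not from this thread or from Cisco; it parses a cut-down copy of the original config and reports the default-route, NAT-control and unapplied-ACL problems visible in it. All function and variable names are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample: the thread's original PIX 6.3 config, cut down to the lines this checker reads.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_out permit icmp any any
access-list acl-out2 permit tcp any any
ip address outside 172.27.6.230 255.255.255.248
ip address inside 200.201.202.56 255.255.255.0
static (inside,outside) 172.27.6.230 200.201.202.56 netmask 255.255.255.255 0 0
access-group acl-out2 in interface outside
route inside 0.0.0.0 0.0.0.0 172.27.6.230 1
"""

def lint_pix_config(text: str) -> List[str]:
    """Flag the misconfigurations discussed in the thread (hypothetical checker, not a Cisco tool)."""
    sec: Dict[str, int] = {}                     # interface name -> security level
    addr: Dict[str, str] = {}                    # interface name -> the PIX's own address
    acl_defined, acl_used = set(), set()
    default_routes: List[Tuple[str, str]] = []   # (interface, next hop)
    has_nat = has_global = False
    for t in filter(None, (ln.split() for ln in text.splitlines())):
        if t[0] == "nameif" and len(t) >= 4:
            sec[t[2]] = int(t[3][len("security"):])
        elif t[:2] == ["ip", "address"] and len(t) >= 4:
            addr[t[2]] = t[3]
        elif t[0] == "access-list" and len(t) >= 2:
            acl_defined.add(t[1])
        elif t[0] == "access-group" and len(t) >= 2:
            acl_used.add(t[1])
        elif t[0] == "nat":
            has_nat = True
        elif t[0] == "global":
            has_global = True
        elif t[0] == "route" and len(t) >= 5 and t[2:4] == ["0.0.0.0", "0.0.0.0"]:
            default_routes.append((t[1], t[4]))
    findings: List[str] = []
    lowest = min(sec.values(), default=0)        # security0 is normally "outside"
    for iface, nh in default_routes:
        if sec.get(iface, lowest) != lowest:
            findings.append(f"default route on {iface} (security{sec[iface]}); expected the security{lowest} interface")
        if nh in addr.values():
            findings.append(f"default route next hop {nh} is the PIX's own address, not the ISP router")
    for name in sorted(acl_defined - acl_used):
        findings.append(f"access-list {name} is defined but never applied with access-group (typo in the name?)")
    if not (has_nat and has_global):
        findings.append("no nat/global pair: with NAT control only hosts covered by a static can pass")
    return findings
```

Run against the sample it reports four findings; after adding the "route outside" and nat/global lines from the reply above, only the unapplied acl_out entry remains.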
  • p3mul4 Registered Users Posts: 6
    Thanks for the help, it works right now. :)

    Well, the first time I implemented it on the local network, something went wrong: workstations that have a different IP segment (192.168.50.X) couldn't connect to the server. Physically, the Cisco PIX is not connected to the switch where that segment is.
    This error occurred 2 times. This makes me wonder where the problem is.
    Is there a wrong cable plugged into that switch? I checked the switch physically and nothing's wrong.

    Then I turned on the Cisco PIX again, and it is working until now. :)

    Well, I have one more question. Can e1 ping e0?

    Thanks for the answer :)
  • dtlokee Member Posts: 2,378
    p3mul4 wrote: »
    Thanks for the help, it works right now. :)

    Well, the first time I implemented it on the local network, something went wrong: workstations that have a different IP segment (192.168.50.X) couldn't connect to the server. Physically, the Cisco PIX is not connected to the switch where that segment is.
    This error occurred 2 times. This makes me wonder where the problem is.
    Is there a wrong cable plugged into that switch? I checked the switch physically and nothing's wrong.

    Then I turned on the Cisco PIX again, and it is working until now. :)

    Well, I have one more question. Can e1 ping e0?

    Thanks for the answer :)

    The first part I can't really answer well without seeing a diagram of how it's connected at L3.

    The PIX enforces rules that prohibit traffic that is received on one interface from being forwarded to another interface, so no you can not ping E1 from E0 or the other way around.
    The only easy day was yesterday!
  • p3mul4 Registered Users Posts: 6
    Thanks for the answer, dtlokee. :) ...

    I still have a lot of questions about the Cisco PIX 501; should I make a new thread or continue in this thread?
    Well, after success with setting up the PIX 501, I have 3 empty ports. Can I add more outside interfaces to the PIX?
    So the plan would be like this:

    e0 = outside
    e1 = inside
    e2 = outside (different IP segment with e0)
    e3 = dmz (have same IP segment with e2)

    Regards
  • instant000 Member Posts: 1,745
    p3mul4 wrote: »
    Thanks for the answer, dtlokee. :) ...

    I still have a lot of questions about the Cisco PIX 501; should I make a new thread or continue in this thread?
    Well, after success with setting up the PIX 501, I have 3 empty ports. Can I add more outside interfaces to the PIX?
    So the plan would be like this:

    e0 = outside
    e1 = inside
    e2 = outside (different IP segment with e0)
    e3 = dmz (have same IP segment with e2)

    Regards

    There's an older book that might suit you:
    Cisco PIX Firewalls, by Richard Deal

    It seems that right now, you're asking about DMZs.

    Please read this: (it's at least free)
    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/63_confg.pdf

    I'd recommend Richard Deal's book on Pix firewalls, if you have to work on PIX 6.3 for now.

    Of course, some commands and default behaviors have changed since 6.3, but you should still be able to work with what you have here to get the premise of how the Pix firewall works. At least one good thing is that if you truly understand how 6.3 works, the newer OS's will be a lot easier to use.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • p3mul4 Registered Users Posts: 6
    Thanks for the advice, I will download it immediately. :)