
Cisco PIX 515 configuration help


sintral
Jul 25, 2008, 3:34:48 PM
I've inherited a preconfigured PIX 515 at my new job. I've been able
to connect via HyperTerminal and luckily guess the password. I'm
attaching the output below of the "show config" command. I'm very new
to Cisco equipment, but my needs are very small at the moment and I'm
sure it's probably a handful of trivial commands to get me going.

Right now (and I'm speaking in terms of what I see company-wise, not
in terms of the firewall configuration), the only Internet traffic
being specifically routed to a machine is 10.6.18.179. This is our Web/
email server, and to my knowledge the only server accessible to the
outside world. The mail server supports IMAP and POP from within our
private network. The mail server is only accessible outside the office
through webmail. IMAP and POP support from a mail client like
Thunderbird isn't working.

The goal(s):
1. I've set up an FTP server on 10.6.18.10 and need to have all
traffic on port 21 sent to that machine (internally and externally).
The DNS server is already set up to resolve the name, so that shouldn't
be an issue.

2. I'd like to get IMAP and POP support working outside the office
(ports 143 and 110 I assume).

3. Very soon our website is going to be outsourced. I assume this will
mean two changes on our part: change the DNS entry to point to the
third party hosting server and remove the firewall entry that routes
traffic to 10.6.18.179.

I hope I've been clear on what I need help with. I appreciate your
expertise and patience.

BTW, and not to sound like a jerk, but actual specific commands for
accomplishing these 3 tasks in hyperterminal would be more beneficial
to me than a vague overview of Cisco theory, broad statements, or
hyperbole.

Here's my configuration:

: Saved
: Written by enable_15 at 09:13:06.454 UTC Mon Mar 19 2007
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
hostname xxxxxxxxx
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol http 80
names
access-list 101 permit ip 10.6.18.0 255.255.255.0 172.6.18.0 255.255.255.0
pager lines 24
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 68.16.146.90 255.255.255.248
ip address inside 10.6.18.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.6.18.1-172.6.18.25
pdm location 10.6.18.2 255.255.255.255 inside
pdm location 10.6.18.179 255.255.255.255 inside
pdm location 67.77.12.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 68.16.146.92-68.16.146.93 netmask 255.255.255.248
global (outside) 1 68.16.146.94 netmask 255.255.255.248
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 68.16.146.91 10.6.18.179 netmask 255.255.255.255 0 0
conduit permit tcp host 68.16.146.91 eq www any
conduit permit tcp host 68.16.146.91 eq 444 any
conduit permit tcp host 68.16.146.91 eq 81 any
conduit permit tcp host 68.16.146.91 eq https any
conduit permit tcp host 68.16.146.91 eq ssh any
conduit permit tcp host 68.16.146.91 eq telnet any
conduit permit tcp host 68.16.146.91 eq ftp any
conduit permit tcp host 68.16.146.91 eq smtp any
conduit permit tcp host 68.16.146.91 eq pop3 any
conduit permit tcp host 68.16.146.91 eq 32000 any
route outside 0.0.0.0 0.0.0.0 68.16.146.89 1
route inside 192.168.0.0 255.255.255.0 10.6.18.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http 10.6.18.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set remote esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set remote
crypto map remote 10 ipsec-isakmp dynamic dynmap
crypto map remote interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remote address-pool ippool
vpngroup remote dns-server 10.6.18.2
vpngroup remote wins-server 10.6.18.2
vpngroup remote default-domain xxxxxxxxxxxx.com
vpngroup remote idle-time 5000
vpngroup remote password ********
telnet timeout 5
ssh timeout 5
terminal width 80

Thanks,
Paul

Artie Lange
Jul 25, 2008, 3:45:15 PM
sintral wrote:

The below statements are what you have in place


> conduit permit tcp host 68.16.146.91 eq www any
> conduit permit tcp host 68.16.146.91 eq 444 any
> conduit permit tcp host 68.16.146.91 eq 81 any
> conduit permit tcp host 68.16.146.91 eq https any
> conduit permit tcp host 68.16.146.91 eq ssh any
> conduit permit tcp host 68.16.146.91 eq telnet any
> conduit permit tcp host 68.16.146.91 eq ftp any
> conduit permit tcp host 68.16.146.91 eq smtp any
> conduit permit tcp host 68.16.146.91 eq pop3 any
> conduit permit tcp host 68.16.146.91 eq 32000 any


You already have POP access:

+OK mail.fergusoncopeland.com IceWarp 9.1.0 POP3 Fri, 25 Jul 2008 15:41:35 -04
<2008072...@mail.fergusoncopeland.com>

and ftp

U:\>ftp
ftp> open
To 68.16.146.91
Connected to 68.16.146.91.
530 Connection refused, unknown IP address.
User (68.16.146.91:(none)):


To get IMAP add:

conduit permit tcp host 68.16.146.91 eq 143 any

> 3. Very soon our website is going to be outsourced. I assume this will
> mean two changes on our part: change the DNS entry to point to the
> third party hosting server and remove the firewall entry that routes
> traffic to 10.6.18.179.


No, you only want to remove the conduit entries that equal http/https


sintral
Jul 25, 2008, 4:19:24 PM
On Jul 25, 3:45 pm, Artie Lange <spam...@jamiebaillie.net> wrote:
> sintral wrote:
>
> The below statements are what you have in place
>
> > conduit permit tcp host 68.16.146.91 eq www any
> > conduit permit tcp host 68.16.146.91 eq 444 any
> > conduit permit tcp host 68.16.146.91 eq 81 any
> > conduit permit tcp host 68.16.146.91 eq https any
> > conduit permit tcp host 68.16.146.91 eq ssh any
> > conduit permit tcp host 68.16.146.91 eq telnet any
> > conduit permit tcp host 68.16.146.91 eq ftp any
> > conduit permit tcp host 68.16.146.91 eq smtp any
> > conduit permit tcp host 68.16.146.91 eq pop3 any
> > conduit permit tcp host 68.16.146.91 eq 32000 any
>
> You already have POP access:
>
> +OK mail.fergusoncopeland.com IceWarp 9.1.0 POP3 Fri, 25 Jul 2008
> 15:41:35 -04
>   <20080725154...@mail.fergusoncopeland.com>

>
> and ftp
>
> U:\>ftp
> ftp> open
> To 68.16.146.91
> Connected to 68.16.146.91.
> 530 Connection refused, unknown IP address.
> User (68.16.146.91:(none)):
>
> To get IMAP add:
>
> conduit permit tcp host 68.16.146.91 eq 143 any
>
>  > 3. Very soon our website is going to be outsourced. I assume this will
>  > mean two changes on our part: change the DNS entry to point to the
>  > third party hosting server and remove the firewall entry that routes
>  > traffic to 10.6.18.179.
>
> No, you only want to remove the conduit entries that equal http/https

With FTP, I'm getting the same error message that you do:
ftp 68.16.146.91
Connected to 68.16.146.91.
530 Connection refused, unknown IP address.

I've added port 22, (though I think SSH was already enabled) and I get
this message when trying to connect from outside the office:
ssh: connect to host 68.16.146.91 port 22: Connection refused

I haven't tried IMAP connections yet since adding the entry suggested
above, but telnet (which has a conduit entry) is also giving an error:
telnet: Unable to connect to remote host: Connection refused

Thanks,
Paul

Artie Lange
Jul 25, 2008, 4:27:20 PM
sintral wrote:

>
> With FTP, I'm getting the same error message that you do:
> ftp 68.16.146.91
> Connected to 68.16.146.91.
> 530 Connection refused, unknown IP address.

Sounds to me like you have an IP access list set up on the FTP server; you
are listening on that port and it is being published through your firewall.

>
> I've added port 22, (though I think SSH was already enabled) and I get
> this message when trying to connect from outside the office:
> ssh: connect to host 68.16.146.91 port 22: Connection refused

Can you tell me what SSH server you use and what SSH protocol is being
used? Version of SSH?

>
> I haven't tried IMAP connections yet since adding the entry suggested
> above, but telnet (which has a conduit entry) is also giving an error:
> telnet: Unable to connect to remote host: Connection refused

Is telnet running on the server?

>
> Thanks,
> Paul

Artie Lange
Jul 25, 2008, 4:27:44 PM
sintral wrote:

>
> I haven't tried IMAP connections yet since adding the entry suggested
> above, but telnet (which has a conduit entry) is also giving an error:
> telnet: Unable to connect to remote host: Connection refused
>
> Thanks,
> Paul

IMAP is working

sintral
Jul 25, 2008, 4:33:22 PM
On Jul 25, 3:45 pm, Artie Lange <spam...@jamiebaillie.net> wrote:
> sintral wrote:
>
> The below statements are what you have in place
>
> > conduit permit tcp host 68.16.146.91 eq www any
> > conduit permit tcp host 68.16.146.91 eq 444 any
> > conduit permit tcp host 68.16.146.91 eq 81 any
> > conduit permit tcp host 68.16.146.91 eq https any
> > conduit permit tcp host 68.16.146.91 eq ssh any
> > conduit permit tcp host 68.16.146.91 eq telnet any
> > conduit permit tcp host 68.16.146.91 eq ftp any
> > conduit permit tcp host 68.16.146.91 eq smtp any
> > conduit permit tcp host 68.16.146.91 eq pop3 any
> > conduit permit tcp host 68.16.146.91 eq 32000 any
>
> You already have POP access:
>
> +OK mail.fergusoncopeland.com IceWarp 9.1.0 POP3 Fri, 25 Jul 2008
> 15:41:35 -04
>   <20080725154...@mail.fergusoncopeland.com>

>
> and ftp
>
> U:\>ftp
> ftp> open
> To 68.16.146.91
> Connected to 68.16.146.91.
> 530 Connection refused, unknown IP address.
> User (68.16.146.91:(none)):
>
> To get IMAP add:
>
> conduit permit tcp host 68.16.146.91 eq 143 any
>
>  > 3. Very soon our website is going to be outsourced. I assume this will
>  > mean two changes on our part: change the DNS entry to point to the
>  > third party hosting server and remove the firewall entry that routes
>  > traffic to 10.6.18.179.
>
> No, you only want to remove the conduit entries that equal http/https

Also, it seems like somewhere in my firewall configuration there would
need to be rules saying "accept traffic on port 21 and send it to
10.6.18.10" and "accept traffic on port 143 and send it to
10.6.18.179".

sintral
Jul 25, 2008, 4:38:58 PM

I'm using ProFTP on 10.6.18.10. To my knowledge I don't have an access
restriction list in place. It is pretty much set up with default
options. I know it is off topic, but do you know how to check and see
if an access list is in use?

I'm using OpenSSH_4.7 on that same machine.

Scott Perry
Jul 25, 2008, 5:08:44 PM
You inherited a Cisco PIX 515 firewall at work and now you need to either do
a lot of research or have your company contract a consultant. Learning all
there is to know in order to manage your firewall yourself is what would
make us all proud.

First, get rid of those conduits and replace them with access-lists. Most
of what it is permitting is not mentioned in this e-mail.

no conduit permit tcp host 68.16.146.91 eq www any
no conduit permit tcp host 68.16.146.91 eq 444 any
no conduit permit tcp host 68.16.146.91 eq 81 any
no conduit permit tcp host 68.16.146.91 eq https any
no conduit permit tcp host 68.16.146.91 eq ssh any
no conduit permit tcp host 68.16.146.91 eq telnet any
no conduit permit tcp host 68.16.146.91 eq ftp any
no conduit permit tcp host 68.16.146.91 eq smtp any
no conduit permit tcp host 68.16.146.91 eq pop3 any
no conduit permit tcp host 68.16.146.91 eq 32000 any
!
access-list inbound remark *
access-list inbound remark * Outside Internet Inbound
access-list inbound remark *
access-list inbound extended permit tcp any host 68.16.146.91 eq ftp
access-list inbound extended permit tcp any host 68.16.146.91 eq ssh
access-list inbound extended permit tcp any host 68.16.146.91 eq telnet
access-list inbound extended permit tcp any host 68.16.146.91 eq smtp
access-list inbound extended permit tcp any host 68.16.146.91 eq www
access-list inbound extended permit tcp any host 68.16.146.91 eq 81
access-list inbound extended permit tcp any host 68.16.146.91 eq pop3
access-list inbound extended permit tcp any host 68.16.146.91 eq imap4
access-list inbound extended permit tcp any host 68.16.146.91 eq https
access-list inbound extended permit tcp any host 68.16.146.91 eq 444
access-list inbound extended permit tcp any host 68.16.146.91 eq 32000
!
access-list outbound remark *
access-list outbound remark * Inside LAN Outbound
access-list outbound remark *
access-list outbound extended permit ip any any
!
access-group inbound in interface outside
access-group outbound in interface inside

> 1. I've setup and FTP server on 10.6.18.10 and need to have all
> traffic on port 21 sent to that machine (internally and externally).
> The DNS server is already setup to resolve the name, so that shouldn't
> be an issue.
> 2. I'd like to get IMAP and POP support working outside the office
> (ports 143 and 110 I assume).

Each of these (except for the one being taken out) should correspond with
entries in the inbound access-list.

no static (inside,outside) 68.16.146.91 10.6.18.179 netmask 255.255.255.255
static (inside,outside) tcp 68.16.146.91 21 10.6.18.10 21 netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.16.146.91 80 10.6.18.179 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.16.146.91 110 10.6.18.179 110 netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.16.146.91 143 10.6.18.179 143 netmask 255.255.255.255 0 0

Hosts inside the firewall cannot access the FTP server by the global IP
address; they must use the 10.6.18.10 IP address. Hosts one side of a
firewall cannot reach the firewall's own IP address on the other side.
Cisco firewalls will deny that action.

> 3. Very soon our website is going to be outsourced. I assume this will
> mean two changes on our part: change the DNS entry to point to the
> third party hosting server and remove the firewall entry that routes
> traffic to 10.6.18.179.

no static (inside,outside) tcp 68.16.146.91 80 10.6.18.179 80 netmask 255.255.255.255 0 0
!
no access-list inbound extended permit tcp any host 68.16.146.91 eq www
no access-list inbound extended permit tcp any host 68.16.146.91 eq https

-----
Scott Perry
Indianapolis, IN
-----


Artie Lange
Jul 25, 2008, 5:24:35 PM
Scott Perry wrote:
> You inherited a Cisco PIX 515 firewall at work and now you need to either do
> a lot of research or have your company contract a consultant. Learning all
> there is to know in order to manage your firewall yourself is what would
> make us all proud.
>
> First, get rid of those conduits and replace them with access-lists. Most
> of what it is permitting is not mentioned in this e-mail.
>

Thanks Scott, great post, I was going to explain to him that the
conduits need to go, but I did not want to ruin his Friday!

sintral
Jul 25, 2008, 5:42:33 PM

Hey guys thanks a lot for the info and advice.

Scott, I get this error when I input the commands you posted:

FergCopePIX(config)# access-list inbound remark *
ERROR: missing command argument(s)
Usage: [no] access-list compiled
[no] access-list <id> compiled
[no] access-list <id> deny|permit <protocol>|object-group
<protocol_obj_grp_id>
<sip> <smask> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group
<service_obj_grp_id>]

<dip> <dmask> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group
<service_obj_grp_id>]

[no] access-list <id> deny|permit icmp
<sip> <smask> | object-group <network_obj_grp_id>
<dip> <dmask> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]

I've tried putting an <id> with it such as this:
access-list 102 inbound remark *
but it tells me I'm missing command arguments.

I may be using an older version of software that doesn't accept this
syntax exactly or something. I'm sure you guys know better than me if
that's possible.

Adding a number to the access-list statement for FTP gives a slightly
different error:
FergCopePIX(config)# access-list 102 inbound extended permit tcp any
host 68.1$
ERROR:<inbound> not a valid permission
Usage: [no] access-list compiled
[no] access-list <id> compiled
[no] access-list <id> deny|permit <protocol>|object-group
<protocol_obj_grp_id>
<sip> <smask> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group
<service_obj_grp_id>]

<dip> <dmask> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group
<service_obj_grp_id>]

[no] access-list <id> deny|permit icmp
<sip> <smask> | object-group <network_obj_grp_id>
<dip> <dmask> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]

One other question: it appears that these attempted changes aren't
saved unless I enter a 'wr mem' command, correct? For example I ran
all of the 'no conduit...' commands but they still show up in 'show
config'. I'll need to make sure the access-list commands are accepted
before writing the changes for the conduit entries so that everyone
isn't cut off.

Thanks, Scott, for the complete config settings.

Artie Lange
Jul 25, 2008, 9:16:26 PM
sintral wrote:

>
> One other question, it appears that these attempted changes aren't
> saved unless I enter a 'wr mem' command, correct? For example I ran
> all of the 'no conduit...' commands but they still show up in 'show
> config'. I'll need to make sure the access-list commands are excepted
> before writing the changes for the conduit entries so that everyone
> isn't cutoff.
>

Yes, you must write memory to save the config, it is also wise to
perform a 'clear xlate'

Scott Perry
Jul 28, 2008, 11:47:49 AM
I was using a different OS version. Although I like the remarks in
access-lists, you do not need to have them. From the help dialog which you
included in your post, I see that there is not an option for remarks in your
version of the PIX OS.

-----
Scott Perry
Indianapolis, IN
-----

"sintral" <sin...@gmail.com> wrote in message
news:259974c4-d662-457e...@l64g2000hse.googlegroups.com...
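Editor's worked example (added here; it is not code from any of the posts above or from Cisco). The advice in the thread is to replace the conduits with an access-list and the one-to-one static with per-port statics, but the syntax given uses 'extended' and 'remark', which the 6.2(2) help output quoted above does not accept, and the four statics it lists (21, 80, 110, 143) do not cover the other ports its access-list permits: once 'no static (inside,outside) 68.16.146.91 10.6.18.179 ...' is entered, an ACL permit for smtp or https has no translation behind it and the PIX drops the packet. The script below takes the conduit lines from the posted config, converts each to the PIX 6.x access-list form (source address first, where conduit syntax puts the destination first), emits a port static for every service the first post actually asks for, and cross-checks that every permitted public port has a static. The FORWARDS table, the ordering of the output and the function names are this example's own; conduits for services the first post never mentions (ssh, telnet, 81, 444, 32000) are returned for review rather than carried over.

```python
"""PIX 6.2 inbound policy for this thread, rebuilt without conduits. Added
illustration, not code from the posts or from Cisco; function names are mine."""
import re

PUBLIC = "68.16.146.91"    # global address of the posted one-to-one static
MAIL_WEB = "10.6.18.179"   # web/mail server behind it
FTP_HOST = "10.6.18.10"    # new ProFTPD host (goal 1 in the first post)

# Conduit lines verbatim from the posted 'show config'.
CONDUITS = """\
conduit permit tcp host 68.16.146.91 eq www any
conduit permit tcp host 68.16.146.91 eq 444 any
conduit permit tcp host 68.16.146.91 eq 81 any
conduit permit tcp host 68.16.146.91 eq https any
conduit permit tcp host 68.16.146.91 eq ssh any
conduit permit tcp host 68.16.146.91 eq telnet any
conduit permit tcp host 68.16.146.91 eq ftp any
conduit permit tcp host 68.16.146.91 eq smtp any
conduit permit tcp host 68.16.146.91 eq pop3 any
conduit permit tcp host 68.16.146.91 eq 32000 any
"""

# Services the thread asks to expose and the inside host for each. Conduits for
# anything else (ssh, telnet, 81, 444, 32000) are held back under "review".
FORWARDS = {
    "ftp": FTP_HOST,    # goal 1: port 21 to the new FTP server
    "smtp": MAIL_WEB,   # inbound mail, already permitted by conduit
    "pop3": MAIL_WEB,   # goal 2
    "143": MAIL_WEB,    # goal 2: IMAP, the rule suggested in the thread
    "www": MAIL_WEB,    # goal 3: remove these two once the site is outsourced
    "https": MAIL_WEB,
}
# PIX port literals seen in the thread, so 'imap4' and '143' compare equal.
PORT_NUMBERS = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
                "www": 80, "pop3": 110, "imap4": 143, "https": 443}

def port_number(port):
    return None if port is None else PORT_NUMBERS.get(port) or int(port)

# conduit <action> <proto> <global addr> [eq port] <foreign addr> [eq port]:
# destination first, source second. access-list is source first, so we swap.
ADDR = r"(?:any|host \S+|\S+ \S+)"
CONDUIT_RE = re.compile(
    rf"^conduit (permit|deny) (\S+) ({ADDR})(?: eq (\S+))? ({ADDR})(?: eq (\S+))?$")
ACL_RE = re.compile(rf"^access-list \S+ permit tcp {ADDR} host (\S+) eq (\S+)$")

def parse_conduit(line):
    m = CONDUIT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed conduit: {line!r}")
    return m.groups()           # action, proto, dst, dport, src, sport

def conduit_to_acl(line, acl="inbound"):
    """One conduit -> PIX 6.2 access-list line (no 'extended', no 'remark')."""
    action, proto, dst, dport, src, sport = parse_conduit(line)
    src += f" eq {sport}" if sport else ""
    dst += f" eq {dport}" if dport else ""
    return f"access-list {acl} {action} {proto} {src} {dst}"

def missing_statics(acl_lines, static_lines):
    """(ip, port) pairs an ACL permits but no static translates: PIX drops those."""
    translated = set()
    for s in static_lines:
        m = re.match(r"static \(inside,outside\) tcp (\S+) (\S+) ", s)
        if m:                                   # port static: that port only
            translated.add((m.group(1), port_number(m.group(2))))
        m = re.match(r"static \(inside,outside\) (\S+) \S+ netmask", s)
        if m:                                   # one-to-one static: all ports
            translated.add((m.group(1), None))
    gaps = []
    for a in acl_lines:
        m = ACL_RE.match(a)
        if m:
            key = (m.group(1), port_number(m.group(2)))
            if key not in translated and (key[0], None) not in translated:
                gaps.append(key)
    return gaps

def build_plan(conduits=CONDUITS, forwards=FORWARDS):
    """Console commands in the order the post above uses, plus what was left out."""
    lines = conduits.strip().splitlines()
    wanted = {port_number(p) for p in forwards}
    present = {port_number(parse_conduit(l)[3]) for l in lines}
    keep = [l for l in lines if port_number(parse_conduit(l)[3]) in wanted]
    review = [l for l in lines if l not in keep]
    acl = [conduit_to_acl(l) for l in keep]
    acl += [f"access-list inbound permit tcp any host {PUBLIC} eq {p}"
            for p in forwards if port_number(p) not in present]   # e.g. IMAP
    statics = [f"no static (inside,outside) {PUBLIC} {MAIL_WEB} netmask 255.255.255.255 0 0"]
    statics += [f"static (inside,outside) tcp {PUBLIC} {port_number(p)} {host} "
                f"{port_number(p)} netmask 255.255.255.255 0 0"
                for p, host in forwards.items()]
    commands = (statics + acl + ["access-group inbound in interface outside"]
                + ["no " + l for l in lines] + ["clear xlate"])
    return {"commands": commands, "review": review,
            "gaps": missing_statics(acl, statics)}

if __name__ == "__main__":
    print("\n".join(build_plan()["commands"]))
```

Run it and paste the output into the console in that order: the one-to-one static is removed before the port statics are added, the access-group is applied before the conduits are removed, then 'clear xlate', and 'write memory' only after testing from outside, as the thread says. Two things to know before doing it: dropping the one-to-one static also changes the source address of the mail server's own outbound connections, which will then come from the global pool (68.16.146.92-94) instead of 68.16.146.91, so check reverse DNS for outbound mail first; and the "530 Connection refused, unknown IP address" seen on port 21 came from whatever listens on 10.6.18.179, because the posted static sends every port of 68.16.146.91 to that host, not to 10.6.18.10.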
