#1
Registered User
Join Date: May 2009
Posts: 1
OS: WinXP, Vista, Multiple flavors of Linux, SunOS
PIX 501: Odd Traffic Flow - Rule Issues
Hello,
(IPs have been adjusted to represent a testing environment.) I have been spending a lot of time trying to configure my PIX 501 firewall to allow full traffic and then later add rules to secure it. I have it mostly working; however, I am having issues getting the outside network to talk to the inside network freely. I cannot get any ICMP packets through or telnet to any ports (not including port 80 on the inside interface - yes, odd).

Network setup: a DSL modem (network: 192.168.0.0, gw .1) sits at the front, followed by a Netgear router (network: 192.168.1.0, gw .1), then the PIX 501 firewall (network: 192.168.2.0, gw .1). The Netgear has been given a static route to push traffic wanting to go to 192.168.2.0 to 192.168.1.254, the PIX outside interface. Outside traffic (192.168.1.0) can reach the outside interface and can do so when pointing to an inside address. The inside can see all networks and can ping. The odd part is that if I telnet from a box behind the PIX 501, of course succeeding, I can then access the inside network from the outside network. But until that happens, the outside cannot see the inside. Any idea?

Thank you,
Sincerely,
~Emgey007

(Config posted - keep in mind the addresses have been changed to represent a test environment; also, there are a number of access rules left over from my attempts to succeed.)

MGVPNR001# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8G74C7mbN2bQHtnO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname MGVPNR001
domain-name gaet0010.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
object-group icmp-type ICMP_MANAGEMENT
  icmp-object echo
  icmp-object echo-reply
  icmp-object time-exceeded
  icmp-object traceroute
  icmp-object unreachable
access-list inside_access_in permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in permit tcp 192.168.1.0 255.255.255.0 eq ssh any eq ssh
access-list montclair_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.2.192 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.192 255.255.255.192
pager lines 24
icmp permit 192.168.1.0 255.255.255.0 outside
icmp permit any outside
icmp permit 192.168.2.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.254 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool montclair 192.168.2.200-192.168.2.254 mask 255.255.255.0
pdm location 192.168.2.192 255.255.255.192 outside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.2.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 outside
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup montclair address-pool montclair
vpngroup montclair default-domain gaet0010.com
vpngroup montclair split-tunnel montclair_splitTunnelAcl
vpngroup montclair idle-time 1800
vpngroup montclair password ********
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
console timeout 0
username mgaetano password qfm2QFgX6VwvLryD encrypted privilege 15
terminal width 80
Cryptochecksum:6dba7e49f7fd4e52391e664d03d96b7e
: end
MGVPNR001#
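The symptom in the post (the outside can reach an inside host only after that host has opened a connection outward, and the `access-group outside_access_in` rules permit the traffic regardless) is the kind of thing a config audit can flag mechanically. On PIX 6.x, a plain `nat (inside) N ...` statement, identity NAT `nat (inside) 0 0.0.0.0 0.0.0.0` included, creates a translation slot (xlate) only when the inside host initiates, and that xlate then lives until `timeout xlate` expires; an outside-initiated connection with no xlate is dropped for lack of a translation even if the outside ACL permits it. A `static (inside,outside) ...` or a `nat (inside) 0 access-list ...` (NAT exemption) whose entry matches both networks permits either direction. The script below is an added example, not code from the post or from Cisco: it parses only the commands that matter for that question (`ip address`, `access-list`, `access-group`, `static`, `nat`) and reports, for the inside network, which kind of translation covers it and whether the outside ACL admits the flow. The embedded sample is constructed from the relevant lines of the posted config; the `HARDENED_CONFIG` variant adds one identity `static` line purely as an illustration of a bidirectional translation, not as the poster's fix.

```python
"""Added example, not from the forum post: audit the PIX 6.x commands that
decide whether an outside host can open a connection to an inside host
before the inside host has sent anything (i.e. with no existing xlate)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the lines from the posted config that matter here.
SAMPLE_CONFIG = """\
access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in permit tcp 192.168.1.0 255.255.255.0 eq ssh any eq ssh
access-list inside_outbound_nat0_acl permit ip any 192.168.2.192 255.255.255.192
ip address outside 192.168.1.254 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
"""
# Same lines plus an identity static for the inside network (illustration only).
HARDENED_CONFIG = SAMPLE_CONFIG + "static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0\n"


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class PixConfig:
    interfaces: dict = field(default_factory=dict)     # if name -> IPv4Network
    acls: dict = field(default_factory=dict)           # acl name -> [Ace]
    access_groups: dict = field(default_factory=dict)  # if name -> inbound acl name
    statics: list = field(default_factory=list)        # (in_if, out_if, local net)
    nat_exempt: dict = field(default_factory=dict)     # if name -> [acl names]
    nat_dynamic: list = field(default_factory=list)    # (if name, local net)


def _net(ip, mask="255.255.255.255"):
    return ipaddress.ip_network((ip, mask), strict=False)


def _addr(t, i):
    """Consume one ACL address spec (any | host X | NET MASK) at t[i]."""
    if t[i] == "any":
        return _net("0.0.0.0", "0.0.0.0"), i + 1
    if t[i] == "host":
        return _net(t[i + 1]), i + 2
    return _net(t[i], t[i + 1]), i + 2


def _skip_port(t, i):
    """Step over an optional port qualifier (eq/gt/lt/neq X, range A B)."""
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        return i + 2
    return i + 3 if i < len(t) and t[i] == "range" else i


def parse_pix(text):
    """Parse just the commands audit_inbound() needs; everything else is ignored."""
    cfg = PixConfig()
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4:
            continue
        if t[0] == "ip" and t[1] == "address":
            cfg.interfaces[t[2]] = _net(t[3], t[4])
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)
            dst, _ = _addr(t, _skip_port(t, i))
            cfg.acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, dst))
        elif t[0] == "access-group" and t[2] == "in":
            cfg.access_groups[t[4]] = t[1]
        elif t[0] == "static" and t[2] not in ("tcp", "udp"):  # skip port statics
            in_if, out_if = t[1].strip("()").split(",")
            mask = t[5] if len(t) > 5 and t[4] == "netmask" else "255.255.255.255"
            cfg.statics.append((in_if, out_if, _net(t[3], mask)))  # t[3] = local addr
        elif t[0] == "nat":
            if_name = t[1].strip("()")
            if t[2] == "0" and t[3] == "access-list":
                cfg.nat_exempt.setdefault(if_name, []).append(t[4])
            else:
                cfg.nat_dynamic.append((if_name, _net(t[3], t[4])))
    return cfg


def audit_inbound(cfg, inside_if="inside", outside_if="outside"):
    """Report how the inside network is translated towards the outside and whether
    an outside host can reach it 'cold', i.e. without a pre-existing xlate."""
    inside_net, outside_net = cfg.interfaces[inside_if], cfg.interfaces[outside_if]
    translation = "none"
    if any(i == inside_if and o == outside_if and inside_net.subnet_of(n)
           for i, o, n in cfg.statics):
        translation = "static"                 # bidirectional
    elif any(a.action == "permit" and inside_net.subnet_of(a.src) and outside_net.subnet_of(a.dst)
             for name in cfg.nat_exempt.get(inside_if, []) for a in cfg.acls.get(name, [])):
        translation = "nat-exemption"          # bidirectional
    elif any(i == inside_if and inside_net.subnet_of(n) for i, n in cfg.nat_dynamic):
        translation = "outbound-only"          # xlate exists only after inside initiates
    acl = cfg.acls.get(cfg.access_groups.get(outside_if, ""), [])
    acl_permits = any(a.action == "permit" and a.proto == "ip"
                      and outside_net.subnet_of(a.src) and inside_net.subnet_of(a.dst) for a in acl)
    return {"inside_net": str(inside_net), "translation": translation,
            "inbound_acl_permits": acl_permits,
            "inbound_reachable_cold": translation in ("static", "nat-exemption") and acl_permits}


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("with identity static", HARDENED_CONFIG)):
        print(label, audit_inbound(parse_pix(text)))
```

Run against the posted lines the report comes back `translation: outbound-only` with `inbound_acl_permits: True`, which is exactly the "works only after an inside host has talked first" pattern; the NAT-exemption ACL in the post does not count because its destination is the VPN pool (192.168.2.192/26), not the 192.168.1.0/24 network the outside hosts sit on. The parser deliberately understands only the address forms that appear in PIX 6.x ACLs (`any`, `host X`, `NET MASK` with an optional port qualifier); object-group based entries would need a further lookup step.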