Security Basics mailing list archives

RE: Some Cisco PIX newbie questions


From: Glenn English <ghe () slsware com>
Date: 23 Jul 2003 09:52:06 -0600

On Tue, 2003-07-22 at 18:48, Bradley S. Jonas wrote:

> You have a static NAT mapping, but do you have the appropriate access list
> specified to allow the traffic in?

I think so. It's very small as yet. I'm trying to allow in all tcp. 

> Can you provide us with some more details
> (i.e. a sanitized config and what you're trying to let in)?

Here's what I think are the relevant lines from the file put to tftp by
'write net' (same order); most of this was generated by the GUI. That
first access-list command looks very suspicious to me. But when I enter
it on the command line with the second "incoming-static" replaced by
"ssl", a connect attempt from 172.16.0.179 to ftp is logged:

Deny tcp src outside:172.16.0.179/57736 dst inside:incoming-static/21 by access-group "outside_access_in"

Connecting to ssh says the same thing, except 21 is now 22.

What I'm trying to do at this point is allow everything through the box.
At first I tried setting the protocol to IP; when that didn't work I
changed to just tcp. That doesn't work either. 


name 192.168.82.42 ssl
name 192.168.82.40 dmz
name 172.16.0.176 lan
name 172.16.0.189 incoming-static
access-list acl_in permit icmp any any

access-list outside_access_in permit tcp host incoming-static host incoming-static

interface ethernet0 10full
interface ethernet1 10full
ip address outside 172.16.0.190 255.255.255.240
ip address inside 192.168.82.41 255.255.255.248
pdm location ssl 255.255.255.255 inside
pdm location incoming-static 255.255.255.255 outside
global (outside) 2 172.16.0.187-172.16.0.188 netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 1 ssl 255.255.255.255 0 0

static (inside,outside) incoming-static ssl netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 172.16.0.177 1

> As far as why it's not blocking returning packets, it's most likely the
> "statefulness". If you've allowed an outbound connection, the PIX maintains
> a state table for each connection, and will allow the appropriate traffic
> related to that connection (the reply) back in. This sometimes needs a
> little help depending on the protocol with a fixup command.

I've tried going in with ping, ftp, ssh, and http.

> With some more details, I could probably be of more help.

The whole 'write net' (less passwords):

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname cisco
domain-name slsware.dmz
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.82.42 ssl
name 192.168.82.40 dmz
name 172.16.0.176 lan
name 172.16.0.189 incoming-static
access-list acl_in permit icmp any any
access-list outside_access_in permit tcp host incoming-static host incoming-static
pager lines 24
logging on
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 172.16.0.190 255.255.255.240
ip address inside 192.168.82.41 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
pdm location ssl 255.255.255.255 inside
pdm location incoming-static 255.255.255.255 outside
pdm logging notifications 200
pdm history enable
arp timeout 14400
global (outside) 2 172.16.0.187-172.16.0.188 netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 1 ssl 255.255.255.255 0 0
static (inside,outside) incoming-static ssl netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.0.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http ssl 255.255.255.255 inside
http dmz 255.255.255.248 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside ssl /usr/local/tftp/fwconfig
floodguard enable
no sysopt route dnat
telnet ssl 255.255.255.255 inside
telnet dmz 255.255.255.248 inside
telnet timeout 25
ssh ssl 255.255.255.255 inside
ssh timeout 5
terminal width 80

-- 
Glenn English
ghe () slsware com
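The following is an added example and not part of this thread or of Cisco's tooling: a small Python checker that reads the `name`, `access-list` and `access-group` lines from the posted config, replays the quoted deny message against the ACL that the log names, and reports which field of each permit entry failed to match. It assumes PIX ACL semantics of first match wins with an implicit deny at the end, and that the outside ACL is matched against the global (static) address that appears in the log. The `lint_self_referencing_aces` check is a heuristic of mine: a permit whose source and destination are the same single host can only ever match traffic a host sends to its own address, which is worth flagging when an ACL is meant to admit outside clients.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the PIX 6.1 config quoted in the post above, with the
# wrapped access-list line rejoined; not the whole 'write net' output.
PIX_CONFIG = """\
name 192.168.82.42 ssl
name 172.16.0.189 incoming-static
access-list acl_in permit icmp any any
access-list outside_access_in permit tcp host incoming-static host incoming-static
static (inside,outside) incoming-static ssl netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# Constructed copy of the deny message quoted in the post.
SAMPLE_LOG = ('Deny tcp src outside:172.16.0.179/57736 dst inside:incoming-static/21 '
              'by access-group "outside_access_in"')

LOG_RE = re.compile(r'Deny (\w+) src \w+:(\S+)/(\d+) dst \w+:(\S+)/(\d+) '
                    r'by access-group "(\S+)"')


def parse_addr(tokens, names):
    """Consume one PIX address spec (any | host X | X MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    addr = names.get(tokens[0], tokens[0])
    return ip_network(f"{addr}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(tokens, names):
    """'permit tcp host A host B [eq PORT]' -> dict with aliases resolved to networks."""
    action, proto = tokens[0], tokens[1]
    src, rest = parse_addr(tokens[2:], names)
    dst, rest = parse_addr(rest, names)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None  # None means any port
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def parse_config(text):
    """Return (names, acls, access_groups) from name/access-list/access-group lines."""
    names, acls, groups = {}, {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "name":                  # name <ip> <alias>
            names[parts[2]] = parts[1]
        elif parts[0] == "access-list":         # access-list <acl> <ace ...>
            acls.setdefault(parts[1], []).append(parse_ace(parts[2:], names))
        elif parts[0] == "access-group":        # access-group <acl> in interface <if>
            groups[parts[4]] = parts[1]
    return names, acls, groups


def evaluate(aces, proto, src, dst, dport):
    """First matching entry wins; every PIX ACL ends in an implicit deny."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if src_ip not in ace["src"] or dst_ip not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


def explain_deny(config_text, log_line):
    """Replay a logged deny against the named ACL and report why each permit missed."""
    names, acls, _ = parse_config(config_text)
    proto, src, _sport, dst, dport, acl = LOG_RE.match(log_line).groups()
    dst = names.get(dst, dst)       # the log prints the alias; resolve it like the ACL
    aces = acls[acl]
    verdict = evaluate(aces, proto, src, dst, int(dport))
    reasons = []
    for i, ace in enumerate(aces):
        if ace["action"] == "permit" and ip_address(src) not in ace["src"]:
            reasons.append(f"entry {i}: source {src} not in {ace['src']}")
    return {"verdict": verdict, "reasons": reasons}


def lint_self_referencing_aces(config_text):
    """Flag permits whose source and destination are the same single host (heuristic)."""
    _, acls, _ = parse_config(config_text)
    findings = []
    for acl, aces in acls.items():
        for i, ace in enumerate(aces):
            if (ace["action"] == "permit" and ace["src"].prefixlen == 32
                    and ace["src"] == ace["dst"]):
                findings.append((acl, i, str(ace["src"].network_address)))
    return findings


if __name__ == "__main__":
    print(explain_deny(PIX_CONFIG, SAMPLE_LOG))
    print(lint_self_referencing_aces(PIX_CONFIG))
```

Run as-is it replays the quoted deny and reports that the single permit in `outside_access_in` does not cover the logged source address, then flags that entry as self-referencing. Feeding it a config where the source is `any` and the destination is the static's global address with an `eq` port shows the same client being permitted on that port only, which is the narrowest rule that would let an outside client reach the static.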

