Security Basics mailing list archives
RE: Some Cisco PIX newbie questions
From: Glenn English <ghe () slsware com>
Date: 23 Jul 2003 09:52:06 -0600
On Tue, 2003-07-22 at 18:48, Bradley S. Jonas wrote:
> You have a static NAT mapping, but do you have the appropriate access list specified to allow the traffic in?
I think so. It's very small as yet. I'm trying to allow in all tcp.
> Can you provide us with some more details (i.e. a sanitized config and what you're trying to let in)?
Here's what I think are the relevant lines from the file put to tftp by 'write net' (same order); most of this was generated by the GUI. That first access-list command looks very suspicious to me. But when I enter it on the command line with the second "incoming-static" replaced by "ssl", a connect attempt from 172.16.0.179 to ftp is logged:

    Deny tcp src outside:172.16.0.179/57736 dst inside:incoming-static/21 by access-group "outside_access_in"

Connecting to ssh says the same thing, except 21 is now 22. What I'm trying to do at this point is allow everything through the box. At first I tried setting the protocol to IP; when that didn't work I changed to just tcp. That doesn't work either.

    name 192.168.82.42 ssl
    name 192.168.82.40 dmz
    name 172.16.0.176 lan
    name 172.16.0.189 incoming-static
    access-list acl_in permit icmp any any
    access-list outside_access_in permit tcp host incoming-static host incoming-static
    interface ethernet0 10full
    interface ethernet1 10full
    ip address outside 172.16.0.190 255.255.255.240
    ip address inside 192.168.82.41 255.255.255.248
    pdm location ssl 255.255.255.255 inside
    pdm location incoming-static 255.255.255.255 outside
    global (outside) 2 172.16.0.187-172.16.0.188 netmask 255.255.255.240
    global (outside) 1 interface
    nat (inside) 1 ssl 255.255.255.255 0 0
    static (inside,outside) incoming-static ssl netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 172.16.0.177 1
> As far as why it's not blocking returning packets, it's most likely the "statefulness". If you've allowed an outbound connection, the PIX maintains a state table for each connection, and will allow the appropriate traffic related to that connection (the reply) back in. This sometimes needs a little help depending on the protocol with a fixup command.
I've tried going in with ping, ftp, ssh, and http.
> With some more details, I could probably be of more help.
The whole 'write net' (less passwords):

    PIX Version 6.1(4)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname cisco
    domain-name slsware.dmz
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    name 192.168.82.42 ssl
    name 192.168.82.40 dmz
    name 172.16.0.176 lan
    name 172.16.0.189 incoming-static
    access-list acl_in permit icmp any any
    access-list outside_access_in permit tcp host incoming-static host incoming-static
    pager lines 24
    logging on
    interface ethernet0 10full
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside 172.16.0.190 255.255.255.240
    ip address inside 192.168.82.41 255.255.255.248
    ip audit info action alarm
    ip audit attack action alarm
    pdm location ssl 255.255.255.255 inside
    pdm location incoming-static 255.255.255.255 outside
    pdm logging notifications 200
    pdm history enable
    arp timeout 14400
    global (outside) 2 172.16.0.187-172.16.0.188 netmask 255.255.255.240
    global (outside) 1 interface
    nat (inside) 1 ssl 255.255.255.255 0 0
    static (inside,outside) incoming-static ssl netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 172.16.0.177 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http ssl 255.255.255.255 inside
    http dmz 255.255.255.248 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside ssl /usr/local/tftp/fwconfig
    floodguard enable
    no sysopt route dnat
    telnet ssl 255.255.255.255 inside
    telnet dmz 255.255.255.248 inside
    telnet timeout 25
    ssh ssl 255.255.255.255 inside
    ssh timeout 5
    terminal width 80

-- 
Glenn English
ghe () slsware com
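To see why the quoted deny message is the ACL's implicit deny, here is an added offline check (not code from the post or the list) that replays the posted access-list against the flow in the log. It assumes a simplified first-match PIX ACL model (name aliases, `any`, `host X`, `X mask`, optional `eq port`) and uses a constructed excerpt of the config above.

```python
import ipaddress

# Constructed excerpt of the PIX 6.1(4) 'write net' output quoted in the post above.
CONFIG = """
name 192.168.82.42 ssl
name 172.16.0.189 incoming-static
access-list acl_in permit icmp any any
access-list outside_access_in permit tcp host incoming-static host incoming-static
access-group outside_access_in in interface outside
"""

def parse(config):
    """Collect name aliases, ACL entries and interface-to-ACL bindings."""
    names, acls, groups = {}, {}, {}
    for line in config.strip().splitlines():
        w = line.split()
        if w[0] == "name":            # name <address> <alias>
            names[w[2]] = w[1]
        elif w[0] == "access-list":   # access-list <acl> <action> <proto> <src> <dst> [eq <port>]
            acls.setdefault(w[1], []).append(w[2:])
        elif w[0] == "access-group":  # access-group <acl> in interface <iface>
            groups[w[-1]] = w[1]
    return names, acls, groups

def take_addr(tokens, names):
    """Consume one address spec (any | host X | X mask); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    addr = names.get(tokens[0], tokens[0])
    return ipaddress.ip_network(addr + "/" + tokens[1], strict=False), tokens[2:]

def permitted(config, iface, proto, src, dst, dport):
    """First-match walk of the ACL bound to iface; no match means the implicit deny."""
    names, acls, groups = parse(config)
    for ace in acls.get(groups.get(iface), []):
        action, ace_proto, rest = ace[0], ace[1], ace[2:]
        s_net, rest = take_addr(rest, names)
        d_net, rest = take_addr(rest, names)
        port_ok = not rest or (rest[0] == "eq" and rest[1] == str(dport))
        if (ace_proto in (proto, "ip") and ipaddress.ip_address(src) in s_net
                and ipaddress.ip_address(dst) in d_net and port_ok):
            return action == "permit"
    return False

def unbound_acls(config):
    """ACLs that are defined but not applied to any interface with access-group."""
    _, acls, groups = parse(config)
    return [name for name in acls if name not in groups.values()]
```

The only permit entry matches a source of 172.16.0.189 itself, so the logged connection from 172.16.0.179 to port 21 falls through to the implicit deny, and the check also reports acl_in as defined but never bound.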