RE: PIX Config Problem

["Noonan, Wesley" <Wesley_Noonan () bmc com>]

Couple of things.

1) You ACLs need to point to legit addresses, not your internal addresses.
i.e. access-list 100 permit tcp host <real source ip> host <real external
destination IP> eq 3389
2) I have never used the static command with the "interface" variable. I
always map the real external IP from the ACL to the internal IP address of
the server. i.e. static (inside,outside) tcp <real external IP> ftp
10.1.1.200 ftp netmask 255.255.255.255 0 0

HTH

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan () bmc com
http://www.bmc.com


> -----Original Message-----
> From: Paul Stewart [mailto:pauls () nexicom net]
> Sent: Tuesday, April 22, 2003 12:31
> To: firewall-wizards () honor icsalabs com
> Subject: [fw-wiz] PIX Config Problem
>
> Hi there...
>
> I'm trying to get a PIX 501 to allow two inbound connections to an inside
> server... Terminal services and ftp to a Windows 2000 box.  I want an
> access
> list that only allows certain IP's through as well.  The PIX works great
> currently but now a consultant needs access remotely to a Win2k machine
> inside the network.
>
> Here's my config... I can't figure out what's wrong...
>
> Thanks in advance for any help.
>
> Paul
>
>
> PIX Version 6.2(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password XXXXXXXXXX encrypted
> passwd XXXXXXXXXXXXXXXXX encrypted
> hostname fw
> domain-name XXXXXX.net
> clock timezone EST -5
> clock summer-time EDT recurring
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list 100 permit icmp any any echo-reply
> access-list 100 permit icmp any any time-exceeded
> access-list 100 permit icmp any any unreachable
> access-list 100 permit tcp host 123.123.123.123 host 10.1.1.200 eq 3389
> access-list 100 permit tcp host 123.123.123.123 host 10.1.1.200 eq ftp
> pager lines 24
> logging on
> logging trap warnings
> logging facility 23
> logging queue 0
> logging host outside 123.123.123.123
> interface ethernet0 10baset
> interface ethernet1 10full
> mtu outside 1492
> mtu inside 1500
> ip address outside 123.123.123.123 255.255.255.0
> ip address inside 10.1.1.1 255.255.255.0
> ip verify reverse-path interface outside
> ip verify reverse-path interface inside
> ip audit info action alarm
> ip audit attack action alarm
> pdm location 123.123.123.123 255.255.255.255 outside
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 10.1.1.0 255.255.255.0 dns 0 0
> static (inside,outside) tcp interface 3389 10.1.1.200 3389 netmask
> 255.255.255.255 0 0
> static (inside,outside) tcp interface ftp 10.1.1.200 ftp netmask
> 255.255.255.255 0 0
> access-group 100 in interface outside
> route outside 0.0.0.0 0.0.0.0 123.123.123.123 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
> 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> aaa authentication telnet console LOCAL
> aaa authentication ssh console LOCAL
> ntp server 130.126.24.44 source outside
> http server enable
> http 123.123.123.123 255.255.255.255 outside
> http 10.1.1.0 255.255.255.0 inside
> snmp-server host outside 123.123.123.123
> snmp-server location blahblahblah
> snmp-server contact Paul Stewart
> snmp-server community blahblahblah
> no snmp-server enable traps
> floodguard enable
> sysopt noproxyarp outside
> sysopt noproxyarp inside
> no sysopt route dnat
> telnet timeout 5
> ssh 123.123.123.123 255.255.255.255 outside
> ssh timeout 10
> dhcpd address 10.1.1.100-10.1.1.120 inside
> dhcpd dns 216.168.96.10 216.168.96.13
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd auto_config outside
> dhcpd enable inside
> username admin password XXXXXXXXXXXXXXXX encrypted privilege 15
> username nrtco password XXXXXXXXXXXXXXXX encrypted privilege 5
> terminal width 80
> Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards