  • PIX506e :

    (Edit) Sorry about the title I was going back to it and hit post in error.

    Hi All

    This is my first venture into Cisco and I apologise in advance as I'm an utter Noob


    We have a Cisco PIX 506E: 1x Ethernet in, 1x Ethernet out, 1 USB and 1 Console.
    The only port not in use is the USB.

    OK, what I'm trying to achieve is for a single PC to have unrestricted access to the internet, i.e. no ports blocked etc. Is there a way to maintain the current level of security on my network but allow just this one PC unrestricted traffic to and from its IP?

    Thanks in advance
    Last edited by AndyUK; 29th November 2006, 17:38. Reason: I did not complete the title correctly
    The Univurse is still winning!

    W2K AD, WSUS, RIS 2003. ISA also AVG Server
    ** If contributors help you, recognise them and give reputation points where appropriate **

  • #2
    Re: PIX506e :

    Hi Andy

    Thanks for your post. I am sure we can help out.

    Let me start just by saying that on a PIX you need a NAT and an ACL for access.

    These look something like this-

    PIX(config)# nat (inside) 1 192.0.0.0 255.0.0.0
    PIX(config)# global (outside) 1 12.12.12.12
    PIX(config)# access-list outbound permit tcp 192.0.0.0 255.0.0.0 any
    PIX(config)# access-group outbound in interface inside

    Do you have any entries like this now? Perhaps you could post what you have without any passwords.

    Thanks,
    David
    David Davis - Petri Forums Moderator & Video Training Author
    Train Signal - The Global Leader in IT Video Training
    TrainSignalTraining.com - Free IT Training Products
    Personal Websites: HappyRouter.com & VMwareVideos.com



    • #3
      Re: PIX506e :

      OK David, I've had a look at the current config. We only have access through a telnet session; the PIX was set up by an outsourcing company so I can't get details as they have gone out of business.

      As I said, I'm a noob with routers and I'm picking this up as I go along. Here's the main bit from sh config.
      We do allow VPN inbound.

      nnn = part of our external IP


      mtu inside 1500
      ip address outside 217.46.nnn.nnn 255.255.255.248
      ip address inside 192.168.71.226 255.255.255.0
      ip audit info action alarm
      ip audit attack action alarm
      pdm logging informational 100
      pdm history enable
      arp timeout 14400
      global (outside) 1 interface
      nat (inside) 1 0.0.0.0 0.0.0.0 0 0
      static (inside,outside) 217.46.nnn.nnn 192.168.71.221 netmask 255.255.255.255 0 0
      conduit permit icmp any any
      conduit permit tcp host 217.46.nnn.nnn eq pptp any
      conduit permit gre host 217.46.nnn.nnn any
      route outside 0.0.0.0 0.0.0.0 217.46.nnn.nnn 1

      Hope this is what you wanted or did you want the lot?
      Last edited by AndyUK; 19th December 2006, 09:14. Reason: edit external IPs
      The Univurse is still winning!

      W2K AD, WSUS, RIS 2003. ISA also AVG Server
      ** If contributors help you, recognise them and give reputation points where appropriate **



      • #4
        Re: PIX506e :

        Hello Andy,

        David's already helping you on this one, but if no-one minds I'll butt in.

        (BTW- here's a link to a post I made recently that may clarify the PIX and how it thinks of the world- http://forums.petri.com/showthread.php?t=11619

        So: here's your config. I've deleted the 'unnecessary' parts from this.

        ----------------------------------------------------------------------------------------------


        ip address outside 217.46.nnn.nnn 255.255.255.248
        ip address inside 192.168.71.226 255.255.255.0

        global (outside) 1 interface
        nat (inside) 1 0.0.0.0 0.0.0.0 0 0
        static (inside,outside) 217.46.nnn.nnn 192.168.71.221 netmask 255.255.255.255 0 0

        route outside 0.0.0.0 0.0.0.0 217.46.nnn.nnn 1

        ----------------------------------------------------------------------------------------------

        As said (by David also!) the PIX by default wants to allow all traffic from its 'more trusted' interfaces to its 'less trusted' interfaces. A simple example of this is your 'inside' network, your local LAN, and the 'outside' network, the internet. By default, if the right initial rules are in place, the PIX will allow every host hanging off your LAN unrestricted internet access, because (as said) this meets the criteria of traffic flowing from 'more trusted' to 'less trusted'. Cleverly, to prevent unwanted traffic coming in, it tracks what went out, makes an entry in a table, and, when the traffic returns, allows it back in.

        In your current config, all devices on your LAN are allowed out. To tie this up, you can do the following (btw, there's more than one way to do this; I'm showing you a very basic way). I've changed the line which needs amending into bold, and I've assumed that the PC you want to have unrestricted access has IP address 192.168.71.10.

        ----------------------------------------------------------------------------------------------
        ip address outside 217.46.nnn.nnn 255.255.255.248
        ip address inside 192.168.71.226 255.255.255.0

        global (outside) 1 interface
        nat (inside) 1 192.168.71.10 255.255.255.255 0 0
        static (inside,outside) 217.46.nnn.nnn 192.168.71.221 netmask 255.255.255.255 0 0

        route outside 0.0.0.0 0.0.0.0 217.46.nnn.nnn 1
        ----------------------------------------------------------------------------------------------

        See what we did there? The original line read:
        nat (inside) 1 0.0.0.0 0.0.0.0 0 0

        Which means:

        'nat traffic originating on the inside, using pool 1 (your global statement) according to traffic which can be described as 0.0.0.0 0.0.0.0'

        This particular 0.0.0.0 0.0.0.0 is shorthand for EVERYTHING, which is why all your inside hosts can currently get internet access.

        The changed line reads:
        nat (inside) 1 192.168.71.10 255.255.255.255 0 0

        'nat traffic originating on the inside, using pool 1 (your global statement) according to traffic which corresponds to 192.168.71.10 255.255.255.255 '

        Try this and see how you get on.

        regards

        theterranaut



        • #5
          Re: PIX506e :

          Thanks very much, I appreciate the plain English.
          I'll try this after Christmas as we're off for a week from tomorrow.

          I'll post back either way

          Thanks again
          The Univurse is still winning!

          W2K AD, WSUS, RIS 2003. ISA also AVG Server
          ** If contributors help you, recognise them and give reputation points where appropriate **



          • #6
            Re: PIX506e :

            Hi Terranaut,
            Thanks for your excellent post! You explained it very well! I am going to just throw in my two cents as well.
            -David

            Hi Andy,

            Yes, this is very helpful.

            So, currently, you are using PIX "conduits". This is the old way of doing access-lists. Don't worry about that, both work fine. Now, Cisco just recommends using ACLs instead of conduits. However, you don't want to mix them.

            To allow all inbound access to a particular server, you need 2 things:
            1. A NAT
            2. conduit (or ACL)

            You have a static NAT already here:

            Originally posted by AndyUK:
            static (inside,outside) 217.46.nnn.nnn 192.168.71.221 netmask 255.255.255.255 0 0
            And you have some conduits, here:
            Originally posted by AndyUK:
            conduit permit icmp any any
            conduit permit tcp host 217.46.nnn.nnn eq pptp any
            conduit permit gre host 217.46.nnn.nnn any
            What is the IP address of the INTERNAL host that you want to allow access to? Is it this host that already has a NAT, the 192.168.71.221? If so, then you have #1 covered.

            Then you need a conduit. Currently, your conduits allow ping, PPTP, and GRE. To open it up completely, it would be:
            conduit permit ip host 217.46.nnn.nnn any

            Here is the command reference for the PIX conduit command:
            http://www.cisco.com/en/US/products/...31.html#wp4961

            Let us know how it goes,
            David
            Last edited by daviddavis; 20th December 2006, 12:24.
            David Davis - Petri Forums Moderator & Video Training Author
            Train Signal - The Global Leader in IT Video Training
            TrainSignalTraining.com - Free IT Training Products
            Personal Websites: HappyRouter.com & VMwareVideos.com
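            The two config changes discussed in this thread, post #4's narrowed nat statement and post #6's "open it up completely" conduit, can be checked mechanically before they are applied. The following Python script is an added example, not code from any poster or from Cisco: it parses only the nat, static and conduit command forms that appear in the posts above (other lines, and forms such as nat 0 with an access-list, are ignored), and reports which inside networks are translated outbound and what each statically mapped inside host is exposed to inbound. The sample configs are constructed; 217.46.1.x addresses stand in for the masked 217.46.nnn.nnn values, and 192.168.71.10 is the hypothetical unrestricted PC from post #4.

```python
"""Audit a PIX 6.x-style config: outbound NAT scope and inbound exposure.

Added example, not code from this thread. Understands only the nat, static
and conduit forms used in the posts above; everything else is ignored.
Sample configs are constructed (217.46.1.x = placeholder public IPs).
"""
import ipaddress

# Port operators a conduit may carry, with how many port tokens each takes.
_PORT_OPS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}


def _addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any' | 'host A' | 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _ports(tokens, i):
    """Consume an optional port operator at tokens[i]; 'any' when absent."""
    if i < len(tokens) and tokens[i] in _PORT_OPS:
        n = 1 + _PORT_OPS[tokens[i]]
        return " ".join(tokens[i:i + n]), i + n
    return "any", i


def parse_conduit(tokens):
    """tokens follow 'conduit permit': PROTO GLOBAL [ports] FOREIGN [ports]."""
    proto = tokens[0]
    gaddr, i = _addr(tokens, 1)
    gport, i = _ports(tokens, i)
    faddr, i = _addr(tokens, i)
    fport, _ = _ports(tokens, i)
    return {"proto": proto, "global": gaddr, "gport": gport,
            "foreign": faddr, "fport": fport}


def parse_pix(config):
    """Collect nat networks, static (global, local) pairs and permit conduits."""
    rules = {"nat": [], "static": [], "conduit": []}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        try:
            if t[0] == "nat" and len(t) >= 5:
                # nat (inside) <id> <local_ip> <mask> ... : who is translated out
                rules["nat"].append(ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False))
            elif t[0] == "static" and len(t) >= 4:
                # static (inside,outside) <global_ip> <local_ip> netmask ...
                rules["static"].append((t[2], t[3]))
            elif t[0] == "conduit" and len(t) >= 4 and t[1] == "permit":
                rules["conduit"].append(parse_conduit(t[2:]))
        except ValueError:
            continue  # e.g. 'nat (inside) 0 access-list ...': not modelled here
    return rules


def outbound_scope(rules):
    """Inside networks the nat statements translate, i.e. who can get out."""
    return [str(n) for n in rules["nat"]]


def translated_out(rules, host):
    """True if HOST falls inside some nat statement's network."""
    h = ipaddress.ip_address(host)
    return any(h in n for n in rules["nat"])


def inbound_exposure(rules):
    """Per statically mapped inside host: proto/port conduits reaching its public IP."""
    exposure = {}
    for gip, lip in rules["static"]:
        g = ipaddress.ip_address(gip)
        exposure[lip] = sorted(f"{c['proto']}/{c['gport']}"
                               for c in rules["conduit"] if g in c["global"])
    return exposure


def wide_open(rules):
    """Inside hosts reachable on every protocol and port from any foreign address."""
    hosts = []
    for gip, lip in rules["static"]:
        g = ipaddress.ip_address(gip)
        if any(c["proto"] == "ip" and g in c["global"] and c["gport"] == "any"
               and c["foreign"].prefixlen == 0 and c["fport"] == "any"
               for c in rules["conduit"]):
            hosts.append(lip)
    return hosts


# Constructed sample: the thread's starting config with placeholder public IPs.
BEFORE = """\
ip address outside 217.46.1.2 255.255.255.248
ip address inside 192.168.71.226 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 217.46.1.3 192.168.71.221 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 217.46.1.3 eq pptp any
conduit permit gre host 217.46.1.3 any
route outside 0.0.0.0 0.0.0.0 217.46.1.1 1
"""

# Constructed sample: post #4's narrowed nat plus post #6's all-protocol conduit.
AFTER = BEFORE.replace(
    "nat (inside) 1 0.0.0.0 0.0.0.0 0 0",
    "nat (inside) 1 192.168.71.10 255.255.255.255 0 0",
) + "conduit permit ip host 217.46.1.3 any\n"

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        r = parse_pix(cfg)
        print(name, "outbound:", outbound_scope(r), "inbound:", inbound_exposure(r),
              "wide open:", wide_open(r))
```

            Running it on the two constructed configs shows the effect of each change in one place: the original nat line translates 0.0.0.0/0, so any inside host (192.168.71.50, say) gets out, while the narrowed line translates only 192.168.71.10/32, so every other inside host stops matching a nat statement. On the inbound side, 192.168.71.221 goes from being reachable on icmp, gre and tcp/pptp to being listed by wide_open once the `conduit permit ip host ... any` line is present, which is the state to confirm you actually want before committing it.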



            • #7
              Re: PIX506e :

              A big Thank You to you both for the replies.
              That solved my quandary and I'm cracking on with the project now.. Just a pity I had to return to work this Wednesday and not next


              Thanks Again
              Andy
              The Univurse is still winning!

              W2K AD, WSUS, RIS 2003. ISA also AVG Server
              ** If contributors help you, recognise them and give reputation points where appropriate **



              • #8
                Re: PIX506e :

                You and me both, Andy, you and me both...

                theterranaut
