PIX 515E initial config problems
  • PIX 515E initial config problems

    Hi all,
    I am trying for the first time to configure a Cisco PIX 515E, and somehow I've got stuck.
    I have "inside" on 192.168.1.0 and "outside" on 192.168.0.0; configured DNS; have a route to my Internet router (192.168.0.1); in the console I have ping to yahoo.com, for example. But from inside I don't have Internet.
    The whole config is:
    ip address inside 192.168.1.200 255.255.255.0
    ip address outside 192.168.0.200 255.255.255.0

    route outside 0 0 192.168.0.1
    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 192.168.0.0

    access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq 80
    access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq 53
    access-group outbound in interface inside

    When I trace a packet with the Packet Tracer, I get stuck on the implicit rule "any-to-any deny". I can't remove the rule; I added additional rules "TCP any-to-any", but nothing...

  • #2
    Re: PIX 515E initial config problems

    I would put the ACL on the outside interface and reverse the ACL source & destination (remove it from the inside interface).
    You need an ACL to allow communication between the outside and the inside.
    Unlike a router, the PIX has security levels for these interfaces (called the ASA).
    Let us know how it goes.
    David Davis - Petri Forums Moderator & Video Training Author
    Train Signal - The Global Leader in IT Video Training
    TrainSignalTraining.com - Free IT Training Products
    Personal Websites: HappyRouter.com & VMwareVideos.com



    • #3
      Re: PIX 515E initial config problems

      Since I am a newbie to this I don't know if I got you right... I added the following commands:

      access-list inbound permit tcp 192.168.1.0 255.255.255.0 any eq www
      access-list inbound permit tcp 192.168.1.0 255.255.255.0 any eq domain

      access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
      access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq domain


      access-list inbound permit tcp 192.168.0.0 255.255.255.0 any eq www
      access-list inbound permit tcp 192.168.0.0 255.255.255.0 any eq domain

      access-list outbound permit tcp 192.168.0.0 255.255.255.0 any eq www
      access-list outbound permit tcp 192.168.0.0 255.255.255.0 any eq domain

      access-group outbound in interface outside
      access-group inbound in interface outside

      But still no luck...



      • #4
        Re: PIX 515E initial config problems

        I attached a screenshot of how my ACLs look and exactly where I got stuck.



        • #5
          Re: PIX 515E initial config problems

          Hi again, since my config is confusing I decided to flush the PIX to the following basic config. So what should I do now to have unrestricted Internet traffic?

          ===================================
          interface Ethernet0
           nameif outside
           security-level 100
           ip address 192.168.0.200 255.255.255.0
          interface Ethernet1
           nameif inside
           security-level 0
           ip address 192.168.1.200 255.255.255.0

          dns domain-lookup outside
          dns server-group DefaultDNS
          name-server 192.168.0.1
          nat (inside) 1 192.168.1.0 255.255.255.0
          global (outside) 1 192.168.0.1
          route outside 0.0.0.0 0.0.0.0 192.168.0.1 1


          Regards, venio



          • #6
            Re: PIX 515E initial config problems

            Hi Venio,
            Here is a sample basic config for a PIX:

            ! add IP addresses
            PIX1(config)# ip address inside 10.1.1.1 255.0.0.0
            PIX1(config)# ip address outside 1.1.1.1 255.255.255.0
            ! enable interfaces
            PIX1(config)# interface ethernet0 10baset
            PIX1(config)# interface ethernet1 100full
            ! create the default route
            PIX1(config)# route outside 0 0 1.1.1.254
            ! configure PAT (NAT) for all inside IP addresses to get outside
            PIX1(config)# nat (inside) 1 10.0.0.0 255.0.0.0
            PIX1(config)# global (outside) 1 1.1.1.2
            Global 1.1.1.2 will be Port Address Translated
            PIX1(config)#
            ! add ACL
            ! To make a rule to allow these clients port 80 (Web browsing), you would type this:
            PIX1(config)# access-list outbound permit tcp 10.0.0.0 255.0.0.0 any eq 80
            PIX1(config)# access-group outbound in interface inside

            Then, you still need DNS! Or you could just open it all up like this:

            PIX1(config)# access-list outbound permit tcp 10.0.0.0 255.0.0.0 any

            I believe that the DNS configs you are putting on the PIX are just for the PIX, they don't help the clients on the inside LAN.
            David Davis - Petri Forums Moderator & Video Training Author



            • #7
              Re: PIX 515E initial config problems

              Venio,
              I would double check the last ACLs you posted.
              Remember, on an ACL it goes
              SOURCE -- DESTINATION

              Then when you apply it, the direction AND the interface are also crucial.
              Say that I applied
              SOURCE ANY -- DESTINATION 192.168.1.0
              APPLIED INBOUND on the OUTSIDE interface

              That means that traffic coming from ANYWHERE on the Internet can come INBOUND to your firewall and go to the 192.168.1.0 network.

              That sounds like what you want but then you want to add some port restrictions.

              So it would be
              SOURCE ANY -- DESTINATION 192.168.1.0 PORT NUMBER WWW/80

              And remember that DNS can be UDP or TCP (usually UDP) and comes FROM SOURCE (IP of name server) gt 1023 going to 53
              (because you are applying your access list inbound, you want to filter the RESPONSE/REPLY, not the request going outbound)

              Also, start with only ONE ACL, inbound, and get things working. That inbound ACL will provide some protection from the Internet and also serve as a restriction on internal hosts, because they can request all they want but won't get the replies back. Later, you can add more ACLs, but one ACL is enough to worry about troubleshooting at a time.
              David Davis - Petri Forums Moderator & Video Training Author



              • #8
                Re: PIX 515E initial config problems

                Everything with the PIX is OK; the problem was that, as I don't know exactly how this box works, I was thinking of it as a router, but it is NOT A ROUTER :)) When on the PC that is inside I set my DNS not to the PIX LAN address but to the router 192.168.0.1 on the PIX WAN, everything started. However, I had to add the access-list rules for TCP and UDP. Thanks a lot!

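An added example, not from the thread: a small Python model of how a PIX evaluates an access-list applied "in" on the inside interface (first matching entry wins, anything unmatched falls into the implicit deny at the end), run over the original poster's outbound ACL. It shows why the web request passes while the client's UDP DNS query hits the "any-to-any deny", which is the TCP-and-UDP fix the last post mentions; the client and destination addresses are constructed.

```python
# Added model of PIX first-match ACL evaluation; the client and destination
# addresses below are constructed, not taken from the thread.
import ipaddress

PORT_NAMES = {"www": 80, "domain": 53}  # port keywords used in the thread

def _take_addr(tok):
    """Consume 'any' or 'NET MASK' (PIX dotted-mask syntax) from a token list."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    net = ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False)
    return net, tok[2:]

def parse_acl(lines):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    entries = []
    for line in lines:
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        port = None
        if rest and rest[0] == "eq":
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, dst_port):
    """Verdict for one packet: first match wins, else the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in entries:
        if p not in ("ip", proto):
            continue
        if s in src and d in dst and (port is None or port == dst_port):
            return action
    return "deny"  # implicit deny-all at the end of every PIX ACL

# The original poster's ACL, applied "in" on the inside interface.
OUTBOUND = parse_acl([
    "access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq 80",
    "access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq 53",
])

def check_client_traffic(entries):
    """Verdicts for an inside client browsing and resolving via the router."""
    return {
        "http":    evaluate(entries, "tcp", "192.168.1.10", "203.0.113.5", 80),
        "dns_tcp": evaluate(entries, "tcp", "192.168.1.10", "192.168.0.1", 53),
        "dns_udp": evaluate(entries, "udp", "192.168.1.10", "192.168.0.1", 53),
    }
```

Adding a `permit udp 192.168.1.0 255.255.255.0 any eq domain` entry is what turns the `dns_udp` verdict into a permit; a stateful PIX then lets the reply back in on its own.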
