  • desperate help needed

    Folks,

    I have been struggling with a PIX 506E for days now. I just can't seem to get it to connect to the internet. Yet I am able to ping yahoo's website, so I know the router is passing. I have attached my config. Please, please can someone review it and see what I have done wrong and/or not added to my config.

    Thank you in advance.

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd ta.qizy4R//ChqQH encrypted
    hostname TR
    domain-name domain.COM
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list acl_in permit tcp host 192.168.10.103 any eq www
    access-list acl_in permit tcp host 192.168.10.103 any eq smtp
    access-list acl_in permit tcp host 192.168.10.103 any eq pop3
    access-list acl_in permit tcp host 192.168.10.103 any eq telnet
    access-list acl_in permit tcp host 192.168.10.103 any eq 135
    access-list acl_in permit tcp host 192.168.10.103 any eq domain
    access-list acl_in permit tcp host 192.168.10.103 any eq https
    access-list acl_in permit tcp host 192.168.10.103 any eq 3389
    access-list acl_in permit tcp host 192.168.10.104 any eq www
    access-list acl_in permit tcp host 192.168.10.104 any eq 135
    access-list acl_in permit tcp host 192.168.10.104 any eq domain
    access-list acl_in permit tcp host 192.168.10.104 any eq 3389
    access-list acl_in permit tcp host 192.168.10.109 any eq www
    access-list acl_in permit tcp host 192.168.10.109 any eq smtp
    access-list acl_in permit tcp host 192.168.10.109 any eq pop3
    access-list acl_in permit tcp host 192.168.10.109 any eq domain
    access-list acl_in permit tcp host 192.168.10.109 any eq 135
    access-list acl_in permit tcp host 192.168.10.109 any eq 3389
    access-list acl_in permit tcp host 192.168.10.109 any eq telnet
    access-list acl_in permit tcp host 192.168.10.109 any eq https
    access-list acl_out permit tcp any any eq 3389
    access-list acl_out permit tcp any any eq smtp
    access-list acl_out permit tcp any any eq telnet
    access-list acl_out permit tcp any any eq https
    access-list acl_out permit tcp any any eq domain
    access-list acl_out permit tcp any any eq pop3
    access-list acl_out permit tcp any any eq ldap
    access-list acl_out permit tcp any any eq 993
    access-list acl_out permit tcp any any eq 1433
    access-list acl_out permit tcp any any eq 135
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.x.225 255.255.255.240
    ip address inside 192.168.10.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.10.0 255.255.255.0 0 0
    static (inside,outside) 192.168.10.104 192.168.10.104 netmask 255.255.255.255 0 0
    static (inside,outside) 192.168.10.103 192.168.10.103 netmask 255.255.255.255 0 0
    access-group acl_out in interface outside
    access-group acl_in in interface inside
    route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.10.109 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:066abcf5b6ba20aaf01209a4eb1be879
    : end

  • #2
    Re: desperate help needed

    see the ACL:
    I just miss www

    You should add:

    Code:
    access-list acl_out permit tcp any any eq 3389
    access-list acl_out permit tcp any any eq smtp
    access-list acl_out permit tcp any any eq telnet
    access-list acl_out permit tcp any any eq https
    access-list acl_out permit tcp any any eq domain
    access-list acl_out permit tcp any any eq pop3
    access-list acl_out permit tcp any any eq ldap
    access-list acl_out permit tcp any any eq 993
    access-list acl_out permit tcp any any eq 1433
    access-list acl_out permit tcp any any eq 135
    Code:
    access-list acl_out permit tcp any any eq www
    Also I should harden it up so that only internal may go to any, and not any any.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: desperate help needed

      And also change your title to something more informative as per rules:

      3) Give your post a good topic (or subject line), reflecting the question's intentions

      Bad examples:
      For example, if you use a topic like
      Quote:
      PLEASE HELP, I NEED HELP N O W !!!
      or a stupid subject line like
      Quote:
      Windows 2000 help
      I will personally kick you out of here. So is using idiotic topic titles such as per the rules:

      http://forums.petri.com/announcement.php?f=26

      Quote:
      Hi!
      or
      Quote:
      I hate Microsoft
      I don't care about your love relations with Bill, I do care for my forums. Other people need to know what the thread is about, and using stupid titles like these won't help.
      Bad subject lines usually tell us it's a poorly written question. We don't like that.

      Good example:
      On the contrary, using a topic like this one
      Quote:
      Help in recovering local admin pwd on WinXP SP2 floppyless laptop
      Will actually bring people in, the ones that know the answer, and also those who do not, but would like to find what the answer is.
      Michael Armstrong
      www.m80arm.co.uk
      MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: Help needed to config PIX 506E

        Sorry about the last heading. Think of it as an act of lunacy, as I was going crazy.

        I have tried to add the permit tcp any any www

        Still no access to the internet.



        • #5
          Re: desperate help needed

          Originally posted by Mjaggi:
          access-group acl_out in interface outside
          access-group acl_in in interface inside
          Now I've never actually used any Cisco equipment but it seems to me that these commands should really be
          Code:
          access-group acl_out in interface inside
          access-group acl_in in interface outside
          Looking at the acl_out entries it's obvious that they were intended to allow for internal computers to access the Internet. And looking at the access list assignment, acl_out is assigned to interface outside which is the external/WAN link. My thinking is that it needs to be assigned to the inside interface which is where your internal computer will be connecting through the router.

          Same goes for the acl_in list. It looks like you're trying to allow traffic from the outside to access certain resources on the internal network. They need to go through the outside interface for that.

          BTW - if I'm right then of course port forwarding is working fine because all traffic from everywhere is permitted to pass through the interface.
          Last edited by JeremyW; 13th April 2007, 23:21. Reason: add everything after the code block
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com
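An added example, not code from the thread or from Cisco: a small Python evaluator that parses an excerpt of the access-list/access-group lines from the config in the first post, binds each list to the interface it is applied on (PIX 6.3 applies `access-group NAME in interface IF` to traffic arriving at IF, the point the access-group discussion above turns on), and checks a few constructed flows against it. The 198.51.100.0/24 addresses are documentation-range test values and NAT is not modelled.

```python
# Added example (not from the thread or from Cisco): a minimal evaluator for
# PIX 6.3-style access-list / access-group lines, run over an excerpt of the
# config in the first post. NAT/statics are not modelled; flows and the
# 198.51.100.0/24 addresses below are constructed test data.
import ipaddress
CONFIG = """
access-list acl_in permit tcp host 192.168.10.109 any eq www
access-list acl_in permit tcp host 192.168.10.109 any eq domain
access-list acl_out permit tcp any any eq 3389
access-group acl_out in interface outside
access-group acl_in in interface inside
"""
PORTS = {"www": 80, "domain": 53, "smtp": 25, "pop3": 110, "https": 443}

def _addr(f, i):
    """Parse 'any' | 'host A' | 'A MASK' at f[i]; return (network, next index)."""
    if f[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if f[i] == "host":
        return ipaddress.ip_network(f[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{f[i]}/{f[i + 1]}"), i + 2

def parse(cfg):
    acls, groups = {}, {}   # {acl: [(action, proto, src, dst, dport|None)]}, {iface: acl}
    for f in (line.split() for line in cfg.splitlines()):
        if f[:1] == ["access-list"]:    # access-list NAME ACTION PROTO SRC DST [eq PORT]
            src, i = _addr(f, 4)
            dst, i = _addr(f, i)
            port = (PORTS.get(f[i + 1]) or int(f[i + 1])) if f[i:i + 1] == ["eq"] else None
            acls.setdefault(f[1], []).append((f[2], f[3], src, dst, port))
        elif f[:1] == ["access-group"]: # access-group NAME in interface IF: filters
            groups[f[4]] = f[1]         # traffic arriving AT interface IF (PIX 6.3)
    return acls, groups

def permitted(acls, groups, iface, proto, src, dst, dport):
    """First-match check of the ACL bound to `iface`; returns (allowed, reason)."""
    name = groups.get(iface)    # interface with no ACL bound is treated as deny here
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, port in acls.get(name, []):
        if p in (proto, "ip") and s in sn and d in dn and port in (None, dport):
            return action == "permit", f"{name}: {action} {p} {sn} -> {dn} eq {port}"
    return False, f"{name}: implicit deny at end of list"

if __name__ == "__main__":
    acls, groups = parse(CONFIG)
    # .109 HTTP passes; its UDP/53 DNS query is denied (acl_in is tcp-only);
    # any Internet host reaches any inside address on 3389 (any any on outside).
    for flow in [("inside", "tcp", "192.168.10.109", "198.51.100.10", 80),
                 ("inside", "udp", "192.168.10.109", "198.51.100.53", 53),
                 ("outside", "tcp", "198.51.100.7", "192.168.10.103", 3389)]:
        print(flow, permitted(acls, groups, *flow))
```

Paste the full acl_in/acl_out lists from the first post into CONFIG to audit every host and port the box actually carries.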



          • #6
            Re: desperate help needed

            Tomorrow I will have a closer look.
            Jeremy, it looks fine to me what you say.

            It's 1 am here so I'm going to my bed. Tomorrow back to school.
            Marcel



            • #7
              Re: desperate help needed

              OK, it seems David has already given a simple example of how to apply the access lists. http://forums.petri.com/showthread.p...age=2&goto=#16
              I'm now pretty positive that what I posted above is the issue.

              Mjaggi, please reply and let us know if that worked or not. It would also be courteous if you would reply to the other thread where you had a question (the link above).
              Regards,
              Jeremy
