PIX506e :

This topic contains 7 replies, has 3 voices, and was last updated by theterranaut 12 years, 6 months ago.

    AndyUK

    (Edit) Sorry about the title I was going back to it and hit post in error.

    Hi All

    This is my first venture into Cisco and I apologise in advance as I'm an utter noob.

    We have a Cisco PIX 506E: 1x Ethernet in, 1x Ethernet out, 1 USB and 1 console.
    The only port not in use is the USB.

    Ok, what I'm trying to achieve is a single PC to have unrestricted access to the internet, i.e. no ports blocked etc. Is there a way to maintain current levels of security on my network but allow just this one PC unrestricted traffic to and from its IP?

    Thanks in advance

    daviddavis

    Re: PIX506e :

    Hi Andy

    Thanks for your post. I am sure we can help out.

    Let me start just by saying that on a PIX you need a NAT and an ACL for access.

    These look something like this:

    PIX(config)# nat (inside) 1 192.0.0.0 255.0.0.0
    PIX(config)# global (outside) 1 12.12.12.12
    PIX(config)# access-list outbound permit tcp 192.0.0.0 255.0.0.0 any
    PIX(config)# access-group outbound in interface inside

    Do you have any entries like this now? Perhaps you could post what you have without any passwords.

    Thanks,
    David

    AndyUK

    Re: PIX506e :

    Ok David, I've had a look at the current config. We only have access through a telnet session; the PIX was set up by an outsourcing company so I can't get details as they have gone out of business.

    As I said, I'm a noob with routers and I'm picking this up as I go along. Here's the main bit from sh config.
    We do allow VPN inbound.

    nnn = part of our external IP

    mtu inside 1500
    ip address outside 217.46.nnn.nnn 255.255.255.248
    ip address inside 192.168.71.226 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 217.46.nnn.nnn 192.168.71.221 netmask 255.255.255.255 0 0
    conduit permit icmp any any
    conduit permit tcp host 217.46.nnn.nnn eq pptp any
    conduit permit gre host 217.46.nnn.nnn any
    route outside 0.0.0.0 0.0.0.0 217.46.nnn.nnn 1

    Hope this is what you wanted or did you want the lot?

    theterranaut

    Re: PIX506e :

    Hello Andy,

    David's already helping you on this one, but if no-one minds I'll butt in.

    (BTW, here's a link to a post I made recently that may clarify the PIX and how it thinks of the world: http://forums.petri.com/showthread.php?t=11619)

    So, here's your config. I've deleted the 'unnecessary' parts from this.


    ip address outside 217.46.nnn.nnn 255.255.255.248
    ip address inside 192.168.71.226 255.255.255.0

    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 217.46.nnn.nnn 192.168.71.221 netmask 255.255.255.255 0 0

    route outside 0.0.0.0 0.0.0.0 217.46.nnn.nnn 1



    As said (by David also!), the PIX by default wants to allow all traffic from its 'more trusted' interfaces to its 'less trusted' interfaces. A simple example of this is your 'inside' network, your local LAN, and the 'outside' network, the internet. By default, if the right initial rules are in place, the PIX will allow every host hanging off your LAN unrestricted internet access, because (as said) this meets the criteria of traffic flowing from 'more trusted' to 'less trusted'. Cleverly, to prevent unwanted traffic coming in, it tracks what went out, makes an entry in a table and, when the traffic returns, allows it back in.

    In your current config, all devices on your LAN are allowed out. To tie this up, you can do the following (btw, there's more than one way to do this; I'm showing you a very basic way). I've changed the line which needs amending into bold, and I've assumed that the PC you want to have unrestricted access has IP address 192.168.71.10.


    ip address outside 217.46.nnn.nnn 255.255.255.248
    ip address inside 192.168.71.226 255.255.255.0

    global (outside) 1 interface
    nat (inside) 1 192.168.71.10 255.255.255.255 0 0
    static (inside,outside) 217.46.nnn.nnn 192.168.71.221 netmask 255.255.255.255 0 0

    route outside 0.0.0.0 0.0.0.0 217.46.nnn.nnn 1



    See what we did there? The original line read:
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    Which means:

    ‘nat traffic originating on the inside, using pool 1 (your global statement) according to traffic which can be described as 0.0.0.0 0.0.0.0’

    This particular 0.0.0.0 0.0.0.0 is shorthand for EVERYTHING, which is why all your inside hosts can currently get internet access.

    The changed line reads:
    nat (inside) 1 192.168.71.10 255.255.255.255 0 0

    'nat traffic originating on the inside, using pool 1 (your global statement) according to traffic which corresponds to 192.168.71.10 255.255.255.255'

    Try this and see how you get on.

    regards

    theterranaut

    AndyUK

    Re: PIX506e :

    Thanks very much, I appreciate the plain English.
    I'll try this after Christmas as we're off for a week from tomorrow.

    I’ll post back either way

    Thanks again

    daviddavis

    Re: PIX506e :

    Hi Terranaut,
    Thanks for your excellent post! You explained it very well! I am going to just throw in my two cents as well.
    -David

    Hi Andy,

    Yes, this is very helpful.

    So, currently, you are using PIX "conduits". This is the old way of doing access-lists. Don't worry about that, both work fine. Now, Cisco just recommends using ACLs instead of conduits. However, you don't want to mix them.

    To allow all inbound access to a particular server, you need 2 things:
    1. A NAT
    2. conduit (or ACL)

    You have a static NAT already here:

    AndyUK;49740 wrote:
    static (inside,outside) 217.46.nnn.nnn 192.168.71.221 netmask 255.255.255.255 0 0

    And you have some conduits, here:

    AndyUK;49740 wrote:
    conduit permit icmp any any
    conduit permit tcp host 217.46.nnn.nnn eq pptp any
    conduit permit gre host 217.46.nnn.nnn any

    What is the IP address of the INTERNAL host that you want to allow access to? Is it this host that already has a NAT, the 192.168.71.221? If so, then you have #1 covered.

    Then you need a conduit. Currently, your conduits allow ping, PPTP, and GRE. To open it up completely, it would be:
    conduit permit ip host 217.46.nnn.nnn any

    Here is the command reference for the PIX conduit command:
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080670231.html#wp4961

    Let us know how it goes,
    David
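As an added illustration (not code from either poster or from Cisco), here is a small Python model of the two PIX rules discussed in this thread: the nat (inside) line that theterranaut narrowed to one host, and the conduit lines David described for the static host. It assumes the constructed config below, with the documentation address 203.0.113.10 standing in for the poster's 217.46.nnn.nnn.

```python
import ipaddress
import re

# Constructed PIX 6.x config excerpt modelled on the thread; the poster's
# 217.46.nnn.nnn address is replaced with the documentation address 203.0.113.10.
BEFORE = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.10 192.168.71.221 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 203.0.113.10 eq pptp any
conduit permit gre host 203.0.113.10 any
"""
# theterranaut's change: only one inside host gets a dynamic translation.
AFTER = BEFORE.replace("nat (inside) 1 0.0.0.0 0.0.0.0 0 0",
                       "nat (inside) 1 192.168.71.10 255.255.255.255 0 0")

def _in_subnet(host, net, mask):
    # PIX nat lines use address + netmask, not CIDR: compare the masked bits.
    h, n, m = (int(ipaddress.IPv4Address(x)) for x in (host, net, mask))
    return h & m == n & m

def nat_matches(config, host):
    """True if 'host' on the inside is covered by a nat (inside) line whose id
    has a global (outside) pool, i.e. it can be translated out to the internet.
    Static translations and 'nat 0' exemptions are deliberately not modelled."""
    pools = {m.group(1) for m in re.finditer(r"^global \(outside\) (\d+) ", config, re.M)}
    for m in re.finditer(r"^nat \(inside\) (\d+) (\S+) (\S+)", config, re.M):
        nat_id, net, mask = m.groups()
        if nat_id in pools and _in_subnet(host, net, mask):
            return True
    return False

def conduit_permits(config, proto, dst_outside, dst_port=None):
    """True if a conduit permits inbound traffic from any source to the given
    outside (static) address. 'ip' matches every protocol and a conduit with no
    'eq' clause matches every port, which is why 'conduit permit ip host X any'
    opens the host up completely."""
    pat = r"^conduit permit (\S+) (?:host (\S+)|any)(?: eq (\S+))? any$"
    for m in re.finditer(pat, config, re.M):
        c_proto, c_host, c_port = m.groups()
        if c_proto not in ("ip", proto):
            continue
        if c_host is not None and c_host != dst_outside:
            continue
        if c_port is not None and c_port != dst_port:
            continue
        return True
    return False
```

The model is stateless and ignores the PIX's connection table, so it only answers "does a translation or conduit exist for this flow", not whether return traffic is allowed.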

    AndyUK

    Re: PIX506e :

    A big Thank You to you both for the replies. :D
    That solved my quandary and I'm cracking on with the project now. Just a pity I had to return to work this Wednesday and not next :(

    Thanks Again
    Andy

    theterranaut

    Re: PIX506e :

    You and me both, Andy, you and me both…:(

    theterranaut
