Recommended Posts

I am looking for some configuration help with a Cisco PIX 501 version 6.3(3). It is currently set up with IP 192.168.1.1 and a subnet mask of 255.255.255.0, and all clients are have IP addresses in the 192.168.1.xxx range. All clients are connecting via an unmanaged switch to the PIX, which in turn connects to the internet.

I am trying to accomplish two things. FIRST, I am trying to add an internal client with an IP address of 192.168.10.10, and allow that client to access everything (both internal and external). I also want to be able to RDP to this client from the internet. SECOND, once I accomplish this, I would like to prohibit the new client from accessing the server at 192.168.1.10 (and vice verse).

I have made an attempt to do this, but so far, no luck. So far, I have done the following:

- added (via the PDM) an inside host/network of 192.168.10.0 255.255.255.0

- added (via the PDM) an Access Rule allowing port 3389 to make it through to the client at 192.168.10.10

- changed (via the PDM) the inside interface to a subnet of 255.255.0.0 (was 255.255.255.0)

- added (via telnet) route inside 192.168.10.0 255.255.255.0 192.168.1.1 1.

Finally, I changed the IP on this client to 192.168.10.10, but left the gateway as 192.168.1.1. (I didn't start to try to limit access for this client to the server at 192.168.1.10, as I still haven't accomplished my first goal.) The current PIX config is detailed below.

I cannot RDP to this client, nor can I ping this client from any other computer on the 192.168.1.xxx subnet. I must have configured something wrong, just not sure what it is. Thanks for your help.

void# wr t

Building configuration...

: Saved

:

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password [omitted] encrypted

passwd [omitted] encrypted

hostname void

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 192.168.1.11 Server2010

access-list outside-in permit tcp any interface outside eq 3389

access-list outside-in permit tcp any interface outside eq 5900

access-list outside-in permit tcp any interface outside eq smtp

access-list outside-in permit tcp any interface outside eq www

access-list outside-in permit tcp any interface outside eq https

access-list outside-in permit tcp any interface outside eq pop3

access-list outside-in permit tcp any interface outside eq ftp

access-list outside-in permit icmp any any echo

access-list inside_outbound_nat0_acl permit ip any 192.168.1.48 255.255.255.240

access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.48 255.255.255.240

access-list splittunnel permit ip 192.168.1.0 255.255.255.0 any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 192.168.2.162 255.255.255.0

ip address inside 192.168.1.1 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnpool 192.168.1.50-192.168.1.60

pdm location 192.168.1.100 255.255.255.255 inside

pdm location 192.168.1.200 255.255.255.255 inside

pdm location 192.168.0.0 255.255.0.0 inside

pdm location 192.168.1.111 255.255.255.255 inside

pdm location 192.168.1.10 255.255.255.255 inside

pdm location 192.168.10.0 255.255.255.0 inside

pdm location 192.168.10.10 255.255.255.255 inside

pdm location 192.168.1.0 255.255.255.0 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface 5900 192.168.1.200 5900 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255 0 0

static (inside,outside) tcp interface pop3 192.168.1.10 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0

access-group outside-in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.2.253 1

route outside xxx.xxx.0.0 255.255.0.0 66.166.39.221 1

route inside 192.168.10.0 255.255.255.0 192.168.1.1 1

route outside xxx.xxx.104.0 255.255.254.0 66.166.39.221 1

route outside xxx.xxx.176.0 255.255.248.0 66.166.39.221 1

route outside xxx.xxx.246.0 255.255.255.0 66.166.39.221 1

route outside xxx.xxx.161.0 255.255.255.0 66.166.39.221 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt ipsec pl-compatible

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash md5

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

vpngroup vpngroup idle-time 1800

vpngroup aravpn address-pool vpnpool

vpngroup aravpn dns-server 192.168.1.10 206.141.192.60

vpngroup aravpn wins-server 192.168.1.10

vpngroup aravpn default-domain mydomain.local

vpngroup aravpn split-tunnel splittunnel

vpngroup aravpn idle-time 1800

vpngroup aravpn password ********

telnet 192.168.0.0 255.255.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.101-192.168.1.109 inside

dhcpd dns 192.168.1.10 64.105.189.26

dhcpd wins 192.168.1.10

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain mydomain.local

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:

: end

[OK]

void#

Off the top, I don't believe the 501 supports vlans -- I do believe vlan support was added on the pix line with 6.3, so your IOS is ok -- but I don't believe you can actually do vlans on the 501??

Its been a while since I have played with a 501, but I don't think it can do what you want.. I don't believe you can even route with it like that with a 501.

I would think a easier solution with the hardware you have on hand would be to just put the this new client on the same network as every thing else -- you stated you wanted it to be able to access everything on the network except the server at .10 -- so on the .10 firewall just prevent this client.

On the pix just setup a rule to allow the RDP access to this client.

1st don't use the pdm, you can mess up your config pretty good with that.

2nd you will have to create vlans (please do not use the pdm for this), I am not sure that the 501 is capable, but this is what is needed.

interface ethernet2 auto

nameif ethernet2 secure_vlan security100

ip address secure_vlan 192.168.10.1

---------------------

With this secuity level on the ethernet2 port being at the same security level as ethernet1 this should deny access between the two.

Your gateway is going to be 192.168.10.1 for the pc, not 192.168.1.1

you mentioned the subnets you have applied to the PIX but what about the client

If you changed the ip to "Finally, I changed the IP on this client to 192.168.10.10, but left the gateway as 192.168.1.1" but the subnet is 255.255.255.0 then it probably cannot see the PIX at 192.168.1.1

it is usually something I forget to overlook, change the subnet to 255.255.0.0 and it will spring to life

this could cause you problems with preventing it from performing the other things you want to do.

I would say best thing to do would be to set a secondary ip on the internal interface (if you can) to give you a gateway of something like 192.168.10.1

But I really don't know much about a cisco PIX and am probably completely going down the wrong path with this advice

**Edit** ohh look beaten by sc302 while posting :D lol, said my advice was probably wrong :D

Thanks for the replies. Looks like I need to track down whether the 501 supports vlans.

One other thing: I mis-stated one fact in my summary above (although if the 501 doesn't support vlans, it probably won't matter). The outside port on the PIX does not connect directly to the internet, it connects to another internal router over which I have no control. The PIX has an outside IP of 192.168.2.162. No machines on the 192.168.1.xxx network (or 192.168.10.xxx) need to access any resources on the 192.168.2.xxx network. When data leaves the outbound port on the PIX, it is destined for the internet. Don't know if that changes anyone's thoughts.

well you are going to have to see the 2.x network. they can limit you if they want on their end. being that you are double natting (192.168.2.x----->192.168.1.x & 10.x) I highly doubt that you are going to be able to give rdp access from the internet to your pc's, unless they have it configured that their equipment passess all port traffic to you and the 2.x network is nothing but a pass through.

that changes things quite a bit from doable, to impossible.

According to this site, the 501 does not support any logical interfaces. So I'm down to one option now.

If I put the new client back on the 192.168.1.xxx domain (with an IP of 192.168.1.11 and a subnet mask of 255.255.255.0), what do I need to do in order to allow that client access to only the outside port, but nothing on the inside network?

  On 22/04/2010 at 16:24, gurs said:

According to this site, the 501 does not support any logical interfaces. So I'm down to one option now.

If I put the new client back on the 192.168.1.xxx domain (with an IP of 192.168.1.11 and a subnet mask of 255.255.255.0), what do I need to do in order to allow that client access to only the outside port, but nothing on the inside network?

nothing. your config should be set that no one from the outside will access the inside, but the inside will access the outside.

If you edited your config with a console cable or through telnet just put a no in front of the lines i put here to remove them.

example

no ip address secure_vlan 192.168.10.1 255.255.255.0

You can't with your current hardware.. For starters your connected to some dumb switch are you not? It has not support for ACLs - so the only way from preventing access would be with firewalls on the other machines on the same segment to prevent the access.. Or a firewall on the pc in question preventing access to everything but the pix.. I thought you said you wanted to allow access to everything other than some server on .10?

Also if your behind a double nat like you say, with no access to that 1st router -- unless they have put your PIXs wan IP into a dmz or something were all traffic is forwarded to it.. which I doubt - then it would be impossible for you to setup RDP to anything behind the double nat.

You would have to use something like teamviewer or something where an outside source is the go between for the connection.. Where the pc makes an outbound connection, etc.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • Supply and demand. Competition is a good thing.
    • For the cost of popping Linux on a minipc and attaching it to the back of a monitor, it essentially is a Mac, but 1/10th of the cost. My aunt and uncle were just in town seeing her and they couldn't believe they weren't using Windows. I've ordered them the same setup my mom has and they couldn't be happier. My aunt runs a really old Windows 7 laptop that was upgraded to Windows 10 that is giving out, so a replacement cost of $389 total vs $600 or more and she was sold.
    • BurnAware 18.7 by Razvan Serea Free burning software to create CDs, DVDs, and Blu-ray discs of all types. BurnAware is a full-fledged, easy-to-use burning software which allows users to write all types of files such as digital photos, archives, documents, music and videos to CDs, DVDs and Blu-ray Discs, including BDXL and M-Disc. With BurnAware, you also be able to create boot or multisession discs, high-quality Audio CDs and Video DVDs, make and burn ISO images, copy and backup discs, extract audio tracks, verify and recover data from multisession or unreadable discs. BurnAware is available in three editions - Free, Premium and Professional. Compare and pick edition which is suitable for you. Features Burn files and folders to CD, DVD or Blu-ray Discs. Append or update multisession discs. Burn standard or boot disc images. Burn ISO files to multiple recorders simultaneously. Create boot CDs or DVDs. Create Audio CDs. Create DVD-Video discs. Create MP3 CD / DVD / Blu-ray Discs. Make standard or boot disc images. Copy CD, DVD or Blu-ray Discs to ISO images. Copy from discs to discs. Verify discs byte by byte. Recover files from damaged discs or different sessions. Extract audio tracks from Audio CDs. Erase and format re-writable discs. View detailed disc and drive information. Supports All media types (CD/DVD/Blu-ray Disc) including Double Layer All current hardware interfaces (IDE/SCSI/USB/1394/SATA) including AHCI UDF/ISO9660/Joliet file systems (any combination) On-the-fly writing (no staging to hard drive first) Verification of written files Multisession DVD-RW/DVD+RW Unicode CD-Text (tracks and disc) Compatible with Windows Vista 7, 8, 10, 11 (32-bit or 64-bit) BurnAware 18.7 changelog: Updated translations. Updated disc burning SDK. Improved indirect disc copying (CD <-> DVD). Optimized overall performance on 64-bit systems. Download: BurnAware Free 18.7 | 11.8 MB (Freeware) View: BurnAware Free Website | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Yeah, as a general rule I prefer standard XBox-like controllers that work like usual out-of-the-box. additional software tends to be overkill. p.s. even my 8BitDo Ultimate 2C wired, while I had to tweak something (setup a udev rule) on Linux for it to work 'out-of-the-box' (which is required for Xinput mode to work in kernels prior to 6.12), I can slightly tweak a small amount of additional buttons/features on the controller itself, no software needed.
  • Recent Achievements

    • Apprentice
      Adrian Williams went up a rank
      Apprentice
    • Reacting Well
      BashOrgRu earned a badge
      Reacting Well
    • Collaborator
      CHUNWEI earned a badge
      Collaborator
    • Apprentice
      Cole Multipass went up a rank
      Apprentice
    • Posting Machine
      David Uzondu earned a badge
      Posting Machine
  • Popular Contributors

    1. 1
      +primortal
      535
    2. 2
      ATLien_0
      265
    3. 3
      +Edouard
      193
    4. 4
      +FloatingFatMan
      182
    5. 5
      snowy owl
      135
  • Tell a friend

    Love Neowin? Tell a friend!