
I am looking for some configuration help with a Cisco PIX 501 version 6.3(3). It is currently set up with IP 192.168.1.1 and a subnet mask of 255.255.255.0, and all clients have IP addresses in the 192.168.1.xxx range. All clients are connecting via an unmanaged switch to the PIX, which in turn connects to the internet.

I am trying to accomplish two things. FIRST, I am trying to add an internal client with an IP address of 192.168.10.10, and allow that client to access everything (both internal and external). I also want to be able to RDP to this client from the internet. SECOND, once I accomplish this, I would like to prohibit the new client from accessing the server at 192.168.1.10 (and vice versa).

I have made an attempt to do this, but so far, no luck. So far, I have done the following:

- added (via the PDM) an inside host/network of 192.168.10.0 255.255.255.0

- added (via the PDM) an Access Rule allowing port 3389 to make it through to the client at 192.168.10.10

- changed (via the PDM) the inside interface to a subnet of 255.255.0.0 (was 255.255.255.0)

- added (via telnet) route inside 192.168.10.0 255.255.255.0 192.168.1.1 1.

Finally, I changed the IP on this client to 192.168.10.10, but left the gateway as 192.168.1.1. (I didn't start to try to limit access for this client to the server at 192.168.1.10, as I still haven't accomplished my first goal.) The current PIX config is detailed below.

I cannot RDP to this client, nor can I ping this client from any other computer on the 192.168.1.xxx subnet. I must have configured something wrong, just not sure what it is. Thanks for your help.

void# wr t
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password [omitted] encrypted
passwd [omitted] encrypted
hostname void
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.11 Server2010
access-list outside-in permit tcp any interface outside eq 3389
access-list outside-in permit tcp any interface outside eq 5900
access-list outside-in permit tcp any interface outside eq smtp
access-list outside-in permit tcp any interface outside eq www
access-list outside-in permit tcp any interface outside eq https
access-list outside-in permit tcp any interface outside eq pop3
access-list outside-in permit tcp any interface outside eq ftp
access-list outside-in permit icmp any any echo
access-list inside_outbound_nat0_acl permit ip any 192.168.1.48 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.48 255.255.255.240
access-list splittunnel permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.162 255.255.255.0
ip address inside 192.168.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.1.50-192.168.1.60
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 192.168.1.200 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.1.111 255.255.255.255 inside
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 192.168.10.10 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5900 192.168.1.200 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.10 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.253 1
route outside xxx.xxx.0.0 255.255.0.0 66.166.39.221 1
route inside 192.168.10.0 255.255.255.0 192.168.1.1 1
route outside xxx.xxx.104.0 255.255.254.0 66.166.39.221 1
route outside xxx.xxx.176.0 255.255.248.0 66.166.39.221 1
route outside xxx.xxx.246.0 255.255.255.0 66.166.39.221 1
route outside xxx.xxx.161.0 255.255.255.0 66.166.39.221 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup vpngroup idle-time 1800
vpngroup aravpn address-pool vpnpool
vpngroup aravpn dns-server 192.168.1.10 206.141.192.60
vpngroup aravpn wins-server 192.168.1.10
vpngroup aravpn default-domain mydomain.local
vpngroup aravpn split-tunnel splittunnel
vpngroup aravpn idle-time 1800
vpngroup aravpn password ********
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.101-192.168.1.109 inside
dhcpd dns 192.168.1.10 64.105.189.26
dhcpd wins 192.168.1.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain mydomain.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:
: end
[OK]
void#
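The inbound exposure in the posted config is spread across two places: the `static (inside,outside) tcp interface ...` lines decide where each forwarded port lands, and the `outside-in` access list (bound with `access-group`) decides whether the packet is allowed in at all. A port forward with no matching ACL entry is silently dead, and every entry here uses `any` as the source. The script below is an added example, not part of the original post or of any Cisco tool: it parses the `static`, `access-list` and `access-group` lines of a PIX 6.3 config and cross-checks them. The sample config is the relevant subset of the config pasted above; the service-name table covers only the names that config uses.

```python
"""Cross-check PIX 6.3 port forwards (static) against the outside ACL.

Added example; the regexes cover only the command forms seen in the
posted config (tcp statics mapped to the outside interface address).
"""
import re

# Service names PIX 6.3 accepts in place of numeric ports (subset used here).
PIX_PORTS = {"smtp": 25, "www": 80, "https": 443, "pop3": 110, "ftp": 21}

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp interface "
    r"(?P<mapped_port>\S+) (?P<real_ip>[\d.]+) (?P<real_port>\S+) netmask"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit tcp (?P<src>\S+) "
    r"interface (?P<iface>\w+) eq (?P<port>\S+)$"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)$")

# Subset of the config posted in the thread (constructed sample input).
SAMPLE_CONFIG = """\
access-list outside-in permit tcp any interface outside eq 3389
access-list outside-in permit tcp any interface outside eq 5900
access-list outside-in permit tcp any interface outside eq smtp
access-list outside-in permit tcp any interface outside eq www
access-list outside-in permit tcp any interface outside eq https
access-list outside-in permit tcp any interface outside eq pop3
access-list outside-in permit tcp any interface outside eq ftp
access-list outside-in permit icmp any any echo
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5900 192.168.1.200 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.10 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0
access-group outside-in in interface outside
"""


def port_number(token):
    """Translate a PIX port token ('3389' or 'smtp') into an integer."""
    return int(token) if token.isdigit() else PIX_PORTS[token]


def parse_config(text):
    """Return (statics, acls, groups): forwards, ACL entries by name, ACL per interface."""
    statics, acls, groups = [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append({
                "mapped_if": m["mapped_if"],
                "mapped_port": port_number(m["mapped_port"]),
                "real_ip": m["real_ip"],
                "real_port": port_number(m["real_port"]),
            })
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m["name"], []).append(
                (m["src"], m["iface"], port_number(m["port"])))
            continue
        m = GROUP_RE.match(line)
        if m:
            groups[m["iface"]] = m["name"]
    return statics, acls, groups


def published_services(text):
    """One record per static: where it lands and which ACL sources may reach it."""
    statics, acls, groups = parse_config(text)
    report = []
    for s in statics:
        entries = acls.get(groups.get(s["mapped_if"]), [])
        sources = [src for src, iface, port in entries
                   if iface == s["mapped_if"] and port == s["mapped_port"]]
        report.append({**s, "permitted": bool(sources), "sources": sources})
    return report


def open_to_anyone(report):
    """Mapped ports whose ACL entry uses 'any' as the source."""
    return sorted(r["mapped_port"] for r in report if "any" in r["sources"])


if __name__ == "__main__":
    rep = published_services(SAMPLE_CONFIG)
    for r in rep:
        state = "ALLOWED from " + ",".join(r["sources"]) if r["permitted"] else "BLOCKED (no ACL)"
        print(f"outside:{r['mapped_port']} -> {r['real_ip']}:{r['real_port']}  {state}")
    print("open to any source:", open_to_anyone(rep))
```

Running it against the posted config shows all seven forwards permitted and all seven reachable from any source, including RDP to 192.168.10.10. That tells you the PIX side of the RDP forward is complete; the failure the poster sees is not in the ACL or NAT, which is consistent with the later replies pointing at the client's subnet mask and at the upstream NAT. Restricting the `any` source to the addresses that actually need RDP would be the first hardening step once it works.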

Off the top, I don't believe the 501 supports vlans -- I do believe vlan support was added on the pix line with 6.3, so your IOS is ok -- but I don't believe you can actually do vlans on the 501??

It's been a while since I have played with a 501, but I don't think it can do what you want.. I don't believe you can even route with it like that with a 501.

I would think an easier solution with the hardware you have on hand would be to just put this new client on the same network as everything else -- you stated you wanted it to be able to access everything on the network except the server at .10 -- so on the .10 firewall just prevent this client.

On the pix just setup a rule to allow the RDP access to this client.

1st don't use the pdm, you can mess up your config pretty good with that.

2nd you will have to create vlans (please do not use the pdm for this), I am not sure that the 501 is capable, but this is what is needed.

interface ethernet2 auto
nameif ethernet2 secure_vlan security100
ip address secure_vlan 192.168.10.1

---------------------

With this security level on the ethernet2 port being at the same security level as ethernet1 this should deny access between the two.

Your gateway is going to be 192.168.10.1 for the pc, not 192.168.1.1

you mentioned the subnets you have applied to the PIX but what about the client

If you changed the IP to "Finally, I changed the IP on this client to 192.168.10.10, but left the gateway as 192.168.1.1" but the subnet is 255.255.255.0 then it probably cannot see the PIX at 192.168.1.1

it is usually something I forget to overlook, change the subnet to 255.255.0.0 and it will spring to life

this could cause you problems with preventing it from performing the other things you want to do.

I would say best thing to do would be to set a secondary ip on the internal interface (if you can) to give you a gateway of something like 192.168.10.1

But I really don't know much about a cisco PIX and am probably completely going down the wrong path with this advice

**Edit** ohh look beaten by sc302 while posting :D lol, said my advice was probably wrong :D
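The subnet-mask point above is easy to check numerically rather than by eye. The inside interface of the PIX is now 192.168.1.1/16, so the PIX considers 192.168.10.10 directly attached; the client, still on a /24, does not consider 192.168.1.1 directly attached and has nowhere to ARP for its gateway. The same asymmetry hits the other 192.168.1.x hosts, which hand packets for 192.168.10.10 to the PIX. The script below is an added example (not from the thread) that models both directions with Python's `ipaddress` module; the addresses and masks are the ones stated in the posts.

```python
"""Check whether two hosts on one wire agree that they are on-link.

Added example. Models the addresses from the thread:
client 192.168.10.10, PIX inside 192.168.1.1/16, LAN peer 192.168.1.100/24.
"""
import ipaddress


def on_link(local_ip, local_mask, peer_ip):
    """True if the local host would ARP for peer_ip directly (same subnet)."""
    net = ipaddress.ip_network(f"{local_ip}/{local_mask}", strict=False)
    return ipaddress.ip_address(peer_ip) in net


def gateway_reachability(client_ip, client_mask, gw_ip, gw_mask):
    """Both directions matter: the client must see the gateway AND the gateway
    must see the client, or replies go nowhere."""
    return {
        "client_can_arp_gateway": on_link(client_ip, client_mask, gw_ip),
        "gateway_can_arp_client": on_link(gw_ip, gw_mask, client_ip),
    }


def next_hop(src_ip, src_mask, src_gw, dst_ip):
    """Where a host sends a packet for dst_ip: 'direct' if on-link, else its gateway."""
    return "direct" if on_link(src_ip, src_mask, dst_ip) else src_gw


def thread_scenario(client_mask="255.255.255.0", peer_mask="255.255.255.0"):
    """Summarise the poster's setup for a given client and LAN-peer mask."""
    return {
        "client_vs_pix": gateway_reachability(
            "192.168.10.10", client_mask, "192.168.1.1", "255.255.0.0"),
        # A 192.168.1.x host pinging the new client: where does the packet go?
        "peer_next_hop_to_client": next_hop(
            "192.168.1.100", peer_mask, "192.168.1.1", "192.168.10.10"),
    }


if __name__ == "__main__":
    print("as posted        :", thread_scenario())
    print("client /16       :", thread_scenario(client_mask="255.255.0.0"))
    print("client+peer /16  :", thread_scenario("255.255.0.0", "255.255.0.0"))
```

As posted, the PIX can reach the client but the client cannot reach the PIX, which matches the symptoms. Changing only the client's mask to 255.255.0.0 fixes its own gateway, but a 192.168.1.x host still on /24 keeps sending packets for 192.168.10.10 to the PIX, and PIX 6.x does not forward traffic back out the interface it arrived on, so the other hosts need the /16 as well (or the client goes back onto 192.168.1.0/24, as the thread ends up recommending).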

Thanks for the replies. Looks like I need to track down whether the 501 supports vlans.

One other thing: I mis-stated one fact in my summary above (although if the 501 doesn't support vlans, it probably won't matter). The outside port on the PIX does not connect directly to the internet, it connects to another internal router over which I have no control. The PIX has an outside IP of 192.168.2.162. No machines on the 192.168.1.xxx network (or 192.168.10.xxx) need to access any resources on the 192.168.2.xxx network. When data leaves the outbound port on the PIX, it is destined for the internet. Don't know if that changes anyone's thoughts.

well you are going to have to see the 2.x network. they can limit you if they want on their end. being that you are double natting (192.168.2.x----->192.168.1.x & 10.x) I highly doubt that you are going to be able to give rdp access from the internet to your pc's, unless they have it configured that their equipment passes all port traffic to you and the 2.x network is nothing but a pass through.

that changes things quite a bit from doable, to impossible.

According to this site, the 501 does not support any logical interfaces. So I'm down to one option now.

If I put the new client back on the 192.168.1.xxx domain (with an IP of 192.168.1.11 and a subnet mask of 255.255.255.0), what do I need to do in order to allow that client access to only the outside port, but nothing on the inside network?

  On 22/04/2010 at 16:24, gurs said:

According to this site, the 501 does not support any logical interfaces. So I'm down to one option now.

If I put the new client back on the 192.168.1.xxx domain (with an IP of 192.168.1.11 and a subnet mask of 255.255.255.0), what do I need to do in order to allow that client access to only the outside port, but nothing on the inside network?

nothing. your config should be set that no one from the outside will access the inside, but the inside will access the outside.

If you edited your config with a console cable or through telnet just put a no in front of the lines i put here to remove them.

example

no ip address secure_vlan 192.168.10.1 255.255.255.0

You can't with your current hardware.. For starters you're connected to some dumb switch are you not? It has no support for ACLs - so the only way of preventing access would be with firewalls on the other machines on the same segment to prevent the access.. Or a firewall on the pc in question preventing access to everything but the pix.. I thought you said you wanted to allow access to everything other than some server on .10?

Also if you're behind a double nat like you say, with no access to that 1st router -- unless they have put your PIX's wan IP into a dmz or something where all traffic is forwarded to it.. which I doubt - then it would be impossible for you to setup RDP to anything behind the double nat.

You would have to use something like teamviewer or something where an outside source is the go between for the connection.. Where the pc makes an outbound connection, etc.
