
I am looking for some configuration help with a Cisco PIX 501 version 6.3(3). It is currently set up with IP 192.168.1.1 and a subnet mask of 255.255.255.0, and all clients have IP addresses in the 192.168.1.xxx range. All clients are connecting via an unmanaged switch to the PIX, which in turn connects to the internet.

I am trying to accomplish two things. FIRST, I am trying to add an internal client with an IP address of 192.168.10.10, and allow that client to access everything (both internal and external). I also want to be able to RDP to this client from the internet. SECOND, once I accomplish this, I would like to prohibit the new client from accessing the server at 192.168.1.10 (and vice versa).

I have made an attempt to do this, but so far, no luck. So far, I have done the following:

- added (via the PDM) an inside host/network of 192.168.10.0 255.255.255.0

- added (via the PDM) an Access Rule allowing port 3389 to make it through to the client at 192.168.10.10

- changed (via the PDM) the inside interface to a subnet of 255.255.0.0 (was 255.255.255.0)

- added (via telnet) route inside 192.168.10.0 255.255.255.0 192.168.1.1 1.

Finally, I changed the IP on this client to 192.168.10.10, but left the gateway as 192.168.1.1. (I didn't start to try to limit access for this client to the server at 192.168.1.10, as I still haven't accomplished my first goal.) The current PIX config is detailed below.

I cannot RDP to this client, nor can I ping this client from any other computer on the 192.168.1.xxx subnet. I must have configured something wrong, just not sure what it is. Thanks for your help.

void# wr t
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password [omitted] encrypted
passwd [omitted] encrypted
hostname void
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.11 Server2010
access-list outside-in permit tcp any interface outside eq 3389
access-list outside-in permit tcp any interface outside eq 5900
access-list outside-in permit tcp any interface outside eq smtp
access-list outside-in permit tcp any interface outside eq www
access-list outside-in permit tcp any interface outside eq https
access-list outside-in permit tcp any interface outside eq pop3
access-list outside-in permit tcp any interface outside eq ftp
access-list outside-in permit icmp any any echo
access-list inside_outbound_nat0_acl permit ip any 192.168.1.48 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.48 255.255.255.240
access-list splittunnel permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.162 255.255.255.0
ip address inside 192.168.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.1.50-192.168.1.60
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 192.168.1.200 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.1.111 255.255.255.255 inside
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 192.168.10.10 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5900 192.168.1.200 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.10 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.253 1
route outside xxx.xxx.0.0 255.255.0.0 66.166.39.221 1
route inside 192.168.10.0 255.255.255.0 192.168.1.1 1
route outside xxx.xxx.104.0 255.255.254.0 66.166.39.221 1
route outside xxx.xxx.176.0 255.255.248.0 66.166.39.221 1
route outside xxx.xxx.246.0 255.255.255.0 66.166.39.221 1
route outside xxx.xxx.161.0 255.255.255.0 66.166.39.221 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup vpngroup idle-time 1800
vpngroup aravpn address-pool vpnpool
vpngroup aravpn dns-server 192.168.1.10 206.141.192.60
vpngroup aravpn wins-server 192.168.1.10
vpngroup aravpn default-domain mydomain.local
vpngroup aravpn split-tunnel splittunnel
vpngroup aravpn idle-time 1800
vpngroup aravpn password ********
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.101-192.168.1.109 inside
dhcpd dns 192.168.1.10 64.105.189.26
dhcpd wins 192.168.1.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain mydomain.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:
: end
[OK]
void#
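An added audit of the port-forwarding part of the config above (example code written for this page, not anything from the thread or from Cisco): it cross-checks each `static (inside,outside) tcp interface ...` against the `access-list outside-in` permits and confirms each forwarded-to host sits inside the inside interface's subnet. SAMPLE_CONFIG is a constructed excerpt of the posted config, trimmed so that one mismatch shows up.

```python
"""Audit of the port forwards in a PIX 6.3 config (added example, not from the thread).

A static without a matching outside-in permit translates but its traffic is dropped;
a permit without a static is dead weight. SAMPLE_CONFIG is a constructed excerpt of the
config posted in the thread, with the https permit left out so one mismatch is reported.
"""
import ipaddress
import re

# Service names PIX accepts in place of port numbers (only those the excerpt uses).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "pop3": 110, "ftp": 21}

STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list outside-in permit tcp any interface outside eq (\S+)$")
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)$")

SAMPLE_CONFIG = """\
access-list outside-in permit tcp any interface outside eq 3389
access-list outside-in permit tcp any interface outside eq 5900
access-list outside-in permit tcp any interface outside eq smtp
access-list outside-in permit tcp any interface outside eq www
access-list outside-in permit icmp any any echo
ip address inside 192.168.1.1 255.255.0.0
static (inside,outside) tcp interface 5900 192.168.1.200 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255 0 0
snmp-server community public
"""


def port_number(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse(config: str):
    """Return ({outside_port: (inside_host, inside_port)}, {permitted ports}, inside_net, findings)."""
    statics, acl_ports, inside_net, findings = {}, set(), None, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics[port_number(m.group(1))] = (ipaddress.ip_address(m.group(2)), port_number(m.group(3)))
        elif m := ACL_RE.match(line):
            acl_ports.add(port_number(m.group(1)))
        elif m := INSIDE_RE.match(line):
            inside_net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif line == "snmp-server community public":
            findings.append("snmp-server uses the default community string 'public'")
    return statics, acl_ports, inside_net, findings


def audit(config: str):
    """Return ([(outside_port, host, inside_port)] actually reachable from outside, findings)."""
    statics, acl_ports, inside_net, findings = parse(config)
    for port, (host, _) in sorted(statics.items()):
        if port not in acl_ports:
            findings.append(f"static for port {port} -> {host} has no outside-in permit; traffic is dropped")
        if inside_net is not None and host not in inside_net:
            findings.append(f"static target {host} lies outside the inside subnet {inside_net}")
    for port in sorted(acl_ports - statics.keys()):
        findings.append(f"outside-in permits tcp/{port} but nothing is forwarded there")
    exposed = [(p, str(h), ip) for p, (h, ip) in sorted(statics.items()) if p in acl_ports]
    return exposed, findings


if __name__ == "__main__":
    exposed, findings = audit(SAMPLE_CONFIG)
    print("reachable from the Internet:", exposed)
    for f in findings:
        print("finding:", f)
```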

Off the top, I don't believe the 501 supports vlans -- I do believe vlan support was added on the pix line with 6.3, so your IOS is ok -- but I don't believe you can actually do vlans on the 501??

It's been a while since I have played with a 501, but I don't think it can do what you want.. I don't believe you can even route with it like that with a 501.

I would think an easier solution with the hardware you have on hand would be to just put this new client on the same network as everything else -- you stated you wanted it to be able to access everything on the network except the server at .10 -- so on the .10 firewall just prevent this client.

On the pix just setup a rule to allow the RDP access to this client.

1st don't use the pdm, you can mess up your config pretty good with that.

2nd you will have to create vlans (please do not use the pdm for this), I am not sure that the 501 is capable, but this is what is needed.

interface ethernet2 auto
nameif ethernet2 secure_vlan security100
ip address secure_vlan 192.168.10.1

---------------------

With this security level on the ethernet2 port being at the same security level as ethernet1, this should deny access between the two.

Your gateway is going to be 192.168.10.1 for the pc, not 192.168.1.1

You mentioned the subnets you have applied to the PIX, but what about the client?

If you changed the IP as you described ("Finally, I changed the IP on this client to 192.168.10.10, but left the gateway as 192.168.1.1") but the subnet mask is still 255.255.255.0, then it probably cannot see the PIX at 192.168.1.1.

It is usually something I forget to overlook; change the subnet to 255.255.0.0 and it will spring to life.

This could cause you problems with preventing it from performing the other things you want to do.

I would say the best thing to do would be to set a secondary IP on the internal interface (if you can) to give you a gateway of something like 192.168.10.1.

But I really don't know much about a Cisco PIX and am probably completely going down the wrong path with this advice.

**Edit** ohh look beaten by sc302 while posting :D lol, said my advice was probably wrong :D
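The mask and gateway question raised in this reply, and the 192.168.10.1 gateway suggested in the reply before it, as an added example (written for this page, not posted by anyone in the thread): a host is modelled as (address, mask, gateway) and next_hop() decides what it would ARP for. The PIX and server addresses are taken from the posted config; the client settings are the ones discussed in the thread; the assumption that PIX 6.3 will not forward a packet back out the inside interface it arrived on is stated in the code.

```python
"""Next-hop check for the 192.168.10.10 client on one flat segment (added example).

Answers the question raised in the thread: can the client even reach its gateway, and
can it exchange traffic with the 192.168.1.x machines, under each setting discussed?
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    mask: str
    gateway: Optional[str] = None  # None: no default gateway configured

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.ip}/{self.mask}", strict=False)

    def next_hop(self, dst: str) -> Optional[ipaddress.IPv4Address]:
        """Address this host ARPs for to deliver to dst; None when there is no usable path."""
        target = ipaddress.ip_address(dst)
        if target in self.network:
            return target  # on-link: deliver directly
        if self.gateway is None:
            return None
        gw = ipaddress.ip_address(self.gateway)
        return gw if gw in self.network else None  # an off-link gateway can never be ARPed


def direct(a: Host, b: Host) -> bool:
    """True when a delivers to b without involving any gateway."""
    return a.next_hop(b.ip) == ipaddress.ip_address(b.ip)


def round_trip(a: Host, b: Host) -> bool:
    """Two hosts on the same inside segment only talk if BOTH directions are direct.
    A leg that goes 'via gateway' hands the packet to the PIX, which would have to send
    it back out the inside interface it arrived on; PIX 6.3 does not do that."""
    return direct(a, b) and direct(b, a)


def explain(src: Host, dst: Host) -> str:
    hop = src.next_hop(dst.ip)
    who = f"{src.name} {src.ip}/{src.network.prefixlen}"
    if hop is None:
        return f"{who} cannot reach {dst.ip}: off-link and gateway {src.gateway} not in {src.network}"
    if direct(src, dst):
        return f"{who} reaches {dst.ip} directly"
    return f"{who} reaches {dst.ip} only via gateway {hop} (hairpin through the PIX: dropped)"


PIX = Host("pix-inside", "192.168.1.1", "255.255.0.0")
SERVER_24 = Host("server", "192.168.1.10", "255.255.255.0", "192.168.1.1")
SERVER_16 = Host("server", "192.168.1.10", "255.255.0.0", "192.168.1.1")
CLIENT_24 = Host("client", "192.168.10.10", "255.255.255.0", "192.168.1.1")  # as posted
CLIENT_16 = Host("client", "192.168.10.10", "255.255.0.0", "192.168.1.1")    # "spring to life" fix
# Needs something answering at 192.168.10.1, which the 501 in this thread cannot provide.
CLIENT_GW10 = Host("client", "192.168.10.10", "255.255.255.0", "192.168.10.1")

SCENARIOS = {
    "as posted: client /24, gw .1.1": (CLIENT_24, SERVER_24),
    "client widened to /16, server /24": (CLIENT_16, SERVER_24),
    "client and server both /16": (CLIENT_16, SERVER_16),  # works, but nothing separates them now
    "client gw 192.168.10.1": (CLIENT_GW10, SERVER_24),
}


def evaluate() -> dict:
    """Per scenario: (client can reach the PIX, client<->server traffic flows)."""
    return {label: (c.next_hop(PIX.ip) is not None, round_trip(c, s))
            for label, (c, s) in SCENARIOS.items()}


if __name__ == "__main__":
    for label, (c, s) in SCENARIOS.items():
        print(f"[{label}]\n  {explain(c, PIX)}\n  {explain(c, s)}\n  {explain(s, c)}")
```

Widening only the client's mask fixes the client-to-PIX leg but not replies from the /24 hosts, which still hand their packets to the PIX; that is why the second scenario reports the round trip as failing.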

Thanks for the replies. Looks like I need to track down whether the 501 supports vlans.

One other thing: I mis-stated one fact in my summary above (although if the 501 doesn't support vlans, it probably won't matter). The outside port on the PIX does not connect directly to the internet, it connects to another internal router over which I have no control. The PIX has an outside IP of 192.168.2.162. No machines on the 192.168.1.xxx network (or 192.168.10.xxx) need to access any resources on the 192.168.2.xxx network. When data leaves the outbound port on the PIX, it is destined for the internet. Don't know if that changes anyone's thoughts.

Well, you are going to have to see the 2.x network. They can limit you if they want on their end. Being that you are double NATting (192.168.2.x----->192.168.1.x & 10.x), I highly doubt that you are going to be able to give RDP access from the internet to your PCs, unless they have it configured that their equipment passes all port traffic to you and the 2.x network is nothing but a pass-through.

That changes things quite a bit, from doable to impossible.

According to this site, the 501 does not support any logical interfaces. So I'm down to one option now.

If I put the new client back on the 192.168.1.xxx domain (with an IP of 192.168.1.11 and a subnet mask of 255.255.255.0), what do I need to do in order to allow that client access to only the outside port, but nothing on the inside network?

  On 22/04/2010 at 16:24, gurs said:

According to this site, the 501 does not support any logical interfaces. So I'm down to one option now.

If I put the new client back on the 192.168.1.xxx domain (with an IP of 192.168.1.11 and a subnet mask of 255.255.255.0), what do I need to do in order to allow that client access to only the outside port, but nothing on the inside network?

Nothing. Your config should be set so that no one from the outside will access the inside, but the inside will access the outside.

If you edited your config with a console cable or through telnet, just put a "no" in front of the lines I put here to remove them.

example

no ip address secure_vlan 192.168.10.1 255.255.255.0

You can't with your current hardware.. For starters, you're connected to some dumb switch, are you not? It has no support for ACLs - so the only way of preventing access would be with firewalls on the other machines on the same segment to prevent the access.. Or a firewall on the PC in question preventing access to everything but the PIX.. I thought you said you wanted to allow access to everything other than some server on .10?

Also, if you're behind a double NAT like you say, with no access to that 1st router -- unless they have put your PIX's WAN IP into a DMZ or something where all traffic is forwarded to it.. which I doubt - then it would be impossible for you to set up RDP to anything behind the double NAT.

You would have to use something like teamviewer or something where an outside source is the go between for the connection.. Where the pc makes an outbound connection, etc.
