
PIX 501 QUESTIONS...what am I doing wrong here?

Anonymous
April 3, 2004 3:29:10 PM

Archived from groups: comp.security.firewalls (More info?)

All,
hey, I wouldn't normally post here but I am dead stuck. First of all,
let me tell you that I am a software developer and in no way a cisco or pix
expert. So, I apologize in advance if the questions are too simple here.
But, I have nowhere else to turn! Ok, so here goes. We got a PIX 501 to
go in our co-location facility. I spent all day trying to set it up down
there but was unsuccessful. So, I brought it home and decided to mess with
it here. I have a Cox Cable Modem connection using DHCP. Also, since I
have no desire to truly learn the CLI, I wanted to set up everything in the
PDM. Ok, get this>

I went through the simple setup wizard. I set up two interfaces:

outside: DHCP
inside: 192.168.1.1

Pretty simple right. Now, all I wanted to do was now get the bare minimum
working from the outside in. This is where I began to run into problems.
No matter what I do, no access is allowed in. Here is what I tried:

1) Just get ICMP working.
I went to the ICMP screen under administration in the PDM and added one
stinking rule. I allowed all ICMP from any outside interface IP. Pretty
simple right. Well, guess what, you couldn't ping the damn DHCP retrieved
IP address. So, figuring that maybe Cox blocked ICMP on home networks, I
decided to use the web port of 8080.

2) Get any traffic working through 8080
I have a Pix firewall book in which I followed these instructions word
for word. If you like, the PDM can display the commands that are given on
each action, so I could go down there and copy and paste the CLI commands
that are created. Anyway, here's what I did:
First of all, I set up my laptop on 192.168.1.2 and set up IIS to run
on port 8080. I verified that this worked by opening a browser to
http://192.168.1.2:8080. This did give me the default web site. And, I
know 100% that Cox doesn't block port 8080. My book told me first to
create a simple address translation rule:
Original Host/Network:
Interface: inside
IP: 192.168.1.2
Mask: 255.255.255.255
Translate address on less secured interface: outside
Translate address to: Static
IP Address: Interface IP (uses the DHCP address)
Redirect Port: yes
TCP: Original: 8080, Translated: 8080

Then, as my book discusses, I created a simple address rule:
Permit
Source: Outside
Destination: 192.168.1.2
Protocol: TCP port 8080 (for both source and destination)

I saved the configuration as described.

Guess what, you get no access then from the outside IP address which was
http://68.104.185.40:8080. No go. Now, I know I'm not stupid, but my
inability to either get ICMP working or traffic on 8080 befuddles me. I
even installed VNC and tried the same things on port 5800.

Does anyone see what is wrong here? I've set up 100 low-tech routers for home
use, but for some reason, I can't get any Inbound access working! I'm
stuck!

All Help is greatly appreciated. Sorry to bother you guys with such a
simple question, but if you go to google and type in Pix 501, you get little
help in the way of a simple setup. And, the Cisco documentation mentions
nothing of this.

Thanks.
Scott
Anonymous
April 3, 2004 5:43:53 PM

Archived from groups: comp.security.firewalls (More info?)

Guys,
I figured it out based on a cisco forum reply on dslreports.com. You
won't believe it. As it turns out, everything WAS working. I guess, when
you set up PAT and port forwarding in this way.... you can't access the
inside services FROM the INSIDE by going out to the internet. I confirmed
this by remoting to another server and attempting to open up the web site IP
and it worked. Any idea why you can type the public IP in from the inside?
http://publicIP:8080 wasn't working from the inside, but you can access it
from outside the firewall just fine. Also, if it is setup on 1 IP using
port forwarding in this way, do VPNs work ok? The real reason we got this
thing is b/c we are trying to setup a site to site VPN from a remote
location. Any problems there?
Thanks everyone
Scott

Anonymous
April 3, 2004 10:44:46 PM

Archived from groups: comp.security.firewalls (More info?)

On Sat, 3 Apr 2004 11:29:10 -0700, Scott (blndspt) spoketh


>
>Then, as my book discusses, I created a simple address rule:
> Permit
> Source: Outside
> Destination: 192.168.1.2
> Protocol: TCP port 8080 (for both source and destination)
>

This is wrong. Only destination should be 8080, source should be "any".

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
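The two points raised in this thread, Lars's correction that the access rule must not constrain the client's source port, and Scott's observation that the forwarded service cannot be reached from the inside by its public address, are both easy to see in a small model of how the PIX treats the first packet of a connection. The following is an added example written for this thread, not code from the posters or from Cisco. It models a static PAT from the outside interface address, TCP 8080, to 192.168.1.2:8080, with an access list applied inbound on the outside interface and matched against the packet before translation (the pre-8.3 PIX/ASA behaviour). The client addresses and source ports are constructed sample values; the public address is the one Scott quotes.

```python
"""Toy model of the PIX flow discussed in the thread (added example).

Assumptions, stated here because they are not in the posts: a static PAT
entry is looked up by global address and port, the outside access list is
evaluated against the untranslated packet, and traffic entering on the inside
interface is never matched against the outside interface's static or ACL.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

ANY = "any"
PortSpec = Union[int, str]   # a port number, or ANY


@dataclass(frozen=True)
class Packet:
    """First packet of a TCP connection and the interface it entered on."""
    in_iface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticPat:
    """Mirrors: static (inside,outside) tcp <global_ip> <global_port> <local_ip> <local_port>"""
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


@dataclass(frozen=True)
class AclEntry:
    """Mirrors: access-list ... permit tcp <src> [eq <src_port>] <dst> [eq <dst_port>]"""
    action: str
    src: str
    src_port: PortSpec
    dst: str
    dst_port: PortSpec

    def matches(self, pkt: Packet) -> bool:
        return (self.src in (ANY, pkt.src_ip)
                and self.src_port in (ANY, pkt.src_port)
                and self.dst in (ANY, pkt.dst_ip)
                and self.dst_port in (ANY, pkt.dst_port))


def acl_verdict(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; every access list ends in an implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


def process(pkt: Packet, statics: List[StaticPat], outside_acl: List[AclEntry],
            outside_ip: str) -> Tuple[str, str]:
    """Return (verdict, reason) for the first packet of a connection."""
    if pkt.in_iface == "inside":
        # The static and the outside ACL only act on traffic entering from outside.
        # An inside host talking to the firewall's own outside address never arrives
        # on the outside interface, so nothing redirects it to 192.168.1.2 (no hairpin).
        if pkt.dst_ip == outside_ip:
            return "drop", "inside host addressed the outside interface IP; no hairpin translation"
        return "permit", "inside to outside is allowed by default and PATed on the way out"
    xlate = next((s for s in statics
                  if s.global_ip == pkt.dst_ip and s.global_port == pkt.dst_port), None)
    if xlate is None:
        return "drop", "no static translation for this destination"
    if acl_verdict(outside_acl, pkt) != "permit":
        return "drop", "denied by the outside access list (implicit deny)"
    return "permit", f"translated to {xlate.local_ip}:{xlate.local_port}"


OUTSIDE_IP = "68.104.185.40"          # the DHCP-assigned outside address quoted in the post
STATICS = [StaticPat(OUTSIDE_IP, 8080, "192.168.1.2", 8080)]
# The rule as Scott describes it: TCP 8080 required for both source and destination.
SOURCE_PORT_ACL = [AclEntry("permit", ANY, 8080, OUTSIDE_IP, 8080)]
# Lars's correction: source "any", only the destination port is 8080.
CORRECTED_ACL = [AclEntry("permit", ANY, ANY, OUTSIDE_IP, 8080)]

# Constructed connections: a browser picks an ephemeral source port, not 8080.
REMOTE_CLIENT = Packet("outside", "203.0.113.7", 51234, OUTSIDE_IP, 8080)
INSIDE_CLIENT = Packet("inside", "192.168.1.50", 51235, OUTSIDE_IP, 8080)


def demo() -> dict:
    """Verdicts for the three situations the thread talks about."""
    return {
        "remote_with_source_port_rule": process(REMOTE_CLIENT, STATICS, SOURCE_PORT_ACL, OUTSIDE_IP)[0],
        "remote_with_corrected_rule": process(REMOTE_CLIENT, STATICS, CORRECTED_ACL, OUTSIDE_IP)[0],
        "inside_to_public_ip": process(INSIDE_CLIENT, STATICS, CORRECTED_ACL, OUTSIDE_IP)[0],
    }


if __name__ == "__main__":
    for name, pkt, acl in (("source-port rule", REMOTE_CLIENT, SOURCE_PORT_ACL),
                           ("corrected rule", REMOTE_CLIENT, CORRECTED_ACL),
                           ("inside to public IP", INSIDE_CLIENT, CORRECTED_ACL)):
        print(f"{name:20s} {pkt.src_ip}:{pkt.src_port} -> ", *process(pkt, STATICS, acl, OUTSIDE_IP))
```

Two things fall out of running it. A rule that pins the source port to 8080 only admits the rare client that happens to pick 8080 as its ephemeral port, which is why the destination port is the only one worth specifying; the source port is chosen by the remote end, so it is neither predictable nor anything a filter should rely on. And a connection from an inside host to the firewall's public address enters on the inside interface, where the outside static and ACL are never consulted, which is the behaviour Scott saw: the service answered from outside but not from inside by its public address.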