Place a server behind a PIX firewall production
Hi all
We currently have a web server that is connected to the Internet directly (multiple addressable IPs belonging to 5 different ranges of class C, with a soft firewall).
There are several Web sites, some of them with their own IP addresses, some of them sharing IPs with other sites.
We intend to put a server behind a PIX firewall and convert addressable IP addresses to private IPs with the static mapping on the PIX.
We plan use a PIX with two (2) interfaces.
You think it of feasible or are there things that I'm on?
Some things I'm not sure about:
Since there are several C class IPs assigned to the server and therefore 5 gateways defined on a NIC, one for each class, how that is defined on the PIX? 5 separate roads or...?
We need to use a kind of "virtual interfaces", one for each class C subnet?
This is an example of a "final product":
Web request to the 204.xxx.85.10 IP addressable would be directed to the private IP address: 10.xxx.85.10.
Web request to the 204.xxx.86.10 IP addressable would go to 10.xxx.86.10 etc etc.
Any help you could provide in this regard will be GREATLY apprechiated!
Hello
Please provide a topology (plain text would work). I can't tell from your description, if you have a perimeter router in front of the Pix. In addition, when you write statements of static road on the Pix, you must include an interface as follows
Route if_name IPAddress netmask gateway_ip
Once you post this information, I'll take another reading to better understand your situation.
Thank you
Tags: Cisco Security
Similar Questions
-
Enable syslog server behind the PIX
Could someone tell me a config that allows a server syslog (Kiwi syslog) to get behind the PIX syslogs. I have a 2K with the KIWI syslog server behind a PIX 501.
I have the static command, the access group and the access-list:
public static 192.104.109.92 (Interior, exterior) 192.168.15.200 netmask 255.255.255.255 0 0
Access-group local_server in external interface
local_server list access permit udp any host 192.104.109.92 eq syslog
Man, I can't understand it.
Thanks for any help
You could:
1. make a capture of port syslog traffic directed to the syslog server.
2 Terminal monitor - deny traffic showed clearly when I had not set up the firewall to forward the traffic. (Note: attention on busy firewall)
3 netstat - a on the syslog server
4. If you allow, you should be able to portscan the server on port of syslog by your firewall.
5. is your syslog capture created file? It is not created if the service never started.
6 - is the service running in the system context or perhaps another account that doesn't have the correct rights?
The answers seem to indicate a service not started that seemed likely. What you describe happened to me when I had the demon also version; I went to service version and the problem has been resolved (once I opened the port.)
I love the kiwi syslog. I use with Snare and BacklogIIS and receive alerts within 60 seconds to my mailbox when something bad happens. It always fools of my end users out when I call them with the problem solved when they seek always my number report the problem.
-
How to configure to allow users in my web server behind a PIX 501
I have 1 web server, 4 web hosting sites. IP addresses are like:
the area of the web server itself: 192.168.111.11
1 web site on this box has IP 192.168.111.101
2nd ............................................ 192.168.111.102
3rd ............................................. 192.168.111.103
4th ............................................. 192.168.111.104
My OUTSIDE interface (say) 205.200.20.5
My INSIDE interface has 192.168.111.1
I want to leave the outside web traffic in my web server box that hosts 4 sites. I only let people with HTTP and HTTPS.
How should I do and for purposes of flexibility, say also tomorrow I want to host my site on a different web server #3 but always with the same IP address, can I selectively route certain web traffic to the boxes in different web server?
Also, I want to open another port, say, 8080 for administrative purposes. Can I route HTTP or HTTPS, addressed to some port # to the Web server also?
You will need to create static port mapped, but if you have only the external IP address a people can connect to, they will need to connect to a specific port in the URL to differentiate which internal web server, they really want to go.
For example:
> static (inside, outside) tcp 205.200.20.5 80 192.168.111.101 80 netmask 255.255.255.255
> static (inside, outside) tcp 205.200.20.5 81 192.168.111.102 80 netmask 255.255.255.255
> static (inside, outside) tcp 205.200.20.5 82 192.168.111.103 80 netmask 255.255.255.255
> static (inside, outside) tcp 205.200.20.5 80 83 192.168.111.104 netmask 255.255.255.255
maps of connections to 205.200.20.5 on port 80 through to port 80 on 192.168.111.101. Connections inbound to port 81 will be mapped through to port 80 on 192.168.111.102. Connections incoming on port 82 will be mapped through to port 80 on 192.168.111.103 and so on.
You cannot map just all incoming traffic on port 80 to 4 different internal web servers, cause how the PIX will know which send traffic to.
To allow access, as well as the static shown bove, you must:
> list of allowed inbound tcp access any host 205.200.20.5 eq 80
> list of allowed inbound tcp access any host 205.200.20.5 eq 81
> list of allowed inbound tcp access any host 205.200.20.5 eq 82
> list of allowed inbound tcp access any host 205.200.20.5 eq 83
> list of allowed inbound tcp access any host 205.200.20.5 eq 443
> interface entering outside acess group
HTTPS is also going to be a problem, to do the same on HTTP, you need to use different ports to differentiate what specific internal web server that you want to that they go (and allow these ports in your "incoming" ACL above).
To port 8080, just follow these steps:
> static (inside, outside) 205.200.20.5 tcp 8080 192.168.111.10x 8080 netmask 255.255.255.255
> list of allowed inbound tcp access any host 205.200.20.5 port 8080
As you can probably guess, this won't work very well if you have only one external IP address, because users will not know to specify a specific port number so that they get through an internal host specific. You may have a single external address for each web server internal to this work in reality.
-
Allowing L2TP to pass through PIX Firewall
Hi all
Can someone help me on how to allow inbound l2tp connection on a pix? Behind the pix firewall, there is an ISA server as a vpn l2tp server. I can't allow l2tp on the pix.
Thank you very much!
Please use this doc as a guide-
Jon
-
Ports from Site to site behind another PIX
Have a client who we are going to set up a site to site VPN. The remote site is behind another PIX firewall that has private inside IP addresses. Next to the static nat, which ports must be open in order to make a site to site?
If the VPN tunnel ends on PIX - B, then PIX - A must be opened for the following ports (in two senses - incoming and outgoing).
-The ESP protocol (that's the protocol 50)
-Port UDP 500
-UDP 4500 port
Thus, orders ACLs on PIX - A will be:
outside_ACL udp IP_of_SiteA-PIX IP_of_PIX-B eq 500 allowed access list
outside_ACL list of permitted access eq of IP_of_PIX from IP_of_SiteA-PIX-B udp 4500
outside_ACL list of permitted access esp IP_of_SiteA-PIX-IP_of_PIX-B
That should do the trick.
-
Cannot access the VPN server located behind the corporate firewall.
The VPN server was created by myself, in my Department. I can access the server from anywhere when I am in my business network. When I'm at home, I can't even ping the VPN server WAN interface. When I try to connect via the cisco VPN client, I get the message ' reason 412: peer remote not responding. "
The main my company firewall blocks external traffic?
Should I change anything in the VPN server?
I heard about port forwarding, but have no knowledge about this. Port forwarding is done on the VPN server or the main firewall?
Also should I go and ask the company system administrator to enable certain ports for the public IP address that I use for my server?
I hope you can help
Concerning
Yes, quite correct. Please open ESP protocol UDP/500 and UDP/4500 for IPSec VPN.
-
The VPN client VPN connection behind other PIX PIX
I have the following problem:
I wanted to establish the VPN connection the client VPN to PIX on GPRS / 3G, but I didn t have a bit of luck with PIX IOS version 6.2 (2).
So I upgraded PIX to 6.3 (4) to use NAT - T and VPN client to version 4.0.5
I have configured PIX with NAT-T(isakmp nat-traversal 20), but I still had a chance, he would not go through the 1st phase. As soon as I took nat-traversal isakmp off he started working, and we can connect to our servers.
Now, I want to connect to the VPN client behind PIX to our customer PIX network. VPN connection implements without problem, but we can not access the servers. If I configure NAT - T on the two PIX, or only on the customer PIX or only on our PIX, no VPN connection at all.
If I have to connect VPN client behind PIX to the customer's network and you try to PING DNS server for example, on our PIX, I have following error:
305006: failed to create of portmap for domestic 50 CBC protocol translation: dst outside:194.x.x.x 10.10.1.x
194.x.x.x is our customer s address IP PIX
I understand that somewhere access list is missing, but I can not understand.
Of course, I can configure VPN site to site, but we have few customers and take us over their servers, so it'd just connect behind PIX VPN and client connection s server, instead of the first dial-in and then establish a VPN connection.
Can you please help me?
Thank you in advan
The following is extracted from ASK THE DISCUSSION FORUM of EXPERTS with Glenn Fullage of Cisco.
I've cut and pasted here for you to read, I think that the problem mentioned below:
Question:
Hi Glenn,.
Following is possible?
I have the vpn client on my PC, my LAN is protected by a pix. I can launch the vpn client to connect to remote pix. Authenticates the vpn client and the remote pix makes my PC with the assigned ip appropriate to its pool of ip address.
The problem that I am facing is that I can not anything across the pix remote ping from my PC which is behind my pix. Can you please guide me what I have to do to make this work, if it is possible?
My PC has a static ip address assigned with the default gateway appropriate pointing to my s pix inside interface.
Thank you very much for any help provided in advance.
Response from Glenn:
First of all, make sure that the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine, but then breaks when put behind a PIX, it is probably that the PIX is PAT, which usually breaks IPSec. Add the following command on your PIX VPN client is behind:
fixup protocol esp-ike
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for more details.
If it still has issues, you can turn on NAT - T on the remote PIX that ends the VPN, the client and the remote PIX must encapsulate then all IPSec in UDP packets that your PIX will be able to PA correctly. Add the following command on the remote PIX:
ISAKMP nat-traversal
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.
NAT - T is a standard for the encapsulation of the UDP packets inot IETF IPSec packets.
ESP IPSec (Protocol that use your encrypted data packets) is an IP Protocol, it is located just above IP, rather than being a TCP or UDP protocol. For this reason, it has no TCP/UDP port number.
A lot of features that make the translation of address of Port (PAT) rely on a single to PAT TCP/UDP source port number ' ing. Because all traffic is PAT would be at the same source address, must be certain uniqueness to each of its sessions, and most devices use the port number TCP/UDP source for this. Because IPSec doesn't have one, many features PAT fail to PAT it properly or at all, and the data transfer fails.
NAT - T is enabled on both devices of the range, they will determine during the construction of the tunnel there is a PAT/NAT device between them, and if they detect that there is, they automatically encapsulate every IPSec packets in UDP packets with a port number of 4500. Because there is now a port number, PAT devices are able to PAT it correctly and the traffic goes normally.
Hope that helps.
-
Hello
I'm without a firewall PIX 7.0 to 6.3 decommissioning. I faced the problem during the restart of the PIX.
The error given below,
Start the first image in flash
Image must be at least 7-0-0-0 error in the flash file: / pix635.bin
No bootable Flash image. Please download an image from a network server
in monitor mode
CISCO PIX FIREWALL SYSTEMS
BIOS version shipped 4.3.207 01/02/02 16:12:22.73
Compiled by Manu
128 MB OF RAM
Did you follow the exact downgrade procedure indicated on this link... you point the image as shown 6.3.x
downgrade tftp://tftpserverip/pix63x.bin
PIX downgrade procedure 7.x to 6.3.x
http://www.Cisco.com/en/us/docs/security/ASA/asa70/pix_upgrade/upgrade/guide/pixupgrd.html#wp1810347
in any case, you can always redownload the 6.3.5 new code in monitor mode.
Let us know how it works.
Rgds
Jorge
-
How to limit the ICMP on the PIX firewall.
Guys good day!
I have a dilemma with regard to limiting ICMP users browsing to other networks such as other demilitarized interns.
I know that, to allow ICMP to pass through interfaces, you will need to create an ACL such as below:
access-list DMZACL allow icmp a whole
Users require this config ping a server on the DMZ, but it is a security risk.
To minimize, I have a group of objects created in order to identify hosts and networks is allowed to have access to the echo-replies.
Again, this is a problem since many host who extended pings just to monitor the connectivity server and its application.
Do you have other ideas guys?
As to limiting the echo answers on the PIX. As first 5 echo request succeed with 5 echo-replies and the rest would be removed.
This could be done?
Thank you
Chris
Hello.. I don't think you can do this by using an ACL on the PIX, however, you might be able to stop the ICMP sweeps by activating CODES signatures using the check ip command you... For more information see the link below
Guidelines of use Cisco Intrusion Detection System (IDS Cisco) provides the following for IP-based systems:
? Audit of traffic. The application of signatures will be audited only as part of an active session.
? Apply to the verification of an interface.
? Supports different auditing policies. Traffic that matches a signature triggers a range of configurable
actions.
? Disables signature verification.
? Always turns the shares of a class of signature and allows IDS (information, attack).
The audit is performed by looking at IP packets to their arrival at an input interface, if a packet triggers
a signature and the action configured does not have the package, and then the same package may trigger another
signatures.
Firewall PIX supports inbound and outbound audit.
For a complete list signatures of Cisco IDS supported, their wording and whether they are attacking or
informational messages, see Messages in Log System Cisco PIX Firewall.
See the User Guide for the Cisco Secure Intrusion Detection System Version 2.2.1 for more information
on each signature. You can view the? NSDB and Signatures? Chapter of this guide at the following
website:
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids1/csidsug/SIGs.htm
-
I have configured the aaa authentication in the pix firewall to see the ACS RADIUS Server for verification of the user. If the ACS server becomes unavailable, then I could not connet the pix firewall.
In the router, I have the configuration option
AAA authentication login default group Ganymede + local
that tells the router first looking for a radius server and if is not available connect through the local database.
Is there an option in the Cisco pix firewall to connect using local information if ACS is not available?
Thanks in advance
Hello
PIX back up method to entered the unit in the event of server failure aaa works on 6.3.4 code and above. In the codes plus late 6.3.4 If the RADIUS server fails it is impossible to get in unless password recovery. "However if we have not configured for console aaa authentication than user name: pix and password: cisco" works by default.
Kind regards
Mahmoud Singh
-
I have two servers, one in pix inside and the other in the demilitarized zone. I wanted to set them up so that they can communicate with routers and switches
Located outside the pix firewall.
My inner Server works fine, able to go Internet and able to comminicate with all devices located outside the Pix Firewall. Here is reference configuration
of insideserver.
outside_acl list extended access allowed host x.223.188.0 255.255.255.0 172.28.32.50 ip
outside_acl list extended access permit ip host host x.219.212.217 172.28.32.50
access-list extended sheep permit ip host 172.28.32.50 host x.219.212.217
access-list extended sheep permit ip host 172.28.32.50 x.223.188.0 255.255.255.0
inside_acl list extended access permit ip host 172.28.32.50 all
But my DMZ server does not work. However, I made the same configuration with respect to the server on the inside. Not able to communicate with outside DMZ server
network.
outside_acl list extended access allowed host x.223.188.0 255.255.255.0 172.28.92.72 ip
outside_acl list extended access permit ip host host x.219.212.217 172.28.92.72
access-list extended sheep permit ip host 172.28.92.72 host x.219.212.217
access-list extended sheep permit ip host 172.28.92.72 x.223.188.0 255.255.255.0
dmz_acl list extended access permit ip host 172.28.92.72 all
If I create a static entry for your DMZ SNMP server.
static (edn, external) 172.28.92.72 172.28.92.72 netmask 255.255.255.255
He starts to communicate with external devices, but stops Internet run on this server. same configuration
works with the server on the inside, but not with dmz server.
NAT (inside) 0 access-list sheep
NAT (inside) 3 172.28.32.0 255.255.255.0
NAT (dmz) 3 172.28.92.0 255.255.255.0
Global interface 3 (external)
Your static entry is bypassing your nat (dmz) 3 entry. You can do NAT exemption instead, as you do to your home
1. remove the static entry (followed by clear xlate)
Add - nat 0 access-list sheep (dmz)
I suggest to use two acl different sheep, one for each interface.
Ex: nonat_inside
nonat_dmz
-
Hi guys, I noticed that there is a document on the setting of the Cisco routers on cisco.com
Is there than a best practices similar document type for Secure PIX firewall? or even a general firewall best practices guides?
I searched, but did not really find anything. Any help would be great!
Hi Nathan,
So far, there is no specific doc, but you can get the idea of documentation PIX / ASA itself. This is probably due to the nature 'trust' of the firewall itself (everybody knows that it was not 100% sure).
Anyway, there is a document on "Best practices of firewall" at http://www.principlelogic.com.
Others are:
http://www.Security.FSU.edu/firewall.cfm
http://SearchSecurity.TechTarget.com/originalContent/0, 289142, sid14_gci838230, 00.html
Personally, I think the recommendations are very good and can be applied generally to fix most of the firewall products.
I hope this helps.
Rgds,
AK
WARNING: -.
The post above is not intended to promote the services/tools/products on behalf of a person or organizations. This is simply about & information sharing.
-
HELP: Activation server determined that the specified product key has been blocked
I did a complete reset of my ENVY 17 laptop and now whenever I try to re-activate Windows 8 Pro that I reinstalled using the USB recovery, I get error:
Code: 0xC004C003
Description: The activation server determined that the specified product key has been blocked.
I have Microsoft Suppot had called and were told to contact HP (manufacturer of my pc. Someone at - he met sam and how wa it is resolved?
Thank you
Rico.
Solved! HP technical support took care of me Thank you so much.
-
the activation server determined that the specified product key cannot be used to 0xC004C008
Hello
I'm running a server KMS on Windows server 2012 R2 and I have enabled more than 300 PC and servers.
But for some reason, can no longer trigger the new PCs and servers. They get 0xc004c008 the activation server determined that the specified product key cannot be used.
Nothing has changed on the KMS server and I do not see where the KMS host key could be used outside of the host itself.
All ideas
Hello
Post your question in the TechNet Server Forums, as your question kindly is beyond the scope of these Forums.
http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer
See you soon.
-
Access list ID # on a PIX firewall
Is anyone know what of the identifier access list on a pix firewall?
Standard IOS = 1-99
Extended IOS is 100-199.
SW = PIX?
There is no "limit" by Word to say in the Pix. These limits are in IOS because they define what 'type' of acl, it's IE APPLETALK, IPX, IP etc etc. Pix IP is therefore not necessary for this type of identification.
access-list 100000000000000; 1 items
allow line of the access list 1 100000000000000 ip any a (hitcnt = 0)
Jason
Maybe you are looking for
-
list of bookmarks in the toolbar "" on the left
I had to reset firefox due to a pop message – persistent up requires me to connect to Yahoo every time. In the process, my favorite sidebar has disappeared. My Favorites are still there, but I can't find any way to display permanently in a sidebar. I
-
I can't have my admin since Firefox Panel
http://www.easy2resolve.com/ , it comes to my web site, I can not connect to its Board of Directors of mozilla, when I enter my password and user name, show, as its not valid. But I can log in the Admin Panel with the same user name and password of c
-
write the size of measurement files
Hello I save a lot of data in my controller and you want to write to a file measure tdms format. the problem is that the files are very large, if I use the "write to file measure" - on purpose - vi. If I use the 'writing TDMS' - function instead, the
-
password necessary to restart computer.dont know the password
need password to restart my computer. Help
-
whenever I start my pc it automatically opens the disc clean up, I don't want that. How to stop this scheduled task? Ive tried to delete, but I don't think that it wrks. It appears again on the performance of the tasks. I actually put it to daily nd