Mailing List Archive

Pix config help
Hi there,

I'm struggling with a Pix configuration issue which has really got me
scratching my head.

It seems quite basic, but I've so far got to the end of my troubleshooting.

The Inside interface of the Pix has the network 192.168.70.0/24. The
outside interface has the network 192.168.70.0/24. The next hop from the
Pix on the outside is 192.168.71.1 (the Pix is at 192.168.71.2). The
next hop is a 2811.
On the 2811, I have ACLs set up to allow connection to a machine on the
inside interface of the Pix (192.168.71.5). If I attempt to connect from
a machine allowed through on the ACL, this works.

I've also allowed some machines from another internal network (but
beyond the outside interface on the Pix) (for instance, 192.168.50.3)
via an ACL to connect to 192.168.71.5. To the best of my problem solving
skills, these are being allowed but aren't actually connecting. And this
is the bit I'm struggling with. If, for instance, I attempt to RDP
through, then it's logged at both the 2811 and the Pix as being allowed
(so far as I can see):

From the Pix:
302013: Built inbound TCP connection 7972 for outside:192.168.50.3/4992 (192.168.50.3/4992) to inside:192.168.70.5/3389 (192.168.71.5/3389)
From the 2811:
Apr 14 15:16:58 62.49.229.217 568: 000564: Apr 14 15:16:57: %SEC-6-IPACCESSLOGP: list 122 permitted tcp 192.168.50.3(4995) -> 192.168.71.5(3389), 1 packet

For what it's worth, though, the Pix, immediately after logging the
connection being built, doesn't show it in the show conn output. With the
static output listed in the config below, it's always got the relevant
info in the xlate.

So, to my understanding, this should work. I think I've ruled out the
machine as I can connect in from beyond the outside interface of the
2811. Similarly, the config rules which allow that connection exactly
mirror that which I'm attempting to use for 192.168.50.3. So what am I
doing wrong? I've put the relevant bits of the config here:


Pix bits:
access-list serverout permit tcp host [machine beyond the outside interface of 2811] host 192.168.71.5
access-list serverout permit tcp host 192.168.50.3 host 192.168.71.5
ip address outside 192.168.71.1 255.255.255.0
ip address inside 192.168.70.1 255.255.255.0
static (inside,outside) 192.168.71.5 192.168.70.5 netmask 255.255.255.255 0 0
access-group serverout in interface outside

Bits from the 2811:
Extended IP access list 122
    25 permit ip host 192.168.50.3 host 192.168.71.5 log (6 matches)
    30 permit ip host [machine beyond outside interface of the 2811] host 192.168.71.5 log (1029 matches)
    310 deny ip any any log (69 matches)

So - any thoughts anyone?

Gary

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
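Added example (editor's note, not part of Gary's post or any reply): a 302013 "Built" message only proves the PIX accepted the SYN and created the conn. If the conn then vanishes from "show conn", the matching 302014 "Teardown" message carries the reason and byte count, and that is the first thing to read before touching ACLs or NAT. The script below pairs Built and Teardown lines by connection id and flags conns that died with zero bytes and a "SYN Timeout" reason, which is what the PIX logs when it forwarded the SYN but never saw the three-way handshake complete (typically because the reply never came back through the firewall). The sample log is constructed: the first line is Gary's own 302013 message, the rest are assumed lines in the documented 302013/302014 format, with 203.0.113.10 as a placeholder source and 7973/7974 as made-up connection ids.

```python
"""Pair PIX 302013 (Built) / 302014 (Teardown) TCP messages by connection id
and report conns whose handshake never completed.  Added example; the log
lines below are constructed, not taken from a live device."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample.  Line 1 is the 302013 message quoted in the post;
# the others are assumed follow-ups in the standard PIX message format.
SAMPLE_LOG = """\
302013: Built inbound TCP connection 7972 for outside:192.168.50.3/4992 (192.168.50.3/4992) to inside:192.168.70.5/3389 (192.168.71.5/3389)
%PIX-6-302014: Teardown TCP connection 7972 for outside:192.168.50.3/4992 to inside:192.168.70.5/3389 duration 0:00:30 bytes 0 SYN Timeout
%PIX-6-302013: Built inbound TCP connection 7973 for outside:203.0.113.10/51000 (203.0.113.10/51000) to inside:192.168.70.5/3389 (192.168.71.5/3389)
%PIX-6-302014: Teardown TCP connection 7973 for outside:203.0.113.10/51000 to inside:192.168.70.5/3389 duration 0:12:05 bytes 845312 TCP FINs
%PIX-6-302013: Built inbound TCP connection 7974 for outside:203.0.113.10/51001 (203.0.113.10/51001) to inside:192.168.70.5/3389 (192.168.71.5/3389)
"""

# 302013: "... for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)"
BUILT_RE = re.compile(
    r"302013: Built (?P<direction>inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\((?P<mapped>[\d.]+)/(?P<mport>\d+)\)"
)
# 302014: "... duration h:mm:ss bytes N <reason>"
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<cid>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<nbytes>\d+) (?P<reason>.+?)\s*$"
)


@dataclass
class Conn:
    cid: int
    src: str          # real source address
    dst: str          # real (inside) destination address
    mapped: str       # translated destination address the outside saw
    dport: int
    nbytes: Optional[int] = None
    duration: Optional[str] = None
    reason: Optional[str] = None   # None while the conn is still open

    def handshake_failed(self) -> bool:
        """Built, then torn down with no payload and a SYN Timeout: the PIX
        never saw the handshake finish, so no return path through it."""
        return (self.reason is not None
                and self.nbytes == 0
                and "SYN Timeout" in self.reason)


def parse_pix_log(text: str) -> Dict[int, Conn]:
    """Index every TCP conn seen in the log by connection id."""
    conns: Dict[int, Conn] = {}
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            cid = int(m["cid"])
            conns[cid] = Conn(cid=cid, src=m["src"], dst=m["dst"],
                              mapped=m["mapped"], dport=int(m["dport"]))
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            cid = int(m["cid"])
            c = conns.get(cid)
            if c is None:
                # Teardown without a Built (log started late): keep what we have.
                c = conns[cid] = Conn(cid=cid, src=m["src"], dst=m["dst"],
                                      mapped="?", dport=int(m["dport"]))
            c.nbytes = int(m["nbytes"])
            c.duration = m["duration"]
            c.reason = m["reason"]
    return conns


def failed_handshakes(conns: Dict[int, Conn]) -> List[Conn]:
    """Conns that were accepted by ACL/NAT but never completed the handshake."""
    return [c for c in conns.values() if c.handshake_failed()]


def still_open(conns: Dict[int, Conn]) -> List[Conn]:
    """Conns with no Teardown yet; these are what 'show conn' should list."""
    return [c for c in conns.values() if c.reason is None]


if __name__ == "__main__":
    conns = parse_pix_log(SAMPLE_LOG)
    for c in failed_handshakes(conns):
        print(f"conn {c.cid} {c.src} -> {c.mapped} (real {c.dst}):{c.dport} "
              f"torn down after {c.duration}, {c.reason}, {c.nbytes} bytes")
    for c in still_open(conns):
        print(f"conn {c.cid} {c.src} -> {c.dst}:{c.dport} still open")
```

A conn flagged this way was permitted by the access-list and translated by the static, so neither is the place to keep looking; what is missing is the SYN-ACK coming back through the PIX, which points at the inside host's routing or at the return path rather than at the firewall policy.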
Re: Pix config help
--- On Sat, 4/14/12, Gary Smith <lists@l33t-d00d.co.uk> wrote:

> From: Gary Smith <lists@l33t-d00d.co.uk>
> Subject: [c-nsp] Pix config help
> To: cisco-nsp@puck.nether.net
> Date: Saturday, April 14, 2012, 8:22 AM
> Hi there,
>
> I'm struggling with a Pix configuration issue which has
> really got me scratching my head.
>
> It seems quite basic, but I've so far got to the end of my
> troubleshooting.
>
> The Inside interface of the Pix has the network
> 192.168.70.0/24. The outside interface has the network
> 192.168.70.0/24. The next hop from the Pix on the outside is
> 192.168.71.1 (the Pix is at 192.168.71.2). The next hop is a
> 2811.
> On the 2811, I have ACLs set up to allow connection to a
> machine on the inside interface of the Pix (192.168.71.5).
> If I attempt to connect from a machine allowed through on
> the ACL, this works.
>
> I've also allowed some machines from another internal
> network (but beyond the outside interface on the Pix) (for
> instance, 192.168.50.3) via an ACL to connect to
> 192.168.71.5. To the best of my problem solving skills,
> these are being allowed but aren't actually connecting. And
> this is the bit I'm struggling with. If, for instance, I
> attempt to RDP through, then it's logged at both the 2811
> and the Pix as being allowed (so far as I can see):
>
> From the Pix:
> 302013: Built inbound TCP connection 7972 for
> outside:192.168.50.3/4992 (192.168.50.3/4992) to
> inside:192.168.70.5/3389 (192.168.71.5/3389)
> From the 2811:
> Apr 14 15:16:58 62.49.229.217 568: 000564: Apr 14 15:16:57:
> %SEC-6-IPACCESSLOGP: list 122 permitted tcp
> 192.168.50.3(4995) -> 192.168.71.5(3389), 1 packet
>
> For what it's worth, though, the Pix, immediately after
> logging the connection being built doesn't show it in the
> show conn output. With the static output listed in the
> config below, it's always got the relevant info in the
> xlate.
>
> So, to my understanding, this should work. I think I've
> ruled out the machine as I can connect in from beyond the
> outside interface of the 2811. Similarly, the config rules
> which allow that connection exactly mirror that which I'm
> attempting to use for 192.168.50.3. So what am I doing
> wrong? I've put the relevant bits of the config here:
>
>
> Pix bits:
> access-list serverout permit tcp host [machine beyond the
> outside interface of 2811] host 192.168.71.5
> access-list serverout permit tcp host 192.168.50.3 host
> 192.168.71.5
> ip address outside 192.168.71.1 255.255.255.0
> ip address inside 192.168.70.1 255.255.255.0
> static (inside,outside) 192.168.71.5 192.168.70.5 netmask
> 255.255.255.255 0 0
> access-group serverout in interface outside
>
> Bits from the 2811:
> Extended IP access list 122
>     25 permit ip host 192.168.50.3 host
> 192.168.71.5 log (6 matches)
>     30 permit ip host [machine beyond outside
> interface of the 2811] host 192.168.71.5 log (1029 matches)
>     310 deny ip any any log (69 matches)
>
> So - any thoughts anyone?
>
> Gary

Why am I thinking application inspection is the issue here?

Have you tried -

fixup protocol rdp 3389?

./Randy
