Cisco Pix Firewall Entries, confused!

Jul 31, 2001
Good Afternoon.

I have a problem with a Cisco PIX 506 firewall. This will be a long story. I am trying to install this firewall for a friend and did not do all the original setup of his server.
-----------------------------------------------------------
The current configuration of the network is one Dell Server with two NIC cards:
The external NIC has three addresses:
*.*.*.21 for web pages
*.*.*.20 for mail pages
*.*.*.18 for DNS
We are servicing several web pages with all the addresses
pointing to *.*.*.18
The Dell server has three internal addresses of
192.168.1.101 – this is the only real address anyone uses.
192.168.1.102
192.168.1.103
----------------------------------------------------------
Once I added the PIX 506E, I disabled the external NIC card on the server and added the following statements to the CLI on the PIX:
access-list 100 permit tcp any host *.*.*.21 eq www
access-list 100 permit tcp any host *.*.*.21 eq https
access-list 100 permit tcp any host *.*.*.21 eq nntp
access-list 100 permit tcp any host *.*.*.21 eq ftp
access-list 100 permit tcp any host *.*.*.21 eq ftp-data
access-list 100 permit tcp any host *.*.*.20 eq smtp
access-list 100 permit tcp any host *.*.*.20 eq pop3
access-list 100 permit tcp any host *.*.*.20 eq imap4
access-group 100 in interface outside
static (inside,outside) *.*.*.20 192.168.1.102 netmask 255.255.255.255 0 0
static (inside,outside) *.*.*.21 192.168.1.101 netmask 255.255.255.255 0 0

Everyone on the internal network can get out to the internet just fine. No one can send mail in or see the web pages.

I am confused on what I need to do to fix this problem.
Please help.

Thanks
 
Looks fine to me. Would you collect some debugs? I would suggest a "debug packet" or a "debug access-list all". Be aware that the debug could generate amazing quantities of output lines, but I assume you have a restricted environment.
 
When you disabled the external NIC on the Dell server (the one that would have had a default route to the internet), did you then add a new default route on the server via the internal IP of the PIX? If not then the traffic from the internet would get passed through the PIX to the server but the server wouldn't have a route back.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Chris, do you have an example of that? I am not sure how to accomplish that?

Thanks
Joe
 
In the TCP/IP properties of the network card on the server, you enter a default gateway for your network. In this case it will be the address of the PIX internal IP address.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Thanks Chris, I did enter the 192.168.1.1 address for the Cisco as the internal, and the same as the gateway address on the card. The Dell can see the outside world if I open up IE.

It appears that the problem might be in the DNS, since I am serving the DNS entries from the Dell?
 
Do you mean that you are running DNS on the Dell that is authoritative for your domain? If so then your PIX isn't allowing anyone from the outside to query your DNS server. You are blocking port 53.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Chris, I did not do the original setup, but I believe you might be correct, since all of our web sites on nslookup point to the *.*.*.18 address, and within the DNS there is a host entry for *.*.*.21 and a mail entry for *.*.*.20 on the DNS server.

What is port 53?
 
Port 53 (UDP) is the port that a DNS resolver uses to resolve DNS. So, if your server is authoritative for your domain and I want to send you an e-mail, then my mail server would have to do a DNS lookup on your domain to resolve the mail record. It would send a DNS query to your server on port UDP 53. At the moment this is blocked by your firewall.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Try adding this to your PIX.

access-list 100 permit udp any host *.*.*.20 eq domain
access-list 100 permit tcp any host *.*.*.20 eq domain

-Bad Dos
 
I think you should also map a DNS static entry:

static (inside,outside) *.*.*.18 192.168.1.101 netmask 255.255.255.255 0 0

I agree with baddos, open tcp and udp for port 53.

D.
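As an added example (not posted by anyone in this thread), here is a small Python audit that parses the three PIX statement types used above (access-list permits, access-group, one-to-one statics) and reports the inconsistencies the thread circles around: a public address with permits but no static, a static nobody can reach because nothing permits it, one inside host mapped by two statics, and a service the server is supposed to offer (DNS on UDP and TCP 53) that the access-list does not allow. The masked prefix *.*.* is replaced by the documentation range 203.0.113 as a placeholder, and the CONSISTENT variant assumes the DNS service is bound to 192.168.1.103, which the thread does not state.

```python
import re
from collections import defaultdict

# Constructed input: the original poster's PIX lines, public prefix replaced by a placeholder.
ORIGINAL = """\
access-list 100 permit tcp any host 203.0.113.21 eq www
access-list 100 permit tcp any host 203.0.113.21 eq https
access-list 100 permit tcp any host 203.0.113.21 eq nntp
access-list 100 permit tcp any host 203.0.113.21 eq ftp
access-list 100 permit tcp any host 203.0.113.21 eq ftp-data
access-list 100 permit tcp any host 203.0.113.20 eq smtp
access-list 100 permit tcp any host 203.0.113.20 eq pop3
access-list 100 permit tcp any host 203.0.113.20 eq imap4
access-group 100 in interface outside
static (inside,outside) 203.0.113.20 192.168.1.102 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.21 192.168.1.101 netmask 255.255.255.255 0 0
"""

# Constructed: the two replies' suggestions taken literally (DNS permits to .20, static .18 -> .101).
PATCHED = ORIGINAL + """\
access-list 100 permit udp any host 203.0.113.20 eq domain
access-list 100 permit tcp any host 203.0.113.20 eq domain
static (inside,outside) 203.0.113.18 192.168.1.101 netmask 255.255.255.255 0 0
"""

# Constructed: a variant where DNS permits and the static agree on .18 (assumes DNS lives on .103).
CONSISTENT = ORIGINAL + """\
access-list 100 permit udp any host 203.0.113.18 eq domain
access-list 100 permit tcp any host 203.0.113.18 eq domain
static (inside,outside) 203.0.113.18 192.168.1.103 netmask 255.255.255.255 0 0
"""

# What the thread says the DNS host must answer: port 53 over UDP and TCP.
EXPECTED = {"203.0.113.18": {("udp", "domain"), ("tcp", "domain")}}

ACL_RE = re.compile(r"^access-list\s+(?P<acl>\S+)\s+permit\s+(?P<proto>tcp|udp)\s+any\s+host\s+"
                    r"(?P<host>\S+)\s+eq\s+(?P<port>\S+)\s*$")
GROUP_RE = re.compile(r"^access-group\s+(?P<acl>\S+)\s+in\s+interface\s+(?P<iface>\S+)\s*$")
STATIC_RE = re.compile(r"^static\s+\(inside,outside\)\s+(?P<public>\S+)\s+(?P<inside>\S+)\s+"
                       r"netmask\s+255\.255\.255\.255\b")


def parse_config(text):
    """Extract permits, access-group bindings and one-to-one statics from a PIX config dump."""
    permits, groups, statics = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            permits.append((m["acl"], m["proto"], m["host"], m["port"]))
        elif m := GROUP_RE.match(line):
            groups.append((m["acl"], m["iface"]))
        elif m := STATIC_RE.match(line):
            statics.append((m["public"], m["inside"]))
    return permits, groups, statics


def audit(text, expected=None):
    """Return a list of findings; an empty list means the pieces agree with each other."""
    permits, groups, statics = parse_config(text)
    expected = expected or {}
    findings = []

    # A permit only matters once its access-list is bound inbound on the outside interface.
    applied = {acl for acl, iface in groups if iface == "outside"}
    for acl in sorted({p[0] for p in permits} - applied):
        findings.append(f"access-list {acl} is never applied inbound on the outside interface")

    permitted = defaultdict(set)  # public host -> {(proto, port)} actually allowed in
    for acl, proto, host, port in permits:
        if acl in applied:
            permitted[host].add((proto, port))

    public_to_inside = dict(statics)
    for public, inside in statics:
        if public not in permitted:
            findings.append(f"static {public} -> {inside} has no inbound permit, so it is unreachable")
    for host in sorted(permitted):
        if host not in public_to_inside:
            findings.append(f"permits for {host} exist but no static translates it to an inside host")

    # One-to-one statics must not claim the same inside host twice.
    by_inside = defaultdict(list)
    for public, inside in statics:
        by_inside[inside].append(public)
    for inside, publics in by_inside.items():
        if len(publics) > 1:
            findings.append(f"inside {inside} is mapped by more than one static: {', '.join(publics)}")

    # Services the server is meant to offer must be both translated and permitted.
    for host, services in expected.items():
        if host not in public_to_inside:
            findings.append(f"{host}: expected services listed but no static translates it")
        for proto, port in sorted(services - permitted[host]):
            findings.append(f"{host}: expected {proto}/{port} is not permitted")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("patched", PATCHED), ("consistent", CONSISTENT)):
        print(f"== {name} ==")
        for finding in audit(cfg, EXPECTED) or ["no findings"]:
            print("  " + finding)
```

Run against the original lines it reports only that nothing translates or permits the DNS address; run against the two suggestions taken literally it shows why the permits and the static have to name the same public address, and why a second static on 192.168.1.101 does not fit beside the existing one for *.*.*.21.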
 