forwarding packets from external to internal interfaces

a00590733 (IS-IT--Management, CA), Mar 28, 2006
We just got a PIX and have been running into some problems.

We have an external network (192.168.75.0/24), with the PIX's external interface set up as 192.168.75.222.

The internal network is set up as 192.168.1.0/24, with the PIX's internal interface IP being 192.168.1.3.

We are trying to simulate attacks on the internal network from the external one.

We are attacking from 192.168.75.1[EXTERNAL] -> [192.168.75.222]pix[192.168.1.3] -> 192.168.1.10[internal]

but we cannot detect any packets on the internal 192.168.1.10. We are using Ethereal, also in promiscuous mode, and can't detect anything.

Any suggestions? Right now we are using the GUI interface, but can't figure much out about the problem.

thanks
 
Out of the box, the default configuration for access control is to deny all packets from outside to inside.

Use the 'show access-group' command in command-line mode to verify which access group, if any, has been applied to the outside interface. If none, the default action is to deny all access. You will therefore need to add an outside ACL and apply it to the outside interface if you wish to permit certain applications through.
 
Yeah, we have set up 2 separate groups and tried something simple to allow all ICMP packets through, yet nothing is making it through. I have been reading documentation on the Cisco site, but nothing yet. We can ping the PIX on external, and also ping the internal from the PIX, but still no forwarding.

access-list acl_out permit icmp any any
access-group acl_out in interface outside

I need to somehow forward from the outside interface to the inside interface. Do we need to set up NAT on the PIX to forward, or are there ways without, by adding a static route somehow?
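Added example (editor's, not the original poster's configuration) for the lab described in this thread. On PIX 6.x an ACL permit on the outside interface is not sufficient on its own: traffic from a lower-security interface to a higher-security one also needs a translation entry (a static or a nat 0 rule) for the inside destination, otherwise the firewall has no xlate for it and drops the packet, logging %PIX-3-305005 "No translation group found". The block below assumes a PIX 6.x image (the config posted later in this thread is 6.3(4)), that ethernet0 is named outside and ethernet1 inside, and that no address rewriting is wanted in the lab, so it uses an identity static for 192.168.1.10. The show, logging and capture commands are the checks to run if packets still do not arrive.

```cisco
! Added example for the lab in this thread; not the poster's own config.
! PIX 6.x syntax. Assumed interface names: outside (security0), inside (security100).
ip address outside 192.168.75.222 255.255.255.0
ip address inside  192.168.1.3 255.255.255.0

! 1. Translation. Outside-to-inside traffic needs an xlate for the inside host
!    even when no NAT is wanted. An identity static (mapped address == real
!    address) provides one. Without it the PIX logs %PIX-3-305005 and drops.
static (inside,outside) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 0 0
clear xlate

! 2. Inbound policy. The outside interface denies everything until an ACL is
!    bound to it. Scope the permits to the attacking host and the target
!    rather than "any any", so the lab still exercises the ACL.
access-list acl_out permit icmp host 192.168.75.1 host 192.168.1.10
access-list acl_out permit tcp  host 192.168.75.1 host 192.168.1.10
access-list acl_out permit udp  host 192.168.75.1 host 192.168.1.10
access-group acl_out in interface outside

! 3. Checks.
show access-group            ! acl_out must be applied "in" on outside
show xlate                   ! expect: Global 192.168.1.10 Local 192.168.1.10
show access-list acl_out     ! hitcnt on each ACE should climb during the scan
logging on
logging buffered warnings
show logging                 ! 305005 = no xlate for the destination,
                             ! 106023 = denied by acl_out

! 4. Confirm on the PIX itself that packets leave the inside interface
!    (capture is available from PIX 6.2 onward).
capture lab interface inside
show capture lab
```

If show xlate stays empty after the static is added, the translation did not take effect; static and nat changes in 6.x require clear xlate before they apply to new connections.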
 
Yeah, we figured it out, thanks for your help...

Any reason why things in the access group acl_out do not show up in ASDM? Or am I just looking in the wrong place?
 
I'm having a similar problem. Quick description of my config (WAN IPs changed to protect the innocent):

SITE ONE:
Cisco 1641
- T1 WAN for Internet Access (9.8.7.6/240)
- T1 to Site Two (10.0.0.1/30)
- 100Mb LAN interface (5.6.7.8/240) connected to...

Cisco PIX501
- Outside (5.6.7.9/240)
- Inside NAT (192.168.10.254/24)

SITE TWO:
Cisco 1760
- DSL WAN for Internet Access (1.2.3.4/240)
- T1 to Site One (10.0.0.2/30)
- 100Mb LAN interface, no FW (192.168.1.253/24)

THE PROBLEM:
Users at Site1 can ping into the subnet at Site2 and access everything needed. Users at Site2 cannot ping anything past the outside interface of Site1's PIX501. I only have access to the PDM, and I've used it to set up ACLs similar to the ones described in this post.

Any ideas on what I'm missing? Perhaps more detail on setting up ACLs? Perhaps there's a Translation Rule I need to set up?
 
Show your config. You can still do this from the PDM, via the CLI Tool.
 
Sorry - should have done that in the first place. It's rather long, but here goes:

SITE1-PIX501# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ipsVHwL6Nkn4tLPA encrypted
passwd qjegNHyIr0WJiqpP encrypted
hostname SITE1-PIX501
domain-name SAMPLECOMPANY.COM
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.10.5 server-sbs
name 192.168.10.6 server-citrix
name 192.168.10.7 server-accounting
name 111.222.333.96 Outside_IP_Range
name 192.168.1.0 Site2_Subnet
name 192.168.10.0 Site1_Subnet
object-group service ExchangeServices tcp
description Ports to be opened for Microsoft Exchange services
port-object eq imap4
port-object eq ldap
port-object eq 135
port-object eq pop3
port-object eq 102
port-object eq smtp
port-object eq chargen
port-object eq www
port-object eq https
port-object eq 3389
port-object eq 995
object-group service CitrixServices tcp
description Ports open for Citrix services
port-object eq 2598
port-object eq 2513
port-object eq 2512
port-object eq citrix-ica
port-object eq https
port-object eq www
port-object eq 3389
access-list acl_out remark Translate all TCP from Site2 (any for testing purposes)
access-list acl_out permit tcp any any
access-list acl_out remark Translate all UDP from Site2 (any for testing purposes)
access-list acl_out permit udp any any
access-list acl_out remark Translate all ICMP from Site2 (any for testing purposes)
access-list acl_out permit icmp any any
access-list acl_out remark Translate all IP from Site2 (any for testing purposes)
access-list acl_out permit ip any any
access-list acl_out remark server-SBS Open for Exchange
access-list acl_out permit tcp any host 111.222.333.100 object-group ExchangeServices log
access-list acl_out remark server-CITRIX open for ICA traffic
access-list acl_out permit tcp any host 111.222.333.101 object-group CitrixServices log
access-list acl_out remark server-CITRIX open for ICA TCP Browse operations
access-list acl_out permit udp any host 111.222.333.101 eq 1604 log
access-list acl_out remark server-accounting open for RDP traffic
access-list acl_out permit tcp any host 111.222.333.102 eq 3389 log
access-list acl_out remark server-accounting open for direct outside connect
access-list acl_out permit tcp any host 111.222.333.102 eq 9998 log
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 16
logging host inside server-sbs
icmp permit Site2_Subnet 255.255.255.0 outside
icmp permit host 111.222.333.97 outside
icmp permit 10.0.0.0 255.255.255.0 outside
icmp permit any inside
icmp permit host 111.222.333.97 inside
mtu outside 1500
mtu inside 1500
ip address outside 111.222.333.98 255.255.255.240
ip address inside 192.168.10.254 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location Site1_Subnet 255.255.255.0 inside
pdm location server-sbs 255.255.255.255 inside
pdm location server-citrix 255.255.255.255 inside
pdm location server-accounting 255.255.255.255 inside
pdm location Berk_Subnet 255.255.255.0 outside
pdm location 10.0.0.0 255.255.255.252 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.222.333.100 server-sbs netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.101 server-citrix netmask 255.255.255.255 0 0
static (inside,outside) 111.222.333.102 server-accounting netmask 255.255.255.255 0 0
access-group acl_out in interface outside
rip outside passive version 2
rip inside passive version 2
route outside 0.0.0.0 0.0.0.0 111.222.333.97 1
route outside 10.0.0.0 255.255.255.252 111.222.333.97 1
route outside Berk_Subnet 255.255.255.0 111.222.333.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server server-sbs source inside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http Site1_Subnet 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3DES-MD5-MD5 ah-md5-hmac esp-3des esp-md5-hmac
crypto ipsec transform-set DES-MD5-MD5 ah-md5-hmac esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set peer 444.555.666.74
crypto map outside_map 20 set transform-set DES-MD5-MD5
crypto map outside_map 20 set security-association lifetime seconds 86400 kilobytes 4608000
! Incomplete
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 444.555.666.74 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity key-id Site1
isakmp nat-traversal 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet Site1_Subnet 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
management-access inside
console timeout 0
vpnclient server 444.555.666.74 111.222.333.98
vpnclient mode network-extension-mode
vpnclient vpngroup Site1 password ********
vpnclient username Site1 password ********
terminal width 80
Cryptochecksum:1d995869b9fc89055f58f49147626d9a
: end

Thank you SO MUCH for taking a look at this!
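Added example (editor's, not the poster's own lines) for the Site1 PIX 501 configuration above. The posted config translates all inside hosts with `nat (inside) 1 0.0.0.0 0.0.0.0` behind the outside interface address (`global (outside) 1 interface`), and that kind of dynamic PAT only creates xlates for connections the inside starts; the only inside addresses reachable from outside are the three servers with statics. Site2 hosts aiming at 192.168.10.x therefore have no translation to land on, which in PIX 6.x produces %PIX-3-305005 rather than an ACL deny. NAT exemption (`nat 0` with an access list) covers the site-to-site traffic without rewriting addresses and, in PIX 6.x, permits connections initiated from either side. The block assumes that the `Berk_Subnet` name used in the posted route and pdm location lines is the same 192.168.1.0/24 network as `Site2_Subnet` (the poster describes Site2's LAN as 192.168.1.253/24), and it reuses the `names` the config already defines; `nonat` is an assumed ACL name.

```cisco
! Added example for the SITE1-PIX501 config above (PIX 6.3 syntax); not the
! poster's own lines. Assumes Berk_Subnet == Site2_Subnet == 192.168.1.0/24.

! 1. NAT exemption for the inter-site traffic. Without a translation that
!    covers 192.168.10.0/24 as seen from outside, Site2-to-Site1 packets are
!    dropped with %PIX-3-305005; "nat (inside) 1" (PAT) only builds xlates for
!    connections the inside initiates.
access-list nonat permit ip Site1_Subnet 255.255.255.0 Site2_Subnet 255.255.255.0
nat (inside) 0 access-list nonat
clear xlate

! 2. Inbound policy. "permit ip any any" admits everything from outside and,
!    because ACEs are evaluated in order, shadows the per-server "log" entries
!    below it so they never record a hit. Replace the testing ACEs with one
!    scoped to Site2; the server-specific permits to 111.222.333.100-102 stay.
no access-list acl_out permit tcp any any
no access-list acl_out permit udp any any
no access-list acl_out permit icmp any any
no access-list acl_out permit ip any any
access-list acl_out permit ip Site2_Subnet 255.255.255.0 Site1_Subnet 255.255.255.0

! 3. Return path. "ip verify reverse-path interface outside" drops outside
!    packets whose source has no route back out that interface, so the route
!    to 192.168.1.0/24 via 111.222.333.97 (posted as Berk_Subnet) must stay.
show route                  ! expect 192.168.1.0/24 via 111.222.333.97 on outside

! 4. Verify while a Site2 host pings or connects to a 192.168.10.x address.
show xlate                  ! expect identity entries for 192.168.10.x
show conn                   ! expect conns with the Site2 host as initiator
show access-list acl_out    ! hitcnt on the Site2 ACE should climb
show logging                ! no 305005 for 192.168.10.0/24 destinations

! 5. Management exposure visible in the posted config: PDM (HTTP) and SSH are
!    open to any outside address and SNMP uses the default "public" community.
no http 0.0.0.0 0.0.0.0 outside
http Site2_Subnet 255.255.255.0 outside
no ssh 0.0.0.0 0.0.0.0 outside
ssh Site2_Subnet 255.255.255.0 outside
no snmp-server community public
```

An identity static for the whole subnet (`static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0`) would also work; NAT exemption is used here because it is keyed on the Site1-to-Site2 pair and leaves Internet-bound traffic on the existing PAT rule untouched.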
 