
simple ip route command or access list question??


geranimo666

Hello-

I want one of my servers to be able to communicate with my router.. I just want to update the bin file that is on a tftp server in my network (172.16.x.x) to a router that has an f0/0 port with a 63.x.x.x address.. could I just create a static route? or an acl?

thanks for any support

geranimo
 
Hello Chipk and Burtbees-

There is a darn PIX in the middle of this! That is our culprit my friends..

The devil is always in the detail. Anyway, I would need an access-list that says allow my router (through its FastEthernet0/0 port 63.138.x.x) to be able to communicate with my TFTP server (172.16.x.x).

I didn't see this device until late last night, if you could only see how this rack is situated then you wouldn't blame me for not detecting this firewall in the first place.

Would either of you know the proper syntax for this access-list? or do I need the firewall forum?

thanks either way for all your support.

geranimo
 
You only need an allow if there is any acl on the outgoing interface pointing to the 172.16.x.x network in the first place, which I assume. Once an acl is put in place, a "deny everything else" is implied at the end of the list, which includes the 172.16.x.x network.
So, you need the number of the original acl, and if it is not a named acl, then you can't simply include an entry for the 172.16 nw---you will have to delete the entire list and rewrite it with the allow any 172.16.x.x 0.0.255.255 added on.
Please post a sh run from the PIX, and we can help you.

Burt
 
Alright Burtsbees-

Here is a sho run of the PIX.

Thanks, please let me know.. and thanks so much for your help.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
nameif ethernet3 other_dmz security40
nameif ethernet4 intf4 security20
nameif ethernet5 proxy_dmz security25
enable password yadayada encrypted
passwd yadayada encrypted
hostname mypix
domain-name mypix.nyc
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

object-group service OWA tcp-udp
description Outlook Web access server to my dc
port-object range 1600 1600
port-object range 135 135
port-object range 3268 3268
port-object range 389 389
port-object range domain domain
port-object range 88 88
port-object range 2874 2874
port-object range 445 445
port-object range 139 139
port-object range 123 123
object-group network OWAgroup
description OWA to active directory servers
network-object mydc 255.255.255.255
network-object mydc 255.255.255.255
object-group network OWAmail
network-object mydc 255.255.255.255
network-object mydc 255.255.255.255
object-group service Citrix-tcp tcp
description Citrix tcp ports
port-object range citrix-ica citrix-ica
port-object eq www
port-object eq https
port-object range 8080 8080
object-group service citrxi-udp udp
description citrix udp port
port-object range 1604 1604
object-group network telco
network-object

access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit tcp any host MAIL-ext-IP eq smtp
access-list outside_access_in remark nothing
access-list outside_access_in permit tcp any host nothing-ext-ip eq www
access-list outside_access_in remark deltaweb
access-list outside_access_in permit tcp any host nothing-ext-ip range pcanywhere-data 5632
access-list outside_access_in permit ip host notgood host goodnot-ip
access-list outside_access_in permit ip host nothingelse host goodnot-ip
access-list outside_access_in remark Outside access to OWA server over port 80
access-list outside_access_in permit tcp any host webmail eq www
access-list outside_access_in remark Outside access to OWA server over port 443

access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit tcp any host MAIL-ext-IP eq smtp
access-list outside_access_in remark nuttin
access-list outside_access_in permit tcp any host nuttinip eq www
access-list outside_access_in remark nuttin
access-list outside_access_in permit tcp any host nuttint-ip range pcanywhere-data 5632
access-list outside_access_in permit ip host whatever host blah-ext-ip
access-list outside_access_in permit ip host whatever2 host blah-ext-ip
access-list outside_access_in remark Outside access to OWA server over port 80
access-list outside_access_in permit tcp any host mail eq www
access-list outside_access_in remark Outside access to OWA server over port 443
access-list outside_access_in permit tcp any host mail eq https
access-list dmz_in permit tcp host owa MAIL eq https
access-list dmz_in permit tcp host online host telcoserver eq 2260
access-list dmz_in permit tcp host owa host MAIL eq www
access-list dmz_in permit tcp host owa object-group OWA_ref object-group OWA
access-list dmz_in permit tcp host 170.x.x.x eq https any
access-list dmz_in permit tcp host Host eq 9020 host mainserver
access-list dmz_in permit ip host router any

access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 172.16.228.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered warnings
logging trap warnings
logging history warnings
logging queue 5120
logging device-id hostname
logging host inside myserver
logging host inside 172.16.x.x
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu other_dmz 1500
mtu proxy_dmz 1500
ip address outside 63.138.x.x 255.255.255.240 <--- router address
ip address inside 172.16.x.x 255.255.255.0 <---inside pix
no failover
failover timeout 0:00:00
failover poll 15
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
static (inside,outside) MAIL-ext MAIL netmask 255.255.255.255 0 0
static (dmz,outside) mail bpgowa01 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group dmz_in in interface dmz
access-group other_dmz_in in interface other_dmz
route outside 0.0.0.0 0.0.0.0 myrouter 1
http 172.16.0.0 255.255.0.0 inside
: end
[OK]


geranimo
 
Just hook up a laptop to the router via crossover!

Burt
 
Thx BB,

Somehow I knew you'd say that...

geranimo
 
Well, so far you've added 2 devices in between the server and the router, and not once have you posted a sh run of the router. You only posted a sh route, which proves there is no route from the router to the server, which we already knew. The pix probably has nothing to do with it---a config from the router will show WHY there is no route from the router to the server. So, to eliminate everyone's headache, including yours, just do it the easy way.

Burt
 
hi Burtsbees-

I was hoping you could help me out a little further.. I noticed that on the back of this router, there is only one T1 port available, (this 2600 router is an internet router) and the fa0/0 interface is the 63.128.x.x address I telnet to from inside. All I have is 2 open BRI ports as you'll see below from my sho int command.. Could I still take a crossover to one of the BRI's and do what I need to do here? or am I totally screwed!?

Thanks for any info...
geranimo



Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 63.138.x.x YES NVRAM up up
BRI0/0 unassigned YES NVRAM administratively down down
Serial0/0:0 63.138.x.x YES NVRAM up up
BRI0/0:1 unassigned YES unset administratively down down
BRI0/0:2 unassigned YES unset administratively down down
 
Hello
You can't use the bri port! In any case you will have about a 3 minute down time once you load the new IOS. If you plug the laptop into the FastEthernet0/0 and load the IOS, your down-time will be about 8 minutes. It all depends on the network needs. If you need less down time you will have to create that access-list on the PIX.
Regards
 
If the fa0/0 is on the inside of the nw, then why do both the serial and fast ethernet interfaces have public IP's on them? Also, are they on the same subnet?
One more thing...it goes 2600---PIX---6503, right? Who configured the PIX in the first place? Was the tftp server in place before or after the PIX?


Burt
 
Not sure who configured the PIX and no the s0/0 is on the same subnet as the serial interface.. yes, you are correct with your visual topology.. I only care that I can really do this on the bri interface at this time, I suppose I can set up a 63.138.x.x address on the bri interface and hopefully plug my laptop into it via crossover cable and just tftp the file.. am I dead in the water here?

thanks

geranimo
 
As I said before it's impossible on the BRI!!! Just go for the access-list on the PIX.
Regards
 
Yes Minue,

It is what it is... I'll just use the fa0/0 port on the router and do this "after hours"..

that is all I can do..

Thanks so much
geranimo
 
Minue-

Since I haven't actually done this yet and based on the configs I've given above, would you be able to give me what access-list I would need. Basically, I want to allow the router to be able to communicate with my tftp server but there is the pix in the middle. I don't know the syntax for the access-list in its specifics needed here..

If not, then the original plan will have to do.

thanks either way
geranimo
 
Laptop should only take less than a minute---done it a thousand times---that is, if the laptop has a 100Mbps interface...but you cannot connect an ISDN BRI interface to anything with an ethernet cable....you'll fry your router.
tftp service running in the background on the laptop, default location of the downloads should be directly on C:\, and therefore the IOS you plan to upload should be right on C:\..then type
router#copy tftp flash
then fill in the blanks..just put the laptop ip address on the same subnet as the router fast ethernet interface.

Burt
 
Hello
Your PIX will not let any traffic in from the outside. Your router can only speak to the server when the server starts the conversation.
Try these commands
"static (inside,outside) 63.138.PIX address 172.16.server address 0 0"
access-list 102 permit tcp any host 172.16.server address eq 69
Then apply the command to the interface outside with this command: "access-group 102 in interface outside"
Try this and let me know how it goes, this should work.
Regards
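An added example, not from the thread, that mechanises two points made above (Burt's reminder that every PIX list ends in an implied "deny everything else", and Minue's proposed access-list 102 entry): a small evaluator for PIX-style access-list entries, run against the router's TFTP request. TFTP is UDP port 69 (RFC 1350), and on PIX 6.3 an access-list on the outside interface is matched against the translated address given by the static, so the sample entries are written against a constructed mapped address; the addresses, the ephemeral source port and the list number 102 are all constructed placeholders.

```python
import ipaddress

# Named ports the thread's entries use; PIX accepts names or numbers after "eq".
PORTS = {"tftp": "69", "www": "80", "https": "443", "smtp": "25"}

def _addr_and_port(t, i, addr, port):
    """Match one 'any' | 'host A' | 'NET MASK' spec at t[i], then an optional 'eq P'."""
    if t[i] == "any":
        ok, i = True, i + 1
    elif t[i] == "host":
        ok, i = ipaddress.ip_address(t[i + 1]) == ipaddress.ip_address(addr), i + 2
    else:
        net = ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)
        ok, i = ipaddress.ip_address(addr) in net, i + 2
    if i < len(t) and t[i] == "eq":
        ok, i = ok and PORTS.get(t[i + 1], t[i + 1]) == str(port), i + 2
    return ok, i

def parse_acl(text):
    """Keep permit/deny entries in order; 'remark' lines carry no rule."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            rules.append((t[1], t[2:]))
    return rules

def evaluate(rules, acl, proto, src, sport, dst, dport):
    """First matching entry wins; no match is the implicit deny at the end of the list."""
    for name, t in rules:
        if name != acl or t[1] not in ("ip", proto):
            continue
        ok_src, i = _addr_and_port(t, 2, src, sport)
        ok_dst, _ = _addr_and_port(t, i, dst, dport)
        if ok_src and ok_dst:
            return t[0], " ".join(["access-list", name] + t)
    return "deny", "implicit deny (no entry matched)"

# Constructed sample (placeholder addresses, not the thread's): the entry as posted
# (tcp/69) beside a udp form. MAPPED is the 63.138 address the static gives the server.
ROUTER, MAPPED = "63.138.0.2", "63.138.0.5"
POSTED_ACL = "access-list 102 permit tcp any host 63.138.0.5 eq 69\n"
UDP_ACL = "access-list 102 permit udp host 63.138.0.2 host 63.138.0.5 eq tftp\n"

def tftp_request_result(acl_text):
    """Verdict for the router's TFTP read request: UDP, ephemeral source port, dst 69."""
    return evaluate(parse_acl(acl_text), "102", "udp", ROUTER, 49152, MAPPED, 69)[0]

if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("udp", UDP_ACL)):
        print(label, tftp_request_result(acl))  # posted deny, udp permit
```

The posted entry never matches the UDP request, so it falls through to the implied deny; the udp entry matches, and the existing "fixup protocol tftp 69" in the config is what then lets the server's reply from a new source port back through.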
 