Could someone help me with my PIX? I Almost got it!

TheSwabbie
I have my firewall ALMOST doing what it needs to do. I think I've stared at it too long and I can't see the forest for the trees anymore. The firewall is in a remote datacenter; I CAN connect to it to configure.

This should be simple, but part of it isn't working. Basically, I have 3 servers: a PDC, BDC and a Backup Server. I can connect to the PDC on the ports I've outlined. But I CAN'T communicate with the BDC or BACKUP Server... What am I doing wrong?

The BDC should have incoming ports 80, 443 open for inbound traffic

The Backup Server should have incoming ports 80, 308, 443, 2003 open for inbound connections.

Any help would be GREATLY appreciated!!!!!


Jim

PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.244 InsideIPAddress
name 10.0.0.240 Server-PDC
name 10.0.0.241 Server-BDC
name 10.0.0.242 Server-BackUP
access-list acl-in deny icmp any any mask-request
access-list acl-in permit icmp any any
access-list acl-in permit tcp any host 200.200.200.3 eq www
access-list acl-in permit tcp any host 200.200.200.3 eq https
access-list acl-in permit tcp any host 200.200.200.1 eq smtp
access-list acl-in permit tcp any host 200.200.200.1 eq pop3
access-list acl-in permit tcp any host 200.200.200.1 eq www
access-list acl-in permit tcp any host 200.200.200.1 eq https
access-list acl-in permit tcp any host 200.200.200.2 eq www
access-list acl-in permit tcp any host 200.200.200.2 eq https
access-list acl-in permit tcp any host 200.200.200.2 eq 2003
access-list acl-in permit tcp any host 200.200.200.2 eq 308
access-list acl-in deny ip any any log
access-list in permit tcp any host 200.200.200.2
pager lines 200
mtu outside 1500
mtu inside 1500
ip address outside 200.200.200.200 255.255.255.240
ip address inside InsideIPAddress 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location Server-BDC 255.255.255.255 inside
pdm location Server-BackUP 255.255.255.255 inside
pdm location InsideIPAddress 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (inside,outside) 200.200.200.1 Server-BDC netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.2 Server-BackUP netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.3 Server-PDC netmask 255.255.255.255 0 0
access-group acl-in in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community nytemon
no snmp-server enable traps
floodguard enable
telnet Server-PDC 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
SYNner

I don't see how you can reach your PDC at all. Your default gateway is not directly connected to your pix. Your outside interface and your default gateway are not in the same subnetwork. Your pix doesn't know where to send traffic that is not reachable on one of its interfaces.

Your outside interface:
ip address outside 200.200.200.200 255.255.255.240

Your default route:
route outside 0.0.0.0 0.0.0.0 200.200.200.17 1
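The subnet mismatch SYNner points out is the kind of thing that is easy to miss by eye in a long config and easy to check mechanically. The script below is an added example, not part of the original thread or of any Cisco tool: it parses the relevant lines of the PIX 6.3 config posted in the question (the excerpt embedded here is copied from it, with the poster's addresses and names) and audits three things: whether each route's next hop lies on the egress interface's directly connected subnet, which static global addresses fall outside the outside interface's subnet (those only work if the upstream router sends that address space to the PIX), and which access-lists are defined but never bound with access-group. It also tallies the TCP ports the bound ACL permits to each static address, so you can see whether the ports the poster needs for the BDC and Backup Server are already allowed. The function names, the small port-keyword table and the audit logic are this example's own assumptions.

```python
import ipaddress

# Excerpt of the PIX 6.3 configuration posted in the question (addresses
# and names are the poster's, copied from the page; other lines omitted).
PIX_CONFIG = """\
name 10.0.0.244 InsideIPAddress
name 10.0.0.240 Server-PDC
name 10.0.0.241 Server-BDC
name 10.0.0.242 Server-BackUP
access-list acl-in permit tcp any host 200.200.200.3 eq www
access-list acl-in permit tcp any host 200.200.200.3 eq https
access-list acl-in permit tcp any host 200.200.200.1 eq smtp
access-list acl-in permit tcp any host 200.200.200.1 eq pop3
access-list acl-in permit tcp any host 200.200.200.1 eq www
access-list acl-in permit tcp any host 200.200.200.1 eq https
access-list acl-in permit tcp any host 200.200.200.2 eq www
access-list acl-in permit tcp any host 200.200.200.2 eq https
access-list acl-in permit tcp any host 200.200.200.2 eq 2003
access-list acl-in permit tcp any host 200.200.200.2 eq 308
access-list acl-in deny ip any any log
access-list in permit tcp any host 200.200.200.2
ip address outside 200.200.200.200 255.255.255.240
ip address inside InsideIPAddress 255.255.255.0
static (inside,outside) 200.200.200.1 Server-BDC netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.2 Server-BackUP netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.3 Server-PDC netmask 255.255.255.255 0 0
access-group acl-in in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.17 1
"""

# PIX port keywords that appear in the posted ACL (assumed small table).
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110}


def parse_pix(text):
    """Collect the config pieces this audit needs (hypothetical parser)."""
    cfg = {"names": {}, "interfaces": {}, "routes": [], "statics": [],
           "acl": {}, "bound": {}}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "name":                      # name <ip> <alias>
            cfg["names"][parts[2]] = parts[1]
        elif parts[:2] == ["ip", "address"]:        # ip address <if> <ip> <mask>
            ip = cfg["names"].get(parts[3], parts[3])
            cfg["interfaces"][parts[2]] = ipaddress.ip_interface(f"{ip}/{parts[4]}")
        elif parts[0] == "route":                   # route <if> <dst> <mask> <gw> <metric>
            cfg["routes"].append((parts[1], parts[2], parts[3], parts[4]))
        elif parts[0] == "static":                  # static (in,out) <global> <local> ...
            local = cfg["names"].get(parts[3], parts[3])
            cfg["statics"].append((parts[2], local))
        elif parts[0] == "access-list":             # access-list <name> <entry...>
            cfg["acl"].setdefault(parts[1], []).append(parts[2:])
        elif parts[0] == "access-group":            # access-group <name> in interface <if>
            cfg["bound"][parts[1]] = parts[4]
    return cfg


def gateway_reachable(cfg):
    """Return (interface, next_hop, subnet) for every route whose next hop
    is not on the egress interface's connected subnet; empty list means OK."""
    problems = []
    for ifname, _dst, _mask, gw in cfg["routes"]:
        net = cfg["interfaces"][ifname].network
        if ipaddress.ip_address(gw) not in net:
            problems.append((ifname, gw, str(net)))
    return problems


def statics_off_subnet(cfg, ifname="outside"):
    """Static global addresses that are not inside the outside subnet; they
    depend on the upstream router routing that space to the PIX."""
    net = cfg["interfaces"][ifname].network
    return [g for g, _ in cfg["statics"] if ipaddress.ip_address(g) not in net]


def unbound_acls(cfg):
    """Access-lists that are defined but never applied with access-group."""
    return sorted(set(cfg["acl"]) - set(cfg["bound"]))


def permitted_tcp_ports(cfg, ifname, host):
    """TCP ports the ACL bound to ifname permits from any source to host.
    Only 'permit tcp any host X eq P' entries are considered; the ACL's
    explicit 'deny ip any any' sits last, so ordering does not affect this."""
    ports = set()
    for name, iface in cfg["bound"].items():
        if iface != ifname:
            continue
        for e in cfg["acl"].get(name, []):
            if len(e) >= 7 and e[:2] == ["permit", "tcp"] and e[3:6] == ["host", host, "eq"]:
                ports.add(int(e[6]) if e[6].isdigit() else PORT_NAMES[e[6]])
    return sorted(ports)


def missing_ports(cfg, ifname, host, wanted):
    """Ports in 'wanted' that the bound ACL does not permit to host."""
    return sorted(set(wanted) - set(permitted_tcp_ports(cfg, ifname, host)))


if __name__ == "__main__":
    cfg = parse_pix(PIX_CONFIG)
    print("route next hops off their subnet:", gateway_reachable(cfg))
    print("static globals off the outside subnet:", statics_off_subnet(cfg))
    print("ACLs never bound:", unbound_acls(cfg))
    for host, wanted in (("200.200.200.1", {80, 443}), ("200.200.200.2", {80, 308, 443, 2003})):
        print(host, "missing ports:", missing_ports(cfg, "outside", host, wanted))
```

Run against the posted excerpt, the gateway check reports 200.200.200.17 as off the outside interface's 200.200.200.192/28 subnet (SYNner's point), all three static globals sit outside that subnet as well, the access-list named `in` is defined but never applied, and no required port is missing for either server, which suggests the ACL is not where the BDC and Backup Server problem lies.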
