Re: Need help with a PIX 520 and VPN traffic



docpatelsf@xxxxxxxxx wrote:
I need some help configuring a firewall that was pretty much thrown at
me to manage. I'm unable to get out of the firewall for an
application that requires the following ports be open (this is from
the application vendor):

Firewall ports (outbound) that need to be enabled:

TCP/264
IPSEC and IKE (UDP/500)
IPSEC ESP (IP type 50)
IPSEC AH (IP type 51)
TCP/500
UDP/2746
UDP/259
TCP/18231

Here's the current firewall config; the IOS has not been updated in a
seriously long time; I would really appreciate some help as to why I
am not able to get out of the firewall for this application.
Syslogging shows that acl_inside group is disallowing the connection.

The application vendor's IPs are 192.131.69.200 and 192.131.65.200

I am not familiar with CISCO firewalls, but I believe there might also
be an issue with NAT-T (correct me if I am wrong).

Thanks in advance for any/all help.

firewall config (condensed, minus some ACLs):

PIX Version 5.2(6)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 public security10
enable password 0NVe7N9xFeDnrRfe encrypted
passwd tflge61LqXv/Dm/V encrypted
hostname internetfw
domain-name masked.out
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol ftp 2120
no fixup protocol smtp 25
no names
access-list acl_inside deny ip any host 152.163.0.0
access-list acl_inside permit tcp any any eq ftp-data
access-list acl_inside permit tcp any any eq ftp
access-list acl_inside permit tcp any any eq domain
access-list acl_inside permit udp any any eq domain
access-list acl_inside permit tcp any any eq 443
access-list acl_inside permit tcp any any eq 554
access-list acl_inside permit tcp any any eq 1080
access-list acl_inside permit tcp any any eq 1755
access-list acl_inside permit tcp any any eq 1863
access-list acl_inside permit tcp any any eq 3101
access-list acl_inside permit tcp any any eq 3520
access-list acl_inside permit tcp any any eq 5050
access-list acl_inside permit tcp any any eq 5190
access-list acl_inside permit tcp any any eq 8000
access-list acl_inside permit tcp any any eq 8010
access-list acl_inside permit tcp any any eq 8080
access-list acl_inside permit icmp host 151.209.194.228 any echo
access-list acl_inside permit icmp host 151.209.194.119 any echo
access-list acl_inside permit icmp any any echo
access-list acl_inside permit tcp any any eq www
access-list acl_inside deny tcp any any eq smtp
access-list acl_inside deny tcp any any
access-list acl_inside deny udp any any
access-list acl_inside deny ip any any
access-list acl_inside deny udp any any eq tftp
access-list acl_inside deny tcp any any eq 81
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny tcp any any eq 136
access-list acl_inside deny udp any any eq 136
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq netbios-ns
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq netbios-dgm
access-list acl_inside deny tcp any any eq 139
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny udp any any eq 445
access-list acl_inside deny tcp any any eq 4444
access-list acl_inside permit tcp any host 192.131.69.200 eq 264
access-list acl_inside permit udp any host 192.131.69.200 eq isakmp
access-list acl_inside permit udp any host 192.131.69.200 eq 2746
access-list acl_inside permit udp any host 192.131.69.200 eq 259
access-list acl_inside permit tcp any host 192.131.69.200 eq 18231
access-list acl_inside permit udp any host 192.131.69.200 eq 4500
access-list acl_inside permit tcp any host 192.131.65.200 eq 264
access-list acl_inside permit udp any host 192.131.65.200 eq isakmp
access-list acl_inside permit udp any host 192.131.65.200 eq 2746
access-list acl_inside permit udp any host 192.131.65.200 eq 259
access-list acl_inside permit tcp any host 192.131.65.200 eq 18231
access-list acl_inside permit udp any host 192.131.65.200 eq 4500
access-list acl_inside permit tcp any host 192.131.69.200 eq 500
access-list acl_inside permit tcp any host 192.131.65.200 eq 500


The ACLs are read from top to bottom; you have an explicit deny ACL

> access-list acl_inside deny ip any any

That ACL is being read by the firewall before

> access-list acl_inside permit tcp any host 192.131.69.200 eq 264
> access-list acl_inside permit udp any host 192.131.69.200 eq isakmp
> access-list acl_inside permit udp any host 192.131.69.200 eq 2746
> access-list acl_inside permit udp any host 192.131.69.200 eq 259
> access-list acl_inside permit tcp any host 192.131.69.200 eq 18231
> access-list acl_inside permit udp any host 192.131.69.200 eq 4500
> access-list acl_inside permit tcp any host 192.131.65.200 eq 264
> access-list acl_inside permit udp any host 192.131.65.200 eq isakmp
> access-list acl_inside permit udp any host 192.131.65.200 eq 2746
> access-list acl_inside permit udp any host 192.131.65.200 eq 259
> access-list acl_inside permit tcp any host 192.131.65.200 eq 18231
> access-list acl_inside permit udp any host 192.131.65.200 eq 4500
> access-list acl_inside permit tcp any host 192.131.69.200 eq 500
> access-list acl_inside permit tcp any host 192.131.65.200 eq 500


You need to move the above lines above all the deny statements you have defined.
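As an added illustration (not part of the thread), a small Python model of PIX first-match ACL evaluation run over an excerpt of the posted acl_inside: an IKE packet to the vendor host hits a blanket deny in the original order, and hits the host-specific permit once those entries are hoisted above the denies, as the reply recommends. Packet, parse_ace, first_match, move_permits_above_denies, the inside address 10.0.0.5 and the excerpt itself are all constructed here.

```python
import ipaddress
from typing import NamedTuple, Optional

# Port names the PIX prints in place of numbers (only those seen in the thread).
PORT_NAMES = {"isakmp": 500, "domain": 53, "www": 80, "ftp": 21, "smtp": 25}

class Packet(NamedTuple):
    proto: str                 # "tcp", "udp", "icmp", "esp", ...
    src: str
    dst: str
    dport: Optional[int] = None

def parse_ace(line):
    """Parse 'access-list NAME action proto SRC DST [eq PORT]'; SRC/DST are 'any' or 'host X'."""
    t = line.split()
    action, proto, rest, ends = t[2], t[3], t[4:], []
    for _ in range(2):                       # source endpoint, then destination endpoint
        if rest[0] == "any":
            ends.append(None); rest = rest[1:]
        else:                                # "host A.B.C.D"
            ends.append(ipaddress.ip_address(rest[1])); rest = rest[2:]
    port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": ends[0], "dst": ends[1], "port": port, "line": line}

def first_match(acl_lines, pkt):
    """PIX evaluates top-down and stops at the first match; nothing matched = implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in map(parse_ace, acl_lines):
        if (ace["proto"] in ("ip", pkt.proto) and ace["src"] in (None, src)
                and ace["dst"] in (None, dst) and ace["port"] in (None, pkt.dport)):
            return ace["action"], ace["line"]
    return "deny", "<implicit deny>"

def move_permits_above_denies(acl_lines, dst_hosts):
    """The reply's fix: hoist the host-specific permits above every deny entry (order otherwise kept)."""
    hoisted = [l for l in acl_lines if " permit " in l and any(f"host {h}" in l for h in dst_hosts)]
    return hoisted + [l for l in acl_lines if l not in hoisted]

# Constructed excerpt that keeps the thread's acl_inside ordering: blanket denies first,
# the vendor-specific permits after them.
ACL_INSIDE = """\
access-list acl_inside permit tcp any any eq www
access-list acl_inside deny tcp any any
access-list acl_inside deny udp any any
access-list acl_inside deny ip any any
access-list acl_inside permit tcp any host 192.131.69.200 eq 264
access-list acl_inside permit udp any host 192.131.69.200 eq isakmp
access-list acl_inside permit udp any host 192.131.69.200 eq 4500
""".splitlines()
VENDOR_HOSTS = ["192.131.69.200", "192.131.65.200"]
FIXED = move_permits_above_denies(ACL_INSIDE, VENDOR_HOSTS)

if __name__ == "__main__":
    ike = Packet("udp", "10.0.0.5", "192.131.69.200", 500)      # IKE from a constructed inside host
    print("original: ", first_match(ACL_INSIDE, ike))            # deny by "deny udp any any"
    print("reordered:", first_match(FIXED, ike))                 # permit by the "eq isakmp" entry
    print("ESP after reorder:", first_match(FIXED, Packet("esp", "10.0.0.5", "192.131.69.200")))
```

The ESP check is included because the vendor's list also asks for IP protocols 50 and 51, which no entry in the posted config permits, so those flows still fall through to deny ip any any after the reorder.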


