- access in problem
- Posted by jspr on January 18th, 2005
A little bit of a newbie Cisco PIX config problem here. Need some
help. Having trouble allowing in the following ports: 995 (pop3s), 443
(https), and 53 (dns).
DNS needs to come in from 64.28.40.226 to 10.1.2.45 using PAT. I thought
I had this set up right, but my syslog server is still saying that DNS
traffic is denied from this IP.
995 and 443 need to come from one public IP at a co-lo to my whole
inside 10.1.2.0 255.255.255.0 network, and I am not sure how to do this
one. Thanks
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
fixup protocol dns maximum-length 512
fixup protocol domain 53
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any host 68.1.3.100 eq www
access-list outside_in permit tcp any any eq 3140
access-list outside_in permit tcp any any eq 104
access-list outside_in permit tcp any any eq 4006
access-list outside_in permit tcp host 64.28.40.226 any eq domain
access-list outside_in permit udp host 64.28.40.226 any eq domain
pager lines 24
logging on
logging console warnings
logging monitor warnings
logging trap warnings
logging history warnings
logging host inside 10.1.2.50
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 68.1.3.2 255.255.255.0
ip address inside 10.1.2.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 104 10.1.2.143 104 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3140 10.1.2.143 3140 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4006 10.1.2.143 4006 netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.1.3.100 www 10.1.2.148 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 10.1.2.45 domain netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 10.1.2.45 domain netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.1.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
snmp-server host inside 10.1.2.50 trap
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
tftp-server inside 10.1.2.50 TFTP-root
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:154d215f7c747a878818cfb15c61bb52
: end
- Posted by Walter Roberson on January 18th, 2005
In article <1106062394.114751.24270@f14g2000cwb.googlegroups.com>,
jspr <jmsprang@hotmail.com> wrote:
[PIX]
:DNS needs to come in from 64.28.40.226 to 10.1.2.45 using PAT. I thought
:I had this set up right, but my syslog server is still saying that DNS
:traffic is denied from this IP.
Your config looks okay for that part, provided that by 'comes in'
you mean that the 64 address is a client and the 10 address is the
server. If the 10 address is the server querying the 64 address
then the configuration is not correct.
:995 and 443 need to come from one public IP at a co-lo to my whole
:inside 10.1.2.0 255.255.255.0 network, and I am not sure how to do this
:one. Thanks
The only way to do that would be to address it to different ports
for each device... e.g., instead of to 995, it would be addressed
to 1995 for the first, 2995 for the second. The PIX has to be given
-something- unique and consistent to match against.
--
Disobey all self-referential sentences!
- Posted by jspr on January 19th, 2005
Thanks for the reply,
A few questions though:
The 10. address is an inside server querying the 64. address on the
outside of the PIX.
I need to let in the DNS traffic the 64. sends to the 10. Thanks
In the 995 problem, am I going to need to create a static translation
for each PC behind my network? I can't do that. Is there any way to
send it in to the whole network using some type of dynamic?
- Posted by Walter Roberson on January 19th, 2005
In article <1106164948.821140.252060@f14g2000cwb.googlegroups.com>,
jspr <jmsprang@hotmail.com> wrote:
:The 10. address is an inside server querying the 64. address on the
:outside of the PIX.
:I need to let in the DNS traffic the 64. sends to the 10. Thanks
Ah, if the inside 10 address is the one doing the querying,
then now that I think of it what you have should work -and- you
could get rid of the two statics that reference 'domain'. The
outgoing queries are not usually going to have a source port of 'domain'
[though Windows does that sometimes], and the normal Adaptive Security
logic would keep the path open for return traffic.
:in the 995 problem am I going to need to create a static translation
:for each pc behind my network? I can't do that is there any way to
:send it in to the whole network using some type of dynamic?
And which of the PCs would pick up the packets?
Is it really the case that all of your PCs are running as HTTPS and
POPS *servers*? Or is it just that your PCs need to be able
to get return traffic back when they access HTTPS and POPS on the
co-lo's server? Return traffic is handled automatically in
response to outgoing connections. But if you really want all
of your PCs to be HTTPS and POPS -servers- then you should explain
more about how you think the PCs should be able to decide amongst
themselves which of them was really being addressed.
--
The Knights Of The Lambda Calculus aren't dead --this is their normal form!
- Posted by jspr on January 20th, 2005
The mail server is at the co-lo outside the PIX. Whenever a user makes
a request through Outlook on the inside of the PIX to send and receive
mail, an error comes up at the syslog server saying the outside
interface of the PIX is blocking port 995 and 443. Outlook spits back
weird errors. The mail server is using POPS and HTTPS somehow, not
really sure. So I need to open up 995 and 443 into my whole subnet
from the mail server. Thanks
- Posted by Walter Roberson on January 20th, 2005
In article <1106239418.354535.291410@c13g2000cwb.googlegroups.com>,
jspr <jmsprang@hotmail.com> wrote:
:The mail server is at the co-lo outside the PIX. Whenever a user makes
:a request through Outlook on the inside of the PIX to send and receive
:mail, an error comes up at the syslog server saying the outside
:interface of the PIX is blocking port 995 and 443. Outlook spits back
:weird errors. The mail server is using POPS and HTTPS somehow, not
:really sure. So I need to open up 995 and 443 into my whole subnet
:from the mail server. Thanks
With the config you posted, it should all be transparent.
Please push your logging level up to informational (6) and trace
a complete attempt to access the mail server, including all
of the building and tearing down of translations, and post the
complete transaction here.
--
"I want to make sure [a user] can't get through ... an online
experience without hitting a Microsoft ad"
-- Steve Ballmer [Microsoft Chief Executive]
- Posted by jspr on January 21st, 2005
Thanks Walter
I will push the log level to 6 later today and post those later. Here are
the warning level 4 messages I encountered so far:
2005-01-20 16:01:35 Local4.Warning 10.1.2.1 %PIX-4-106023: Deny udp src outside:dns.ramp.com/53 dst inside:h-68-1-3-2.amdif.sbc.net/41780 by access-group "outside_in"
2005-01-20 16:01:37 Local4.Warning 10.1.2.1 %PIX-4-106023: Deny tcp src outside:mail.mailserver.com/995 dst inside:h-68-1-3-2.amdif.sbc.net/63558 by access-group "outside_in"
2005-01-20 16:02:03 Local4.Warning 10.1.2.1 %PIX-4-106023: Deny tcp src outside:mail.mailserver.com/25 dst inside:h-68-1-3-2.amdif.sbc.net/63624 by access-group "outside_in"
Also, as you can see, 53 DNS is still blocked. Thanks for all your help.
- Posted by jspr on January 22nd, 2005
Here are the log messages:
mail server = 64.28.40.21
host requesting mail = 10.1.2.107
outside interface of pix = 68.1.3.2
305011: Built dynamic TCP translation from inside:10.1.2.107/1469 to outside:68.1.3.2/7936
302013: Built outbound TCP connection 9644 for outside:64.28.40.21/995 (64.28.40.21/995) to inside:10.1.2.107/1469 (68.1.3.2/7936)
305011: Built dynamic TCP translation from inside:10.1.2.107/1470 to outside:68.1.3.2/7937
302013: Built outbound TCP connection 9645 for outside:64.28.40.21/995 (64.28.40.21/995) to inside:10.1.2.107/1470 (68.1.3.2/7937)
305011: Built dynamic TCP translation from inside:10.1.2.107/1471 to outside:68.1.3.2/7938
302013: Built outbound TCP connection 9646 for outside:64.28.40.21/995 (64.28.40.21/995) to inside:10.1.2.107/1471 (68.1.3.2/7938)
305011: Built dynamic TCP translation from inside:10.1.2.107/1472 to outside:68.1.3.2/7939
302013: Built outbound TCP connection 9647 for outside:64.28.40.21/995 (64.28.40.21/995) to inside:10.1.2.107/1472 (68.1.3.2/7939)
302014: Teardown TCP connection 9644 for outside:64.28.40.21/995 to inside:10.1.2.107/1469 duration 0:00:01 bytes 1637 TCP Reset-I
106023: Deny tcp src outside:mail.mailserver.com/995 dst inside:68.1.3.2/7936 by access-group "outside_in"
302014: Teardown TCP connection 9646 for outside:64.28.40.21/995 to inside:10.1.2.107/1471 duration 0:00:01 bytes 1798 TCP FINs
302014: Teardown TCP connection 9647 for outside:64.28.40.21/995 to inside:10.1.2.107/1472 duration 0:00:01 bytes 1637 TCP FINs
302014: Teardown TCP connection 9645 for outside:64.28.40.21/995 to inside:10.1.2.107/1470 duration 0:00:01 bytes 47647 TCP Reset-I
106023: Deny tcp src outside:mail.regionaldiagnostics.com/995 dst inside:68.1.3.2/7937 by access-group "outside_in"
Thanks
- Posted by Walter Roberson on January 24th, 2005
In article <1106414333.152890.49030@c13g2000cwb.googlegroups.com>,
jspr <jmsprang@hotmail.com> wrote:
:Here are the log messages:
:302014: Teardown TCP connection 9644 for outside:64.28.40.21/995 to inside:10.1.2.107/1469 duration 0:00:01 bytes 1637 TCP Reset-I
:106023: Deny tcp src outside:mail.mailserver.com/995 dst inside:68.1.3.2/7936 by access-group "outside_in"
:302014: Teardown TCP connection 9645 for outside:64.28.40.21/995 to inside:10.1.2.107/1470 duration 0:00:01 bytes 47647 TCP Reset-I
:106023: Deny tcp src outside:mail.regionaldiagnostics.com/995 dst inside:68.1.3.2/7937 by access-group "outside_in"
Note that both of those 'Deny' messages immediately follow
'Teardown' messages. Those messages aren't telling you that the
inside systems were unable to properly reach the outside systems:
those messages are telling you that your inside system signalled
a connection shutdown (a TCP FIN packet) and that the PIX closed off
the connection and dropped it from its tables faster than the
remote end was able to reply with its own FIN or FIN ACK packet.
You aren't seeing any lack of permissions: you are seeing the PIX
not holding on long enough after a closed connection, and then
not recognizing that the remote end is agreeing to close the connection.
There isn't anything you can do about these messages. There is no way
for you to tell the PIX to hold on to old connections for longer
in order to reap the shutdown messages coming from the other end.
All you can do is:
- ignore the problem
- complain to Cisco that the 'socket linger' time isn't long enough
- filter the messages out of your logs; or
- tell the PIX not to bother logging that particular message.
no message logging 106023
Unfortunately, 106023 messages are the same ones generated when
someone tries to break in to your system, so you probably don't
really want to ignore them or filter them out...
--
If a troll and a half can hook a reader and a half in a posting and a half,
how many readers can six trolls hook in six postings?
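An added example, not from the thread, that applies the triage rule above to the log format jspr posted: a 106023 deny is labelled a late FIN/RST when it matches a translation the PIX already tore down, and is flagged for review otherwise (since the same message is generated for genuinely unsolicited traffic). The sample lines are constructed from the posted sequence, plus one unrelated deny for contrast.

```python
import re

# Constructed sample in the PIX 6.3 syslog format posted in the thread; the
# first four lines follow the posted sequence, the last is an added deny with
# no preceding teardown, so the two cases can be told apart.
SAMPLE_LOG = """\
305011: Built dynamic TCP translation from inside:10.1.2.107/1469 to outside:68.1.3.2/7936
302013: Built outbound TCP connection 9644 for outside:64.28.40.21/995 (64.28.40.21/995) to inside:10.1.2.107/1469 (68.1.3.2/7936)
302014: Teardown TCP connection 9644 for outside:64.28.40.21/995 to inside:10.1.2.107/1469 duration 0:00:01 bytes 1637 TCP Reset-I
106023: Deny tcp src outside:mail.mailserver.com/995 dst inside:68.1.3.2/7936 by access-group "outside_in"
106023: Deny tcp src outside:203.0.113.9/4444 dst inside:68.1.3.2/22 by access-group "outside_in"
"""

XLATE_RE = re.compile(r"^305011: Built dynamic (\w+) translation from inside:([\d.]+)/(\d+) to outside:([\d.]+)/(\d+)")
TEARDOWN_RE = re.compile(r"^302014: Teardown (\w+) connection \d+ for outside:([\d.]+)/(\d+) to inside:([\d.]+)/(\d+)")
DENY_RE = re.compile(r'^106023: Deny (\w+) src outside:(\S+)/(\d+) dst inside:([\d.]+)/(\d+) by access-group "(\w+)"')

LATE_CLOSE = "late close after teardown"
UNSOLICITED = "unsolicited deny (review)"


def classify_denies(lines):
    """Label each 106023 deny as a late FIN/RST for an already torn-down
    translation, or as an unsolicited packet that deserves a look."""
    xlates = {}     # (proto, inside ip, inside port) -> (mapped ip, mapped port)
    closed = set()  # (proto, peer port, mapped ip, mapped port) of torn-down flows
    verdicts = []
    for line in lines:
        m = XLATE_RE.match(line)
        if m:
            proto, iip, iport, oip, oport = m.groups()
            xlates[(proto.lower(), iip, iport)] = (oip, oport)
            continue
        m = TEARDOWN_RE.match(line)
        if m:
            proto, _peer_ip, peer_port, iip, iport = m.groups()
            mapped = xlates.get((proto.lower(), iip, iport))
            if mapped:
                # Remember the mapped socket the peer may still answer to.
                closed.add((proto.lower(), peer_port) + mapped)
            continue
        m = DENY_RE.match(line)
        if m:
            # The deny names the peer by hostname, so match on ports and the
            # mapped address rather than on the peer address.
            proto, _src, sport, dip, dport, _acl = m.groups()
            key = (proto.lower(), sport, dip, dport)
            verdicts.append((LATE_CLOSE if key in closed else UNSOLICITED, line))
    return verdicts
```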