
Cisco Pix/ASA.. Where to place the firewall

Started by UltraZero, February 27, 2011, 10:11:41 AM


UltraZero

#15
O.K.  I've changed the security levels of the ports.

I had both inside and outside set at 100, being I really trust everyone (Yeah Right). I did it that way so I could pass equal traffic to start out with.  I guess that didn't work.

Now, going for the trusted/untrusted part.  Hmm. Actually, I thought they were one and the same.  (security levels and trusted/untrusted)

Also, I am not running a NAT on the Firewall.

Thanks

cholzhauer


To set the security level, enter the following command:

hostname(config-if)# security-level number


UltraZero

Hi.  I actually figured that out.  Thanks very much.  Sorry.  Been switching back and forth putting the firewall in, taking it out.  Bla Bla bla bla.  A lot of manual config changes.  Thank god it's only 2 lines of code and clearing of the routing tables.

Anyway.  Here is what I have found.   

When I put the firewall on the network, I can not ping through it. I can not get any data through it at all.

But.... If I take it, leave the config on it and put a PC on one end and a server on the other, I can ping till my heart's content.  I tried to block the ping, but I could not.   Hmm. I thought that was really funny..

Basically, I set up the two to ping each other through the firewall.  I set up 50,000 tries, 1024 in size. Then I could not stop the pings from either side.  Now I am really perplexed...

Any Ideas on that one??

UltraZero

Sooo.  am I missing something here in regards to the Pix/ASA firewalls??

Is the primary function of the firewall to create a NAT?? So this has to happen, which is where IP addresses are hidden and its firewall check is done??  If so, maybe this is what I am trying to avoid and the avoidance is my problem.

Is anyone running a router with a Pix or ASA where the router is performing the NAT and the tunnel, as opposed to the router performing the tunnel and the firewall performing the NAT??

I am trying to do the NAT and the Tunnel on the router.  Is this a problem??


Thanks. 

antillie

That is almost exactly how my setup works.

Internet -> Router -> ASA -> LAN

There is no need to perform NAT on the PIX in IPv4. There is an old copy of the running config of my ASA and my 2621xm here. If you are running 7.x or 8.x code on your PIX the command syntax will be the same as my ASA. Just issue the command "no nat-control" on your PIX and it basically becomes a router with a kick ass firewall engine. (Although it does lack a number of features found on real IOS routers.)

UltraZero

Here is what I have run into.  I have totally been making so many changes, I can't connect anything I setup to the net.  But, funny enough, I plugged this pc to the firewall, gave it the IP address of my last config and here I am.  I don't believe it.

This to me is saying there is something wrong with maybe my routes.  I actually thought my connection was slower.  Much slower, till I connected to He.net.  Fired right in here.   I was just on speedtest and my speed was around 3 to 5 mps.  I wonder if that is because of how slow this machine is.  (P4 1.5)  Anyway.  I'll take a look at the config.  Maybe I can see something I am missing.

I need to get some protection before I go to the next step.   Boy.. That didn't sound right.. Hmmm.


Anyway....  I'll take a look.

UltraZero

Hi.  Did I not detect any IPv4 numbers in this configuration??? (Yes in the interfaces)

Only IPv6 correct.  I didn't see any routing statements on the 26xx for IPv4..




antillie

It gets its default gateway for IPv4 via DHCP from my ISP. The routes to the rest of the LAN are learned via EIGRP from the ASA 5505.

cerberus#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 70.114.32.1 to network 0.0.0.0

     70.0.0.0/19 is subnetted, 1 subnets
C       70.114.32.0 is directly connected, FastEthernet0/1
D    192.168.200.0/24 [90/30720] via 10.1.1.2, 4w2d, FastEthernet0/0
C       10.1.1.0/30 is directly connected, FastEthernet0/0
D    192.168.100.0/24 [90/30720] via 10.1.1.2, 4w2d, FastEthernet0/0
S*   0.0.0.0/0 [254/0] via 70.114.32.1

So the whole config is dual stack.

UltraZero

#23
Sorry.  Been out of town.  

Here is my problem.  The pix is currently removed from the network.  When I put the pix on the network and plug a PC directly into it, I can get it to work.  When I connect a router behind it, I can not seem to get data to pass through.  I can't ping through it (I do have an access list enabled to allow icmp)  With a PC directly connected, I can ping and access the internet.

When I connect my router, I can ping to that router, but not through the router.   I have not been able to figure out what the problem is.   I'd like to get this unit online before I proceed with the next steps in regards to the tunnel process.

The connection from the first router to the pix is a crossover cable.   The same crossover cable works with the PC with no problem.  This is normal, correct?

I could not get the unit to connect via straight through cables.

Here is my config for the pix.  It's pretty much box stock.

Let me know what you think.  thanks

# sho run

Heelee
: Saved
:
PIX Version 7.22
!
hostname blabla
domain-name meme.com
enable password x4go3523498oomurw2 encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 100
ip address 192.168.x.253 255.255.255.0
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.x.254 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd 9R38u3jIyI.2erAp encrypted
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.x.254
domain-name truckland.com
access-list acl_out extended permit icmp any any
pager lines 28
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 192.168.x.0 255.255.255.0
access-group acl_out in interface outside
!
router eigrp 5
network 192.168.x.0 255.255.255.0
network 192.168.x.0 255.255.255.0
!
router rip
network 192.168.x.0
network 192.168.x.0
version 2
!
route outside 0.0.0.0 0.0.0.0 192.168.x.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.x.253 255.255.255.255 inside
http 192.168.x.0 255.255.255.0 inside
http 192.168.x.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
 message-length maximum 512
policy-map global_policy
class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect netbios
 inspect rsh
 inspect rtsp
 inspect skinny
 inspect esmtp
 inspect sqlnet
 inspect sunrpc
 inspect tftp
 inspect sip
 inspect xdmcp
!
service-policy global_policy global
ntp server 192.5.41.41 prefer
ntp server 192.5.41.209
username blabla password Wxujocni35cRj5fA encrypted privilege 15
prompt hostname context
Cryptochecksum:4GdKR4z7zm9tn4l74ym7o9748796o3T91A
: end


antillie

#24
Well the first thing I see is you have the same security level set on both of your interfaces. This can cause the PIX to drop traffic. I would set the outside to "0".

What do the route tables look like on the PIX and both routers when you have them all connected? Do you get proper RIP and/or EIGRP adjacencies between peer devices? Also, how did you get EIGRP working on PIX 7.22? I was under the impression that EIGRP was only available in 8.0 and later.

If the router and the PIX can ping each other then a crossover cable is fine.

UltraZero

#25
I thought by setting all ports to 100, there would not be any processing done on them.  (firewall will act neutral as far as running the firewall algorithm against the port)

I actually tried setting it up this way. The results were the same.

I'll try again since this is a fresh install.  

re: the cross over cable.

Funny. I thought so too.  When I connect the PC to the Firewall, all seems well.  Although, pinging response is cut down really slow.

UltraZero

#26
Here is my router config


hostname myohmy
!
boot-start-marker
boot system flash:c2600-advipservicesk9-mz.123-8.bin
boot-end-marker
!
enable secret 5 $1$MZ68246$b/7/J7z6k9TB.
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip domain name mymy.com
ip name-server 209.57.222.252
ip name-server 209.57.222.242
!
ipv6 unicast-routing
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username woops password 7 34563R6DTW981e493BAGAGAFG
!
!
!
!
!
!
!
interface Loopback0
no ip address
ipv6 enable
!
!
interface FastEthernet0/0
ip dhcp client hostname goonie
ip address dhcp
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
ipv6 enable
!
interface BRI0/0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0/1
description Network Conection from Firewall to Home Network
ip address 192.168.X.254 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
ipv6 address
ipv6 enable
ipv6 rip ipv6 enable
ipv6 ospf 1 area 0
!
router eigrp 5
network 192.168.X.0
auto-summary
!
router rip
version 2
network 192.168.X.0
neighbor 192.168.X.254
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 192.168.x.0 255.255.255.0 192.168.x.253
!
ip dns server
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.0.0.0 0.255.255.255
access-list 104 permit tcp any any eq echo established
access-list 104 permit tcp any any eq
access-list 104 permit tcp any any eq
access-list 104 permit ip any any
access-list 104 permit 41 any any
access-list 104 deny   tcp any any eq  established log
access-list 104 deny   tcp any any eq  established log
access-list 104 deny   tcp any any eq  established log
access-list 104 deny   tcp any any eq  established log
access-list 104 deny   tcp any any eq  established log
access-list 104 deny   ip 172.16.0.0 0.0.255.255 any log
access-list 104 deny   ip 10.0.0.0 0.0.255.255 any log
access-list 104 deny   ip 224.0.0.0 0.31.255.255 any log
ipv6 route 2001:000:0001::/64 FastEthernet0/0
ipv6 route ::/0 Tunnel0
ipv6 router ospf 1
log-adjacency-changes
!
ipv6 router rip ipv6
!
ipv6 router rip process1
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
password you must be serious
login
line aux 0
line vty 0 15
login
transport input telnet
!
ntp clock-period 17180388
ntp server 192.5.41.41 prefer
ntp server 192.5.41.209
!
end

antillie

#27
Well it looks like your EIGRP config is missing its net mask. It's also not redistributing the default route out. And running unauthenticated EIGRP on your internet facing interface really isn't a good idea. It should look something like this:

router eigrp 5
redistribute static
passive-interface FastEthernet0/0
network 192.168.100.0 0.0.0.255
auto-summary

My guess is that this is preventing your PIX from peering with the router and/or getting a default gateway from it. You can check by looking at the PIX's route table and its EIGRP neighbor table. Also, is there a reason you are running both RIP and EIGRP in IPv4? You really only need one. Personally I would turn off RIP since it sucks. And unless you have another RIPv6 or OSPFv3 capable router I would also turn off RIP and OSPF for IPv6 as well.

Oh, and make sure you have issued the command "no nat-control" on your PIX and set the security level of the outside interface to something less than 100. Like 0 for example. Setting two interfaces to the same level does not stop the PIX from processing packets sent through them through its stateful inspection engine. It just messes with how permit and deny decisions are made based on whether or not you have "same-security-traffic permit inter-interface" in your config.
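As an added example (my own code, not Cisco's tooling and not from anyone in this thread), here is a small Python linter that reads a PIX/ASA "show run" dump and flags the two settings antillie called out above: interfaces sharing a security level with no "same-security-traffic permit inter-interface" line, an "outside" interface that is not below the others, and an explicit "nat-control". It assumes the dump has the block layout shown in this thread (an "interface" line, its sub-commands, then a bare "!"). The sample config is an abridged copy of the PIX config posted above, with the poster's redacted 192.168.x addresses kept as they are; the set_security_level helper is mine and shows the corrected setting next to the weak one.

```python
"""Lint a PIX/ASA 'show running-config' dump for the inter-interface
problems discussed in this thread. Added example; not Cisco tooling."""
from dataclasses import dataclass
from typing import Optional

# Abridged copy of the config posted above. The 192.168.x addresses are the
# poster's own redactions; the linter never parses them.
SAMPLE_PIX_CONFIG = """\
PIX Version 7.22
!
interface Ethernet0
 nameif outside
 security-level 100
 ip address 192.168.x.253 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.x.254 255.255.255.0
!
access-list acl_out extended permit icmp any any
nat (inside) 0 192.168.x.0 255.255.255.0
access-group acl_out in interface outside
"""

@dataclass
class Interface:
    name: str
    nameif: Optional[str] = None
    security_level: Optional[int] = None

def parse_interfaces(config: str) -> list:
    """Collect nameif / security-level for each 'interface' block.
    A block ends at a bare '!' line, as in 'show run' output."""
    interfaces, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Interface(name=line.split(None, 1)[1])
            interfaces.append(current)
        elif line == "!":
            current = None
        elif current is not None:
            if line.startswith("nameif "):
                current.nameif = line.split(None, 1)[1]
            elif line.startswith("security-level "):
                current.security_level = int(line.split()[1])
    return interfaces

def lint(config: str) -> list:
    """Return findings, each prefixed with a stable tag (SAME-LEVEL, ...)."""
    findings = []
    flat = {ln.strip() for ln in config.splitlines()}
    named = [i for i in parse_interfaces(config)
             if i.nameif and i.security_level is not None]
    # 1. Interfaces at the same level need the explicit same-security permit;
    #    without it the PIX/ASA drops traffic between them.
    by_level = {}
    for i in named:
        by_level.setdefault(i.security_level, []).append(i.nameif)
    permits_same = "same-security-traffic permit inter-interface" in flat
    for level, names in sorted(by_level.items()):
        if len(names) > 1 and not permits_same:
            findings.append(f"SAME-LEVEL: {', '.join(names)} all at "
                            f"security-level {level} with no "
                            "'same-security-traffic permit inter-interface'")
    # 2. 'outside' is the untrusted side and should sit below every other
    #    named interface (0 is the usual value).
    outside = next((i for i in named if i.nameif == "outside"), None)
    if outside is not None:
        not_below = [i.nameif for i in named
                     if i is not outside and i.security_level <= outside.security_level]
        if not_below:
            findings.append(f"OUTSIDE-LEVEL: outside is at {outside.security_level}, "
                            f"not below {', '.join(not_below)}")
    # 3. With nat-control enabled, inside-to-outside traffic needs a NAT rule;
    #    the advice in this thread is 'no nat-control'.
    if "nat-control" in flat:
        findings.append("NAT-CONTROL: nat-control is enabled")
    return findings

def set_security_level(config: str, nameif: str, level: int) -> str:
    """Return a copy of config with the named interface's security-level changed."""
    target = next((i.name for i in parse_interfaces(config) if i.nameif == nameif), None)
    if target is None:
        raise ValueError(f"no interface with nameif {nameif!r}")
    out, in_block = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_block = line.split(None, 1)[1] == target
        elif line == "!":
            in_block = False
        elif in_block and line.startswith("security-level "):
            indent = raw[:len(raw) - len(raw.lstrip())]   # keep original indent
            raw = f"{indent}security-level {level}"
        out.append(raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_PIX_CONFIG)))
    print("after fix:", lint(set_security_level(SAMPLE_PIX_CONFIG, "outside", 0)) or "clean")
```

Run it on the sample and it reports SAME-LEVEL and OUTSIDE-LEVEL; after set_security_level(..., "outside", 0) both findings disappear, which is the change antillie suggests. Adding the same-security-traffic line instead only clears the SAME-LEVEL finding, since outside would still be as trusted as inside.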

UltraZero

Thanks for the reply.

I will give this a shot. I have made so many changes it's kinda gotten out of hand.  Test lab though.

Between the tunnel, switching routers around, adding multiple routers, adding multiple vlans, adding new switches, dealing with a 200 foot cabling issue, moving the equipment to a different location in the house, it has gotten kind of silly.   My config didn't look like this though and it seemed to work without a hitch.  Kinda like now.  I don't have the pix in place and it's not complaining.   Rip and EIGRP updates are happening.

Anyway.  I'm by no means a wiz at this, but I really enjoy working with it. I also appreciate yours and any help I receive.

Thank  You..

I've got to go out for a while. I'll be back and let you know what I find.

Thanks


UltraZero

Hi there.  I tried the config changes and the results are the same.

Hmm.  I wonder why the PC can connect via the firewall and the network can not.