Re: [fw-wiz] PIX 515 7.1 vs: 8.0



Brian,

I don't see an address range defined for the inside. For example:
dhcpd address 192.168.99.10-192.168.99.250 inside

Or the dhcpd enable:
dhcpd enable inside




On 9 March 2011 01:24, Brian Blater <brb.lists@xxxxxxxxx> wrote:
I was recently able to pick up another pix to play with. I currently
have a PIX 515e with 7.1, but this new one comes with 8.0. I'm
wondering if there is something new in the 8.0 version that is working
differently and has me stumped. One difference between the two PIXs I
have is that the new one has a 4 port card for a total of 6 ethernet
ports. I've setup DHCPD on two of the interfaces, but I can't get it
to assign an address to anything connected to those interfaces (dmz
and vonage). Also, if I manually assign an IP to a device on one of
those networks I can't even get out the internet. So, either some ACL
or static mapping is interfering there, but I can't see what I've
messed up. The DMZ port on the PIX 515e with 7.1 just works both with
DHCPD and internet access, but even if I try the same ACLs and statics
on the 8.0 PIX I'm still not getting anything working. Basically I'm
stumped.

I've attached the 8.0 config below. If anyone can give me a hand and
let me know what I'm missing that would be great.

Thanks for your help.

Brian



PIX Version 8.0(4)32
!
hostname brb-pix
domain-name bfamily.org
enable password xxxxxx encrypted
passwd xxxxxxx encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 24.199.216.33 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.99.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.109.1 255.255.255.0
!
interface Ethernet3
 nameif vonage
 security-level 25
 ip address 192.168.149.1 255.255.255.0
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.99.201
 domain-name bfamily.org
access-list outside remark access list for outside
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any unreachable
access-list outside extended permit tcp any any eq https
access-list outside extended permit tcp any any eq 2525
access-list dmz remark access list for dmz
access-list dmz extended permit icmp 192.168.109.0 255.255.255.0 192.168.99.0 255.255.255.0 echo-reply
access-list dmz extended permit icmp 192.168.109.0 255.255.255.0 192.168.99.0 255.255.255.0 unreachable
access-list dmz extended permit udp 192.168.109.0 255.255.255.0 host 192.168.99.201 eq domain
access-list dmz extended permit ip 192.168.109.0 255.255.255.0 any
access-list nonat remark nonat for dmz and inside interfaces
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.109.0 255.255.255.0
access-list nonat extended permit ip 192.168.109.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list nonat extended permit ip 192.168.129.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list vonage remark access list for vonage network
access-list vonage_access_in extended permit ip 192.168.149.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu vonage 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.99.0 255.255.255.0
nat (dmz) 0 access-list nonat
nat (dmz) 1 192.168.109.0 255.255.255.0
nat (vonage) 0 access-list nonat
nat (vonage) 1 192.168.149.0 255.255.255.0
static (dmz,outside) tcp interface https 192.168.109.44 https netmask 255.255.255.255
static (inside,outside) tcp interface 2525 192.168.99.202 smtp netmask 255.255.255.255
static (inside,dmz) 192.168.99.0 192.168.99.0 netmask 255.255.255.0
static (inside,vonage) 192.168.99.0 192.168.99.0 netmask 255.255.255.0
access-group outside in interface outside
access-group dmz in interface dmz
access-group vonage_access_in in interface vonage
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.99.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.99.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.99.0 255.255.255.0 inside
ssh 192.168.109.0 255.255.255.0 dmz
ssh timeout 60
console timeout 0
dhcpd dns 4.2.2.1 8.8.8.8
dhcpd lease 259200
dhcpd ping_timeout 750
dhcpd domain bfamily.org
!
dhcpd address 192.168.109.101-192.168.109.110 dmz
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
dhcpd lease 259200 interface dmz
dhcpd ping_timeout 750 interface dmz
dhcpd domain bfamily.org interface dmz
dhcpd enable dmz
!
dhcpd address 192.168.149.101-192.168.149.110 vonage
dhcpd enable vonage
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username bblater password xxxxxxxxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum 512
policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect netbios
 inspect rsh
 inspect rtsp
 inspect skinny
 inspect esmtp
 inspect sqlnet
 inspect sunrpc
 inspect tftp
 inspect sip
 inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
brb-pix#
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

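A small consistency check for the dhcpd stanzas of a PIX config like the one quoted above, added here as an example (it is not code from the thread or from Cisco). It flags a pool with no matching 'dhcpd enable', a pool outside its interface's subnet, an 'ip address' mask that does not parse, and named interfaces with no pool at all; the config excerpt and the function names are constructed for this example.

```python
import ipaddress

# Constructed excerpt in the shape of the PIX 8.0 config quoted in the thread
# (not the full config); 'dhcpd enable vonage' is deliberately left out.
SAMPLE_CONFIG = """interface Ethernet1
 nameif inside
 ip address 192.168.99.1 255.255.255.0
interface Ethernet2
 nameif dmz
 ip address 192.168.109.1 255.255.255.0
interface Ethernet3
 nameif vonage
 ip address 192.168.149.1 255.255.255.0
dhcpd address 192.168.109.101-192.168.109.110 dmz
dhcpd enable dmz
dhcpd address 192.168.149.101-192.168.149.110 vonage
"""

def parse_config(config):
    """Collect per-nameif subnets, dhcpd pools and dhcpd enables in one pass."""
    ifaces, pools, enabled, findings, name = {}, {}, set(), [], None
    for raw in config.splitlines():
        parts = raw.split()
        if parts[:1] == ["nameif"]:
            name = parts[1]
        elif parts[:2] == ["ip", "address"] and name:
            try:
                ifaces[name] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
            except ValueError:  # e.g. a mistyped mask such as '.255.255.255.248'
                findings.append(f"{name}: unparseable 'ip address {parts[2]} {parts[3]}'")
        elif parts[:2] == ["dhcpd", "address"]:
            lo, hi = (ipaddress.ip_address(a) for a in parts[2].split("-"))
            pools[parts[3]] = (lo, hi)
        elif parts[:2] == ["dhcpd", "enable"]:
            enabled.add(parts[2])
    return ifaces, pools, enabled, findings

def check_dhcpd(config):
    """Lint dhcpd: pool inside its subnet, pool paired with enable, interfaces with no pool."""
    ifaces, pools, enabled, findings = parse_config(config)
    for name, (lo, hi) in pools.items():
        net = ifaces.get(name)
        if net is None or lo not in net or hi not in net:
            findings.append(f"{name}: pool {lo}-{hi} is not inside the interface subnet {net}")
        if name not in enabled:
            findings.append(f"{name}: 'dhcpd address' without 'dhcpd enable {name}'")
    for name in sorted(set(ifaces) - set(pools)):
        findings.append(f"{name}: no dhcpd pool, so the PIX leases nothing on this interface")
    return findings
```

Run it over a saved 'show running-config' to get one line per problem; an empty list means every named interface either has a complete, in-subnet pool or no dhcpd at all.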
