# PIX 501: Odd Traffic Flow - Rule Issues



## emgey007 (May 30, 2009)

Hello,

(IPs have been adjust to represent a testing environment)

I have been spending a lot of time trying to configure my pix 501 firewall to allow full traffic and then later add rules to secure it. I have it mostly working, however I am having issues getting the outside network to talk to the inside network freely. I cannot get any icmp packets through or telnet to any ports (not including port 80 on the inside interface - yes odd).

Network setup: DSL modem (network: 192.168.0.0 gw .1) sits at the front, followed by a netgear router (network: 192.168.1.0 gw .1) then the pix 501 firewall (network: 192.168.2.0 gw .1). The netgear has been given a static route to push traffic wanting to go to 192.168.2.0 to go to 192.168.1.254 pix outside interface.

Outside traffic (192.168.1.0) can reach the outside interface and can do so when pointing to an inside address. The inside can see all networks and can ping. The odd part is if i telnet from a box behind the Pix 501, of course succeeding, i can then access the inside network from the outside network. But untill that happens the outside cannot see the inside.

any idea?

Thank you

Sincerely

~Emgey007


(config posted - keep in mind the address have change to represent a test environment - as well their are a number of access rules in my attempts to succeed)
MGVPNR001# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8G74C7mbN2bQHtnO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname MGVPNR001
domain-name gaet0010.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
object-group icmp-type ICMP_MANAGEMENT
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
access-list inside_access_in permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_in permit tcp 192.168.1.0 255.255.255.0 eq ssh any eq ssh
access-list montclair_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.2.192 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.192 255.255.255.192
pager lines 24
icmp permit 192.168.1.0 255.255.255.0 outside
icmp permit any outside
icmp permit 192.168.2.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.254 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool montclair 192.168.2.200-192.168.2.254 mask 255.255.255.0
pdm location 192.168.2.192 255.255.255.192 outside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.2.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 outside
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup montclair address-pool montclair
vpngroup montclair default-domain gaet0010.com
vpngroup montclair split-tunnel montclair_splitTunnelAcl
vpngroup montclair idle-time 1800
vpngroup montclair password ********
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
console timeout 0
username mgaetano password qfm2QFgX6VwvLryD encrypted privilege 15
terminal width 80
Cryptochecksum:6dba7e49f7fd4e52391e664d03d96b7e
: end
MGVPNR001#


----------

