29/09/08, 19:32
A Cisco PIX 501 firewall has the configuration below.
Site: www.blablabla.nl:8080
Is not reachable.
How can that be?! What do I need to change to make it reachable?
Written by enable_15 at 16:47:42.432 CET Mon Sep 22 2008
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 Eth0-outside security0
nameif ethernet1 Eth1-inside security99
enable password 3V5EUz4hvMdbfZrn encrypted
passwd 3V5EUz4hvMdbfZrn encrypted
hostname s-PIX
domain-name Kantoor.local
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 1:00 last Sun Oct 1:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 10000
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.14.1 s-01
name 10.10.14.2 s-02
name 10.10.14.253 LWAP54G
name 10.10.14.254 CPF501
name 10.0.0.42 CPF501-outside
name 10.0.0.138 TST570i
name 10.10.14.43 Picasso
name 10.10.14.44 Satellite042-E
name 10.10.14.201 s-W004
name 10.10.14.45 Ilum
access-list Local-ACL permit icmp any any
access-list Local-ACL permit tcp any any eq www
access-list Local-ACL permit tcp any any eq https
access-list Local-ACL permit tcp any any eq ftp
access-list Local-ACL permit tcp any any eq 3389
access-list Local-ACL permit tcp any any eq imap4
access-list Local-ACL permit tcp any any eq 587
access-list Local-ACL permit udp any any eq 6903 log
access-list Local-ACL permit udp any any eq 6901 log
access-list Local-ACL permit udp any any eq 11112 log
access-list Local-ACL permit tcp any host S-01 eq 33890
access-list Local-ACL permit tcp host S-02 any eq 33890 log
access-list Local-ACL permit tcp any host S-01 eq 3390
access-list Local-ACL permit tcp host S-01 any eq domain
access-list Local-ACL permit udp host S-01 any eq domain
access-list Local-ACL permit udp host S-01 any eq ntp
access-list Local-ACL permit tcp host S-01 any eq smtp
access-list Local-ACL permit tcp host S-01 any eq pop3
access-list Local-ACL permit tcp host S-01 any eq 10000
access-list Local-ACL permit tcp host S-01 any eq 4343
access-list Local-ACL permit tcp host S-01 any eq pptp
access-list Local-ACL permit tcp host S-01 any eq 5756 log 7
access-list Local-ACL permit ah host S-01 any
access-list Local-ACL permit esp host S-01 any
access-list Local-ACL permit udp host S-01 eq isakmp any
access-list Local-ACL permit gre host S-01 any
access-list Local-ACL permit tcp host S-02 any eq 19638
access-list Local-ACL permit tcp host S-02 any eq 16667
access-list Local-ACL permit tcp host 10.10.14.202 any eq 5756 log 7
access-list Local-ACL permit tcp host Picasso any eq smtp
access-list Local-ACL permit tcp host Picasso any eq pop3
access-list Local-ACL permit tcp host Picasso any eq pptp
access-list Local-ACL permit ah host Picasso any
access-list Local-ACL permit esp host Picasso any
access-list Local-ACL permit udp host Picasso eq isakmp any
access-list Local-ACL permit gre host Picasso any
access-list Local-ACL permit tcp host Picasso any range 5800 6000
access-list Local-ACL permit tcp host Picasso any eq 33890
access-list Local-ACL permit tcp host Satellite042-E any eq smtp
access-list Local-ACL permit tcp host Satellite042-E any eq pop3
access-list Local-ACL permit tcp host Satellite042-E any eq pptp
access-list Local-ACL permit ah host Satellite042-E any
access-list Local-ACL permit esp host Satellite042-E any
access-list Local-ACL permit udp host Satellite042-E eq isakmp any
access-list Local-ACL permit gre host Satellite042-E any
access-list Local-ACL permit tcp host Satellite042-E any range 5800 6000
access-list Local-ACL permit tcp host Satellite042-E any eq 33890
access-list Local-ACL permit tcp host Satellite042-E any eq 15138
access-list Local-ACL permit tcp host Satellite042-E any eq 15137
access-list Local-ACL permit tcp host Satellite042-E any eq 10000
access-list Local-ACL permit ip host Ilum any
access-list Local-ACL permit tcp host S-W004 any eq 8443
access-list Local-ACL permit tcp host S-W004 any eq nntp
access-list Local-ACL permit tcp host S-W004 any eq domain
access-list Local-ACL permit udp host S-W004 any eq domain
access-list Local-ACL permit tcp host S-W004 any eq smtp
access-list Local-ACL permit tcp host S-W004 any eq pop3
access-list Local-ACL permit tcp host S-W004 any eq pptp
access-list Local-ACL permit ah host S-W004 any
access-list Local-ACL permit esp host S-W004 any
access-list Local-ACL permit udp host S-W004 eq isakmp any
access-list Local-ACL permit gre host S-W004 any
access-list Local-ACL permit tcp host S-W004 any eq 15138
access-list Local-ACL permit tcp host S-W004 any eq 15137
access-list Local-ACL permit tcp host S-W004 any eq 10000
access-list Local-ACL permit tcp host S-W004 any range 5800 6000
access-list Local-ACL permit tcp host S-W004 any eq 19638
access-list Local-ACL permit tcp host S-W004 any eq 33890
access-list Local-ACL deny udp any any log 7
access-list Local-ACL deny tcp any any log 7
access-list Local-ACL deny ip any any log 7
access-list Local-ACL permit tcp any any eq 8080
access-list Local-ACL permit udp any any eq 8080
access-list Internet-ACL permit icmp any any echo-reply
access-list Internet-ACL permit icmp any any time-exceeded
access-list Internet-ACL permit icmp any any unreachable
access-list Internet-ACL permit tcp any host CPF501-outside eq smtp
access-list Internet-ACL permit tcp any host CPF501-outside eq https
access-list Internet-ACL permit tcp any host CPF501-outside eq 3389
access-list Internet-ACL permit tcp any host CPF501-outside eq 3390
access-list Internet-ACL permit tcp any host CPF501-outside eq 10000
access-list Internet-ACL permit tcp any host CPF501-outside eq 4343
access-list Internet-ACL permit tcp any host CPF501-outside eq 8080
access-list Internet-ACL permit tcp host S-01 host CPF501-outside eq 5756
access-list Internet-ACL permit tcp host 10.10.14.202 host CPF501-outside eq 5756
access-list Internet-ACL permit gre any host CPF501-outside
access-list Internet-ACL permit ah any host CPF501-outside
access-list Internet-ACL permit esp any host CPF501-outside
access-list Internet-ACL permit udp any host CPF501-outside eq isakmp
access-list Internet-ACL deny tcp any host CPF501-outside eq www log 3
access-list Internet-ACL deny ip any any log 5
access-list Internet-ACL deny icmp any any log 3
access-list Internet-ACL permit tcp any host 0.0.31.144 eq 8080
access-list Internet-ACL permit udp any host CPF501-outside eq 8080
access-list Internet-ACL permit tcp any host S-02 eq 8080
access-list RAS-ACL permit ip 10.10.14.0 255.255.255.0 10.10.14.0 255.255.255.0
access-list inside_access_in permit tcp any host 0.0.31.144
pager lines 24
logging on
logging timestamp
logging standby
logging monitor informational
logging trap debugging
logging history warnings
logging facility 23
logging host Eth1-inside S-01 6/1468
mtu Eth0-outside 1500
mtu Eth1-inside 1500
ip address Eth0-outside CPF501-outside 255.255.255.0
ip address Eth1-inside CPF501 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool RAS-POOL 10.10.14.32-10.10.14.41
pdm logging informational 100
pdm history enable
arp timeout 14400
global (Eth0-outside) 1 interface
nat (Eth1-inside) 0 access-list RAS-ACL
nat (Eth1-inside) 1 10.10.14.0 255.255.255.0 0 0
static (Eth1-inside,Eth0-outside) tcp CPF501-outside smtp S-01 smtp netmask 255.255.255.255 0 0
static (Eth1-inside,Eth0-outside) tcp CPF501-outside 3390 S-01 3389 netmask 255.255.255.255 0 0
static (Eth1-inside,Eth0-outside) tcp CPF501-outside https S-01 https netmask 255.255.255.255 0 0
static (Eth1-inside,Eth0-outside) tcp CPF501-outside 3389 S-02 3389 netmask 255.255.255.255 0 0
static (Eth1-inside,Eth0-outside) tcp CPF501-outside 4343 S-01 4343 netmask 255.255.255.255 0 0
static (Eth1-inside,Eth0-outside) tcp CPF501-outside 8080 S-02 8080 netmask 255.255.255.255 0 0
access-group Internet-ACL in interface Eth0-outside
access-group Local-ACL in interface Eth1-inside
route Eth0-outside 0.0.0.0 0.0.0.0 TST570i 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server VPN-AAA protocol radius
aaa-server VPN-AAA (Eth1-inside) host S-01 Villeroy&Boch timeout 5
aaa authentication include gre Eth0-outside CPF501-outside 255.255.255.255 0.0.0.0 0.0.0.0 VPN-AAA
aaa authentication include esp Eth0-outside CPF501-outside 255.255.255.255 0.0.0.0 0.0.0.0 VPN-AAA
aaa authentication include gre Eth1-inside CPF501 255.255.255.255 0.0.0.0 0.0.0.0 VPN-AAA
aaa authentication include esp Eth1-inside CPF501 255.255.255.255 0.0.0.0 0.0.0.0 VPN-AAA
aaa authentication ssh console VPN-AAA
ntp server S-01 source Eth1-inside prefer
http server enable
http 10.10.14.0 255.255.255.0 Eth1-inside
snmp-server location Mettlach
no snmp-server contact
snmp-server community Villeroy&Boch
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
auth-prompt prompt Dit toegangspunt gaat trachten u door de domeinserver te laten authoriseren ...
auth-prompt accept Welkom, u bent door de domeinserver geautoriseerd voor toegang op het netwerk.
auth-prompt reject Helaas, de domeinserver heeft uw authenticatie negatief beantwoord. Controleer uw gegevens en/of contacteer uw systeembeheerder.
telnet timeout 5
ssh 10.10.14.0 255.255.255.0 Eth1-inside
ssh timeout 5
console timeout 0
vpdn group VPN-GROUP accept dialin pptp
vpdn group VPN-GROUP ppp authentication pap
vpdn group VPN-GROUP ppp authentication chap
vpdn group VPN-GROUP ppp authentication mschap
vpdn group VPN-GROUP ppp encryption mppe 40 required
vpdn group VPN-GROUP client configuration address local RAS-POOL
vpdn group VPN-GROUP client authentication aaa VPN-AAA
vpdn group VPN-GROUP pptp echo 60
vpdn enable Eth0-outside
vpdn enable Eth1-inside
username bauto password UBV6KksNYQ6BNp7M encrypted privilege 15
username admin password u8JefVIRKyEh/90D encrypted privilege 15
terminal width 80
Cryptochecksum:0bc786b0237fa2cf296bbecf0420919c
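An added example (my code, not the poster's): a first-match evaluator for the Internet-ACL posted above that reports which line decides a given flow and which lines are dead because an earlier line already covers everything they match. It assumes the PIX resolves `name` entries case-insensitively (the ACL writes S-01 while the name table has s-01), knows only the port names this ACL uses, and takes a constructed outside source address.

```python
import ipaddress
# Internet-ACL exactly as posted (wrapped "eq 575 / 6" line re-joined); NAMES has only the entries it uses.
NAMES = {"s-01": "10.10.14.1", "s-02": "10.10.14.2", "cpf501-outside": "10.0.0.42"}
PORTS = {"www": 80, "https": 443, "smtp": 25, "isakmp": 500}
INTERNET_ACL = """\
access-list Internet-ACL permit icmp any any echo-reply
access-list Internet-ACL permit icmp any any time-exceeded
access-list Internet-ACL permit icmp any any unreachable
access-list Internet-ACL permit tcp any host CPF501-outside eq smtp
access-list Internet-ACL permit tcp any host CPF501-outside eq https
access-list Internet-ACL permit tcp any host CPF501-outside eq 3389
access-list Internet-ACL permit tcp any host CPF501-outside eq 3390
access-list Internet-ACL permit tcp any host CPF501-outside eq 10000
access-list Internet-ACL permit tcp any host CPF501-outside eq 4343
access-list Internet-ACL permit tcp any host CPF501-outside eq 8080
access-list Internet-ACL permit tcp host S-01 host CPF501-outside eq 5756
access-list Internet-ACL permit tcp host 10.10.14.202 host CPF501-outside eq 5756
access-list Internet-ACL permit gre any host CPF501-outside
access-list Internet-ACL permit ah any host CPF501-outside
access-list Internet-ACL permit esp any host CPF501-outside
access-list Internet-ACL permit udp any host CPF501-outside eq isakmp
access-list Internet-ACL deny tcp any host CPF501-outside eq www log 3
access-list Internet-ACL deny ip any any log 5
access-list Internet-ACL deny icmp any any log 3
access-list Internet-ACL permit tcp any host 0.0.31.144 eq 8080
access-list Internet-ACL permit udp any host CPF501-outside eq 8080
access-list Internet-ACL permit tcp any host S-02 eq 8080
"""

def _addr(toks):                      # consume 'any' | 'host X' | 'NET MASK', plus optional eq/range port
    ip = lambda t: NAMES.get(t.lower(), t)      # assumption: name lookup treated as case-insensitive
    t = toks.pop(0)
    spec = "0.0.0.0/0" if t == "any" else ip(toks.pop(0)) if t == "host" else f"{ip(t)}/{toks.pop(0)}"
    port = None
    if toks and toks[0] in ("eq", "range"):
        k = 1 if toks[0] == "eq" else 2
        p = [PORTS.get(x) or int(x) for x in toks[1:1 + k]]
        port, toks[:1 + k] = (p[0], p[-1]), []  # port range (lo, hi); drop the consumed tokens
    return ipaddress.ip_network(spec, strict=False), port

def parse_acl(text):                  # -> [(line, action, proto, src, sport, dst, dport)]
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        toks = line.split()[2:]       # drop 'access-list <name>'; a trailing 'log ...' is ignored
        rule = (n, toks.pop(0), toks.pop(0)) + _addr(toks) + _addr(toks)
        if rule[2] == "icmp" and toks and toks[0] != "log":   # keep the ICMP type as a pseudo-port
            rule = rule[:6] + ((toks[0], toks[0]),)
        rules.append(rule)
    return rules

def _within(inner, outer):            # port-range containment; None means "any port"
    return outer is None or (inner is not None and outer[0] <= inner[0] <= inner[1] <= outer[1])

def first_match(rules, proto, src, dst, dport=None, sport=None):  # PIX ACLs are first-match
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sp, dp = [None if p is None else (p, p) for p in (sport, dport)]
    for n, action, rp, rsrc, rsp, rdst, rdp in rules:
        if rp in ("ip", proto) and s in rsrc and d in rdst and _within(sp, rsp) and _within(dp, rdp):
            return n, action           # (ACL line number, 'permit' | 'deny')
    return None, "deny"                # implicit deny at the end of every ACL

def shadowed(rules):                  # (line, by_line): an earlier line fully covers it, so it never fires
    covers = lambda e, r: (e[2] in ("ip", r[2]) and r[3].subnet_of(e[3]) and r[5].subnet_of(e[5])
                           and _within(r[4], e[4]) and _within(r[6], e[6]))
    return [(r[0], e[0]) for i, r in enumerate(rules) for e in rules[:i] if covers(e, r)]
```

Run against the posted ACL: tcp to CPF501-outside:8080 is decided by line 10 (permit), udp/8080 and anything addressed to S-02 fall through to the `deny ip any any` on line 18, and lines 19 to 22 are all shadowed by line 18, so the three 8080 lines added after that deny never take effect.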