[c-nsp] Pix config help

Randy randy_94108 at yahoo.com
Sat Apr 14 18:08:49 EDT 2012


--- On Sat, 4/14/12, Gary Smith <lists at l33t-d00d.co.uk> wrote:

> From: Gary Smith <lists at l33t-d00d.co.uk>
> Subject: [c-nsp] Pix config help
> To: cisco-nsp at puck.nether.net
> Date: Saturday, April 14, 2012, 8:22 AM
> Hi there,
> 
> I'm struggling with a Pix configuration issue which has
> really got me scratching my head.
> 
> It seems quite basic, but I've so far got to the end of my
> troubleshooting.
> 
> The Inside interface of the Pix has the network
> 192.168.70.0/24. The outside interface has the network
> 192.168.70.0/24. The next hop from the Pix on the outside is
> 192.168.71.1 (the Pix is at 192.168.71.2). The next hop is a
> 2811.
> On the 2811, I have ACLs set up to allow connection to a
> machine on the inside interface of the Pix (192.168.71.5).
> If I attempt to connect from a machine allowed through on
> the ACL, this works.
> 
> I've also allowed some machines from another internal
> network (but beyond the outside interface on the Pix) (for
> instance, 192.168.50.3) via an ACL to connect to
> 192.168.71.5. To the best of my problem solving skills,
> these are being allowed but aren't actually connecting. And
> this is the bit I'm struggling with. If, for instance, I
> attempt to RDP through, then it's logged at both the 2811
> and the Pix as being allowed (so far as I can see):
> 
> From the Pix:
> 302013: Built inbound TCP connection 7972 for
> outside:192.168.50.3/4992 (192.168.50.3/4992) to
> inside:192.168.70.5/3389 (192.168.71.5/3389)
> From the 2811:
> Apr 14 15:16:58 62.49.229.217 568: 000564: Apr 14 15:16:57:
> %SEC-6-IPACCESSLOGP: list 122 permitted tcp
> 192.168.50.3(4995) -> 192.168.71.5(3389), 1 packet
> 
> For what it's worth, though, the Pix, immediately after
> logging the connection being built doesn't show it in the
> show conn output. With the static output listed in the
> config below, it's always got the relevant info in the
> xlate.
> 
> So, to my understanding, this should work. I think I've
> ruled out the machine as I can connect in from beyond the
> outside interface of the 2811. Similarly, the config rules
> which allow that connection exactly mirror that which I'm
> attempting to use for 192.168.50.3. So what am I doing
> wrong? I've put the relevant bits of the config here:
> 
> 
> Pix bits:
> access-list serverout permit tcp host [machine beyond the
> outside interface of 2811] host 192.168.71.5
> access-list serverout permit tcp host 192.168.50.3 host
> 192.168.71.5
> ip address outside 192.168.71.1 255.255.255.0
> ip address inside 192.168.70.1 255.255.255.0
> static (inside,outside) 192.168.71.5 192.168.70.5 netmask
> 255.255.255.255 0 0
> access-group serverout in interface outside
> 
> Bits from the 2811:
> Extended IP access list 122
>     25 permit ip host 192.168.50.3 host
> 192.168.71.5 log (6 matches)
>     30 permit ip host [machine beyond outside
> interface of the 2811] host 192.168.71.5 log (1029 matches)
>     310 deny ip any any log (69 matches)
> 
> So - any thoughts anyone?
> 
> Gary

Why am I thinking application-inspection is the issue here?

Have you tried -

fixup protocol rdp 3389?

./Randy
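The two log lines quoted in Gary's message (the PIX 302013 "Built inbound TCP connection" and the 2811's %SEC-6-IPACCESSLOGP permit) are the only evidence the thread has, and reading them side by side is the core of the troubleshooting. The following is an added example, not code from the thread: it parses both formats, checks that the router's destination is the PIX mapped (static) address and resolves it to the real inside host, and flags when the two lines are not the same flow. The sample lines are constructed from the shapes shown above; the regexes cover only those message formats.

```python
import re

# Constructed from the shapes of the lines quoted in the thread, not captured live.
PIX_LINE = ("302013: Built inbound TCP connection 7972 for "
            "outside:192.168.50.3/4992 (192.168.50.3/4992) to "
            "inside:192.168.70.5/3389 (192.168.71.5/3389)")
IOS_LINE = ("%SEC-6-IPACCESSLOGP: list 122 permitted tcp "
            "192.168.50.3(4995) -> 192.168.71.5(3389), 1 packet")

# PIX/ASA 302013: "<if>:<real>/<port> (<mapped>/<port>)" for each side of the flow.
PIX_RE = re.compile(
    r"302013: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<src_if>[\w-]+):(?P<src_real>[\d.]+)/(?P<src_port>\d+) \((?P<src_map>[\d.]+)/\d+\) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_real>[\d.]+)/(?P<dst_port>\d+) \((?P<dst_map>[\d.]+)/\d+\)")
# IOS ACL log: "list <acl> permitted|denied <proto> <src>(<port>) -> <dst>(<port>)".
IOS_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")

def parse_pix(line):
    m = PIX_RE.search(line)
    return m.groupdict() if m else None

def parse_ios(line):
    m = IOS_RE.search(line)
    return m.groupdict() if m else None

def correlate(pix, ios):
    """Compare the router's permit with the firewall's connection build.
    The router only ever sees the mapped (static) address; the firewall
    translates it to the real inside host. Returns a list of findings."""
    findings = []
    if ios["action"] != "permitted":
        findings.append("router denied the flow on list %s" % ios["acl"])
    if ios["dst"] != pix["dst_map"]:
        findings.append("router destination %s is not the PIX mapped address %s"
                        % (ios["dst"], pix["dst_map"]))
    if ios["src"] != pix["src_real"] or ios["dport"] != pix["dst_port"]:
        findings.append("source or destination does not match between router and PIX")
    if ios["sport"] != pix["src_port"]:
        # Same src/dst but a different ephemeral port: a retry, not the same attempt.
        findings.append("source ports differ (%s vs %s): different connection attempts"
                        % (ios["sport"], pix["src_port"]))
    if not findings:
        findings.append("one flow: permitted on router, built on PIX to real host %s"
                        % pix["dst_real"])
    return findings

def same_flow(pix, ios):
    """True only when both lines describe the same 5-tuple end to end."""
    return correlate(pix, ios)[0].startswith("one flow")
```

Run against the two quoted lines it reports that the router permit and the PIX build carry different source ports (4995 vs 4992), so they are two separate attempts rather than one flow traced through both boxes.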
