RE: PIX questions [7:53953]
If you are using dynamic NAT/PAT, connections from the outside can't be initiated. If you need the outside world to contact your server/host behind this PIX, make sure that you have a static NAT configured and an access-list or conduit that will allow the port for that application. Static NAT is used for permanent two-way translation.

static (inside,outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255

10.1.1.35 is the real IP address of the FTP server; 192.168.1.35 is how the outside world sees this FTP server (the example would probably be clearer if they used a public IP address instead).

Using nat, global, static, conduit, and access-list Commands and Port Redirection on PIX
http://www.cisco.com/warp/public/707/28.html

Make sure that you understand how, when and why the static command is used on the PIX.

--
Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sim, CT (Chee Tong)
Sent: Tuesday, September 24, 2002 9:48 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX questions [7:53953]

OK.. I think I roughly understand what the problem is now. Let me tell you our PIX setup. We do PAT for every outgoing packet, so the source address is translated to 192.168.5.200 before leaving the external interface of the PIX. So when the outside party tried to make a connection to 192.168.5.200, it was considered outside, as the routing table of the PIX shows that the IP 192.168.5.200 should be routed out via the external interface. Sound logical? But how to solve it, if I don't want this log:

106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000

Another Question2 :) I saw a sentence in a book that I don't understand:

  The combination of the static declaration and the conduit command can allow FTP traffic through your network. You have allowed FTP traffic to the FTP server with the following two lines:

  static (inside,outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0   --(1)
  conduit permit tcp host 192.168.1.35 eq ftp any                               --(2)

I understand the second statement, which means it allows FTP traffic from any outside workstation to connect to 192.168.1.35 in the inside network. But what is the meaning of the first statement? What is the 10.1.1.35 IP for? Why do we need this?

Thanks a lot
Sim

-Original Message-
From: Lidiya White [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 1:39 AM
To: Sim, CT (Chee Tong); [EMAIL PROTECTED]
Subject: RE: PIX questions [7:53953]

The problem here is that the source and destination are both outside. Why? The PIX can't redirect traffic, so even if a conduit is allowing this traffic, the PIX won't let it through unless the src is outside and the dst is inside. You either have a routing issue here or something is misconfigured on the PIX. Use wr term on the PIX to view the current config.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sim, CT (Chee Tong)
Sent: Tuesday, September 24, 2002 10:50 AM
To: [EMAIL PROTECTED]
Subject: PIX questions [7:53953]

I keep having the following log in my PIX. It is very frequent. What does that mean? It seems my PIX denies this connection, but actually I want to allow it now and make it no longer log to the PIX log.

106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001

I tried to clear it by adding the following command in the PIX config to allow the connection to come in. However, I still found the same log in my PIX. What should be the correct command?

conduit permit udp any range 58000 58001 any

Question2- How to show the running-config in PIX? I found whenever I made a change on PIX, I can't see the change when I issue the sh conf command until I do wr mem. What is the PIX equivalent of the router show running-config command?

Thanks a lot
Re: PIX questions [7:53953]
Hi Sim,

There is some flaw in your security policy. Pls check the configuration again. I am enclosing some info from CCO regarding the syslog message 106011:

%PIX-7-106011: Deny inbound (No xlate) chars

Explanation: This is a connection-related message. This message occurs when a packet is sent to the same interface that it arrived on. This usually indicates that a security breach is occurring. When the PIX Firewall receives a packet, it tries to establish a translation slot based on the security policy you set with the global and conduit commands, and your routing policy set with the route command.

Failing both policies, PIX Firewall allows the packet to flow from the higher priority network to a lower priority network, if it is consistent with the security policy. If a packet comes from a lower priority network and the security policy does not allow it, PIX Firewall routes the packet back to the same interface.

To provide access from an interface with a higher security to a lower security, use the nat and global commands. For example, use the nat command to let inside users access outside servers, to let inside users access perimeter servers, and to let perimeter users access outside servers.

To provide access from an interface with a lower security to higher security, use the static and conduit commands. For example, use the static and conduit commands to let outside users access inside servers, outside users access perimeter servers, or perimeter servers access inside servers.

Action: Fix your configuration to reflect your security policy for handling these attack events.

In PIX the running configuration is shown by show config. Any changes made in PIX will be effective only once you write them to memory. There is no such thing as startup and running configuration in PIX. To add to this info, PIX uses an operating system called Finesse, which is different from Cisco IOS.

Hope this helps.

Regards,
Vamsi

- Original Message -
From: Sim, CT (Chee Tong)
To:
Sent: Tuesday, September 24, 2002 4:49 PM
Subject: PIX questions [7:53953]

I keep having the following log in my PIX. It is very frequent. What does that mean? It seems my PIX denies this connection, but actually I want to allow it now and make it no longer log to the PIX log.

106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001

I tried to clear it by adding the following command in the PIX config to allow the connection to come in. However, I still found the same log in my PIX. What should be the correct command?

conduit permit udp any range 58000 58001 any

Question2- How to show the running-config in PIX? I found whenever I made a change on PIX, I can't see the change when I issue the sh conf command until I do wr mem. What is the PIX equivalent of the router show running-config command?

Thanks a lot
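The CCO text above says that 106011 is raised when a packet would have to leave on the interface it arrived on, and the thread's own diagnosis is that the destination is the PAT global address, to which nobody can open an inbound connection. The following Python script is an added example, not from the thread, from Cisco, or from any PIX tool: it parses 106011 lines in the format quoted in the thread, groups them by destination, and says why each group is being denied. The sample log lines are copied from Sim's message; the `pat_globals` set is an assumption that the operator fills in from the PIX `global` lines.

```python
"""Triage PIX '106011: Deny inbound (No xlate)' syslog lines.

Added example: parses the message format quoted in the mailing-list thread,
groups events by destination, flags the same-interface condition that
Cisco's explanation describes, and marks destinations that are PAT global
addresses (which can never accept an unsolicited inbound connection).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Matches the 106011 body as quoted in the thread, with or without the
# "%PIX-7-" severity prefix that the full syslog form carries.
_RE_106011 = re.compile(
    r"(?:%PIX-\d-)?106011:\s*Deny inbound \(No xlate\)\s+(?P<proto>\w+)\s+"
    r"src\s+(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)\s+"
    r"dst\s+(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


@dataclass(frozen=True)
class NoXlateEvent:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int

    @property
    def same_interface(self) -> bool:
        # The condition in Cisco's explanation: the packet would have to go
        # back out the interface it arrived on, so no xlate can be built.
        return self.src_if == self.dst_if


def parse_106011(line: str) -> Optional[NoXlateEvent]:
    """Parse one syslog line; return None for lines that are not 106011."""
    m = _RE_106011.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return NoXlateEvent(g["proto"], g["src_if"], g["src_ip"], int(g["src_port"]),
                        g["dst_if"], g["dst_ip"], int(g["dst_port"]))


Destination = Tuple[str, str, int]  # (interface, address, port)


def triage(lines: Iterable[str],
           pat_globals: frozenset = frozenset()) -> Dict[Destination, dict]:
    """Group 106011 events by destination and explain each group.

    pat_globals: addresses configured as PAT / dynamic 'global' addresses.
    Assumption: the operator copies these from the PIX 'global' lines.
    """
    events = [e for e in map(parse_106011, lines) if e is not None]
    by_dst = Counter((e.dst_if, e.dst_ip, e.dst_port) for e in events)
    findings: Dict[Destination, dict] = {}
    for dst, count in by_dst.items():
        dst_if, dst_ip, dst_port = dst
        group = [e for e in events if (e.dst_if, e.dst_ip, e.dst_port) == dst]
        reasons = []
        if all(e.same_interface for e in group):
            reasons.append(
                "src and dst are both on '%s': a conduit alone cannot help, "
                "the PIX needs a translation mapping %s to an inside host"
                % (dst_if, dst_ip))
        if dst_ip in pat_globals:
            reasons.append(
                "%s is a PAT global address: inbound connections cannot be "
                "initiated to it; give the server a static translation instead"
                % dst_ip)
        findings[dst] = {
            "count": count,
            "sources": sorted({e.src_ip for e in group}),
            "reasons": reasons,
        }
    return findings


# Sample input copied from the log lines quoted in the thread.
SAMPLE_LOG = [
    "106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000",
    "106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000",
    "106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001",
    "106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001",
    "302015: Built outbound UDP connection ...",  # unrelated line, ignored
]

if __name__ == "__main__":
    # 192.168.5.200 is the PAT address from Sim's description of the setup.
    for dst, info in triage(SAMPLE_LOG, frozenset({"192.168.5.200"})).items():
        print("%s:%s/%d  %d hits from %s" % (dst[0], dst[1], dst[2],
                                              info["count"], info["sources"]))
        for r in info["reasons"]:
            print("  -", r)
```

Run against the thread's four lines with `pat_globals={"192.168.5.200"}`, both destination groups get two reasons: the same-interface condition and the PAT-address condition, which is exactly why Sim's `conduit permit udp any range 58000 58001 any` changed nothing.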
Re: PIX questions [7:53953]
Question 2: write term

Sim, CT (Chee Tong) wrote:

I keep having the following log in my PIX. It is very frequent. What does that mean? It seems my PIX denies this connection, but actually I want to allow it now and make it no longer log to the PIX log.

106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001

I tried to clear it by adding the following command in the PIX config to allow the connection to come in. However, I still found the same log in my PIX. What should be the correct command?

conduit permit udp any range 58000 58001 any

Question2- How to show the running-config in PIX? I found whenever I made a change on PIX, I can't see the change when I issue the sh conf command until I do wr mem. What is the PIX equivalent of the router show running-config command?

Thanks a lot

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53967t=53953
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: PIX questions [7:53953]
The problem here is that the source and destination are both outside. Why? The PIX can't redirect traffic, so even if a conduit is allowing this traffic, the PIX won't let it through unless the src is outside and the dst is inside. You either have a routing issue here or something is misconfigured on the PIX. Use wr term on the PIX to view the current config.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sim, CT (Chee Tong)
Sent: Tuesday, September 24, 2002 10:50 AM
To: [EMAIL PROTECTED]
Subject: PIX questions [7:53953]

I keep having the following log in my PIX. It is very frequent. What does that mean? It seems my PIX denies this connection, but actually I want to allow it now and make it no longer log to the PIX log.

106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001

I tried to clear it by adding the following command in the PIX config to allow the connection to come in. However, I still found the same log in my PIX. What should be the correct command?

conduit permit udp any range 58000 58001 any

Question2- How to show the running-config in PIX? I found whenever I made a change on PIX, I can't see the change when I issue the sh conf command until I do wr mem. What is the PIX equivalent of the router show running-config command?

Thanks a lot

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53968t=53953
Re: RE: PIX questions [7:53953]
I had the same problem because of the following: 172.16.64.3 is an IP address in the inside network; however, if someone turns off 172.16.64.3 and someone tries to access the machine, the routing protocol sends it to the default gateway, the PIX. However, the PIX knows that 172.16.0.0 is the inside address range, thus the error message you are getting.

From: Lidiya White
Date: 2002/09/24 Tue PM 01:38:57 EDT
To: [EMAIL PROTECTED]
Subject: RE: PIX questions [7:53953]

The problem here is that the source and destination are both outside. Why? The PIX can't redirect traffic, so even if a conduit is allowing this traffic, the PIX won't let it through unless the src is outside and the dst is inside. You either have a routing issue here or something is misconfigured on the PIX. Use wr term on the PIX to view the current config.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sim, CT (Chee Tong)
Sent: Tuesday, September 24, 2002 10:50 AM
To: [EMAIL PROTECTED]
Subject: PIX questions [7:53953]

I keep having the following log in my PIX. It is very frequent. What does that mean? It seems my PIX denies this connection, but actually I want to allow it now and make it no longer log to the PIX log.

106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001

I tried to clear it by adding the following command in the PIX config to allow the connection to come in. However, I still found the same log in my PIX. What should be the correct command?

conduit permit udp any range 58000 58001 any

Question2- How to show the running-config in PIX? I found whenever I made a change on PIX, I can't see the change when I issue the sh conf command until I do wr mem. What is the PIX equivalent of the router show running-config command?

Thanks a lot

Greg Owens
202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53975t=53953
RE: PIX questions [7:53953]
OK.. I think I roughly understand what the problem is now. Let me tell you our PIX setup. We do PAT for every outgoing packet, so the source address is translated to 192.168.5.200 before leaving the external interface of the PIX. So when the outside party tried to make a connection to 192.168.5.200, it was considered outside, as the routing table of the PIX shows that the IP 192.168.5.200 should be routed out via the external interface. Sound logical? But how to solve it, if I don't want this log:

106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000

Another Question2 :) I saw a sentence in a book that I don't understand:

  The combination of the static declaration and the conduit command can allow FTP traffic through your network. You have allowed FTP traffic to the FTP server with the following two lines:

  static (inside,outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0   --(1)
  conduit permit tcp host 192.168.1.35 eq ftp any                               --(2)

I understand the second statement, which means it allows FTP traffic from any outside workstation to connect to 192.168.1.35 in the inside network. But what is the meaning of the first statement? What is the 10.1.1.35 IP for? Why do we need this?

Thanks a lot
Sim

-Original Message-
From: Lidiya White [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 1:39 AM
To: Sim, CT (Chee Tong); [EMAIL PROTECTED]
Subject: RE: PIX questions [7:53953]

The problem here is that the source and destination are both outside. Why? The PIX can't redirect traffic, so even if a conduit is allowing this traffic, the PIX won't let it through unless the src is outside and the dst is inside. You either have a routing issue here or something is misconfigured on the PIX. Use wr term on the PIX to view the current config.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sim, CT (Chee Tong)
Sent: Tuesday, September 24, 2002 10:50 AM
To: [EMAIL PROTECTED]
Subject: PIX questions [7:53953]

I keep having the following log in my PIX. It is very frequent. What does that mean? It seems my PIX denies this connection, but actually I want to allow it now and make it no longer log to the PIX log.

106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001

I tried to clear it by adding the following command in the PIX config to allow the connection to come in. However, I still found the same log in my PIX. What should be the correct command?

conduit permit udp any range 58000 58001 any

Question2- How to show the running-config in PIX? I found whenever I made a change on PIX, I can't see the change when I issue the sh conf command until I do wr mem. What is the PIX equivalent of the router show running-config command?

Thanks a lot

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54022t=53953