Question : Veritas Backup Exec & PIX 515
We are running a PIX 515E firewall, OS version 7.0(2). This has been up and running for many months now. Recently I started trying to configure Veritas Backup Exec version 9.1 rev. 4691 to back up all our servers in the LAN and in the DMZ. I have opened ports on the firewall per documentation found online, but I am still unable to push the Remote Agent from the Backup Exec Media server (which is in the LAN) to any server in the DMZ. From the Backup Exec Media server, I can however see DMZ servers by way of \\IP.ADDRESS\SHARE.NAME from Run. But, when I try to manually push the Remote Agent, I receive the error message that the user name / password are not correct. Suggestions, save the user name / password actually being incorrect? All servers in question are Windows 2000 or 2003 Server. Below is my redacted PIX config. Thanks.
: Saved
:
PIX Version 7.0(2)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.248.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
hostname pixfirewall
domain-name default.domain.invalid
ftp mode passive
dns retries 2
dns timeout 2
dns domain-lookup outside
dns name-server XXX.XXX.XXX.XXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DMZ_ALL
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
object-group network DMZ_HTTP
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
object-group network DMZ_HTTPS
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
object-group network DMZ_ORACLE
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
object-group network DMZ_ORACLEFAC
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
object-group network DMZ_POP3
 network-object host XXX.XXX.XXX.XXX
object-group network DMZ_SMTP
 network-object host XXX.XXX.XXX.XXX
object-group network DMZ_SSH
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
object-group network DMZ_MACADMIN
 network-object XXX.XXX.XXX.XXX 255.255.255.255
 network-object XXX.XXX.XXX.XXX 255.255.255.255
 network-object XXX.XXX.XXX.XXX 255.255.255.255
object-group network DMZ_HTTP_real
 network-object 10.0.0.131 255.255.255.255
 network-object 10.0.0.132 255.255.255.255
 network-object 10.0.0.133 255.255.255.255
 network-object 10.0.0.134 255.255.255.255
 network-object 10.0.0.135 255.255.255.255
 network-object 10.0.0.136 255.255.255.255
 network-object 10.0.0.137 255.255.255.255
 network-object 10.0.0.138 255.255.255.255
 network-object 10.0.0.139 255.255.255.255
 network-object 10.0.0.141 255.255.255.255
 network-object 10.0.0.142 255.255.255.255
 network-object 10.0.0.143 255.255.255.255
 network-object 10.0.0.144 255.255.255.255
 network-object 10.0.0.145 255.255.255.255
 network-object 10.0.0.147 255.255.255.255
 network-object 10.0.0.149 255.255.255.255
 network-object 10.0.0.150 255.255.255.255
 network-object 10.0.0.151 255.255.255.255
object-group network DMZ_HTTPS_real
 network-object 10.0.0.131 255.255.255.255
 network-object 10.0.0.132 255.255.255.255
 network-object 10.0.0.133 255.255.255.255
 network-object 10.0.0.134 255.255.255.255
 network-object 10.0.0.135 255.255.255.255
 network-object 10.0.0.136 255.255.255.255
 network-object 10.0.0.137 255.255.255.255
 network-object 10.0.0.138 255.255.255.255
 network-object 10.0.0.139 255.255.255.255
 network-object 10.0.0.141 255.255.255.255
 network-object 10.0.0.142 255.255.255.255
 network-object 10.0.0.144 255.255.255.255
 network-object 10.0.0.145 255.255.255.255
 network-object 10.0.0.147 255.255.255.255
 network-object 10.0.0.149 255.255.255.255
 network-object 10.0.0.150 255.255.255.255
 network-object 10.0.0.151 255.255.255.255
object-group network DMZ_ORACLE_real
 network-object 10.0.0.137 255.255.255.255
 network-object 10.0.0.138 255.255.255.255
 network-object 10.0.0.139 255.255.255.255
object-group network DMZ_ORACLEFAC_real
 network-object 10.0.0.141 255.255.255.255
 network-object 10.0.0.142 255.255.255.255
object-group network DMZ_POP3_real
 network-object 10.0.0.132 255.255.255.255
object-group network DMZ_SSH_real
 network-object 10.0.0.137 255.255.255.255
 network-object 10.0.0.138 255.255.255.255
 network-object 10.0.0.139 255.255.255.255
 network-object 10.0.0.141 255.255.255.255
 network-object 10.0.0.142 255.255.255.255
 network-object 10.0.0.143 255.255.255.255
 network-object 10.0.0.131 255.255.255.255
 network-object 10.0.0.144 255.255.255.255
 network-object 10.0.0.145 255.255.255.255
 network-object 10.0.0.149 255.255.255.255
object-group network DMZ_MACADMIN_real
 network-object 10.0.0.131 255.255.255.255
 network-object 10.0.0.141 255.255.255.255
 network-object 10.0.0.142 255.255.255.255
object-group service FileShareTCP tcp
 port-object eq netbios-ssn
 port-object eq 445
object-group service FileShareUDP udp
 port-object eq netbios-ns
 port-object eq netbios-dgm
 port-object eq 445
object-group network InsideLan
 network-object 192.168.1.0 255.255.255.0
access-list ToDmz extended permit tcp any object-group DMZ_HTTP eq www
access-list ToDmz extended permit tcp any object-group DMZ_HTTPS eq https
access-list ToDmz extended permit tcp any object-group DMZ_ORACLE eq 8432
access-list ToDmz extended permit tcp any object-group DMZ_ORACLEFAC eq 5464
access-list ToDmz extended permit tcp any object-group DMZ_POP3 eq pop3
access-list ToDmz extended permit tcp any object-group DMZ_SMTP eq smtp
access-list ToDmz extended permit udp any object-group DMZ_SMTP eq 25
access-list ToDmz extended permit tcp any object-group DMZ_SSH eq ssh
access-list ToDmz extended permit icmp any any
access-list ToDmz extended permit tcp any object-group DMZ_MACADMIN eq 311
access-list ToDmz extended permit tcp any object-group DMZ_MACADMIN eq 625
access-list ToDmz extended permit tcp any object-group DMZ_MACADMIN eq 5900
access-list ToDmz extended permit tcp any object-group DMZ_MACADMIN eq 5988
access-list ToDmz extended permit udp any object-group DMZ_MACADMIN eq 3283
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list FromDmzToLan extended permit icmp any any
access-list InsideToDmz extended permit udp object-group InsideLan object-group DMZ_ALL object-group FileShareUDP
access-list DmzToInside extended permit tcp object-group DMZ_ALL object-group InsideLan range 10051 10075
access-list DmzToInside extended permit tcp object-group DMZ_ALL object-group InsideLan eq 10000
access-list DmzToInside extended permit udp object-group DMZ_ALL object-group InsideLan range 10051 10075
access-list DmzToInside extended permit udp object-group DMZ_ALL object-group InsideLan eq 10000
pager lines 20
logging trap debugging
logging asdm informational
logging host inside 192.168.1.XXX
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool stlvpn-pool 192.168.1.120-192.168.1.140
monitor-interface outside
monitor-interface inside
monitor-interface dmz
icmp permit any outside
icmp permit any inside
icmp permit any dmz
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.131 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.132 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.133 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.134 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.135 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.136 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.137 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.138 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.139 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.141 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.142 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.143 netmask 255.255.255.255
static (dmz,inside) XXX.XXX.XXX.XXX 10.0.0.141 netmask 255.255.255.255
static (dmz,inside) XXX.XXX.XXX.XXX 10.0.0.142 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.144 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.145 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.147 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.149 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.150 netmask 255.255.255.255
static (dmz,outside) XXX.XXX.XXX.XXX 10.0.0.151 netmask 255.255.255.255
access-group ToDmz in interface outside
access-group DmzToInside out interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpntest protocol nt
aaa-server vpntest host 192.168.1.5
 nt-auth-domain-controller XXXXXX
group-policy vpnPolicy internal
group-policy vpnPolicy attributes
 dns-server value 192.168.1.5
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ra-tunnel
 default-domain value XXX.XXX.XXX.XXX
 split-dns value XXX.XXX.XXX.XXX
username xxxxxx password /xxxxxxxxxxxxx encrypted
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set stl-ra-set esp-3des esp-md5-hmac
crypto dynamic-map stl1-ra-map 15 set transform-set stl-ra-set
crypto map pix1map 99 ipsec-isakmp dynamic stl1-ra-map
crypto map pix1map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
isakmp nat-traversal 20
telnet 192.168.1.XXX 255.255.255.255 inside
telnet 192.168.1.XXX 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.150-192.168.1.254 inside
dhcpd dns XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
tunnel-group stl-remote type ipsec-ra
tunnel-group stl-remote general-attributes
 address-pool stlvpn-pool
 authentication-server-group vpntest
 default-group-policy vpnPolicy
tunnel-group stl-remote ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxx
: end
Answer : Veritas Backup Exec & PIX 515
So, it appears you already have a syslog destination configured. Now just enable logging and look in the logs for "106023" - that should point you to the blocked ports.
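To make the suggested log check concrete, here is a small added Python script (not from the answer above or from Cisco) that parses PIX/ASA 106023 "Deny ... by access-group" messages and groups the blocked flows by ACL, protocol and destination. The log lines are constructed sample data; the port sets come from the FileShareTCP and DmzToInside entries in the question's config.

```python
import re
from collections import Counter

# Regex for the 106023 deny message. The ICMP variant carries
# "(type N, code N)" instead of ports, so the ports are optional.
DENY_RE = re.compile(
    r"%(?:PIX|ASA)-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))? "
    r"(?:\(type \d+, code \d+\) )?"
    r"by access-group \"?(?P<acl>[\w-]+)\"?"
)

# Ports the question's config opens for the backup path: FileShareTCP
# (netbios-ssn 139, 445) and DmzToInside (tcp 10000, 10051-10075).
FILESHARE_TCP = {139, 445}
BACKUP_EXEC_TCP = {10000} | set(range(10051, 10076))

# Constructed sample syslog lines (addresses are sample values only).
SAMPLE_LOG = """\
Jan 10 2006 10:15:01 pixfirewall %PIX-4-106023: Deny tcp src inside:192.168.1.50/3001 dst dmz:10.0.0.131/445 by access-group "InsideToDmz" [0x0, 0x0]
Jan 10 2006 10:15:01 pixfirewall %PIX-4-106023: Deny tcp src inside:192.168.1.50/3002 dst dmz:10.0.0.131/139 by access-group "InsideToDmz" [0x0, 0x0]
Jan 10 2006 10:15:02 pixfirewall %PIX-4-106023: Deny tcp src dmz:10.0.0.131/1055 dst inside:192.168.1.50/10080 by access-group "DmzToInside" [0x0, 0x0]
Jan 10 2006 10:15:03 pixfirewall %PIX-6-302013: Built outbound TCP connection 12345 for dmz:10.0.0.131/445 (10.0.0.131/445) to inside:192.168.1.50/3003 (192.168.1.50/3003)
Jan 10 2006 10:15:04 pixfirewall %PIX-4-106023: Deny icmp src outside:203.0.113.9 dst dmz:10.0.0.132 (type 8, code 0) by access-group "ToDmz" [0x0, 0x0]
"""


def parse_deny(line):
    """Return the fields of a 106023 deny message, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def classify(rec):
    """Label a denied flow by which part of the backup setup it touches."""
    if rec["proto"] == "tcp" and rec["dport"] in FILESHARE_TCP:
        return "file-share port blocked"
    if rec["proto"] == "tcp" and rec["dport"] in BACKUP_EXEC_TCP:
        return "backup exec port blocked"
    return "other"


def summarize(log_text):
    """Count denied flows per (acl, proto, dst interface, dst ip, dst port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_deny(line)
        if rec:
            counts[(rec["acl"], rec["proto"], rec["dif"], rec["dip"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, key, classify(parse_deny(next(l for l in SAMPLE_LOG.splitlines() if key[0] in l and str(key[3]) in l))))
```

Feed it the real syslog file instead of SAMPLE_LOG once `logging enable` is on; the per-ACL counts show which access-group is dropping the agent push.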