
Basic PIX setup required.

Status
Not open for further replies.

leaky5

Technical User
May 20, 2009
4
GB
I have been 'left' a half-configured pair of PIXes to finish configuring.

It has interfaces set up, IP any any ACLs and matching access-group statements.

But I can't connect from the outside (sec level 0) network through to the inside (sec level 100) network.

I am not worried about security at this point or NATing any IP's, I just need to create a flow through the box.

I am guessing it is something to do with statics, NATs or globals.

Can someone please help with these basic commands.
 
Can you post your scrubbed config?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hopefully there is enough info here; I have cut out all the rubbish. At the moment it is working from DMZ to Inside, but I think that was more luck than judgement: I made the inside sec level lower than the DMZ one.


PIX Version 7.2(4)

interface Ethernet1
nameif inside
security-level 40
ip address 10.143.145.201 255.255.255.248 standby 10.143.145.202
interface Ethernet2
nameif DMZ
security-level 50
ip address 10.183.101.1 255.255.255.128 standby 10.183.101.2

interface Ethernet5
description LAN Failover Interface

access-list outside_access_in extended permit ip any any log errors
access-list DMZ_in extended permit ip any any log errors
access-list DMZ_in extended permit icmp any any log errors
access-list nonat extended permit ip any any
access-list inside_access_in extended permit ip any any log errors
access-list inside_access_in extended permit icmp any any log errors

failover
failover lan unit primary
failover lan interface faillink Ethernet5
failover lan enable
failover interface ip faillink 192.168.1.1 255.255.255.0 standby 192.168.1.2
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/
asdm history enable
arp timeout 14400
nat-control

nat (inside) 0 0.0.0.0 0.0.0.0
nat (DMZ) 0 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_in in interface DMZ

route inside 10.143.120.0 255.255.254.0 10.133.145.206 1

http server enable
http 0.0.0.0 0.0.0.0 Darzi_DMZ
http 0.0.0.0 0.0.0.0 inside
http 10.133.145.211 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 outside

telnet 0.0.0.0 0.0.0.0 inside

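What the posted config usually comes down to on a 7.2 PIX, as an added configuration example that is not from the thread or from any reply in it: with nat-control on, a connection started on a lower-security interface is dropped before the ACL is checked unless the inside host has a translation the PIX can match inbound, and plain "nat 0 0.0.0.0 0.0.0.0" only covers connections started from the inside. The example reuses the subnets, ACL names and admin host from the posted config; the "nonat_dmz" ACL name, the host 10.143.145.203 and the ports are constructed placeholders, and the inside LAN 10.143.120.0/23 is taken from the posted route.

```cisco
! Added example, not the original config. The two lines below are what the
! posted config has today: dynamic identity NAT, which only lets the
! inside/DMZ side start connections (outside -> inside has no xlate).
nat-control
nat (inside) 0 0.0.0.0 0.0.0.0
nat (DMZ) 0 0.0.0.0 0.0.0.0
!
! Fix: NAT exemption with an access-list. Unlike bare "nat 0", a nat 0 that
! references an ACL is bidirectional, so outside and DMZ hosts may initiate
! to the listed inside subnets. The "nonat" ACL already exists in the posted
! config but is never referenced; narrow it from "ip any any" to the real
! inside ranges (the /29 on Ethernet1 and the /23 behind the inside route).
no access-list nonat extended permit ip any any
access-list nonat extended permit ip 10.143.145.200 255.255.255.248 any
access-list nonat extended permit ip 10.143.120.0 255.255.254.0 any
access-list nonat_dmz extended permit ip 10.183.101.0 255.255.255.128 any
nat (inside) 0 access-list nonat
nat (DMZ) 0 access-list nonat_dmz
! Alternative to the ACL exemption: an identity static for the inside /29.
! static (inside,outside) 10.143.145.200 10.143.145.200 netmask 255.255.255.248
! NAT/static changes only take effect for new xlates.
clear xlate
!
! Put inside back above the DMZ so the DMZ is the less-trusted side and the
! ACLs, not an inverted security level, decide what crosses.
interface Ethernet1
 security-level 100
interface Ethernet2
 security-level 50
!
! Replace "permit ip any any" with the flows that are actually needed.
! Host and ports are placeholders; the real ones are not on the page.
no access-list outside_access_in extended permit ip any any log errors
access-list outside_access_in extended permit tcp any host 10.143.145.203 eq 443
no access-list DMZ_in extended permit ip any any log errors
access-list DMZ_in extended permit tcp 10.183.101.0 255.255.255.128 host 10.143.145.203 eq 1433
access-list DMZ_in extended permit icmp 10.183.101.0 255.255.255.128 any echo
!
! Management: no HTTP/telnet on outside or from "any"; pin it to the admin
! host (10.133.145.211 is the host already listed in the posted config).
no http 0.0.0.0 0.0.0.0 outside
no http 0.0.0.0 0.0.0.0 inside
no http 0.0.0.0 0.0.0.0 Darzi_DMZ
http 10.133.145.211 255.255.255.255 inside
no telnet 0.0.0.0 0.0.0.0 inside
ssh 10.133.145.211 255.255.255.255 inside
```

Apply the nat and access-list lines in configuration mode on the active unit so failover replicates them; "ssh ... inside" needs an RSA key generated first ("crypto key generate rsa").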
 
OK, I know that you said that security doesn't matter at this point, but I have to ask what the purpose of the device is if it is wide open? There's no question that we can get it functioning with only the necessary ports open and necessary services available, but you have to be willing to basically start over with the config.

 
The whole network was in the process of being redesigned/implemented when the previous engineer left, I have only worked for the company for a few weeks and had to pick it up.

In effect there are 2 internal networks, DMZ and Inside, and then a connection out to the company network; this is currently via the inside network. The plan is to eventually have Outside as the company network, with both DMZ and Inside being through the firewall.

We are not talking about internet connectivity through this, only company traffic. I do not have the resources to completely finish the network before Monday, when users on DMZ go live 24/7.

I just need to get DMZ talking through the firewall to Inside and the company network and vice versa. For now, if I had the time I would probably just have created a new routed VLAN on the Inside switches and connected the DMZ switches into that.
 
Ok, is the DMZ going to be a true DMZ meaning all resources available on it need to be treated as vulnerable and only certain ports/services should be available from the DMZ to the inside??

 