
Configuration Help PIX 515

Status
Not open for further replies.

yanivyon

Technical User
Mar 2, 2010
4
AT
Hi,
this is my first PIX I have to administrate.

I want to forward ports 80 and 443 from the outside to this server:
name 10.69.1.3 KrSrv3

I have tried these new lines.
They work, but they conflict with my existing configuration by killing my VPN access and my SMTP access to the server:

access-list Exchange permit tcp any any eq www
static (inside,outside) tcp interface www
access-group Exchange in interface outside

This is my current configuration.
Thank you

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmzside security10
enable password ******** encrypted
passwd ******* encrypted
hostname pixfw
domain-name *******
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.69.1.0 HausLan
name 192.168.10.0 DmzLan
name 192.168.100.0 VpnAdminLan
name 192.168.101.0 VpnUserLan
name 193.110.94.32 DsaLan
name 192.168.10.11 VirusWall
name 10.69.1.1 KrSrv1
name 10.69.1.2 KrSrv2
name 10.69.1.93 Usv
name 126.127.128.0 MspLan
name 212.16.60.130 AmetaNet
name 212.16.60.135 AmetaNet2
name 10.69.1.3 KrSrv3
name 188.20.229.25 Router
name 188.20.229.27 MX
object-group network DomainController
network-object host KrSrv1
network-object host KrSrv2
network-object host KrSrv3
object-group network AdminPcs
network-object host KrSrv1
network-object host KrSrv2
network-object host 10.69.1.4
network-object host KrSrv3
object-group service UserServices tcp
port-object eq 3128
port-object eq https
port-object eq ftp
port-object eq 81
object-group service AdmServicesTcp tcp
port-object eq ssh
port-object eq telnet
port-object eq 1812
port-object eq 10000
port-object eq www
port-object eq domain
port-object eq 2301
port-object eq 2381
port-object eq smtp
port-object eq 26
object-group service AdmServicesUdp udp
port-object eq domain
port-object eq ntp
port-object eq time
port-object eq snmp
object-group network EdiReal
network-object host 212.16.60.140
access-list acl_inside permit icmp any any
access-list acl_inside permit tcp HausLan 255.255.255.0 host VirusWall object-group UserServices
access-list acl_inside permit tcp object-group AdminPcs host VirusWall object-group AdmServicesTcp
access-list acl_inside permit udp object-group AdminPcs host VirusWall object-group AdmServicesUdp
access-list acl_inside permit tcp HausLan 255.255.255.0 any eq 3048
access-list acl_inside permit tcp object-group AdminPcs host 193.80.48.89 object-group AdmServicesTcp
access-list acl_inside permit ip host KrSrv2 host VirusWall
access-list acl_inside permit tcp HausLan 255.255.255.0 host AmetaNet eq https
access-list acl_inside permit tcp HausLan 255.255.255.0 host AmetaNet eq www
access-list acl_inside permit tcp HausLan 255.255.255.0 host AmetaNet2 eq https
access-list acl_inside permit tcp HausLan 255.255.255.0 host AmetaNet2 eq www
access-list acl_inside permit tcp host 10.69.1.104 host 62.116.68.195 eq pop3
access-list acl_inside permit tcp host 10.69.1.104 host 62.116.68.196 eq smtp
access-list acl_inside permit tcp host 10.69.1.110 object-group EdiReal
access-list acl_inside deny ip any any
access-list acl_dmzside permit icmp any any
access-list acl_dmzside permit tcp host VirusWall host KrSrv1 eq smtp
access-list acl_dmzside permit tcp host VirusWall host KrSrv3 eq smtp
access-list acl_dmzside permit ip host VirusWall host KrSrv2
access-list acl_dmzside deny ip DmzLan 255.255.255.0 HausLan 255.255.255.0
access-list acl_dmzside permit ip any any
access-list acl_dmzside deny ip any any
access-list acl_outside permit icmp any any echo-reply
access-list acl_outside permit icmp any any time-exceeded
access-list acl_outside permit tcp any host MX eq smtp
access-list acl_outside permit ip MspLan 255.255.255.0 HausLan 255.255.255.0
access-list acl_outside permit ip VpnAdminLan 255.255.255.0 HausLan 255.255.255.0
access-list acl_outside permit ip VpnAdminLan 255.255.255.0 DmzLan 255.255.255.0
access-list acl_outside permit tcp DsaLan 255.255.255.240 host MX eq ssh
access-list acl_outside permit tcp DsaLan 255.255.255.240 host MX eq 1812
access-list acl_outside permit tcp DsaLan 255.255.255.240 host MX eq 10000
access-list acl_outside permit tcp DsaLan 255.255.255.240 host MX eq 81
access-list acl_outside permit icmp any any
access-list acl_outside deny ip any any
access-list no_nat_inside permit ip HausLan 255.255.255.0 DmzLan 255.255.255.0
access-list no_nat_inside permit ip HausLan 255.255.255.0 MspLan 255.255.255.0
access-list no_nat_inside permit ip HausLan 255.255.255.0 VpnAdminLan 255.255.255.0
access-list no_nat_dmzside permit ip DmzLan 255.255.255.0 VpnAdminLan 255.255.255.0
access-list outside_cryptomap_40 permit ip HausLan 255.255.255.0 MspLan 255.255.255.0
access-list acl_vpn_splittunnel permit ip HausLan 255.255.255.0 any
access-list acl_vpn_splittunnel permit ip DmzLan 255.255.255.0 any
pager lines 500
logging on
logging trap warnings
logging history notifications
logging facility 23
logging host dmzside VirusWall
mtu outside 1500
mtu inside 1500
mtu dmzside 1500
ip address outside 188.20.229.26 255.255.0.0
ip address inside 10.69.1.92 255.255.255.0
ip address dmzside 192.168.10.92 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VpnAdminPool 192.168.100.1-192.168.100.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 HausLan 255.255.255.0 0 0
nat (dmzside) 0 access-list no_nat_dmzside
nat (dmzside) 1 DmzLan 255.255.255.0 0 0
static (dmzside,outside) MX VirusWall netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
access-group acl_dmzside in interface dmzside
route outside 0.0.0.0 0.0.0.0 Router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http KrSrv1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 199 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 193.110.94.42
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 199 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 193.110.94.42 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 28800
isakmp policy 199 authentication pre-share
isakmp policy 199 encryption 3des
isakmp policy 199 hash md5
isakmp policy 199 group 2
isakmp policy 199 lifetime 86400
vpngroup kramas-admin-clients address-pool VpnAdminPool
vpngroup kramas-admin-clients dns-server KrSrv1
vpngroup kramas-admin-clients wins-server KrSrv1
vpngroup kramas-admin-clients default-domain karmas.at
vpngroup kramas-admin-clients split-tunnel acl_vpn_splittunnel
vpngroup kramas-admin-clients idle-time 3600
vpngroup kramas-admin-clients password ********
telnet HausLan 255.255.255.0 inside
telnet timeout 5
ssh DsaLan 255.255.255.240 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:83df8ffeba6df11760053e3b5bff7bca
 
Try this:
Code:
access-list acl_outside line 3 extended permit tcp any 188.20.229.26 eq www
access-list acl_outside line 4 extended permit tcp any 188.20.229.26 eq https

static (inside,outside) tcp interface https KrSrv3 https

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I get the error

Code:
ERROR:<extended> not a valid permission
for the first line
 
Don't mix interface and ip references. Stick to one or the other. I've had strange results when mixing them.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
What's this command?
line 3 extended

And I thought I need the access-list name in the static command:

static (inside,outside) tcp interface https KrSrv3 https

Thanks
 
Take out the extended word. It's for a different software version. The ACL goes in the access-group command applied to the interface. You need a PAT static for each port you want forwarded.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi,
am I right on this?

If I add my new rule, it is added after the existing
access-list acl_outside permit icmp any any
line, so it won't work.

What is the correct syntax for this command to put it in front of the deny any any rule?

access-list acl_outside line 3 extended permit tcp any 188.20.229.26 eq www

Thank you
 
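An added example, not code from anyone in this thread: a small Python check of the first-match ordering the last two posts turn on. It numbers each ACL's entries the way PIX 6.3 does, reports where the final ip any any sits so a new rule can be inserted with `line N` ahead of it, flags entries that can never be evaluated (the deny behind the permit ip any any in acl_dmzside), and emits the PAT static plus ACL entry for each forwarded port; the ACL excerpt is constructed from the posted config, and the outside address and KrSrv3 are taken from the thread.

```python
import re

# Constructed excerpt of the posted acl_dmzside and acl_outside entries (object names as in the thread).
PIX_CONFIG = """\
access-list acl_dmzside permit icmp any any
access-list acl_dmzside permit ip any any
access-list acl_dmzside deny ip any any
access-list acl_outside permit icmp any any echo-reply
access-list acl_outside permit tcp any host MX eq smtp
access-list acl_outside permit icmp any any
access-list acl_outside deny ip any any
"""

ACE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*)$")

def parse_acls(config):
    """Group access-list entries by ACL name, in order; PIX 6.3 numbers them from 1 and stops at the first match."""
    acls = {}
    for raw in config.splitlines():
        m = ACE.match(raw.strip())
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
    return acls

def first_catch_all(acls, name):
    """1-based position of the first 'permit/deny ip any any' in the named ACL, or None."""
    for i, (_, proto, rest) in enumerate(acls.get(name, []), 1):
        if proto == "ip" and rest.split() == ["any", "any"]:
            return i
    return None

def unreachable_entries(acls):
    """(ACL, position) of every entry behind a catch-all in the same ACL: it can never be evaluated."""
    dead = []
    for name, entries in acls.items():
        stop = first_catch_all(acls, name)
        if stop:
            dead.extend((name, i) for i in range(stop + 1, len(entries) + 1))
    return dead

def insert_commands(acls, name, outside_ip, inside_host, ports):
    """Per forwarded port: ACL entry inserted with 'line N' ahead of the final deny, plus its PAT static.
    Extending the bound ACL matters: a second access-group on outside replaces it (how VPN/SMTP broke)."""
    line = first_catch_all(acls, name) or len(acls.get(name, [])) + 1
    cmds = []
    for offset, port in enumerate(ports):
        cmds.append(f"access-list {name} line {line + offset} permit tcp any host {outside_ip} eq {port}")
        cmds.append(f"static (inside,outside) tcp interface {port} {inside_host} {port} netmask 255.255.255.255 0 0")
    return cmds
```

Run over the full acl_outside from the posted config, first_catch_all returns 12, so the www entry goes in at line 12 and the https entry at line 13, both ahead of the deny ip any any.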