Configure 506e PIX from scratch


ITidiot (IS-IT--Management), Aug 9, 2005, GB
Hi,

I have just got a Cisco PIX 506e... guess what, I can't configure it! I managed to configure it to allow inside (intranet) traffic to web browse, send email (SMTP) and ping outside. However, trying to set up inbound rules I have completely messed it up. So I need guidance, as I have reset the PIX to factory default in rage!!

Could you please help with the config from scratch? ;)

This is what I require; can you please, please send me the config if possible?

The PIX Details:

- The Cisco PIX is my LAN's default gateway (firewall between my LAN and Internet router).

- The Cisco PIX is sitting behind my Internet router (Cisco 2600). The Internet router's IP is 76.110.66.65 (public IP).

- My LAN's/intranet range is 89.0.0.0/24 (89.0.0.1 to 89.0.0.255), 255 devices on the LAN (255.255.255.0).

- The private IP of the Cisco PIX is 89.0.0.254 (inside address).

- The public IP of the Cisco PIX is 76.100.66.66 (outside address).


The Firewall Rules

- Allow my LAN/intranet to web browse on port 80.

- Allow my LAN/intranet to use ANY FTP site on the Internet.

- Allow my LAN/intranet to use MS Instant Messenger on port(s) ??

- Allow my LAN/intranet to ping, tracert and whois any device on the Internet.

- Allow our sister company (public IP 223.253.45.146) to access our web server (private IP 89.0.0.220) on the following ports: 10000, 22, 21, 80.

- Allow the LAN's email server, 89.0.0.200 (Lotus Domino), to send SMTP email out of the intranet to the Internet (WAN) on port 25.

- Allow the EasyNet email relays to forward SMTP email to our LAN email server on port 25. The EasyNet email relays are two 255-server clusters (subnets): 195.40.1.0/24 (255.255.255.0) and 212.135.6.0/24 (255.255.255.0).
 
Using the PDM to look at the config, the PDM ignores the following commands:

access-list 100 permit icmp any host 76.100.66.66 echo-reply
access-list 100 permit icmp any any time-exceeded

access-list 100 permit tcp host 223.253.45.146 host 76.100.66.66 range ftp ssh
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.66 eq www
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.66 eq 1000
access-list 100 permit tcp 195.40.1.0 255.255.255.0 host 76.100.66.66 eq smtp
access-list 100 permit tcp 212.135.6.0 255.255.255.0 host 76.100.66.66 eq smtp

So basically all my access rules!!! Cisco headaches are strong.
 
First, you're not permitting unsolicited traffic into your network. You still need to add:

access-group 100 in interface outside

to activate your access-list statements.


"Apart from that everything else works"... Strange, since your default route is to a non-connected address:

ip address outside 76.100.66.66 255.255.255.240
route outside 0.0.0.0 0.0.0.0 82.110.66.65

 
lgarner is right. The route outside should be something on the 76.100.66.64/28 network.


What's ADD again?
 
Specifically, it should be your next hop router to the Internet.

What's ADD again?
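Pulling the thread together, this is what a from-scratch configuration for the requirements at the top of the thread looks like, with the two fixes above (the access-group binding and a default route on the connected /28) already applied. It is an added example, not the config that was posted or anything Cisco supplies. It assumes PIX 6.3 syntax on the 506E (ethernet0 outside, ethernet1 inside), that the 2600's inside address is 76.100.66.65 on the same 76.100.66.64/28 as the PIX outside interface, that the hostname and passwords are placeholders to be replaced, and that the sister company's extra port is 10000 as listed in the requirements (the posted ACL says 1000). Because the only public address in play is the outside interface address, the published services are exposed with port redirection on that address, which is also why the inbound ACL names 76.100.66.66 as the destination.

```cisco
! Added example (assumed PIX 6.3 syntax); hostname and passwords are placeholders
hostname pix506e
enable password <set-me>
passwd <set-me>

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 76.100.66.66 255.255.255.240
ip address inside 89.0.0.254 255.255.255.0
! Next hop is the 2600 on the connected /28 (assumed 76.100.66.65)
route outside 0.0.0.0 0.0.0.0 76.100.66.65 1

! Outbound: the whole LAN is PATed behind the outside interface address
global (outside) 1 interface
nat (inside) 1 89.0.0.0 255.255.255.0 0 0

! Inbound: publish the web server (21, 22, 80, 10000) and Domino (25) by
! port redirection on the outside interface address
static (inside,outside) tcp interface ftp 89.0.0.220 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 89.0.0.220 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 89.0.0.220 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10000 89.0.0.220 10000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 89.0.0.200 smtp netmask 255.255.255.255 0 0

! Inbound ACL on the outside interface. PIX 6.x does not track ICMP statefully,
! so the replies to the LAN's ping/tracert have to be permitted explicitly;
! everything is PATed to .66, so "host 76.100.66.66" is tighter than "any".
access-list 100 remark replies to ping and tracert from the LAN
access-list 100 permit icmp any host 76.100.66.66 echo-reply
access-list 100 permit icmp any host 76.100.66.66 time-exceeded
access-list 100 permit icmp any host 76.100.66.66 unreachable
access-list 100 remark sister company to the web server on 21, 22, 80, 10000
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.66 range ftp ssh
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.66 eq www
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.66 eq 10000
access-list 100 remark EasyNet relays to the Domino server
access-list 100 permit tcp 195.40.1.0 255.255.255.0 host 76.100.66.66 eq smtp
access-list 100 permit tcp 212.135.6.0 255.255.255.0 host 76.100.66.66 eq smtp
! Without this line the ACL above is never evaluated (implicit deny stays in force)
access-group 100 in interface outside

! Outbound ACL on the inside interface: only what the requirements list asks for.
! DNS (53/udp) is needed or nothing resolves; MSN Messenger signs in on 1863/tcp;
! whois is 43/tcp; only the Domino server may talk SMTP outbound.
access-list inside_out permit udp 89.0.0.0 255.255.255.0 any eq domain
access-list inside_out permit tcp 89.0.0.0 255.255.255.0 any eq www
access-list inside_out permit tcp 89.0.0.0 255.255.255.0 any eq ftp
access-list inside_out permit tcp 89.0.0.0 255.255.255.0 any eq 1863
access-list inside_out permit tcp 89.0.0.0 255.255.255.0 any eq 43
access-list inside_out permit icmp 89.0.0.0 255.255.255.0 any echo
access-list inside_out permit tcp host 89.0.0.200 any eq smtp
access-group inside_out in interface inside

! Manage with PDM from the inside only
http server enable
http 89.0.0.0 255.255.255.0 inside
logging on
logging buffered warnings
```

Three caveats a practitioner would want before pasting this in. First, redirecting port 22 on the outside address to 89.0.0.220 means the PIX itself cannot also accept SSH management on the outside interface, so keep management (PDM, SSH) on the inside as above. Second, the default `fixup protocol smtp 25` (Mailguard) only passes RFC 821 commands and is a common cause of failing ESMTP sessions with Lotus Domino; if the EasyNet relays fail to deliver once the ACL is in place, `no fixup protocol smtp 25` is the usual first thing to check. Third, 89.0.0.0/24 is publicly routable address space, not RFC 1918 space, so any Internet host that really lives in 89.0.0.0/24 becomes unreachable from this LAN; if the addressing can still be changed, a 10.x or 192.168.x range avoids that. Without the `access-list inside_out` section the PIX allows everything outbound from the inside by default, which matches what the poster saw working before the ACL was bound; the egress list simply narrows that to the stated requirements (HTTPS on 443 is not in them, so it is deliberately absent here).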
 
It works! All the rules are working really well.

Thank you so so much!

Will I have to add any more rules when I set up VPN access for users to gain full, unrestricted access to our LAN?

Are you interested in helping me set up the VPN connections? Or do you want a break and to put your feet up?

Thanks once again, Rowland

 
Thank lgarner too!

And yes you'll have to set additional rules when you get around to implementing the VPN.

Give me a day or two and I'll be glad to help on the VPN.

Thanks,
Roland

What's ADD again?
 
Oh yes, sorry lgarner, I got over-excited when it worked. Thanks all for your great help.
 

Hi,
Would you like to help me with my VPN Cisco headache? Or are you still putting your feet up? ;)

No worries if you're too busy, because you've done me a massive favour already!

But anyway, here's my new thread: thread35-1112670

Thank you once again

 
Busy day! But I should get to this in the afternoon.

What's ADD again?
 
I should have asked this already, but the VPN is going to be from PIX to PIX, right? Or...

What's ADD again?
 