Configuring PIX 515 to allow Inbound & Outbound connection

[mashadif]

Hi!

NEED THE SOLUTION PLEASE:

My company has purchased PIX 515 and would like to configure the interfaces as given below:

Inside: 192.168.100.3
Outside: DHCP Route
DMZ: 172.16.0.1

WebServer: 192.168.100.5
DNSServer: 172.16.0.2
==========================================================
The objectives are:

A) NAT should be enabled
B) ISA Server (192.168.100.4) will be connected back-to-back with PIX 515 on Inside Interface
C) Allow all Inside users to access internet for the following ports (80, 21, 25, 110, 443, 15000, 53)
D) Allow outside users (from Internet) to use WebServer (192.168.100.5) on Internal network and also open ports (80, 21, 25, 110, 443, 15000, 53) for them.
E) Allow all Outside users (from Internet) to connect to DNS Server (172.16.0.2) placed on DMZ zone
=========================================================

Internal users are able to connect to Internet with the following commands, However, when i apply access-list on Inside interface for the above given ports, users on internal network are not allowed to surf Internet:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

.....................................................
MY CURRENT CONFIGURATION SETTINGS ARE AS GIVEN BELOW:
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name cbs
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.0.2 dns-server
name 192.168.100.4 ISAServer
name 192.168.100.5 WebServer
access-list outside_acl permit tcp any 10.0.12.0 255.255.255.0 eq www
access-list outside_acl permit tcp any 10.0.12.0 255.255.255.0 eq https
access-list outside_acl permit tcp any 10.0.12.0 255.255.255.0 eq smtp
access-list outside_acl permit tcp any 10.0.12.0 255.255.255.0 eq 8080
access-list outside_acl permit tcp any 10.0.12.0 255.255.255.0 eq ftp
access-list outside_acl permit tcp any 10.0.12.0 255.255.255.0 eq telnet
access-list outside_acl permit tcp any any eq pop3
access-list outside_acl permit tcp any any eq 15000
pager lines 20
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside dhcp setroute
ip address inside 192.168.100.3 255.255.255.0
ip address dmz 172.16.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.100.1 255.255.255.255 inside
pdm location 192.168.100.1 255.255.255.255 dmz
pdm location 192.168.100.0 255.255.255.0 dmz
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_acl in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.100.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.100.1 255.255.255.255 inside
telnet 192.168.100.1 255.255.255.255 dmz
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:a1afa81eba1540bf0d770d1be57727bf
: end
[OK]

 

[lgarner]

A) looks good.
B) Shouldn't be a problem, depending upon what it's there for.
C) If you mean "restrict users to these ports", then create an ACL: "access-list inside_out permit tcp any any eq 80", etc.
D) Same as (C), but in reverse and first translate the web server's address to a public one:
static (inside,outside) interface 192.168.100.5 netmask 255.255.255.255
access-list outside_acl permit tcp any host interface eq 80
... etc...
E) See (D)

 

[mashadif]

Thanks Iqarner,

I tried following command but gives following error:

access-list outside_acl permit tcp any host interface eq 80
ERROR: invalid IP address interface

I am using Cisco PIX Firewall Version 6.3(4)

Please suggest.

 

[lgarner]

Hmmm. I think it might be "permit tcp any interface eq 80". Remember, the ? mark gives help at any point.

 

[mashadif]

Hi Igarner

As soon as i give following command my LAN (inside users) are unable to connect to Internet.

static (inside,outside) interface 192.168.100.5 netmask 255.255.255.255

Also, since PIX accepts access-list command as given below, please let me know whether it is true or not

access-list outside_acl permit tcp any interface outside eq 80

THE SYNTAX ACCEPTED BY PIX 515 FOR ACCESS-LIST IS AS GIVEN BELOW FOR YOUR REFERENCE:
access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]

Please guide