I am Newbie. 2 Port Pix 501, need to have e-mail and web servers insid

Skribbles

Technical User
May 5, 2004
5
CA
So I'm trying to setup a PIX 501.

What I need is to have FTP, HTTP, and SSL available for my web server and SMTP and POP3 for my mail server. This is the first time I've ever touched a PIX; I've used Cisco routers a lot, just not the firewalls. Anyway, here is my config, if anyone could help me out it would be great.


:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ****** encrypted
passwd ***** encrypted
hostname GATE1
domain-name ******
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_grp permit icmp any any
access-list inbound permit icmp any any
access-list inbound permit tcp any host 209.115.217.*** eq www
access-list inbound permit tcp any host 209.115.217.*** eq ftp
access-list outbound permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 209.115.217.*** 255.255.255.***
ip address inside 209.82.112.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 209.82.112.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.115.217.*** 209.82.114.73 netmask 255.255.255.255 0 0
access-group acl_grp in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:****************
: end
GATE1#


Any help would be greatly appreciated :D
 
Try if you can use this.
Interface IP address assignment
ip address outside pix public_ip pix public_ip-mask
ip address inside pix inside-ip pix inside-ip-mask

Firewall Address Translations
If you want to translate (static) the inside web_server address to its outside public address
static (inside,outside) web_server_public_ip web_server_inside_ip netmask 255.255.255.255
If you want to translate (static) the inside mail-server address to its outside public address
static (inside,outside) mail_server_public_ip mail_server_inside_ip netmask 255.255.255.255
If you want to translate (dynamic NAT or PAT) the inside network to a range or a single outside public address
nat (inside) 2 inside-subnet-addr inside-subnet-mask
If you want to translate (dynamic NAT or PAT) the whole inside network to a range or a single outside public address
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
global (outside) 2 public_start_ip-public_end_ip netmask public_subnet_mask

Outside access-lists
If you want the whole outside world to ping anything inside that is statically translated. This is not usually recommended, but for diagnostic purposes it is useful. I would recommend you do the second line only, which is slightly restricted
access-list outside_acl_name permit icmp any any
access-list outside_acl_name permit icmp any outside-subnet-addr outside-subnet-mask
If you want the whole outside world to access your web server on port 80 (www)
access-list outside_acl_name permit tcp any host web_server_public_ip eq www
If you want the whole outside world to access your web server on port 443 (ssl)
access-list outside_acl_name permit tcp any host web_server_public_ip eq 443
If you want the whole outside world to access your web server on port 21 (ftp)
access-list outside_acl_name permit tcp any host web_server_public_ip eq ftp
If you want the whole outside world to access your mail server on port 25 (smtp). However, if you have your mail relayed to you via your ISP then allow only the ISP mail relay server as shown in the second line
access-list outside_acl_name permit tcp any host mail_server_public_ip eq smtp
access-list outside_acl_name permit tcp host isp_mail_relay_server_public_ip host mail_server_public_ip eq smtp
Apply the outside access list to the outside interface
access-group outside_acl_name in interface outside

Inside access-lists
Generally most people prefer the default security levels to allow the inside to do anything onto the outside, but I prefer to implement restrictions, so the following access lists are optional
access-list inside_acl_name permit icmp any any
If you want the whole inside network to browse the internet assuming you do not have a proxy server. If you have a proxy server use the second line
access-list inside_acl_name permit tcp inside_subnet_addr inside_subnet_mask any eq www
access-list inside_acl_name permit tcp proxy_inside_ip_addr proxy_inside_ip_mask any eq www
If you want your mail server on port 25 (smtp) to send mail to anyone on the outside. However, if your mail is relayed to the outside via your ISP then allow only the ISP mail relay server as shown in the second line
access-list inside_acl_name permit tcp host mail_server_inside_ip any eq smtp
access-list inside_acl_name permit tcp host mail_server_inside_ip host isp_mail_relay_server_public_ip eq smtp
Once you have defined the access lists on the inside you would have to explicitly allow any service you want the inside network to have access to
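As an added example (not code from this thread or from Cisco), here is a small Python checker that reads the access-list, static and access-group lines of a PIX 6.3 config and reports what the outside can actually reach, which makes the gap between the poster's config and the template above concrete. It assumes the masked public address is the placeholder 209.115.217.PUBLIC, and it relies on PIX behaviour where an interface with no access-group bound denies inbound traffic from a lower-security interface by default.

```python
import re
from collections import defaultdict

# Constructed sample: the poster's config cut down to the lines that decide
# outside exposure; the masked public address is replaced by a placeholder.
SAMPLE_CONFIG = """\
access-list acl_grp permit icmp any any
access-list inbound permit icmp any any
access-list inbound permit tcp any host 209.115.217.PUBLIC eq www
access-list inbound permit tcp any host 209.115.217.PUBLIC eq ftp
access-list outbound permit icmp any any
static (inside,outside) 209.115.217.PUBLIC 209.82.114.73 netmask 255.255.255.255 0 0
access-group acl_grp in interface inside
"""
# Same config with the answerer's template applied (also constructed).
FIXED_CONFIG = SAMPLE_CONFIG + """\
access-list inbound permit tcp any host 209.115.217.PUBLIC eq 443
access-list inbound permit tcp any host 209.115.217.PUBLIC eq smtp
access-group inbound in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (.+?)(?: eq (\S+))?$")
STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def parse_config(text):
    """Collect ACL entries, static translations and ACL-to-interface bindings."""
    acls, statics, bound = defaultdict(list), {}, {}
    for line in text.splitlines():
        if m := ACL_RE.match(line.strip()):
            name, proto, addrs, port = m.groups()
            acls[name].append((proto, addrs.split()[-1], port))  # last token = dst
        elif m := STATIC_RE.match(line.strip()):
            statics[m.group(1)] = m.group(2)       # public -> inside
        elif m := GROUP_RE.match(line.strip()):
            bound[m.group(2)] = m.group(1)         # interface -> acl
    return acls, statics, bound

def outside_exposure(text):
    """Return (services reachable per public IP, ACLs defined but never applied).
    With no access-group on 'outside', the PIX denies all inbound by default."""
    acls, statics, bound = parse_config(text)
    exposed = defaultdict(set)
    for proto, dst, port in acls.get(bound.get("outside"), []):
        for pub in statics:
            if dst in ("any", pub):
                exposed[pub].add(port or proto)
    unbound = sorted(set(acls) - set(bound.values()))
    return {k: sorted(v) for k, v in exposed.items()}, unbound

def missing_services(text, public_ip, wanted=("www", "443", "ftp", "smtp", "pop3")):
    """Services the poster asked for that the outside still cannot reach."""
    exposed, _ = outside_exposure(text)
    return [s for s in wanted if s not in exposed.get(public_ip, [])]
```

Run against SAMPLE_CONFIG it reports nothing exposed and the `inbound` and `outbound` lists unbound, which is exactly why the poster's servers are unreachable; against FIXED_CONFIG only pop3 is still missing.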
 
Thank you very much. I will be testing this tonight or tomorrow night and let you know how it went.

Thanks again.
 