
PIX 501: Config

Status
Not open for further replies.

SYMNET

Programmer
Jun 5, 2002
2
US
Hello, I'm new to the firewall arena and I'm looking for any help I can get. So here goes...

I have 3 global IPs xxx.xxx.xxx.241, xxx.xxx.xxx.242, xxx.xxx.xxx.243. Internal I have 192.168.23.11, 192.168.23.12, 192.168.23.13. Currently all these IPs are bound to one NIC, but as I get more servers they will be removed and tied to individual boxes.

With the DSL router sitting as xxx.xxx.xxx.1

I'm running Cisco PIX Firewall Version 6.1(1)

I need to allow web (80), smtp (25 tcp), pop3 (110 tcp), domain (53 tcp & udp) through the firewall.

Currently I am allowing anything outbound (i.e. so I can post on the web and look up helpful info). But I need to restrict inbound to the aforementioned ports.

Here is config:

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
no fixup protocol skinny 2000
no fixup protocol sqlnet 1521
no fixup protocol sip 5060
no fixup protocol rtsp 554

access-list acl_inside permit ip 192.168.23.0 255.255.255.0 any
access-list acl_outside permit tcp any host xxx.xxx.xxx.241 eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.241 eq smtp
access-list acl_outside permit tcp any host xxx.xxx.xxx.241 eq pop3
access-list acl_outside permit tcp any host xxx.xxx.xxx.241 eq domain
access-list acl_outside permit tcp any host xxx.xxx.xxx.242 eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.242 eq smtp
access-list acl_outside permit tcp any host xxx.xxx.xxx.242 eq pop3
access-list acl_outside permit tcp any host xxx.xxx.xxx.242 eq domain
access-list acl_outside permit tcp any host xxx.xxx.xxx.243 eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.243 eq smtp
access-list acl_outside permit tcp any host xxx.xxx.xxx.243 eq pop3
access-list acl_outside permit tcp any host xxx.xxx.xxx.243 eq domain
access-list acl_outside permit udp any host xxx.xxx.xxx.241 eq domain
access-list acl_outside permit udp any host xxx.xxx.xxx.242 eq domain
access-list acl_outside permit udp any host xxx.xxx.xxx.243 eq domain

interface ethernet0 10baset
interface ethernet1 10full

ip address outside xxx.xxx.xxx.243 255.255.255.0
ip address inside 192.168.23.1 255.255.255.0

global (outside) 1 xxx.xxx.xxx.241-xxx.xxx.xxx.242
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.xxx.241 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.241 smtp 192.168.23.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.241 pop3 192.168.23.11 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.241 domain 192.168.23.11 domain netmask 255.255.255.255 0
static (inside,outside) udp 216.30.0.241 domain 192.168.23.11 domain netmask 255.255.255.255 0 0

access-group acl_outside in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1

NOTE: the statics for .242 and .243 are not in there because when I do that all access is cut off from the firewall.

So...

1) Any ideas on why, when I add the statics for .242 and .243, the firewall does not allow any traffic in or out?

2) I know I'm doing something wrong in either the acl or static or something, but I just can't figure out which part has the problem. I have the Cisco PIX book, I've perused Barnes and Nobles a great many times, I've been up one side and down the other of Cisco's site, but I just can't figure out what I'm doing wrong. So if you see where the error(s) are I would greatly appreciate it.



Thanks in advance.
 
BTW... What I am trying to do is use port redirection for all the IPs... hence the statics...


Thanks.
 
Hi.

Here are some tips:

* This is wrong - as it can allow only 2 hosts to "nat" out, and is conflicting with your static mappings.

global (outside) 1 xxx.xxx.xxx.241-xxx.xxx.xxx.242

Instead, you should use PAT with a single ip address:

global 1 interface

* Why do you need to open access to your own DNS server from the Internet? This is a bad idea for security, availability and performance reasons. Let your ISP manage your registered DNS name space instead.

* Now you'll need 2 more addresses - one for the internal web server and the other for the mail server, so you can use "normal" static, which should be preferred over port forwarding.

Here is my suggestion:

ip address outside xxx.xxx.xxx.243 255.255.255.0
ip address inside 192.168.23.1 255.255.255.0

static xxx.xxx.xxx.241 192.168.23.11
static xxx.xxx.xxx.242 192.168.23.12

access-list acl_outside permit tcp any host xxx.xxx.xxx.241 eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.242 eq smtp
access-list acl_outside permit tcp any host xxx.xxx.xxx.242 eq pop3

global 1 interface
nat 1 0 0

etc...

Yizhar Hurwitz
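The two problems raised in the reply (a NAT pool that overlaps a static translation, and outside ACL entries that permit traffic to an address/port no static ever translates) can be caught offline before the config is pushed. The script below is an added example, not code from the thread or from Cisco; it parses only the handful of PIX 6.x statement shapes that appear above, and the sample configs use 203.0.113.0/24 (a documentation range) in place of the masked xxx.xxx.xxx addresses. It is a sanity check on the text of the config, not a substitute for the PIX's own parser.

```python
"""Offline lint of PIX 6.x 'global' / 'static' / 'access-list' lines.

Added example for the thread above; not Cisco code. It recognises only the
statement forms used in the thread and flags two things the reply points at:
  1. a 'global (outside) N a-b' pool that overlaps an address used by a static
  2. an outside ACL permit whose destination address/port no static translates
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Service names used in the thread, mapped to port numbers.
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "pop3": 110, "domain": 53}

GLOBAL_POOL = re.compile(r"^global\s+\((\w+)\)\s+\d+\s+(\S+)-(\S+)")
# static (inside,outside) tcp GLOBAL_IP GPORT LOCAL_IP LPORT netmask ...
STATIC_PORT = re.compile(r"^static\s+\(inside,outside\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
# static [(inside,outside)] GLOBAL_IP LOCAL_IP  (one-to-one, all ports)
STATIC_FULL = re.compile(r"^static\s+(?:\(inside,outside\)\s+)?(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")
# access-list NAME permit tcp|udp any host IP eq PORT
ACL_PERMIT = re.compile(r"^access-list\s+(\S+)\s+permit\s+(tcp|udp)\s+any\s+host\s+(\S+)\s+eq\s+(\S+)")


def port_num(tok: str) -> int:
    """Accept either a numeric port or one of the names in PORT_NAMES."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


@dataclass
class Static:
    proto: Optional[str]      # None means a one-to-one static covering every port
    global_ip: str
    global_port: Optional[int]
    local_ip: str


def parse(config: str):
    """Return (pools, statics, acl_entries) for the statement shapes we model."""
    pools, statics, acl = [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := GLOBAL_POOL.match(line):
            pools.append((m.group(2), m.group(3)))
        elif m := STATIC_PORT.match(line):
            statics.append(Static(m[1], m[2], port_num(m[3]), m[4]))
        elif m := STATIC_FULL.match(line):
            statics.append(Static(None, m[1], None, m[2]))
        elif m := ACL_PERMIT.match(line):
            acl.append((m[1], m[2], m[3], port_num(m[4])))
    return pools, statics, acl


def lint(config: str, outside_acl: str = "acl_outside") -> list:
    """Return human-readable findings; an empty list means no issue was detected."""
    pools, statics, acl = parse(config)
    findings = []

    # 1. NAT pool addresses must not double as static global addresses.
    static_ips = sorted({s.global_ip for s in statics})
    for lo, hi in pools:
        start, end = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
        for ip in static_ips:
            if start <= int(ipaddress.ip_address(ip)) <= end:
                findings.append(f"global pool {lo}-{hi} overlaps static for {ip}")

    # 2. Every outside permit should land on a translation, or it permits nothing useful.
    for name, proto, ip, port in acl:
        if name != outside_acl:
            continue
        covered = any(
            s.global_ip == ip and (s.proto is None or (s.proto == proto and s.global_port == port))
            for s in statics
        )
        if not covered:
            findings.append(f"{name} permits {proto}/{port} to {ip} but no static translates it")
    return findings


# Constructed sample mirroring the poster's config, with 203.0.113.x in place of xxx.xxx.xxx.
ORIGINAL_CONFIG = """
global (outside) 1 203.0.113.241-203.0.113.242
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 203.0.113.241 www 192.168.23.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.241 smtp 192.168.23.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.241 pop3 192.168.23.11 pop3 netmask 255.255.255.255 0 0
access-list acl_outside permit tcp any host 203.0.113.241 eq www
access-list acl_outside permit tcp any host 203.0.113.241 eq smtp
access-list acl_outside permit tcp any host 203.0.113.241 eq pop3
access-list acl_outside permit tcp any host 203.0.113.241 eq domain
access-list acl_outside permit tcp any host 203.0.113.242 eq www
access-list acl_outside permit udp any host 203.0.113.241 eq domain
"""

# Constructed sample of the reply's suggestion: one-to-one statics, PAT on the interface.
SUGGESTED_CONFIG = """
static 203.0.113.241 192.168.23.11
static 203.0.113.242 192.168.23.12
access-list acl_outside permit tcp any host 203.0.113.241 eq www
access-list acl_outside permit tcp any host 203.0.113.242 eq smtp
access-list acl_outside permit tcp any host 203.0.113.242 eq pop3
global 1 interface
nat 1 0 0
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("suggested", SUGGESTED_CONFIG)):
        print(f"[{label}]")
        for f in lint(cfg) or ["no findings"]:
            print("  " + f)
```

Run against the original-style config it reports the pool/static overlap on .241 plus three ACL permits (tcp/53 and udp/53 on .241, tcp/80 on .242) that have no translation behind them; run against the suggested layout it reports nothing, because each one-to-one static covers every port the ACL opens and there is no address pool left to collide with.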
 