Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Pix Configuration with dmz

Status
Not open for further replies.
davek2003

davek2003

IS-IT--Management
Feb 23, 2003
6
CA
All default info has been removed. As well Ip's

What I would like to know is this correct.
I need outside people to have limited access
to 206.xxx.xxx.xx6(dmz) for smtp,pop3,dns,http
the dmz only needs to access outside for this.
As well the Inside needs full access outside
and to the dmz.
Please read between the lines down below.

any help would be great


PIX Version 6.2(2)135
--Security settings of interfaces
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
--Access-lists do I need lines 1-3
--I know I need 4-6 for outside people
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 206.xxx.xxx.xx6 eq pop3
access-list 100 permit tcp any host 206.xxx.xxx.xx6 eq smtp
access-list 100 permit udp any host 206.xxx.xxx.xx6 eq dman
-- This is to allow inside to go anywhere(correct)?
access-list inside_access_in permit ip any any
--After upgrade this showed up help?
ip verify reverse-path interface outside
--This is the ip people use to surf etc.
global (outside) 1 206.xxx.xxx.xx5
--This is the ip inside to dmz (do I need this)
--If not how do I accomplish
global (dmz) 1 172.17.1.100-172.17.1.150
--Tells pix to translate these to outside 206.xxx.xxx.xx5
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
nat (dmz) 1 172.17.1.0 255.255.255.0 0 0
--Static Ip(public) to private
static (inside,outside) 206.xxx.xxx.xxx8 172.16.1.250 netmask 255.255.255.255 0 0
static (dmz,outside) 206.xxx.xxx.xx6 NS2 netmask 255.255.255.255 0 0
--not sure what these are?
access-group 100 in interface outside
access-group inside_access_in in interface inside

: end
[OK]
 
Sort by date Sort by votes
Yank the access-gourp inside_access_in. It is poitnless, if you don't specify an access-list for outbound, the pix will open it up by default because the interface has a higher security level.

Yank the static(inside,outside).... You are running NAT from the inside to the dmz by your global(dmz) command.

You don't need access-list lines 1-3 unless you want to be able to ping your servers or get unreachables, etc. ICMP is king of like the error collector of TCP/IP, you only need it to troubleshoot.

I don't think your need the NAT 1 command for your dmz. You have created a static, so it's kind of useless.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
732
Sameer258
Sameer258
sudhakar346
  • Locked
  • Question
Cisco ASA inside to DMZ issue over public IP
Replies
2
Views
161
kythri
kythri
ISDPCMAN
  • Locked
  • Question
Cannot connect to TZ-215 Sonicwall appliance with web browser!
Replies
0
Views
151
ISDPCMAN
ISDPCMAN
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
110
xwray
xwray
TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
201
hairlessupportmonkey
hairlessupportmonkey

Part and Inventory Search

Sponsor

Back
Top