Re: [fw-wiz] Help needed with Cisco PIX 515 config



On 12/21/06, Brian Blater <brb.lists@xxxxxxxxx> wrote:
> The Pix is running 6.3(3) and is connected to an RR cable network like so:
> internet --- cbl modem --- linksys voip --- pix outside
> It is a private network between the voip and the pix outside interface.

What's the subnet mask on your Linksys router? I would bet this is
part of your problem if you're trying to disable NAT on the PIX. I'll
bet it's 192.168.15.0/24 and it should probably be a /16 mask so that
packets from the inside and DMZ nets don't need to be NAT-ed through
the PIX.

> I'm first trying to clean the config up some and get the dmz interface
> setup and working correctly.

The DMZ interface looks fine. The problem is that there's no
access-list to allow traffic from dmz -> inside, and there's no NAT
for dmz -> outside, so the packets are getting dropped by your Linksys
router (see above).


> Since this pix is behind the voip router I
> don't believe I need the NAT statement any more since the voip should
> be doing the NAT.

Yes, but with a PIX, you need to turn NAT off with these:

nat (inside) 0 0 0
nat (dmz) 0 0 0


> I would like
> all traffic from the inside to be able to go to the internet and the
> dmz unrestricted.

This is implicit in 'nameif ethernet1 inside security100', no
access-list is necessary for the inside interface.

> I would like all traffic from the dmz to go to the
> internet unrestricted. I only want to allow certain traffic from the
> dmz to the inside network

Traffic from dmz -> outside is implicitly allowed by 'nameif ethernet2
dmz security50', but you will need to create an access-list for dmz ->
inside traffic, which may mess up the security level on the interface,
so you will want to explicitly define all traffic leaving the dmz:

access-group dmz in interface dmz
access-list dmz permit [define dmz -> inside here]
access-list dmz deny ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list dmz permit ip 192.168.100.0 255.255.255.0 any


> and certain traffic from the internet to the
> dmz.

This is going to require that you get that Linksys out from in front
of the PIX. Then you can use static to perform port redirection from
the outside to the inside. Then allow this traffic in the outside
access-list. But of course, doing this negates some of the stuff I
told you above, like the nat (dmz) 0 command.


PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
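The ordering point in the reply above (once an access-list is bound to the dmz interface, the security level no longer decides dmz -> inside traffic, so the specific permits, the deny to inside, and the permit to "any" have to appear in that order) is easy to check with a small first-match evaluator. The following is an added example, not code from the thread or from Cisco: it parses PIX 6.3-style `access-list` lines (netmask notation, `ip`/`tcp`/`udp`, `any`, optional `eq PORT`), applies the implicit deny at the end of the list, and evaluates three sample flows. The `[define dmz -> inside here]` placeholder from the post is filled with a constructed rule permitting TCP port 53 to one inside host, and all addresses other than the two subnets named in the post are constructed.

```python
"""
Added example (not from the firewall-wizards thread or Cisco): a tiny
first-match evaluator for PIX 6.3-style access-list lines, showing why
the order of the dmz access-list in the reply matters.
Assumptions: only ip/tcp/udp, "any", address/netmask pairs and "eq PORT"
are handled; the post's "[define dmz -> inside here]" placeholder is
replaced with a constructed permit for tcp/53 to the inside network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from "eq N", None = any

def _net(tokens):
    """Consume 'any' or 'addr mask' (PIX uses real netmasks, not wildcards)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, mask = tokens[0], tokens[1]
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse one 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' line."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported ACE: {line!r}")
    src, rest = _net(tokens[4:])
    dst, rest = _net(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return name, Ace(action, proto, src, dst, dport)

def parse_acl(config_lines):
    """Group ACEs by list name, preserving config order (first match wins)."""
    acls = {}
    for line in config_lines:
        line = line.strip()
        if not line.startswith("access-list"):
            continue                      # skip access-group and other lines
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    return acls

def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Return 'permit' or 'deny' for a flow; unmatched flows hit the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"                         # implicit deny at the end of a PIX ACL

# Constructed config following the structure of the reply: specific
# dmz -> inside permits first, then the blanket deny to inside, then
# the permit to "any" for internet-bound traffic.
DMZ_CONFIG = """
access-group dmz in interface dmz
access-list dmz permit tcp 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0 eq 53
access-list dmz deny ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list dmz permit ip 192.168.100.0 255.255.255.0 any
""".strip().splitlines()

def check_dmz_policy(config_lines=DMZ_CONFIG):
    """Evaluate the three flows the thread cares about (constructed hosts)."""
    acl = parse_acl(config_lines)["dmz"]
    return {
        "dmz->inside dns":   evaluate(acl, "tcp", "192.168.100.10", "192.168.99.5", 53),
        "dmz->inside ssh":   evaluate(acl, "tcp", "192.168.100.10", "192.168.99.5", 22),
        "dmz->internet web": evaluate(acl, "tcp", "192.168.100.10", "198.51.100.7", 80),
    }

def check_without_deny():
    """Drop the deny line: the trailing permit-any now reaches the inside net."""
    lines = [l for l in DMZ_CONFIG if not l.startswith("access-list dmz deny")]
    acl = parse_acl(lines)["dmz"]
    return evaluate(acl, "tcp", "192.168.100.10", "192.168.99.5", 22)

if __name__ == "__main__":
    for flow, verdict in check_dmz_policy().items():
        print(f"{flow:18s} {verdict}")
    print("dmz->inside ssh without the deny line:", check_without_deny())
```

Running it shows the DNS flow permitted, the SSH flow to the inside denied, and the web flow to the internet permitted; removing the deny line flips the SSH verdict to permit, which is exactly the hole the reply warns about when the dmz list is not written out explicitly.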


