Re: Basic pix configuration
From: Nadir Sahnoun (nsahnoun@traderforce.com)
Date: 01/04/02
From: "Nadir Sahnoun" <nsahnoun@traderforce.com>
Date: Fri, 4 Jan 2002 13:23:50 +0100
Thanks a lot, I will check that.
Nadir
<csyoung@speakeasy.net> wrote in message news:h3s93ucv0prvm8qvtin61umih106sk4nur@4ax.com...
> Nadir,
>
> If you are just wanting to provide access to the inside web server you
> can do a static PAT translation of an outside address to port 80 on
> the inside host.
>
> You should be able to modify one of the examples at
> http://www.cisco.com/warp/public/707/28.html to fit your needs. Keep
> in mind that making an inside host visible to the outside opens up a
> number of potential threats.
>
> --C
>
>
> On Wed, 2 Jan 2002 16:08:53 +0100, "Nadir Sahnoun"
> <nsahnoun@traderforce.com> wrote:
>
> >sorry !!
> >the inside interface is 10.10.10.250
> >the outside interface is 10.10.20.250
> >the inside webserver is 10.10.10.50
> >
> >
> >"Nadir Sahnoun" <nsahnoun@traderforce.com> wrote in message
> >news:a0v7mq$c4g$1@s1.read.news.oleane.net...
> >> Hi all,
> >>
> >> I need to create a basic configuration for a PIX 506 series with two
> >> network interfaces and deactivate the NAT
> >>
> >> the inside interface is 10.10.10.250
> >> the inside interface is 10.10.20.250
> >> the inside webserver is 10.10.10.50
> >>
> >> How can I allow the inside network to access the web server?
> >> I have configured the PIX as follows but it doesn't work.
> >>
> >> Thanks a lot for your precious help
> >>
> >> Nadir
> >>
> >> ////////////////////////////////////////// BEGIN CONFIGURATION ///////////////////////////////////////
> >> Building configuration...
> >> : Saved
> >> :
> >> PIX Version 5.2(6)
> >> nameif ethernet0 outside security0
> >> nameif ethernet1 inside security100
> >> enable password <xxx> encrypted
> >> passwd <xxx> encrypted
> >> hostname <xxx>
> >> fixup protocol ftp 21
> >> fixup protocol http 80
> >> fixup protocol h323 1720
> >> fixup protocol rsh 514
> >> fixup protocol rtsp 554
> >> fixup protocol smtp 25
> >> fixup protocol sqlnet 1521
> >> fixup protocol sip 5060
> >> names
> >>
> >> access-list 10 permit tcp any any
> >>
> >> access-list acl-in permit tcp host 10.10.10.50 any eq www
> >> access-list acl-in permit icmp host 10.10.10.50 any
> >>
> >> access-list no-nat permit ip any any
> >>
> >> nat (inside) 0 access-list no-nat
> >> access-group acl-in in interface outside
> >> access-group acl-in in interface inside
> >>
> >> pager lines 24
> >> logging on
> >> no logging timestamp
> >> no logging standby
> >> no logging console
> >> no logging monitor
> >> logging buffered debugging
> >> no logging trap
> >> no logging history
> >> logging facility 20
> >> logging queue 512
> >> interface ethernet0 10baset
> >> interface ethernet1 10baset
> >> mtu outside 1500
> >> mtu inside 1500
> >> ip address outside 10.10.20.250 255.255.255.0
> >> ip address inside 10.10.10.250 255.255.255.0
> >>
> >> ip audit info action alarm
> >> ip audit attack action alarm
> >> arp timeout 14400
> >>
> >> route outside 10.10.10.30 255.255.255.0 10.10.20.250 1
> >>
> >> timeout xlate 3:00:00
> >> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> >> timeout uauth 0:05:00 absolute
> >> aaa-server TACACS+ protocol tacacs+
> >> aaa-server RADIUS protocol radius
> >> no snmp-server location
> >> no snmp-server contact
> >> snmp-server community public
> >> no snmp-server enable traps
> >> floodguard enable
> >> no sysopt route dnat
> >> crypto ipsec transform-set ipsec1 ah-md5-hmac
> >> isakmp identity hostname
> >> telnet timeout 15
> >> ssh timeout 5
> >> terminal width 80
> >> Cryptochecksum:42ecf15ffdcb7bb9bc3946a575b05d8d
> >> : end
> >> [OK]
> >> ////////////////////////////////////////// END CONFIGURATION ///////////////////////////////////////
> >>
> >>
> >
>
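
Added example, not part of the original thread: a small Python check that flags three things in a PIX-style configuration like the one quoted above: an inbound ACL whose permitted source host sits behind a different interface, a route that overlaps another interface's connected subnet, and the default SNMP community string. SAMPLE is a constructed excerpt of the posted configuration, and the check names are hypothetical labels.

```python
import ipaddress
import re

# Constructed excerpt: the lines of the posted configuration that the checks read.
SAMPLE = """\
access-list acl-in permit tcp host 10.10.10.50 any eq www
access-list acl-in permit icmp host 10.10.10.50 any
access-group acl-in in interface outside
access-group acl-in in interface inside
ip address outside 10.10.20.250 255.255.255.0
ip address inside 10.10.10.250 255.255.255.0
route outside 10.10.10.30 255.255.255.0 10.10.20.250 1
snmp-server community public
"""

def audit(config):
    """Return sorted (check, detail) findings for a PIX-style configuration."""
    ifaces, acl_src, bound, routes, findings = {}, {}, [], [], set()
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"] and len(w) == 5:
            ifaces[w[2]] = ipaddress.ip_interface(f"{w[3]}/{w[4]}").network
        elif m := re.match(r"access-list (\S+) permit \S+ host (\S+)", line):
            acl_src.setdefault(m[1], []).append(ipaddress.ip_address(m[2]))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound.append((m[1], m[2]))
        elif w[:1] == ["route"] and len(w) >= 5:
            routes.append((w[1], ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)))
        elif w[:3] == ["snmp-server", "community", "public"]:
            findings.add(("snmp-default-community", "public"))
    for acl, iface in bound:
        for src in acl_src.get(acl, []):
            # An inbound ACL sees packets arriving on its interface; a permitted
            # source that lives behind another interface never arrives there.
            for other, net in ifaces.items():
                if other != iface and src in net:
                    findings.add(("acl-source-behind-other-interface",
                                  f"{acl} on {iface}: {src} is on {other}"))
    for iface, dest in routes:
        for other, net in ifaces.items():
            if other != iface and dest.overlaps(net):
                findings.add(("route-overlaps-connected-net",
                              f"{dest} via {iface} overlaps {other}"))
    return sorted(findings)

if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"{check}: {detail}")
```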