Re: Basic pix configuration

From: Billy Bob Thornton (bbt@yomama.com)
Date: 01/04/02


From: "Billy Bob Thornton" <bbt@yomama.com>
Date: Fri, 4 Jan 2002 12:35:48 -0600

I agree, the DMZ is a much more appropriate place for servers connected to
the outside world. A good rule to follow is to only allow traffic through
the firewall that was requested by someone already inside the firewall. In
other words, never allow unsolicited traffic through your firewall. By
placing the servers on a DMZ you will effectively accomplish this.

--
William Hayden (CCNP, CUSA)
SI Engineer / Lab Manager

"Writing is learning to say nothing, more cleverly every day." - William Allingham

"The more I learn the more I realize how little I know" - As far as I can tell, me

<csyoung@speakeasy.net> wrote in message news:h3s93ucv0prvm8qvtin61umih106sk4nur@4ax.com...
> Nadir,
>
> If you are just wanting to provide access to the inside web server you
> can do a static PAT translation of an outside address to port 80 on
> the inside host.
>
> You should be able to modify one of the examples at
> http://www.cisco.com/warp/public/707/28.html to fix your needs. Keep
> in mind that making an inside host visible to the outside opens up a
> number of potential threats.
>
> --C
>
>
> On Wed, 2 Jan 2002 16:08:53 +0100, "Nadir Sahnoun"
> <nsahnoun@traderforce.com> wrote:
>
> >sorry !!
> >the inside interface is 10.10.10.250
> >the outside interface is 10.10.20.250
> >the inside webserver is 10.10.10.50
> >
> >
> >"Nadir Sahnoun" <nsahnoun@traderforce.com> wrote in message news:
> >a0v7mq$c4g$1@s1.read.news.oleane.net...
> >> Hi all,
> >>
> >> I need to create a basic configuration for a PIX 506 series with two network
> >> interfaces and deactivate the NAT.
> >>
> >> the inside interface is 10.10.10.250
> >> the inside interface is 10.10.20.250
> >> the inside webserver is 10.10.10.50
> >>
> >> How can I allow the inside network to access the web server?
> >> I have configured the PIX as follows but it doesn't work.
> >>
> >> Thanks a lot for your precious help
> >>
> >> Nadir
> >>
> >> ////////////////////////////////////////// BEGIN CONFIGURATION
> >> ///////////////////////////////////////
> >> Building configuration...
> >> : Saved
> >> :
> >> PIX Version 5.2(6)
> >> nameif ethernet0 outside security0
> >> nameif ethernet1 inside security100
> >> enable password <xxx> encrypted
> >> passwd <xxx> encrypted
> >> hostname <xxx>
> >> fixup protocol ftp 21
> >> fixup protocol http 80
> >> fixup protocol h323 1720
> >> fixup protocol rsh 514
> >> fixup protocol rtsp 554
> >> fixup protocol smtp 25
> >> fixup protocol sqlnet 1521
> >> fixup protocol sip 5060
> >> names
> >>
> >> access-list 10 permit tcp any any
> >>
> >> access-list acl-in permit tcp host 10.10.10.50 any eq www
> >> access-list acl-in permit icmp host 10.10.10.50 any
> >>
> >> access-list no-nat permit ip any any
> >>
> >> nat (inside) 0 access-list no-nat
> >> access-group acl-in in interface outside
> >> access-group acl-in in interface inside
> >>
> >> pager lines 24
> >> logging on
> >> no logging timestamp
> >> no logging standby
> >> no logging console
> >> no logging monitor
> >> logging buffered debugging
> >> no logging trap
> >> no logging history
> >> logging facility 20
> >> logging queue 512
> >> interface ethernet0 10baset
> >> interface ethernet1 10baset
> >> mtu outside 1500
> >> mtu inside 1500
> >> ip address outside 10.10.20.250 255.255.255.0
> >> ip address inside 10.10.10.250 255.255.255.0
> >>
> >> ip audit info action alarm
> >> ip audit attack action alarm
> >> arp timeout 14400
> >>
> >> route outside 10.10.10.30 255.255.255.0 10.10.20.250 1
> >>
> >> timeout xlate 3:00:00
> >> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> >> timeout uauth 0:05:00 absolute
> >> aaa-server TACACS+ protocol tacacs+
> >> aaa-server RADIUS protocol radius
> >> no snmp-server location
> >> no snmp-server contact
> >> snmp-server community public
> >> no snmp-server enable traps
> >> floodguard enable
> >> no sysopt route dnat
> >> crypto ipsec transform-set ipsec1 ah-md5-hmac
> >> isakmp identity hostname
> >> telnet timeout 15
> >> ssh timeout 5
> >> terminal width 80
> >> Cryptochecksum:42ecf15ffdcb7bb9bc3946a575b05d8d
> >> : end
> >> [OK]
> >> ////////////////////////////////////////// END CONFIGURATION
> >> ///////////////////////////////////////
> >>
> >>
> >
>
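What the two suggestions in this thread (move the server to a DMZ; publish it with a static PAT for port 80 only) look like together in PIX configuration, as an added example that is not part of any post above. It assumes a PIX with a third interface (ethernet2), an invented DMZ subnet 192.168.50.0/24 with the web server re-addressed to 192.168.50.50, and PIX OS 6.0 or later, since port redirection on the static command does not exist in the 5.2(6) image shown in the quoted config. The DMZ by itself does not enforce the "no unsolicited traffic" rule; the static plus the outside access-list does, by admitting exactly one port to exactly one mapped address and nothing else. Note also that the quoted config binds acl-in, which only permits traffic sourced from the web server itself, inbound on the inside interface, so no other inside host could pass the PIX at all; the example leaves the inside interface without an access-group, so the default higher-to-lower security permit applies.

```text
! Added example (not from the thread): three-interface PIX 6.x layout with
! the web server moved off the inside network onto a DMZ.
! Assumed: ethernet2 exists, DMZ subnet 192.168.50.0/24, web server 192.168.50.50.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 10.10.20.250 255.255.255.0
ip address inside 10.10.10.250 255.255.255.0
ip address dmz 192.168.50.1 255.255.255.0

! Inside -> DMZ without address translation (the "deactivate NAT" part of
! the original question). inside is security100 and dmz is security50, so
! this direction is permitted by default once a translation exists; nat 0
! with an ACL supplies an identity translation for just this pair of nets.
access-list no-nat permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list no-nat

! Publish exactly one service: tcp/80 on the outside interface address is
! redirected to tcp/80 on the DMZ web server. Port redirection on "static"
! requires PIX OS 6.0 or later; the 5.2(6) box in the thread would need an upgrade.
static (dmz,outside) tcp interface www 192.168.50.50 www netmask 255.255.255.255 0 0

! outside is security0, so nothing it initiates toward the DMZ passes
! without an access-list. This line is the only unsolicited traffic admitted.
! Pre-7.0 PIX ACLs match the mapped (outside) address, hence 10.10.20.250.
access-list acl-outside permit tcp any host 10.10.20.250 eq www
access-group acl-outside in interface outside

! Deliberately absent: any static or access-list from dmz to inside, and any
! "nat (dmz) ..." statement. A compromised web server can therefore neither
! open connections into the inside network nor initiate new connections to
! the outside; it can only answer connections opened to it from inside or
! from outside clients on tcp/80.
```

To check the result on the box, `show xlate` should list only the one static for 192.168.50.50, `show access-list acl-outside` should show hit counts only on the tcp/80 line, and a connection attempt from outside to any other port on 10.10.20.250 should log a 106023 deny on the outside interface rather than building a translation.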