Re: Problems configuring my PIX525
From: Daniel Crichton (danielc@helio.co.uk) Date: 04/05/02
- Next message: Mike_Bryeans@webbbs.org: "Re: Peronal Firewall Review"
- Previous message: Jason: "Re: How good is smoothwall?"
- In reply to: John: "Re: Problems configuring my PIX525"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Daniel Crichton" <danielc@helio.co.uk> Date: Fri, 5 Apr 2002 11:24:59 +0100
"John" <jwiles545@cs.com> wrote in message
news:76180f6b.0204042014.6fba72eb@posting.google.com...
> As an aside, I do not think that spending money on another consultant
> is what you want to do. I have never used Cisco Pix (although they
> seem not much different from the routers), but I think you would be
> better off taking the money that would be spent on Consultants, and
> spending it on some training instead. I am almost sure that Cisco
> offers some kind of training for the PIX.
Cisco resellers normally do this - I took the basic PIX course a couple of
years ago, it's not particularly hard but is costly. When I did it there was
coverage of the original web and gui management tools - both of which
crashed spectacularly and the class had to rely on the theory side without
doing the practical. It might be cheaper, and more convenient, to pick up
the Cisco Press book based on the full PIX certification course; ISBN
1587050358. As a quick plug for my company, you can pick up a copy at 25%
off RRP at http://www.compman.co.uk/cgi-win/browse.exe?isbn=1587050358 (UK
company, probably not worth it to anyone in the US due to carriage costs).
Brian: As to the PIX config, there are a number of problems.
a) You want inside clients to be on 10.x.x.x, yet you have a 255.255.255.0
subnet mask - change it to 255.0.0.0. A class C range is 255.255.255.0, but
that would be a range of 10.x.y.z where x and y are fixed and z is variable,
e.g. 10.1.1.1 - 10.1.1.254.
b) DMZ should be 192.168.x.x, again you have the wrong subnet mask - change
it to 255.255.0.0
c) You have no global or nat for the dmz, therefore inside clients won't be
able to talk to the dmz machines without statically mapped dmz ips, and dmz
machines won't be able to make connections to the outside
d) http commands - not familiar with these. Are you trying to define a web
server on the inside interface? Surely you should be putting a public server
in the dmz.
And now to these:
> 4) Other outside IPs in the range of 76-125 will be able to be statically
> mapped back to the internal addresses.
> 5) The DMZ will have addresses in the range of 192.168.x.x and those
> addresses will be mapped back statically to the following public IPs
> allocated to the DMZ: x.y.z.70-x.y.z.75.
For mapping IPs in the older 4.4 OS I was trained on, which still works in
5.x (not sure about 6.x, still running 5.3 here), you use static and conduit
commands, eg.
#inside hosts
static (inside,outside) x.y.z.76 10.1.1.76 netmask 255.255.255.255
This tells the PIX to map x.y.z.76 on the outside to 10.1.1.76 on the
inside, the netmask tells it that this is a single IP mapping. You could use
ranges by varying the netmask such that you cover the 76-125 ranges in a
couple of statics. You do a similar thing with the dmz addresses. Just
remember the 2 IP addresses look reversed compared to the interface names,
and static is only used for incoming connections. If you don't need to allow
incoming connections to the inside addresses then that's it - don't define
any conduits.
To allow a connection to a dmz address I would use
conduit permit tcp host x.y.z.75 eq www any
to tell the PIX to allow an incoming connection on port 80 (www) to outside
address x.y.z.75 from any address. The static that maps to that outside
address will be used to determine the dmz host to pass the connection to.
Just open up each port that you need to allow access to - it's not a good
idea to open everything and then deny specific ports, always deny everything
and allow only what is required.
That should give you enough to go on for now. I definitely recommend reading
up on PIX configurations, either from the book I've mentioned or from the
Cisco documentation (if you don't have the manuals then go to the Cisco web
site and look at the sample configs on there).
Dan
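As an added example (not part of Dan's post), the following Python script works out the aligned address blocks needed to cover the 76-125 range with a handful of static commands, as Dan suggests, and renders them in the outside-then-inside operand order he warns about. It assumes the documentation prefix 198.51.100.0/24 stands in for the poster's public x.y.z network and that each inside host keeps the same last octet as its public address (10.1.1.76 for x.y.z.76).

```python
import ipaddress

# Constructed placeholders: 198.51.100.0/24 stands in for the public "x.y.z"
# range in the thread; inside hosts are assumed to live in 10.1.1.0/24.
OUTSIDE_NET = ipaddress.IPv4Network("198.51.100.0/24")
INSIDE_NET = ipaddress.IPv4Network("10.1.1.0/24")


def static_blocks(first_host, last_host):
    """Return the minimal aligned blocks covering outside hosts first..last
    (last octet) as (outside_block, inside_block) pairs.

    Because every inside host keeps the same last octet as its public address,
    both sides share the same alignment and a single netmask fits each pair.
    """
    start, end = OUTSIDE_NET[first_host], OUTSIDE_NET[last_host]
    pairs = []
    for out_blk in ipaddress.summarize_address_range(start, end):
        offset = int(out_blk.network_address) - int(OUTSIDE_NET.network_address)
        in_blk = ipaddress.IPv4Network(
            (int(INSIDE_NET.network_address) + offset, out_blk.prefixlen))
        pairs.append((out_blk, in_blk))
    return pairs


def static_commands(first_host, last_host, high="inside", low="outside"):
    """Render PIX 'static (high,low) <outside> <inside> netmask <mask>' lines.

    Note the operand order: the interface pair reads (inside,outside) but the
    addresses that follow are outside first, then inside.
    """
    return [
        f"static ({high},{low}) {out_blk.network_address} "
        f"{in_blk.network_address} netmask {out_blk.netmask}"
        for out_blk, in_blk in static_blocks(first_host, last_host)
    ]


if __name__ == "__main__":
    # A single host needs a /32 (netmask 255.255.255.255); 76-125 needs six
    # blocks, since 76 and 125 are not aligned on any larger power of two.
    for line in static_commands(76, 76) + static_commands(76, 125):
        print(line)
```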