Configuring PIX 515 for OWA in DMZ

From: Paul Chang <pchang@andanetworks.com>
Date: Wed, 12 Jun 2002 10:32:25 -0700

Hi,

I have a Cisco PIX 515. Currently I have just a web server and a Linux mail
(POP, SMTP) server outside of the firewall, and I have a route to our co-lo.
I want to move the web server and mail server into the DMZ for more
security. I also want to add an Outlook Web Access (OWA) server that allows
users to access their mail on the Exchange server using web browsers. Can
someone tell me if you see any problems with my new config?

Here is a portion of my current config:

-----------------------------------------------------------------------------------------
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25

access-list nonat permit ip 10.18.0.0 255.255.0.0 host 10.87.1.25

ip address outside 163.146.78.2 255.255.255.0
ip address inside 10.18.0.1 255.255.0.0
ip address dmz 10.10.10.1 255.255.255.0

global (outside) 1 163.146.78.51-163.146.78.250 netmask 255.255.255.0
global (outside) 1 163.146.78.50 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.18.0.0 255.255.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 163.146.78.1 1
route inside 10.87.1.25 255.255.255.255 10.18.1.1 1

----------------------------------------------------------------------------------
Here is my new config:
---------------------------------------------------------------------------------

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25

access-list nonat permit ip 10.18.0.0 255.255.0.0 host 10.87.1.25

ip address outside 163.146.78.2 255.255.255.0
ip address inside 10.18.0.1 255.255.0.0
ip address dmz 10.10.10.1 255.255.255.0

global (outside) 1 163.146.78.51-163.146.78.250 netmask 255.255.255.0
global (outside) 1 163.146.78.50 netmask 255.255.255.0
global (dmz) 2 10.10.10.51-10.10.10.80 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.18.0.0 255.255.0.0 0 0
nat (dmz) 2 10.10.10.0 255.255.255.0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 163.146.78.1 1
route inside 10.87.1.25 255.255.255.255 10.18.1.1 1

name 10.10.10.11 mailserver
name 10.10.10.21 webserver
name 10.10.10.31 outlook
name 10.10.10.41 ftpserver
name 10.18.0.13 exchange

static (dmz, outside) 163.146.78.6 webserver
static (dmz, outside) 163.146.78.11 mailserver
static (dmz, outside) 163.146.78.8 outlook
static (dmz, outside) 163.146.78.9 ftpserver
static (inside, dmz) 10.10.10.8 exchange

access-list 110 permit tcp any host 163.146.78.6 eq 80
access-list 120 permit tcp any host 163.146.78.11 eq 25
access-list 130 permit tcp any host 163.146.78.8 eq 80
access-list 140 permit tcp any host 163.146.78.9 eq 21
access-list 150 permit tcp outlook host exchange eq 80

access-group 110 in interface outside
access-group 120 in interface outside
access-group 130 in interface outside
access-group 140 in interface outside
access-group 150 in interface dmz

route inside 10.10.10.0 255.255.255.0 10.18.0.1 1
route inside 163.146.78.0 255.255.255.0 10.18.0.1 1
------------------------------------------------------------------------

Any help is greatly appreciated.
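An added example, not part of the original post and not Cisco tooling: a small Python lint run over a trimmed copy of the new config above, encoding the pre-7.0 PIX rules a reviewer would check it against. It assumes PIX 5.x/6.x semantics: only one `access-group` per interface, a later binding replacing the earlier one; an ACL bound to an interface names hosts by the address they carry on that interface, so after `static (inside, dmz) 10.10.10.8 exchange` the DMZ-side ACL must reference 10.10.10.8; a `nat` id only works toward a lower-security interface that has a `global` with the same id, otherwise hosts without a static get no translation there; a route whose next hop is one of the PIX's own interface addresses is invalid, and a directly connected network needs no route. The embedded config is a constructed subset of the post's config containing just the `name`, `static`, `access-list`, `nat`/`global` and `route` lines the checks exercise.

```python
"""Lint a PIX 5.x/6.x config for the DMZ mistakes the post asks about.

Added example, not part of the original post. Rules encoded (pre-7.0 PIX):
one access-group per interface (a later binding replaces the earlier one);
an ACL names hosts by their address on the bound interface (the static-mapped
address); a nat id needs a global of the same id on each lower-security
interface, else hosts without a static get no translation there; a route's
next hop cannot be a PIX interface address, and connected nets need no route.
"""
import ipaddress
import re

# Trimmed copy of the "new config" from the post, used as constructed input.
CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 163.146.78.2 255.255.255.0
ip address inside 10.18.0.1 255.255.0.0
ip address dmz 10.10.10.1 255.255.255.0
global (outside) 1 163.146.78.51-163.146.78.250 netmask 255.255.255.0
global (dmz) 2 10.10.10.51-10.10.10.80 netmask 255.255.255.0
nat (inside) 1 10.18.0.0 255.255.0.0 0 0
nat (dmz) 2 10.10.10.0 255.255.255.0
name 10.10.10.31 outlook
name 10.18.0.13 exchange
static (dmz, outside) 163.146.78.8 outlook
static (inside, dmz) 10.10.10.8 exchange
access-list 110 permit tcp any host 163.146.78.6 eq 80
access-list 130 permit tcp any host 163.146.78.8 eq 80
access-list 150 permit tcp outlook host exchange eq 80
access-group 110 in interface outside
access-group 130 in interface outside
access-group 150 in interface dmz
route outside 0.0.0.0 0.0.0.0 163.146.78.1 1
route inside 10.10.10.0 255.255.255.0 10.18.0.1 1
"""

def parse(text):
    """Pull out just the statement types the checks need."""
    c = {"sec": {}, "names": {}, "ip": {}, "globals": set(), "nats": [],
         "statics": [], "acls": {}, "groups": [], "routes": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":                  # nameif ethernet2 dmz security50
            c["sec"][t[2]] = int(t[3][len("security"):])
        elif t[0] == "name":                  # name 10.18.0.13 exchange
            c["names"][t[2]] = t[1]
        elif t[:2] == ["ip", "address"]:      # ip address dmz addr mask
            c["ip"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "global":                # global (outside) 1 pool ...
            c["globals"].add((t[1].strip("()"), t[2]))
        elif t[0] == "nat":                   # nat (inside) 1 net mask ...
            c["nats"].append((t[1].strip("()"), t[2]))
        elif t[0] == "static":                # static (real_if, mapped_if) mapped real
            c["statics"].append(re.match(
                r"static \((\w+),\s*(\w+)\) (\S+) (\S+)", line.strip()).groups())
        elif t[0] == "access-list":
            c["acls"].setdefault(t[1], []).append(t)
        elif t[0] == "access-group":          # access-group 110 in interface outside
            c["groups"].append((t[1], t[4]))
        elif t[0] == "route":                 # route iface net mask gateway metric
            c["routes"].append(tuple(t[1:5]))
    return c

def addr_spec(t, i):
    """Consume one ACL address at t[i]: (address, next index, syntax ok)."""
    if t[i] == "any":
        return "any", i + 1, True
    if t[i] == "host":
        return t[i + 1], i + 2, True
    if t[i + 1] == "host":                    # bare name then 'host': mask missing
        return t[i], i + 1, False
    return t[i], i + 2, True                  # address followed by a mask

def lint(text):
    """Return human-readable findings (empty list when the config is clean)."""
    c, out = parse(text), []
    real = lambda tok: c["names"].get(tok, tok)
    bound = {}
    for acl, iface in c["groups"]:
        if iface in bound:
            out.append(f"access-group {acl} on {iface} replaces {bound[iface]}; merge into one ACL")
        bound[iface] = acl
    mapped = {(mif, real(r)): m for _rif, mif, m, r in c["statics"]}
    for acl, iface in c["groups"]:
        for t in c["acls"].get(acl, []):
            src, i, ok = addr_spec(t, 4)
            if not ok:
                out.append(f"access-list {acl}: source needs 'host {src}' or a mask")
            dst = addr_spec(t, i)[0]
            if (iface, real(dst)) in mapped:
                out.append(f"access-list {acl}: on {iface} {dst} is seen as "
                           f"{mapped[(iface, real(dst))]}, not {real(dst)}")
    for nif, nid in c["nats"]:
        for lower in (n for n, s in c["sec"].items() if nid != "0" and s < c["sec"][nif]):
            if (lower, nid) not in c["globals"]:
                out.append(f"nat ({nif}) {nid} has no global ({lower}) {nid}; "
                           f"{nif} hosts without a static cannot reach {lower}")
    own = {str(ip.ip) for ip in c["ip"].values()}
    for iface, net, mask, gw in c["routes"]:
        if gw in own:
            out.append(f"route {iface} {net}: next hop {gw} is the PIX's own address")
        dest = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        for n, ip in c["ip"].items():
            if ip.network == dest:
                out.append(f"route {iface} {net}: already connected on {n}; drop it")
    return out

if __name__ == "__main__":
    print("\n".join(lint(CONFIG)))
```

Run against the trimmed config it reports seven findings, which map onto the posted config like this: the repeated `access-group ... in interface outside` lines leave only the last one in effect, so the four outside permits belong in one ACL; `access-list 150` needs the `host` keyword and the DMZ-side address of the Exchange static (`access-list 150 permit tcp host outlook host 10.10.10.8 eq 80`); `nat (inside) 1` has no `global (dmz) 1`, so inside users cannot reach the DMZ servers at all, and `nat (dmz) 2` has no `global (outside) 2`; and the two trailing `route inside` lines point at the PIX's own inside address for networks it is already connected to (163.146.78.0/24 on outside, 10.10.10.0/24 on dmz). Separately, `eq 80` for the OWA host means the mailbox logon crosses the Internet in clear text; terminating OWA on 443 instead is the usual fix.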


