Re: Cisco PIX Config Help Please

From: Martin (mvinfotech_at_NOSPAMbtinternet.com)
Date: 07/10/03


Date: Thu, 10 Jul 2003 08:29:54 GMT

On Thu, 10 Jul 2003 02:50:21 GMT, "John" <jwholmes@earthlink.net>
wrote:
>
> It looks like you want your mail server to send/receive so you
>will need to give it a static address to the outside. The rest of the
>network can use nat overloading unless you have the addresses to spare.
>The DMZ is simple enough to set up but you say you don't want it visible
>from the inside network. Since, by default, it will have a security level
>lower than the inside interface you will need an access-list to block
>inside traffic from accessing anything except the one address you want
>reached.

>
> You should not need routing (good thing because the PIX is not a router)
>but it is possible since you don't detail the network layout. I strongly
>recommend that you visit
>
>http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/index.htm
>
>since you need to understand what you are doing setting up a firewall or
>else you may end up being far less secure than you think! This is not a
>very complicated config but just giving you commands without you knowing
>why you are entering them is dangerous to you and your employer. Sorry if
>that sounds like a cop-out to you.
>
I have configured my firewall similar to this:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 19x.x.x.34 255.255.255.0
ip address inside 192.168.254.252 255.255.255.0
ip address dmz 172.16.0.252 255.255.255.0
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 19x.x.x.33 1
access-list acl_inside permit tcp any any eq www
access-list acl_inside permit icmp any any
access-list outside_access_in permit icmp any any
access-group outside_access_in in interface outside
access-group acl_inside in interface inside

I have put the icmp's in temporarily for ping tests. I can ping the
outside world, and can access web sites using ip addresses, but not
dns names.

Any suggestions?

Thanks

Martin
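An added check, not part of Martin's post or of Cisco's software: it parses the access-list lines above with a simplified model of PIX 6.x ACL evaluation (entries tested in order, first match wins, implicit deny when nothing matches) and evaluates the flows Martin describes. HTTP from the inside matches the first entry, but a DNS lookup (UDP or TCP port 53) matches no acl_inside entry and falls to the implicit deny. It assumes only the "any" / "A.B.C.D M.M.M.M" address syntax and the "eq" port form seen in the post; the destination addresses are constructed.

```python
import ipaddress
PORT_NAMES = {"www": 80, "domain": 53}  # PIX service names handled here (subset)
def parse_net(tokens, i):
    """Parse 'any' or 'A.B.C.D M.M.M.M' at tokens[i]; return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """access-list <name> permit|deny <proto> <src> <dst> [eq <port>]"""
    t = line.split()
    name, action, proto = t[1], t[2], t[3]
    src, i = parse_net(t, 4)
    dst, i = parse_net(t, i)
    dport = None  # None: any destination port
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return name, (action, proto, src, dst, dport)

def build_acls(config):
    acls = {}  # ACL name -> entries in configured order
    for line in config.splitlines():
        if line.startswith("access-list "):
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
    return acls

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match is the PIX implicit deny."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, a_proto, a_src, a_dst, a_port in acl:
        if a_proto in (proto, "ip") and src in a_src and dst in a_dst \
                and (a_port is None or a_port == dport):
            return action
    return "deny (implicit)"

# The access-list lines from the post above.
POSTED_ACLS = build_acls("""\
access-list acl_inside permit tcp any any eq www
access-list acl_inside permit icmp any any
access-list outside_access_in permit icmp any any
""")

def check_inside_flows():
    # Verdicts for an inside host (constructed addresses) going out.
    inside = POSTED_ACLS["acl_inside"]
    return {
        "http": evaluate(inside, "tcp", "192.168.254.10", "198.51.100.5", 80),
        "dns_udp": evaluate(inside, "udp", "192.168.254.10", "198.51.100.53", 53),
        "dns_tcp": evaluate(inside, "tcp", "192.168.254.10", "198.51.100.53", 53),
    }
```

Because an access-group on the inside interface replaces the PIX default of allowing all outbound traffic, every protocol the inside hosts need, including the resolver's UDP 53, has to be listed explicitly.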
