Re: Cisco PIX Config Help Please
From: Martin (mvinfotech_at_NOSPAMbtinternet.com)
Date: 07/10/03
- Next message: Mike: "Re: Do I Need a Firewall?"
- Previous message: Christina Wagner: "Re: Hardware firewall for laptop"
- In reply to: John: "Re: Cisco PIX Config Help Please"
- Next in thread: Chris: "Re: Cisco PIX Config Help Please"
- Reply: Chris: "Re: Cisco PIX Config Help Please"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 10 Jul 2003 08:29:54 GMT
On Thu, 10 Jul 2003 02:50:21 GMT, "John" <jwholmes@earthlink.net>
wrote:
>
> It looks like you want your mail server to send/receive so you
>will need to give it a static address to the outside. The rest of the
>network can use nat overloading unless you have the addresses to spare.
>The DMZ is simple enough to setup but you say you don't want it visible
>from the inside network. Since, by default, it will have a security level
>lower than the inside interface you will need an access-list to block
>inside traffic from accessing anything except the one address you want
>reached.
>
> You should not need routing (good thing because the PIX is not a router)
>but it is possible since you don't detail the network layout. I strongly
>recommend that you visit
>
>http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/index.htm
>
>since you need to understand what you are doing setting up a firewall or
>else you may end up being far less secure than you think! This is not a
>very complicated config but just giving you commands without you knowing
>why you are entering them is dangerous to you and your employer. Sorry if
>that sounds like a cop-out to you.
>
I have configured my firewall similar to this:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 19x.x.x.34 255.255.255.0
ip address inside 192.168.254.252 255.255.255.0
ip address dmz 172.16.0.252 255.255.255.0
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 19x.x.x.33 1
access-list acl_inside permit tcp any any eq www
access-list acl_inside permit icmp any any
access-list outside_access_in permit icmp any any
access-group outside_access_in in interface outside
access-group acl_inside in interface inside
I have put the ICMPs in temporarily for ping tests. I can ping the
outside world, and can access web sites using IP addresses, but not
DNS names.
Any suggestions?
Thanks,
Martin
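Added here as a worked example (it is not part of this thread and not Cisco code): a small Python checker that parses access-list lines in the form posted above (any / host / address-mask sources and destinations, with an optional "eq port") and evaluates sample flows against the inside ACL the way the PIX applies an access-group, top to bottom with the first match winning and an implicit deny at the end. The client and server addresses and the list of flows are constructed for the example; PORT_NAMES is a hand-picked subset of the PIX port keywords.

```python
import ipaddress

# Constructed sample: the access-list lines as they appear in the post above.
SAMPLE_CONFIG = """
access-list acl_inside permit tcp any any eq www
access-list acl_inside permit icmp any any
access-list outside_access_in permit icmp any any
"""

# Subset of the port keywords the PIX accepts in place of numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "smtp": 25, "ftp": 21}


def _parse_addr(tokens, i):
    """Parse an address spec starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "address netmask" form (the PIX uses real subnet masks, not wildcard masks)
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_access_lists(config_text):
    """Return {acl_name: [entry, ...]} for every access-list line in the text, in order."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i + 1 < len(tokens) and tokens[i] == "eq":
            p = tokens[i + 1]
            dport = PORT_NAMES.get(p, int(p) if p.isdigit() else None)
        acls.setdefault(name, []).append(
            {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}
        )
    return acls


def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation of one flow; anything unmatched hits the implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if src not in e["src"] or dst not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"  # implicit deny at the end of every PIX access-list


def check_flows(config_text, acl_name, flows):
    """Evaluate each labelled flow (proto, src, dst, dport) against one ACL."""
    entries = parse_access_lists(config_text).get(acl_name, [])
    return {label: evaluate(entries, *flow) for label, flow in flows.items()}


# Constructed flows from an inside client (192.168.254.0/24 in the post) to documentation-range servers.
FLOWS = {
    "web by IP (tcp/80)": ("tcp", "192.168.254.10", "198.51.100.20", 80),
    "ping (icmp)": ("icmp", "192.168.254.10", "198.51.100.20", None),
    "DNS lookup (udp/53)": ("udp", "192.168.254.10", "198.51.100.53", 53),
    "HTTPS (tcp/443)": ("tcp", "192.168.254.10", "198.51.100.20", 443),
}

if __name__ == "__main__":
    for label, verdict in check_flows(SAMPLE_CONFIG, "acl_inside", FLOWS).items():
        print(f"{label:24s} -> {verdict}")
```

Running it against the posted acl_inside shows tcp/80 and ICMP permitted and udp/53 falling through to the implicit deny, which is the kind of check worth making whenever an interface ACL is tightened to a short list of explicit permits: every protocol the permitted service depends on has to appear in that list too.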