Firewall Wizards mailing list archives
Re: Fwd: Re: Firewall configuration with DMZ
From: rgolodner () infratection com
Date: Mon, 19 Mar 2007 05:52:59 +0000
Anthony, could you provide some more insight regarding what you want to have happen with this config? What is not working? What do you think the problem might be?

Richard Golodner

-----Original Message-----
From: Anthony Mile [mailto:mileanthony () yahoo com]
Sent: Monday, March 12, 2007 04:32 AM
To: firewall-wizards () listserv cybertrust com
Subject: [fw-wiz] Fwd: Re: Firewall configuration with DMZ

Hi guys!! Help me in this....

I have used this configuration below in my implementation but in vain. Can you tell me where I am wrong or which way to go!!!!!

I have a scenario like this: I have an internet link going to a router, the router connects to a PIX 515E; the PIX has a DMZ interface which connects the mail server and the file and application server running SQL. The ethernet interface 1 connects to a LAN. The LAN has an ISA server as the proxy where all authentication is made.

1. ethernet0 = outside, connects to WAN router. ip=a.b.c.146 255.255.255.248
2. ethernet1 = inside, LAN. ip=4.16.10.2 255.255.255.0
3. DMZ = connects mail server and also application/file server. ip=4.16.11.254 255.255.255.0

mail server: public ip=a.b.c.148; private ip=4.16.10.43
appl./file server: public ip=a.b.c.149; private ip=4.16.11.42
proxy server: public ip=a.b.c.147; private ip=4.16.10.254
Router: inside ip=a.b.c.145

Help me with this configuration for this PIX.

Kind regards,
Anthony

Here are the configs I have already done:

PIX# show run
: Saved
:
PIX Version 7.2(1)
!
names
!
interface Ethernet0
 description Connection to WAN Router
 nameif Outside
 security-level 0
 ip address a.b.c.146 255.255.255.248
!
interface Ethernet1
 description Connection to Server
 nameif inside
 security-level 100
 ip address 4.16.10.254 255.255.255.0
!
interface Ethernet2
 description connection to mail, application and file server
 nameif DMZ
 security-level 50
 ip address 4.16.11.254 255.255.255.0
!
access-list Outside_mpc extended permit ip any interface inside
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq www
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq ftp
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq ftp-data
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq https
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq imap4
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq lotusnotes
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq pop3
access-list Outside_access_in extended permit tcp any host a.b.c.148 eq smtp
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq www
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq ftp
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq ftp-data
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq https
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq imap4
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq sqlnet
access-list Outside_access_in extended permit tcp any host a.b.c.149 eq ssh
access-list Outside_access_in extended permit tcp 4.16.10.0 255.255.255.0 any eq smtp
access-list Outside_access_in extended permit udp any host a.b.c.148 eq domain
access-list Outside_access_in extended permit udp any host a.b.c.148 eq isakmp
access-list Outside_access_in extended permit tcp any host a.b.c.148
access-list Outside_access_in extended permit udp any host a.b.c.149 eq domain
access-list Outside_access_in extended permit tcp 4.16.10.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu DMZ 1500
icmp permit any unreachable inside
icmp permit any time-exceeded inside
icmp permit any inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (Outside) 2 4.16.10.0-4.16.10.255 netmask 255.255.255.0
global (Outside) 1 interface
global (DMZ) 1 4.16.11.0-4.16.11.254 netmask 255.255.255.248
nat (inside) 1 4.16.10.0 255.255.255.0
static (DMZ,Outside) a.b.c.148 4.16.11.252 netmask 255.255.255.255
static (DMZ,Outside) a.b.c.149 4.16.11.251 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 a.b.c.145 1
route DMZ a.b.c.148 255.255.255.255 4.16.11.253 2
route DMZ 4.16.10.151 255.255.255.255 4.16.11.253 2
route DMZ 4.16.10.252 255.255.255.255 4.16.11.253 2
route DMZ a.b.c.149 255.255.255.255 4.16.11.253 2
!
class-map Outside-class
 match access-list Outside_mpc
class-map class_http
 match port tcp eq ftp
class-map inspection_default
 match default-inspection-traffic
!bhbbb
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
  inspect esmtp
 class class_http
  inspect http
policy-map Accessserver
 class Outside-class
  inspect http
!
service-policy global_policy global
service-policy Accessserver interface Outside
: end
PIX#
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
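The post above describes the intended layout in prose and then pastes the running config, and the two do not agree everywhere: the outside ACL has a `permit tcp any host a.b.c.148` line with no port, two entries sourced from the inside network 4.16.10.0/24, the statics translate to 4.16.11.252 and 4.16.11.251 rather than the 4.16.10.43 and 4.16.11.42 the poster lists, and 4.16.10.43 is on the inside subnet although the mail server is said to hang off the DMZ. The script below is an added example, not part of the thread or of either poster's config: it parses the subset of the posted PIX 7.2 config that those checks need (interface addresses, access-list entries, static translations and the access-group binding) and prints each finding. The constructed `PIX_CONFIG` uses the documentation range 203.0.113.x in place of the masked a.b.c.x addresses, `DECLARED_HOSTS` is taken from the prose of the post rather than from the config, and `check_config`, `parse_interfaces` and `to_network` are names chosen here.

```python
import ipaddress
import re

# Constructed sample: the lines of the posted PIX 7.2(1) config that the checks
# below need, with 203.0.113.x standing in for the masked a.b.c.x addresses.
PIX_CONFIG = """\
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 203.0.113.146 255.255.255.248
interface Ethernet1
 nameif inside
 security-level 100
 ip address 4.16.10.254 255.255.255.0
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 4.16.11.254 255.255.255.0
access-list Outside_access_in extended permit tcp any host 203.0.113.148 eq smtp
access-list Outside_access_in extended permit tcp any host 203.0.113.148
access-list Outside_access_in extended permit tcp 4.16.10.0 255.255.255.0 any eq smtp
access-list Outside_access_in extended permit tcp 4.16.10.0 255.255.255.0 any
access-list Outside_access_in extended permit udp any host 203.0.113.149 eq domain
static (DMZ,Outside) 203.0.113.148 4.16.11.252 netmask 255.255.255.255
static (DMZ,Outside) 203.0.113.149 4.16.11.251 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
"""

# Servers as the poster described them in prose (private address, interface
# they are said to sit behind).  This comes from the post text, not the config.
DECLARED_HOSTS = {
    "mail server": ("4.16.10.43", "DMZ"),
    "application/file server": ("4.16.11.42", "DMZ"),
}

ACL_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) (\S+) "
    r"(any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)(?: eq (\S+))?$",
    re.MULTILINE,
)
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask \S+$", re.MULTILINE)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$", re.MULTILINE)


def parse_interfaces(cfg):
    """Return {nameif: ip_network} for every interface block that has an address."""
    ifaces, name = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, addr, mask = line.split()
            ifaces[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ifaces


def to_network(field):
    """Turn an ACL address field ('any', 'host X', 'net mask') into an ip_network."""
    if field == "any":
        return None
    if field.startswith("host "):
        return ipaddress.ip_network(field.split()[1])
    addr, mask = field.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_config(cfg, declared_hosts):
    """Return a list of human-readable findings for the config fragment."""
    ifaces = parse_interfaces(cfg)
    bound = dict(GROUP_RE.findall(cfg))  # ACL name -> interface it is applied on
    internal = {n: net for n, net in ifaces.items() if n != "Outside"}
    findings = []

    for acl, action, proto, src, dst, port in ACL_RE.findall(cfg):
        if action != "permit":
            continue
        entry = f"{acl}: permit {proto} {src} -> {dst}"
        # A tcp/udp permit without 'eq' opens every port on the destination.
        if proto in ("tcp", "udp") and not port:
            findings.append(f"{entry}: no port given, every {proto.upper()} port is open")
        # On the ACL bound to Outside, a source that is one of our own internal
        # subnets cannot legitimately arrive from the Internet.
        srcnet = to_network(src)
        if srcnet is not None and bound.get(acl) == "Outside":
            for ifname, net in internal.items():
                if srcnet.subnet_of(net) or net.subnet_of(srcnet):
                    findings.append(f"{entry}: source {srcnet} belongs to the {ifname} interface, not to the Internet")

    for real_if, mapped_if, mapped, real in STATIC_RE.findall(cfg):
        entry = f"static ({real_if},{mapped_if}) {mapped} -> {real}"
        if ipaddress.ip_address(real) not in ifaces[real_if]:
            findings.append(f"{entry}: real address is not in the {real_if} subnet {ifaces[real_if]}")
        if real not in {ip for ip, _ in declared_hosts.values()}:
            findings.append(f"{entry}: real address matches none of the servers described in the post")

    for host, (ip, claimed_if) in declared_hosts.items():
        homes = [n for n, net in ifaces.items() if ipaddress.ip_address(ip) in net]
        if claimed_if not in homes:
            where = ", ".join(homes) or "no known"
            findings.append(f"{host} {ip}: described as hanging off {claimed_if} but its address falls in the {where} network")
    return findings


if __name__ == "__main__":
    for finding in check_config(PIX_CONFIG, DECLARED_HOSTS):
        print("-", finding)
```

Run against the constructed fragment it reports seven findings: the portless `permit tcp any host` line, the two entries sourced from 4.16.10.0/24 (one of them also portless), the two statics whose real addresses match neither server the poster listed, and the mail server address sitting in the inside subnet. The parser only understands the command shapes present in the post; a real review would still walk the `global`/`nat` pools and the `route DMZ` entries for the public addresses by hand.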
Current thread:
- Fwd: Re: Firewall configuration with DMZ Anthony Mile (Mar 18)
- <Possible follow-ups>
- Re: Fwd: Re: Firewall configuration with DMZ rgolodner (Mar 19)