Firewall Wizards mailing list archives
PIX 515 7.1 vs: 8.0
From: Brian Blater <brb.lists () gmail com>
Date: Tue, 8 Mar 2011 20:24:50 -0500
I was recently able to pick up another PIX to play with. I currently have a PIX 515e with 7.1, but this new one comes with 8.0. I'm wondering if there is something new in the 8.0 version that is working differently and has me stumped. One difference between the two PIXes I have is that the new one has a 4 port card for a total of 6 ethernet ports. I've set up DHCPD on two of the interfaces, but I can't get it to assign an address to anything connected to those interfaces (dmz and vonage). Also, if I manually assign an IP to a device on one of those networks I can't even get out to the internet. So, either some ACL or static mapping is interfering there, but I can't see what I've messed up. The DMZ port on the PIX 515e with 7.1 just works both with DHCPD and internet access, but even if I try the same ACLs and statics on the 8.0 PIX I'm still not getting anything working. Basically I'm stumped. I've attached the 8.0 config below. If anyone can give me a hand and let me know what I'm missing that would be great.

Thanks for your help.
Brian

PIX Version 8.0(4)32
!
hostname brb-pix
domain-name bfamily.org
enable password xxxxxx encrypted
passwd xxxxxxx encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 24.199.216.33 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.99.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.109.1 255.255.255.0
!
interface Ethernet3
 nameif vonage
 security-level 25
 ip address 192.168.149.1 255.255.255.0
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.99.201
 domain-name bfamily.org
access-list outside remark access list for outside
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any unreachable
access-list outside extended permit tcp any any eq https
access-list outside extended permit tcp any any eq 2525
access-list dmz remark access list for dmz
access-list dmz extended permit icmp 192.168.109.0 255.255.255.0 192.168.99.0 255.255.255.0 echo-reply
access-list dmz extended permit icmp 192.168.109.0 255.255.255.0 192.168.99.0 255.255.255.0 unreachable
access-list dmz extended permit udp 192.168.109.0 255.255.255.0 host 192.168.99.201 eq domain
access-list dmz extended permit ip 192.168.109.0 255.255.255.0 any
access-list nonat remark nonat for dmz and inside interfaces
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.109.0 255.255.255.0
access-list nonat extended permit ip 192.168.109.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list nonat extended permit ip 192.168.129.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list vonage remark access list for vonage network
access-list vonage_access_in extended permit ip 192.168.149.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu vonage 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.99.0 255.255.255.0
nat (dmz) 0 access-list nonat
nat (dmz) 1 192.168.109.0 255.255.255.0
nat (vonage) 0 access-list nonat
nat (vonage) 1 192.168.149.0 255.255.255.0
static (dmz,outside) tcp interface https 192.168.109.44 https netmask 255.255.255.255
static (inside,outside) tcp interface 2525 192.168.99.202 smtp netmask 255.255.255.255
static (inside,dmz) 192.168.99.0 192.168.99.0 netmask 255.255.255.0
static (inside,vonage) 192.168.99.0 192.168.99.0 netmask 255.255.255.0
access-group outside in interface outside
access-group dmz in interface dmz
access-group vonage_access_in in interface vonage
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.99.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.99.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.99.0 255.255.255.0 inside
ssh 192.168.109.0 255.255.255.0 dmz
ssh timeout 60
console timeout 0
dhcpd dns 4.2.2.1 8.8.8.8
dhcpd lease 259200
dhcpd ping_timeout 750
dhcpd domain bfamily.org
!
dhcpd address 192.168.109.101-192.168.109.110 dmz
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
dhcpd lease 259200 interface dmz
dhcpd ping_timeout 750 interface dmz
dhcpd domain bfamily.org interface dmz
dhcpd enable dmz
!
dhcpd address 192.168.149.101-192.168.149.110 vonage
dhcpd enable vonage
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username bblater password xxxxxxxxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
brb-pix#

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
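A static cross-reference check over a config in this pre-8.3 PIX/ASA style, added here as an example; it is not part of Brian's post and not a Cisco tool. It parses only the sections relevant to the symptoms (interface addresses, access-lists, nat 0 bindings, access-groups, dhcpd pools) and reports references that do not line up: an access-group bound to an undefined ACL, an ACL that holds only a remark, a nat 0 ACL with no entry sourced from the interface it is applied to, an ACL subnet that matches no interface, or a dhcpd pool outside its interface's subnet. The embedded input is an excerpt of the posted config trimmed to the lines the checks use; the function names parse_config, ace_networks and lint are my own. On this input it reports the remark-only ACL vonage, the nonat entries for 192.168.129.0/24 (a subnet no interface carries) and nat (vonage) 0 pointing at an ACL with no 192.168.149.0/24 source; whether any of those is the actual cause is for the thread to decide.

```python
import ipaddress
import re

# Excerpt of the posted config, trimmed to the lines the checks need.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 24.199.216.33 255.255.255.248
interface Ethernet1
 nameif inside
 ip address 192.168.99.1 255.255.255.0
interface Ethernet2
 nameif dmz
 ip address 192.168.109.1 255.255.255.0
interface Ethernet3
 nameif vonage
 ip address 192.168.149.1 255.255.255.0
access-list outside extended permit tcp any any eq https
access-list dmz extended permit udp 192.168.109.0 255.255.255.0 host 192.168.99.201 eq domain
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.109.0 255.255.255.0
access-list nonat extended permit ip 192.168.109.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list nonat extended permit ip 192.168.129.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list vonage remark access list for vonage network
access-list vonage_access_in extended permit ip 192.168.149.0 255.255.255.0 any
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat
nat (vonage) 0 access-list nonat
access-group outside in interface outside
access-group dmz in interface dmz
access-group vonage_access_in in interface vonage
dhcpd address 192.168.109.101-192.168.109.110 dmz
dhcpd address 192.168.149.101-192.168.149.110 vonage
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_config(text):
    """Pull out interfaces, ACLs, nat 0 bindings, access-groups and DHCP pools."""
    ifaces, acls, nat0, groups, pools = {}, {}, {}, [], []
    nameif = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            nameif = None                        # start of a new interface block
        elif t[0] == "nameif" and len(t) > 1:
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif and len(t) >= 4:
            ifaces[nameif] = ipaddress.IPv4Interface(f"{t[2]}/{t[3]}")
        elif t[0] == "access-list" and len(t) > 2:
            aces = acls.setdefault(t[1], [])
            if t[2] != "remark":                 # remarks are not entries
                aces.append(t[2:])
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            nat0[t[1].strip("()")] = t[4]        # nat (ifname) 0 access-list NAME
        elif t[0] == "access-group" and len(t) >= 5:
            groups.append((t[1], t[4]))          # access-group ACL in interface IF
        elif t[:2] == ["dhcpd", "address"] and len(t) >= 4:
            first, last = t[2].split("-")
            pools.append((ipaddress.IPv4Address(first), ipaddress.IPv4Address(last), t[3]))
    return ifaces, acls, nat0, groups, pools


def ace_networks(tokens):
    """Networks written as 'addr mask' pairs in one ACE ('any' and 'host x' are skipped)."""
    nets, i = [], 0
    while i < len(tokens) - 1:
        if tokens[i] == "host":
            i += 2                               # single address, no mask follows
        elif IPV4.match(tokens[i]) and IPV4.match(tokens[i + 1]):
            nets.append(ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False))
            i += 2
        else:
            i += 1
    return nets


def lint(text):
    """Return a de-duplicated list of cross-reference problems found in the config."""
    ifaces, acls, nat0, groups, pools = parse_config(text)
    nets = {name: iface.network for name, iface in ifaces.items()}
    findings = []

    def add(msg):
        if msg not in findings:
            findings.append(msg)

    for acl, nameif in groups:
        if acl not in acls:
            add(f"access-group binds undefined ACL '{acl}' to interface {nameif}")
        if nameif not in ifaces:
            add(f"access-group for '{acl}' names unknown interface {nameif}")
    for name, aces in acls.items():
        if not aces:
            add(f"ACL '{name}' has no entries (remark only)")
    for nameif, acl in nat0.items():
        # In a nat 0 ACL the first network of each entry is the local source.
        sources = [n[0] for n in map(ace_networks, acls.get(acl, [])) if n]
        net = nets.get(nameif)
        if net and not any(s.subnet_of(net) for s in sources):
            add(f"nat ({nameif}) 0 uses ACL '{acl}' but no entry has a source inside {net}")
    for name, aces in acls.items():
        for ace in aces:
            for n in ace_networks(ace):
                if not any(n.subnet_of(i) or i.subnet_of(n) for i in nets.values()):
                    add(f"ACL '{name}' references {n}, which matches no interface subnet")
    for first, last, nameif in pools:
        net = nets.get(nameif)
        if net is None or first not in net or last not in net:
            add(f"dhcpd pool {first}-{last} is not inside the subnet of interface {nameif}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

The nat 0 check treats the first addr/mask pair of each entry as the local source, which holds for the nonat-style ACLs here but not for entries whose source is any or host; a production version would track source and destination positions separately.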
Current thread:
- PIX 515 7.1 vs: 8.0 Brian Blater (Mar 11)
- Re: PIX 515 7.1 vs: 8.0 John Morrison (Mar 15)
- Re: PIX 515 7.1 vs: 8.0 Christopher J. Wargaski (Mar 15)
- Re: PIX 515 7.1 vs: 8.0 Kevin Horvath (Mar 17)
- Re: PIX 515 7.1 vs: 8.0 Brian Blater (Mar 19)
- Re: PIX 515 7.1 vs: 8.0 Christopher J. Wargaski (Mar 22)
- Re: PIX 515 7.1 vs: 8.0 Brian Blater (Mar 22)
- Re: PIX 515 7.1 vs: 8.0 Christopher J. Wargaski (Mar 22)
- Re: PIX 515 7.1 vs: 8.0 Kevin Horvath (Mar 17)
- Re: PIX 515 7.1 vs: 8.0 John Morrison (Mar 22)
- Re: PIX 515 7.1 vs: 8.0 Brian Blater (Mar 22)