Firewall Wizards mailing list archives

Help needed with Cisco PIX 515 config


From: "Brian Blater" <brb.lists () gmail com>
Date: Thu, 21 Dec 2006 12:04:48 -0500

Joined this list not too long ago and have been lurking. Having some
problems on my PIX 515 (R) at home and had some questions, so I
thought I would give the list a try. Understand I'm comfortable with
the pix and have a basic understanding, but I'm by no means a guru at
this.

The Pix is running 6.3(3) and is connected to a RR cable network like so:
internet --- cbl modem --- linksys voip --- pix outside
It is a private network between the voip and the pix outside interface.

Here is what I'm trying to do.

I'm first trying to clean the config up some and get the dmz interface
setup and working correctly. The outside interface is on
192.168.15.0/24, the inside interface is 192.168.99.0/24 and the dmz
is on 192.168.100.0/24. Since this pix is behind the voip router I
don't believe I need the NAT statement any more since the voip should
be doing the NAT. Right now it is doing double natting. I would like
all traffic from the inside to be able to go to the internet and the
dmz unrestricted. I would like all traffic from the dmz to go to the
internet unrestricted. I only want to allow certain traffic from the
dmz to the inside network and certain traffic from the internet to the
dmz. I've tried setting this up but things just aren't working - I
can't access the dmz from the inside network and I can't access the
internet from the dmz etc. Things are now running pretty slow also, so
I screwed something up. I tried creating the correct access-list for
the interfaces, but those have always caused me trouble. So, before
the wife and kids start complaining things aren't working I've got to
get this working correctly. I've attached a recent copy of the pix
config (before I tried to make the changes above). Any suggestions on
how this can be accomplished?

Just for further information I would eventually like to add vpn client
capability to this. I'm also considering upgrading the memory and
running 7.x software and doing some kind of QoS so I can move the voip
router to the dmz. Unless that is not recommended.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname brb-PIX
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any unreachable
access-list outside permit tcp any host 192.168.15.202 eq ssh
access-list outside permit tcp any host 192.168.15.205 eq www
access-list outside permit tcp any host 192.168.15.206 eq smtp
access-list gcap permit ip host 192.168.99.201 any
access-list gcap permit ip any host 192.168.99.201
pager lines 24
logging buffered warnings
logging trap informational
logging history informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.15.2 255.255.255.0
ip address inside 192.168.99.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.99.0 255.255.255.0 0 0
static (inside,dmz) 192.168.99.0 192.168.99.0 netmask 255.255.255.0 0 0
static (inside,outside) 192.168.15.202 192.168.99.202 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.15.205 192.168.99.205 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.15.206 192.168.99.206 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.15.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.99.201 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 192.168.99.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:95d4d90304d78a74dbcac3bd2c490050

Again any help is greatly appreciated.

Thanks,
Brian
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
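Editor's worked example (added here; this is not the poster's running config and not a reply from the list). It shows one PIX 6.3 layout for the policy described in the post: inside to internet and dmz unrestricted, dmz to internet unrestricted, dmz to inside only for named flows, internet to dmz only for the published services. Two points it is built around: 6.3 forwards nothing between two interfaces unless a nat/global or static entry covers the flow, and the posted config has no nat statement for the dmz interface; and once an access-group is bound to the dmz interface its implicit deny replaces the default security-level behaviour for dmz-originated traffic, so the "let the dmz out" permit has to be written explicitly after the dmz-to-inside rules. The host roles are assumptions for illustration: the web server and mail relay are taken to have moved to the dmz as 192.168.100.205 and .206, the ssh host stays inside as 192.168.99.202, and the two dmz-to-inside flows (relay to an inside mail server 192.168.99.210 on smtp, dmz hosts to 192.168.99.201 on syslog/udp 514) are invented to show the pattern.

```cisco
! Added example for PIX 6.3(3), not the poster's config. Host addresses and
! the dmz-to-inside flows below are assumptions chosen for illustration.

! ---- Translation: every interface pair needs a nat/static entry in 6.3 ----
global (outside) 1 interface
nat (inside) 1 192.168.99.0 255.255.255.0 0 0
! The posted config has no nat for the dmz, so dmz-originated traffic to the
! internet has no translation and is dropped. This supplies one:
nat (dmz) 1 192.168.100.0 255.255.255.0 0 0
! Inside hosts keep their real addresses toward the dmz (identity static,
! same as the line already in the posted config). Static beats nat, so this
! also covers inside -> dmz without a global on the dmz interface:
static (inside,dmz) 192.168.99.0 192.168.99.0 netmask 255.255.255.0 0 0
! Servers that live on the dmz must be published with (dmz,outside) statics;
! the (inside,outside) form only fits hosts that stay on the inside:
static (dmz,outside) 192.168.15.205 192.168.100.205 netmask 255.255.255.255 0 0
static (dmz,outside) 192.168.15.206 192.168.100.206 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.15.202 192.168.99.202 netmask 255.255.255.255 0 0

! ---- Internet -> dmz/inside: only the published services ----
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any unreachable
access-list outside permit tcp any host 192.168.15.202 eq ssh
access-list outside permit tcp any host 192.168.15.205 eq www
access-list outside permit tcp any host 192.168.15.206 eq smtp
access-group outside in interface outside

! ---- dmz -> inside: named exceptions, then deny the rest of inside,
! then let the dmz reach anything else (the internet) ----
! Rules match first-hit, so the deny must sit before the permit-any line,
! and the permit-any is required because the bound ACL ends in implicit deny.
access-list dmz permit tcp host 192.168.100.206 host 192.168.99.210 eq smtp
access-list dmz permit udp 192.168.100.0 255.255.255.0 host 192.168.99.201 eq 514
access-list dmz deny ip 192.168.100.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list dmz permit ip 192.168.100.0 255.255.255.0 any
access-group dmz in interface dmz

! ---- inside: no access-group, so security100 -> security50/0 stays open ----

! Existing connections keep their old xlates; clear them after changing
! nat/static entries so the new translations take effect.
clear xlate
```

Two checks worth running after applying something like this: "show xlate" after a dmz host opens an outbound connection should show a PAT entry on the outside interface address for it, and "show access-list dmz" hit counts should climb on the deny line (not the permit-any line) when a dmz host tries an inside port that is not listed. If the deny counter never moves while dmz hosts still reach inside, the access-group binding or the rule order is wrong.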

