Firewall Wizards mailing list archives
Help needed with Cisco PIX 515 config
From: "Brian Blater" <brb.lists () gmail com>
Date: Thu, 21 Dec 2006 12:04:48 -0500
Joined this list not too long ago and have been lurking. Having some problems on my PIX 515 (R) at home and had some questions, so I thought I would give the list a try. Understand I'm comfortable with the pix and have a basic understanding, but I'm by no means a guru at this. The Pix is running 6.3(3) and is connected to a RR cable network like so:

    internet --- cbl modem --- linksys voip --- pix outside

It is a private network between the voip and the pix outside interface.

Here is what I'm trying to do. I'm first trying to clean the config up some and get the dmz interface set up and working correctly. The outside interface is on 192.168.15.0/24, the inside interface is 192.168.99.0/24 and the dmz is on 192.168.100.0/24. Since this pix is behind the voip router I don't believe I need the NAT statement any more since the voip should be doing the NAT. Right now it is doing double natting.

I would like all traffic from the inside to be able to go to the internet and the dmz unrestricted. I would like all traffic from the dmz to go to the internet unrestricted. I only want to allow certain traffic from the dmz to the inside network and certain traffic from the internet to the dmz. I've tried setting this up but things just aren't working - I can't access the dmz from the inside network and I can't access the internet from the dmz etc. Things are now running pretty slowly also, so I screwed something up. I tried creating the correct access-lists for the interfaces, but those have always caused me trouble. So, before the wife and kids start complaining things aren't working I've got to get this working correctly.

I've attached a recent copy of the pix config (before I tried to make the changes above). Any suggestions on how this can be accomplished?

Just for further information, I would eventually like to add vpn client capability to this. I'm also considering upgrading the memory and running 7.x software and doing some kind of QoS so I can move the voip router to the dmz. Unless that is not recommended.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname brb-PIX
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any unreachable
access-list outside permit tcp any host 192.168.15.202 eq ssh
access-list outside permit tcp any host 192.168.15.205 eq www
access-list outside permit tcp any host 192.168.15.206 eq smtp
access-list gcap permit ip host 192.168.99.201 any
access-list gcap permit ip any host 192.168.99.201
pager lines 24
logging buffered warnings
logging trap informational
logging history informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.15.2 255.255.255.0
ip address inside 192.168.99.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.99.0 255.255.255.0 0 0
static (inside,dmz) 192.168.99.0 192.168.99.0 netmask 255.255.255.0 0 0
static (inside,outside) 192.168.15.202 192.168.99.202 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.15.205 192.168.99.205 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.15.206 192.168.99.206 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.15.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.99.201 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 192.168.99.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:95d4d90304d78a74dbcac3bd2c490050

Again any help is greatly appreciated.

Thanks,
Brian
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
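One way to lay out the NAT and access-list part of what Brian describes on PIX 6.3, written here as an added example; it is not from Brian's post nor from any reply in the thread. It assumes (none of this is stated in the post) that the www and smtp hosts move to the dmz as 192.168.100.205 and 192.168.100.206, that the ssh host 192.168.99.202 stays inside, that 192.168.99.201 is an inside host the dmz mail relay is allowed to deliver to, and that the Linksys keeps doing the outer NAT and only port-forwards to addresses on its own 192.168.15.0/24 side. Lines beginning with a colon are comments.

```cisco
: Added example for PIX 6.3, not the posted config. Interface names, the
: 192.168.99.201 inside host and the moved dmz servers are assumptions.
:
: inside <-> dmz: identity translation so each side sees the other's real
: addresses. From inside, reach dmz servers as 192.168.100.x, not 192.168.15.x.
static (inside,dmz) 192.168.99.0 192.168.99.0 netmask 255.255.255.0 0 0
:
: inside and dmz hosts PAT to the outside interface address when heading to
: the Internet (the Linksys then does the second NAT).
global (outside) 1 interface
nat (inside) 1 192.168.99.0 255.255.255.0 0 0
nat (dmz) 1 192.168.100.0 255.255.255.0 0 0
:
: publish the dmz servers on 192.168.15.x addresses the Linksys can forward to;
: the ssh host stays inside, as in the posted config.
static (dmz,outside) 192.168.15.205 192.168.100.205 netmask 255.255.255.255 0 0
static (dmz,outside) 192.168.15.206 192.168.100.206 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.15.202 192.168.99.202 netmask 255.255.255.255 0 0
:
: outside -> dmz/inside: only the published services and ICMP replies.
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any unreachable
access-list outside permit tcp any host 192.168.15.205 eq www
access-list outside permit tcp any host 192.168.15.206 eq smtp
access-list outside permit tcp any host 192.168.15.202 eq ssh
access-group outside in interface outside
:
: dmz -> inside: only the flows listed explicitly (here a hypothetical mail
: delivery to an inside host); everything else from the dmz to the inside
: network is dropped; dmz -> Internet is unrestricted. No access-group on the
: inside interface, so inside -> dmz and inside -> Internet stay open.
access-list dmz_in permit tcp host 192.168.100.206 host 192.168.99.201 eq smtp
access-list dmz_in deny ip any 192.168.99.0 255.255.255.0
access-list dmz_in permit ip 192.168.100.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

After changing `nat` or `static` entries on 6.3, run `clear xlate` so existing translations are rebuilt; otherwise the old inside,outside statics for .205 and .206 keep matching and the dmz servers look unreachable. Dropping the PIX's own NAT (a `nat 0` identity rule instead of the `global`/`nat 1` pair) is possible, but then the Linksys would need routes for 192.168.99.0/24 and 192.168.100.0/24 pointing at 192.168.15.2 and would have to port-forward to addresses off its own subnet, which many consumer routers will not do; that is why this example keeps the double NAT. Separately, the posted config still carries the default SNMP community `public` and a DES, group 1 ISAKMP policy; both are worth changing before the VPN client work starts.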
Current thread:
- Help needed with Cisco PIX 515 config Brian Blater (Dec 24)
- Re: Help needed with Cisco PIX 515 config Paul Melson (Dec 25)