topic PIX 501 Issue in Network Security

PIX 501 Issue

saeedccie — Mon, 11 Mar 2019 21:35:34 GMT

Hi Guys,

I have Pix 501 firewall and I'm just configuring the device for "Email Server" to allowing POP/SMTP but i have some questions please answer me to resolve the issue.

Inside Interface Address: 132.147.162.14/255.255.0.0

Outside Interface Address: ISP provided IP address

My question is can my traffic goes from inside interface to outside interface? (because the inside interface address not from 10.0/172./192.168 private address)

Also I'm allowing internet from this email server (132.147.162.14) so what my access list to be configured? and what my subnet mask shoud be there?

Pix(config)#access-list outbound permit tcp 132.147.162.14 255.255.0.0 any eq 80

Pix(config)#access-list outbound permit udp 132.147.162.14 255.255.0.0 any eq 53

Pix(config)#access-group outbound in interface inside

Waiting your quickly reply?

Regards,

Saeed

PIX 501 Issue

cadet alain — Mon, 10 Oct 2011 08:53:18 GMT

Hi,

from an ASA standpoint INSIDE to OUTSIDE will work even if INSIDE is not private address but from ISP standpoint , how are they gonna route return traffic and will they even accept it? I doubt it so you'll have to do NAT from INSIDE to OUTSIDE.

nat (inside) 1 0.0.0.0 0.0.0.0

global(outside) 1 interface outside

I don't understand question 2, first you gave the same IP as the inside interface of Pix?

second, if you want this machine to get out on the internet then you have nothing special to do but if you want people on the internet to access your mail-server then you must enter static PAT entry for SMPT /POP and create an ACL permitting traffic to this server and apply it inbound on outside interface.

Please clarify second question.

Regards.

Alain.

PIX 501 Issue

saeedccie — Mon, 10 Oct 2011 09:05:01 GMT

Hi,

Thanks for the reply but I'm asking about PIX FW.

Sorry the inside IP: 132.147.162.15/255.255.0.0

Email Server IP: 132.147.162.14/255.255.0.0

So what subnet mask will use for Access-list?

Pix(config)#access-list outbound permit tcp 132.147.162.14 255.255.0.0 OR 255.255.255.0 OR 255.255.255.255 any eq 80

Pix(config)#access-group outbound in interface inside

Is there any expert person to answer my 1st question properly.

Regards,

Saeed Khan

Re: PIX 501 Issue

cadet alain — Mon, 10 Oct 2011 09:45:38 GMT

Hi,

It's the same way whether it is a Pix or ASA I just did a typo when answering.

and subnet mask is 255.255.0.0 as it is the one for your IPs.

Alain.

Re: PIX 501 Issue

saeedccie — Mon, 10 Oct 2011 10:01:30 GMT

When applying Acl below is the error.

PIX501(config)# access-list outbound permit tcp 132.147.162.14 255.255.0.0 any eq 80

ERROR: Source address,mask <132.147.162.14,255.255.0.0> doesn't pair

Also please tell me if i allow this whole network then what subnet mask will use?

132.147.162.0 255.255.255.0 any eq 80 ??????

Tell me how can i use dhcp for this scenerio?

Regards,

Saeed

Re: PIX 501 Issue

Jon Marshall — Mon, 10 Oct 2011 10:25:26 GMT

Saeed

If you just want to allow this server to access the internet -

access-list outbbound permit tcp host 132.147.162.14 any eq 80

Edit - note, as mentioned by Alain, traffic will be allowed by default from inside to outside (assuming your inside interface has a higher security level). But if you have an access-list applied to the inside interface then you will need the entry above.

Jon

Re: PIX 501 Issue

cadet alain — Mon, 10 Oct 2011 20:58:11 GMT

Hi Jon,

I had answered a stupidity of course the subnet mask is 255.255.255.255 or equivalent to host keyword.

Thanks for correcting me.

Sorry for misleading the OP.

Regards.

Alain.

PIX 501 Issue

Jon Marshall — Mon, 10 Oct 2011 22:31:57 GMT

Hi Alain

No problem, we all do it and you've had to cover up my mistakes in the past

Jon