https://community.cisco.com/t5/network-security/validate-pix-515e-configuration/m-p/317047#M556789 <HTML><HEAD></HEAD><BODY><P>Patrick - Thanks for the reply. I've changed the VPN Pool which should also help with security if I choose to place more restrictive rights on it in the future. Thanks for the tip. </P></BODY></HTML> Mon, 04 Oct 2004 18:49:09 GMT ryanwilhelm 2004-10-04T18:49:09Z https://community.cisco.com/t5/network-security/validate-pix-515e-configuration/m-p/317045#M556782 <P>Hello all,</P><P>I'm trying to validate my configuration before going live and would appreciate if anyone could take a look and make recommendations. </P><P></P><P>I would like to accomplish the following:</P><P></P><P>1. Any External user connects to DMZ web server on port 80 (though ultimately 443 will be used), the dmz web server makes a connection to oracle (sqlnet) which sends packets and should be able to receive the replies back</P><P>2. smtp connections come in through a public address to a dmz box which in turn sends the message to an internal (inside interface) smtp box for delivery</P><P>3. Remote workers may connect to a public ip (204.50.125.138 in the example) on port 443 which will then allow a connection into the inside interface to connect to an internal web server (not a good idea, but i'm working with what i have).</P><P>4. I would like to pretty much allow all packets routed from a higher security level (100) to route out the outside interface without being blocked and receive replies back. Do I have it set up correctly?</P><P>5. Support VPN users connecting to the Inside nework via the Cisco Secure VPN client.</P><P></P><P>I've attached my config (with entries changed to protect the innocent). Any feedback would be appreciated!</P><P></P><P> </P><P></P> Fri, 21 Feb 2020 07:39:44 GMT https://community.cisco.com/t5/network-security/validate-pix-515e-configuration/m-p/317045#M556782 ryanwilhelm 2020-02-21T07:39:44Z https://community.cisco.com/t5/network-security/validate-pix-515e-configuration/m-p/317046#M556786 <HTML><HEAD></HEAD><BODY><P>Feedback config:</P><P></P><P>1.) Never publish public IPs in your config examples.</P><P></P><P>2.) You used a VPN IP pool that has the same range as the internal interface. This works but might give problems in routing. I usually uses another IP Range for that. </P><P></P><P>3.) Everything else look good, You could use instead of this:</P><P></P><P>static (inside,dmz) tcp 10.20.x.y smtp 192.168.0.z smtp netmask 255.255.255.255 0 0</P><P></P><P>a NAT0 or static for the whole network so that no translation occours for all inside to dmz or web interface traffic. But this should work like that.</P><P></P><P>sincerely</P><P>Patrick</P><P></P></BODY></HTML> Mon, 04 Oct 2004 16:01:31 GMT https://community.cisco.com/t5/network-security/validate-pix-515e-configuration/m-p/317046#M556786 Patrick Iseli 2004-10-04T16:01:31Z https://community.cisco.com/t5/network-security/validate-pix-515e-configuration/m-p/317047#M556789 <HTML><HEAD></HEAD><BODY><P>Patrick - Thanks for the reply. I've changed the VPN Pool which should also help with security if I choose to place more restrictive rights on it in the future. Thanks for the tip. </P></BODY></HTML> Mon, 04 Oct 2004 18:49:09 GMT https://community.cisco.com/t5/network-security/validate-pix-515e-configuration/m-p/317047#M556789 ryanwilhelm 2004-10-04T18:49:09Z