topic PIx Configuration in Network Security

PIx Configuration

ishwar — Fri, 21 Feb 2020 06:56:20 GMT

I am just started to configure the PIX Firewall.

But I am in confusion.

Here is the conf file.

PIX Version 6.2(2)

nameif ethernet0 backbone_251 security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

nameif ethernet3 intf3 security15

nameif ethernet4 intf4 security20

nameif ethernet5 intf5 security25

hostname dmg-fw

domain-name mos.com.np

access-list 101 permit icmp any any

acess-list 110 permit tcp host 202.52.227.18 host 202.52.227.2 eq smtp

access-list 111 permit tcp host 202.52.227.10 host 202.52.227.18 eq smtp

access-list 111 permit tcp host 202.52.227.10 host 202.52.227.2 eq smtp

interface ethernet0 10baset

interface ethernet1 10baset

interface ethernet2 10baset

interface ethernet3 10baset

interface ethernet4 10baset shutdown

interface ethernet5 10baset shutdown

mtu backbone_251 1500

ip address backbone_251 202.52.251.3 255.255.255.0

ip address inside 202.52.227.1 255.255.255.248

ip address intf2 202.52.227.9 255.255.255.248

ip address intf3 202.52.227.17 255.255.255.248

ip address intf4 127.0.0.1 255.255.255.255

ip address intf5 127.0.0.1 255.255.255.255

nat (inside) 0 0.0.0.0 0.0.0.0 0 0

static (intf3,backbone_251) 202.52.227.16 202.52.227.16 netmask 255.255.255.248 0 0

static (intf3,intf2) 202.52.227.16 202.52.227.16 netmask 255.255.255.248 0 0

static (intf2,backbone_251) 202.52.227.8 202.52.227.8 netmask 255.255.255.248 0 0

static (inside,intf2) 202.52.227.0 202.52.227.0 netmask 255.255.255.248 0 0

static (inside,intf3) 202.52.227.0 202.52.227.0 netmask 255.255.255.248 0 0

access-group 101 in interface backbone_251

access-group 111 in interface intf2

access-group 110 in interface intf3

route backbone_251 0.0.0.0 0.0.0.0 202.52.251.1 1

But as soon as I apply the 110 in interface intf3

It obey the rule

cess-list 110 permit tcp host 202.52.227.18 host 202.52.227.2 eq smtp

But it close the connection to lower interface.For example I can not Browse from intf3.Now should I add the access-list to permit in lower interface??

Please help me

Ishwar

Re: PIx Configuration

bdube — Sun, 17 Aug 2003 13:28:57 GMT

Hi Ishwar,

To your question, yes, you must configure access-list to lower interface. At the moment, you use access-list on an interface, you must specify all rules to permit/deny any traffic passing through this interface.

Ben

Re: PIx Configuration

ishwar — Mon, 18 Aug 2003 03:21:18 GMT

Hi Ben,

Thanks a lot.

Now is there any way to configure PIX that

It does not affect the default behavior when I apply the rule to access in higher interface so that I do not have to add long access-list again.

Ishwar

Re: PIx Configuration

bdube — Mon, 18 Aug 2003 10:49:36 GMT

Unfortunately, ACL affects default behavior. Then, you use it or not. But, since your access-list only apply to SMTP servers between inside and DMZ, you can use "NAT 0 access-list id" between those servers. The "NAT 0 access-list id" is apply to inside interface and leaves incoming or outgoing traffics that match the access-list specified. That way, i suppose you can simply remove your ACL 110 applied to int3, to keep default behavior (browsing), and permit traffics between your SMTP servers.

Hope this help

Ben