What is wrong with this PIX 501 config?

jhoogerhuis — Fri, 21 Feb 2020 06:17:53 GMT

I am experimenting with a Cisco PIX 501. In the future I want to connect about 35 to our central (now 3600) router using VPN tunnels.

First I want to understand the basic functions.

(I will ask the tunnel questions later)

This is what I want::

1. Do nat from in to outside

2. Forward some ports (WWW, SMTP, FTP NNTP and some other) to an internal

host.

Problems:

- Somehow only www forwarding seems to work.

- It looks like the PIX does not use "statefull inspection" because as soon

as I make a connection with a remote system, suddenly all protocols are

forwarded to my redirect system. (and all ports are open?)

This is what I do:

clear conf all

hostname MyHostinterface ethernet0 10baset

interface ethernet0 10baseT

ip address outside 123.187.1.204 255.255.248.0

route outside 0.0.0.0 0.0.0.0 123.187.0.1 1

ip address inside 172.16.4.43 255.255.255.248

nat 1 0.0.0.0 0.0.0.0

global 1 interface

http server enable

http 172.16.4.0 255.255.255.0

pdm loggin informational

access-list outside_in permit icmp any host 123.187.1.204

access-list outside_in permit tcp any host 123.187.1.204 eq 20

access-list outside_in permit tcp any host 123.187.1.204 eq 21

access-list outside_in permit tcp any host 123.187.1.204 eq 22

access-list outside_in permit tcp any host 123.187.1.204 eq 25

access-list outside_in permit tcp any host 123.187.1.204 eq 80

access-list outside_in permit tcp any host 123.187.1.204 eq 110

access-list outside_in permit tcp any host 123.187.1.204 eq 113

access-list outside_in permit tcp any host 123.187.1.204 eq 119

access-list outside_in permit tcp any host 123.187.1.204 eq 443

access-list inside_access_in permit ip any any

access-group outside_in in interface outside

access-group inside_access_in in interface inside

static tcp interface 20 172.16.4.41 20 netmask 255.255.255.255 0 0static tcp

interface 21 172.16.4.41 21 netmask 255.255.255.255 0 0static tcp interface

22 172.16.4.41 22 netmask 255.255.255.255 0 0static tcp interface 25

172.16.4.41 25 netmask 255.255.255.255 0 0static tcp interface 80

172.16.4.41 80 netmask 255.255.255.255 0 0static tcp interface 110

172.16.4.41 110 netmask 255.255.255.255 0 0static tcp interface 113

172.16.4.41 113 netmask 255.255.255.255 0 0static tcp interface 119

172.16.4.41 119 netmask 255.255.255.255 0 0static tcp interface 443

172.16.4.41 443 netmask 255.255.255.255 0 0

Re: What is wrong with this PIX 501 config?

s-doyle — Thu, 17 Oct 2002 14:52:54 GMT

PIX does stateful inspection.

May be few tips on this page will help you to fix your problem

http://www.cisco.com/warp/public/707/index.shtml#pix

Re: What is wrong with this PIX 501 config?

george.banaszak — Wed, 30 Oct 2002 17:42:18 GMT

In your access-list statements, you use 123.187.1.204 as a host, this is your PIX firewall's outside interface. This should be a host matched to 172.16.4.41 in a static statement.

topic Re: What is wrong with this PIX 501 config? in Network Security

What is wrong with this PIX 501 config?

Re: What is wrong with this PIX 501 config?

Re: What is wrong with this PIX 501 config?