https://community.cisco.com/t5/network-security/pix-506e/m-p/751458#M971481 <P>I am installing a new PIX506E and want to have it wide open in the beginning and then will run a qualsys network test and shut things down from that point. My problem is this: I believe it is wide open, but when I attach it to the network external people cannot access our website. Internal users have no problems. Any ideas or pointers would be great!!!</P> Mon, 11 Mar 2019 10:56:02 GMT tknight 2019-03-11T10:56:02Z https://community.cisco.com/t5/network-security/pix-506e/m-p/751458#M971481 <P>I am installing a new PIX506E and want to have it wide open in the beginning and then will run a qualsys network test and shut things down from that point. My problem is this: I believe it is wide open, but when I attach it to the network external people cannot access our website. Internal users have no problems. Any ideas or pointers would be great!!!</P> Mon, 11 Mar 2019 10:56:02 GMT https://community.cisco.com/t5/network-security/pix-506e/m-p/751458#M971481 tknight 2019-03-11T10:56:02Z https://community.cisco.com/t5/network-security/pix-506e/m-p/751459#M971482 <HTML><HEAD></HEAD><BODY><P>Could you post a config?</P></BODY></HTML> Thu, 09 Aug 2007 19:00:47 GMT https://community.cisco.com/t5/network-security/pix-506e/m-p/751459#M971482 acomiskey 2007-08-09T19:00:47Z https://community.cisco.com/t5/network-security/pix-506e/m-p/751460#M971483 <HTML><HEAD></HEAD><BODY><P>Here is my config file...</P><P></P><P> </P><P></P></BODY></HTML> Thu, 09 Aug 2007 19:06:41 GMT https://community.cisco.com/t5/network-security/pix-506e/m-p/751460#M971483 tknight 2007-08-09T19:06:41Z https://community.cisco.com/t5/network-security/pix-506e/m-p/751461#M971484 <HTML><HEAD></HEAD><BODY><P>You want it to be wide open from the outside?</P><P></P><P>If so you could simply do...</P><P></P><P>access-list outside_access_in permit icmp any any </P><P>access-list outside_access_in permit ip any any </P><P>access-group outside_access_in in interface outside</P><P></P><P>The inside interface is wide open by default so you could remove the inside_access_in acl completely. </P><P></P><P>Your websites are working...</P><P></P><P> <A class="jive-link-custom" href="http://69.15.136.3/" target="_blank">http://69.15.136.3/</A></P><P> <A class="jive-link-custom" href="http://69.15.136.2/" target="_blank">http://69.15.136.2/</A></P><P></P><P>Make sure the dns is resolving properly. </P><P></P><P>Some of the access-list statements for you outside_access_in are not written properly. You have the source written as your 69. address with a source port. Remove these.</P><P></P><P>access-list outside_access_in permit tcp host 69.15.136.2 eq www any </P><P>access-list outside_access_in permit tcp host 69.15.136.2 eq https any </P><P>access-list outside_access_in permit gre host 69.15.136.2 any </P><P>access-list outside_access_in permit tcp host 69.15.136.2 eq pptp any </P><P>access-list outside_access_in permit tcp host 69.15.136.3 eq www any </P><P></P><P>Typically it would be written like this...</P><P></P><P>access-list outside_access_in permit tcp any host 69.15.136.2 eq www</P><P>etc.</P><P></P><P>Hope this helps. Please rate helpful posts.</P></BODY></HTML> Thu, 09 Aug 2007 19:39:20 GMT https://community.cisco.com/t5/network-security/pix-506e/m-p/751461#M971484 acomiskey 2007-08-09T19:39:20Z https://community.cisco.com/t5/network-security/pix-506e/m-p/751462#M971485 <HTML><HEAD></HEAD><BODY><P>I made the changes (I think) that you recommended, but still cannot get to our website externally. Here is the config file with the changes. Thanks for all your help and I really appreciate it!!</P><P></P><P> </P><P></P></BODY></HTML> Thu, 09 Aug 2007 20:17:27 GMT https://community.cisco.com/t5/network-security/pix-506e/m-p/751462#M971485 tknight 2007-08-09T20:17:27Z https://community.cisco.com/t5/network-security/pix-506e/m-p/751463#M971486 <HTML><HEAD></HEAD><BODY><P>I see you have a route as:</P><P>route outside 0.0.0.0 0.0.0.0 69.15.136.1 1</P><P>which is your PIX outside interface. </P><P></P><P>who is routing your public IP block? do you have a next hop router in front of the pix? I don't think you are routing your public IP block back to the pix outside interface. </P></BODY></HTML> Thu, 09 Aug 2007 20:36:03 GMT https://community.cisco.com/t5/network-security/pix-506e/m-p/751463#M971486 JORGE RODRIGUEZ 2007-08-09T20:36:03Z https://community.cisco.com/t5/network-security/pix-506e/m-p/751464#M971487 <HTML><HEAD></HEAD><BODY><P>CBeyond handles the public IP block and we do not have a next hop router in front of the pix. What would be the best way to route this back?</P></BODY></HTML> Thu, 09 Aug 2007 20:38:53 GMT https://community.cisco.com/t5/network-security/pix-506e/m-p/751464#M971487 tknight 2007-08-09T20:38:53Z https://community.cisco.com/t5/network-security/pix-506e/m-p/751465#M971488 <HTML><HEAD></HEAD><BODY><P>Your outside interface must be facing touching your ISP and that is why I was puzzled as to why your default route is pointing to the PIX outside interface address as suppose to the next hop router which is the IPS provider. </P><P></P><P></P><P>The ISP know better if they gave you a public IP block they route back to your outside interface of PIX and your defualt route is the ISP providers IP. </P><P></P><P>on the ISP router facing your PIX outside they have to route back teh block as:</P><P></P><P>ip route 69.15.136.0 255.255.255.248 69.15.136.1 </P><P></P><P> </P><P></P><P></P></BODY></HTML> Thu, 09 Aug 2007 20:54:04 GMT https://community.cisco.com/t5/network-security/pix-506e/m-p/751465#M971488 JORGE RODRIGUEZ 2007-08-09T20:54:04Z