03-21-2007 11:02 PM - edited 03-11-2019 02:50 AM
I think I am on the right track but unsure. Again, I am running a PIX 506 (only 2 interfaces, stuck with 5.1(2) software) on a small network.
Here is what I am trying to achieve:
1) Allow unrestricted internet access from the inside interface.
2) Allow incoming connections to my web server.
Here is what I have so far:
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname itfw1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_in permit tcp any host 10.0.0.5 eq www
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.1 255.0.0.0
ip address inside 192.168.254.1 255.255.255.0
arp timeout 14400
global (outside) 1 10.0.0.3 netmask 255.0.0.0
global (outside) 1 10.0.0.20-10.0.0.100 netmask 255.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.0.5 192.168.254.20 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp identity hostname
telnet timeout 5
terminal width 80
Cryptochecksum:xxx
You are all saints...my deepest gratitude for helping me learn!
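As an added check (my own script, not from this thread or from Cisco): a small Python audit that parses the relevant lines of the config above and verifies the two stated goals, that the nat id on inside has a matching global on outside and that the host the ACL permits inbound is actually mapped by a static, and also flags the default SNMP community and the disabled logging. The config excerpt is constructed from the posted lines.

```python
import re

# Constructed excerpt of the config posted above (a few lines, not the whole file).
PIX_CONFIG = """\
access-list acl_in permit tcp any host 10.0.0.5 eq www
global (outside) 1 10.0.0.3 netmask 255.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.0.5 192.168.254.20 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
snmp-server community public
no logging buffered
no logging trap
"""

def parse_pix(text):
    cfg = {"acl": {}, "static": {}, "group": {}, "nat": set(), "global": set(), "raw": set()}
    for line in (ln.strip() for ln in text.splitlines()):
        cfg["raw"].add(line)
        if m := re.match(r"access-list (\S+) permit \S+ \S+ host (\S+) eq (\S+)$", line):
            cfg["acl"].setdefault(m[1], []).append((m[2], m[3]))   # acl -> [(dst, port)]
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line):
            cfg["static"][m[3]] = m[4]        # mapped (outside) IP -> real inside IP
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["group"][m[2]] = m[1]         # interface -> ACL applied inbound
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            cfg["nat"].add((m[1], m[2]))      # (interface, nat id)
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            cfg["global"].add((m[1], m[2]))   # (interface, nat id)
    return cfg

def audit(cfg):
    findings = []
    # Goal 1: each nat id on inside needs a global on outside, or outbound translation never happens.
    for iface, nat_id in sorted(cfg["nat"]):
        if ("outside", nat_id) not in cfg["global"]:
            findings.append(f"nat ({iface}) {nat_id} has no matching global (outside) {nat_id}")
    # Goal 2: the ACL must be applied inbound on outside, and every permitted host needs a static.
    acl = cfg["group"].get("outside")
    if acl is None:
        findings.append("no access-group applied inbound on outside; the ACL has no effect")
    for dst, port in cfg["acl"].get(acl, []):
        if dst not in cfg["static"]:
            findings.append(f"ACL permits {dst} port {port} but no static maps it to an inside host")
    if "snmp-server community public" in cfg["raw"]:
        findings.append("SNMP community is the well-known default 'public'")
    if {"no logging buffered", "no logging trap"} <= cfg["raw"]:
        findings.append("neither buffered nor syslog (trap) logging is on; denies are not retained")
    return findings
```

On the posted config the two goals check out and only the SNMP and logging findings remain; removing the static line makes the ACL point at an unmapped host, which the audit reports.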
03-22-2007 01:21 PM
Sorry, I didn't get into managed firewall appliances until about a week ago, and I am in my 40s, so things don't sink in quite as well as they did when I was in my 20s...
03-22-2007 01:23 PM
No, not you, it seemed like everything I said was just getting repeated.
Anyway, it's cool, we're all here just trying to help.
03-22-2007 01:27 PM
Which, by the way, I do not take for granted and I appreciate more than I can say...
03-22-2007 01:32 PM
OK, as abinjola and I were trying to say, there are a few things you need to figure out. The most major of which, I would say, is: where do you want to NAT?
03-22-2007 01:33 PM
Do you have access to the router, so that we can check if the router is configured for NATting?
I hope I am making sense: the router needs to further PAT or NAT the traffic (to a public IP) coming out of the firewall's private outside IP.
The FW config looks good.
03-22-2007 01:37 PM
This is one solution, like I was trying to say before... but it requires 2 more public IP addresses.
DSL ROUTER
|
|
|
PIX
<10.0.0.0 network>
OR this, which doesn't:
DSL MODEM
|
|
|
|
PIX
<10.0.0.0 network>
03-22-2007 01:44 PM
Yes I do. Prior to purchasing this firewall, the ISP's router was configured to port forward requests to the appropriate server...
port 80: to 192.168.254.20 (web server)
port 25: to 192.168.254.50 (email server)