Solved: Configuring my Pix 506E

eto · ‎02-03-2004

How can I setup the following scenario. My Pix is seperating an internal and external network. For outbound, I would like to allow only http related traffic. There will be no inbound traffic. For simplicity, I am using PDM ver3 to configure my Pix 506E. Should be easy to configure, I thought.

On my access rules, I permit http, nameserver, and https on the inside and outside interfaces. On the translation rules, I setup NAT using a range of real IPs on the outside interface. I didn't use PAT just in case of H323.

However, the above config doesn't work. I cannot get any http traffic from my internal network. What am I missing?

Thanks for your help,

ET.

bfl1 · ‎02-03-2004

It would appear you are defining rules that say the source AND destination must be the same:

access-list inside_access_in permit udp any eq domain any eq domain

access-list inside_access_in permit udp any eq ntp any eq ntp

access-list inside_access_in permit udp any eq nameserver any eq nameserver

access-list inside_access_in permit tcp any eq domain any eq domain

access-list inside_access_in permit tcp any eq www any eq www

access-list inside_access_in permit tcp any eq https any eq https

You need to change this, since the source is probably going to be 1024 or higher. Try something like this:

access-list inside_access_in permit udp any any eq domain

access-list inside_access_in permit udp any any eq ntp

access-list inside_access_in permit udp any any eq nameserver

access-list inside_access_in permit tcp any any eq domain

access-list inside_access_in permit tcp any any eq www

access-list inside_access_in permit tcp any any eq https

access-group inside_access_in in interface inside

this says allow any source ip/source port to access any destination IP as long as it's for www, dns, ssl, etc...

Your access-list acl_web is not being used, as it's not assigned to an interface. Remember that each interface can only have one acl.

Also, you said you're not using PAT..

global (outside) 1 xxx.xxx.YYY.54-xxx.xxx.YYY.55 netmask 255.255.255.0

global (outside) 1 xxx.xxx.YYY.53

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

This tells the firewall to use the range xxx.xxx.YYY.54-xxx.xxx.YYY.55 for address assignment, but when it runs out, start PAT'ng with xxx.xxx.YYY.53...

hope this helps

View solution in original post

jason.drury · ‎02-03-2004

Sounds like you have everything. It's probably something small. Why don't you post your config (excluding all pertinent info of course) which will make it much easier to help you.

eto · ‎02-03-2004

Here is my config.

: Saved

: Written by enable_15 at 23:51:01.009 UTC Tue Feb 3 2004

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ********* encrypted

passwd ******** encrypted

hostname pixfirewall

domain-name some.company.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list inside_access_in permit udp any eq domain any eq domain

access-list inside_access_in permit udp any eq ntp any eq ntp

access-list inside_access_in permit udp any eq nameserver any eq nameserver

access-list inside_access_in permit tcp any eq domain any eq domain

access-list inside_access_in permit tcp any eq www any eq www

access-list inside_access_in permit tcp any eq https any eq https

access-list acl_web permit tcp any any eq www

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside xxx.xxx.YYY.53 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 xxx.xxx.YYY.54-xxx.xxx.YYY.55 netmask 255.255.255.0

global (outside) 1 xxx.xxx.YYY.53

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.YYY.1 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.100-192.168.1.254 inside

dhcpd dns xxx.xxx.xxx.xxx

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain some.company.com

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:*****************

: end

Thanks,

ET

bfl1 · ‎02-03-2004