04-12-2010 01:52 PM - edited 03-11-2019 10:32 AM
Hello,
Just received new subnet(s) for the network(s) behind the firewall. The addresses are public addresses.
Therefore, after entering the information for each respective internal interface, the internal network now stops communicating with the internet.
Because of network privacy, this time I will not be able to reveal network addresses. Can you take a look at why the internal network is not able to go out to the internet? Again, these are public addresses; they do not need to be NATed.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password DAyT8Zy5o1YlaDcM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname lvfw
domain-name lv.psu.edu
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network administrative-servers
network-object host X.X.X.X
network-object host X.X.X.X
network-object host X.X.X.X
access-list extended permit ip any any
access-list extended permit icmp any any
access-list extended permit ip any object-group administrative-servers
access-list extended permit ip object-group administrative-servers any
access-list outside permit icmp any any
access-list outside permit tcp any any eq domain
access-list inside permit tcp any any eq www
access-list outside permit udp any any eq domain
access-list outside permit tcp any any eq 3389
access-list outside permit ip object-group administrative-servers A.B.C.D 255.255.255.128
pager lines 24
icmp permit any echo-reply outside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside C.D.E.F 255.255.255.248
ip address inside H.I.J.M 255.255.255.192
ip address intf2 A.B.C.D 255.255.255.128
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) A.B.C.D A.B.C.D netmask 255.255.255.128 0 0
static (inside,outside) H.I.J.M H.I.J.M netmask 255.255.255.192 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 T.O.P.Q 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http A.B.C.D 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
lvfw#
04-12-2010 08:06 PM
Hello,
We run an active directory network. Behind the firewall, we have a windows server currently replicating files to other corporate network servers.
If I remove this line, does it affect internet navigation? There are no webservers behind the firewall.
fixup protocol http 80
After running this command "sh access-l outside", there were a few hit counts on some of the networks (administrative-servers).
Does it affect Active Directory Replication and MIT Kerberos authentication?
1) access-list outside permit tcp any any eq domain ----> you can remove this as DNS uses udp 53
2) access-list outside permit udp any any eq domain
3) access-list outside permit tcp any any eq 3389 ----> instead of any as the destination you can specify whichever host is your RDC server
4) access-list outside permit ip object-group administrative-servers A.B.C.D 255.255.255.192 ---> if you want to allow IP traffic to one host you can change the mask to 255.255.255.255 instead of the entire network.
5) access-list outside permit ip object-group administrative-servers E.F.G.H 255.255.255.128 ---> if you want to allow IP traffic to one host you can change the mask to 255.255.255.255 instead of the entire network.
6) access-list outside permit icmp object-group administrative-servers any
If we do not have a webserver behind the firewall, do I need this line?
1) access-list outside permit tcp any any eq www ----> instead of any as the destination you can specify whichever host is your webserver.
04-12-2010 08:13 PM
If I remove this line, does it affect internet navigation? There are no webservers behind the firewall.
fixup protocol http 80
[KS] No, removing that line does not affect internet access. That will flow fine. fixup protocol http does extra checks on http traffic.
If we do not have a webserver behind the firewall, do I need this line?
1) access-list outside permit tcp any any eq www ----> instead of any as the destination you can specify whichever host is your webserver.
[KS] If you don't have a web server on the inside, you can remove this line.
access-list outside permit tcp any any eq domain ----> you can remove this as DNS uses udp 53
[KS] If you have active directory servers that are running DNS and doing zone transfers then you may need the above line.
-KS
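Added example, not from the thread: a small Python audit that reads a PIX 6.3-style config in the shape of the one posted above (the sample below is constructed with RFC 5737 documentation addresses, not the poster's) and lists what a reviewer would check first: ACLs defined but never bound with access-group, any-to-any permits on a bound ACL (the lines KS suggests narrowing to a host), and identity statics whose real interface does not own the translated subnet.

```python
import ipaddress
import re

# Constructed sample in the shape of the PIX 6.3 config posted above;
# addresses are RFC 5737 documentation ranges, not the poster's.
SAMPLE = """\
access-list outside permit tcp any any eq 3389
access-list outside permit udp any any eq domain
access-list inside permit tcp any any eq www
ip address outside 203.0.113.2 255.255.255.248
ip address inside 198.51.100.1 255.255.255.192
ip address intf2 192.0.2.1 255.255.255.128
static (inside,outside) 192.0.2.0 192.0.2.0 netmask 255.255.255.128 0 0
static (inside,outside) 198.51.100.0 198.51.100.0 netmask 255.255.255.192 0 0
access-group outside in interface outside
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")

def audit(config):
    """Return a list of findings (strings) for a PIX 6.3-style config text."""
    nets, acls, bound, findings = {}, {}, set(), []
    for line in config.splitlines():
        p = line.split()
        if len(p) > 4 and p[0] == "ip" and p[1] == "address":
            # interface name -> its connected subnet
            nets[p[2]] = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
        elif p and p[0] == "access-list":
            acls.setdefault(p[1], []).append(line)
        elif p and p[0] == "access-group":
            bound.add(p[1])
    # 1. An ACL that no access-group applies filters nothing at all.
    for name in acls:
        if name not in bound:
            findings.append(f"acl {name!r} is defined but not bound to any interface")
    # 2. any-to-any permits on a bound ACL: candidates for narrowing to a host.
    for name in bound:
        for ace in acls.get(name, []):
            if re.search(r"permit \S+ any any", ace):
                findings.append(f"broad rule on {name!r}: {ace}")
    # 3. Identity statics: the real interface must own the real subnet.
    for real, _mapped_if, _mapped, local, mask in STATIC.findall(config):
        net = ipaddress.ip_network(f"{local}/{mask}", strict=False)
        if real in nets and not net.subnet_of(nets[real]):
            owner = next((i for i, n in nets.items() if net.subnet_of(n)), "?")
            findings.append(f"static on {real!r} covers {net}, which is on {owner!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the constructed sample this reports four findings; feeding it the real config from a "show running-config" capture works the same way, since only the `ip address`, `access-list`, `access-group` and `static` lines are read.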
04-13-2010 04:08 AM
Standard Access-List:
In a standard ACL, filtering is based on the source IP address, whereas in an extended ACL, filtering is based on source IP
address, destination IP address, protocol type, source port number and destination port number.
Based on this information, after a standard ACL is created (access-list permit source destination), the communication will flow back and forth. Then, if I understand correctly, I don't have to create another access-list permit destination source.
Using one of my rules as an example: access-list outside permit icmp object-group administrative-servers any
This rule shows communication permitted from the outside (firewall interface) to the remote host.
But this rule does not say whether it trusts the other way around (remote host to outside (firewall interface)).
With some other firewall brands one needs to create an outgoing rule and an incoming rule.
Extended Access-List:
An extended ACL is basically used to block particular services like telnet, ftp, tftp, ICMP echo, etc.