mapping network drive via PIX

wesleykuk
Level 1

I have a Linux box running as my gateway to my network, then the second layer of protection is served by a PIX 501. I need to access my shared drive located on Linux (running Samba) from my internal host (Win2k) via the PIX. Do I use static mapping? Or an access-list permitting TCP ports 135 & 139 and UDP ports 137 & 138? Any help is appreciated.


ehirsel
Level 6

Is this your topology:

user---pix---Linux

that is the pix is in between the user and the Linux host?

If that is the case, and the user sits on the inside interface and the Linux is on the outside then if you have an acl applied to the inside interface you need to open up tcp ports 137 and 139 as well as udp port 138. I am not sure of port 135. However, I do recommend that the pix and linux be swapped in relationship.

Yes, the pix is between the user and the linux server. The reason for this, from my understanding, is that the pix does not support dynamic DNS on the outside interface. I would need a static IP to access my internal resources. With Linux my DNS record is updated automatically upon the IP address change. Is there any other alternative to that on the pix?

Now, back to the question. Why is it that I don't need an ACL on the internal interface to access Internet, but it's required for file sharing? I guess port 80 is enabled by default without the need for acl?

User-->Linux(w/DynDNS updater)-->PIX-->Internet

The PIX 501 does support DHCP client on the outside interface. That means you can hook it directly up to a cable modem/DSL/wireless/etc. link and get an address.

Why don't you run the Dynamic DNS updater on your Linux box? Most updaters check your public IP address via an external website anyway, so it doesn't matter where your NAT box is (i.e. DynDNS.org or DtDNS.com).

Now, then there is your question of the static map. On the PIX (version 6.2+ I think) you can use a keyword called "interface" instead of using your outside IP address. For example:

Old way (static IP):

static (inside,outside) 200.1.1.1 80 192.168.1.10 80

Changes into the new way (dynamic IP):

static (inside,outside) interface 80 192.168.1.10 80

Basically, the "interface" keyword is replaced with whatever IP address is assigned to your outside interface.

By default, the PIX will *PERMIT* all connections from the inside to the outside. No need to add an ACL on the inside interface. You will however need a STATIC *and* an ACL on the outside interface allowing:

UDP/137

UDP/138

TCP/139

For security reasons however, it is usually not a good idea to do CIFS/Samba across the internet. Your PIX is capable of doing an IPSec VPN or a PPTP VPN. I'd set that up so you can take advantage of encryption.

Ok, I will try to follow your advice and swap the topology setup.

However, if I were to leave the setup the way it is (Linux--pix--host), then according to your initial response you suggest applying the ACL to the INSIDE interface? Why, shouldn't it be applied to the outside int since by default everything is permitted on the inside?

That wasn't my initial post.

You are correct. The ACL would be applied to the outside interface.

I've applied the ACL to the outside interface, even with permit ip any any, and the host still could not see the network drive on the Linux server. I believe it's because the pix is performing PAT. All addresses on the inside are translated to the outside interface of the pix. Would that cause the mapping not to work? If that's the case, then I would disable PAT, but I am afraid that the inside host would not connect to the Internet anymore.

Can you post your PIX config, minus passwords, etc.?

Can you also supply the IP addressing scheme you are using for the Linux box?

Have you tested to see if a host can connect to the outside interface of the Linux box directly (just to make sure the PIX is the problem)?

I will post my PIX config tonight when I get home.

In the meanwhile, here is the addressing scheme of my network:

INTERNET -- (dynamic IP)LINUX(192.168.0.1) -- (192.168.0.2)PIX(192.168.1.1) -- (192.168.1.2)WIN2K

I can connect to the Internet from the host no problem.

Here is a copy of my PIX config.

PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx encrypted
passwd xxxxx encrypted
hostname pix501
domain-name somename.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list Let-Traffic-In permit ip any any
pager lines 24
icmp permit any echo outside
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.1 255.255.255.255 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group Let-Traffic-In in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxxx
: end
[OK]
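An added example, not part of the thread: a small Python audit that reads PIX 6.x config text and flags the settings in the posted config that matter once the Samba mapping works outbound without any inbound opening, namely the permit-ip-any-any ACL applied inbound on the lowest-security interface, SSH from any address on the outside, and the well-known SNMP community. The sample config is a constructed excerpt of the lines quoted in the thread.

```python
import re
from typing import Dict, List

# Constructed sample: the relevant lines of the PIX 6.3 config posted above.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list Let-Traffic-In permit ip any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group Let-Traffic-In in interface outside
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
"""

def security_levels(lines: List[str]) -> Dict[str, int]:
    """Map interface names to security levels from 'nameif' lines (PIX 6.x syntax)."""
    levels: Dict[str, int] = {}
    for ln in lines:
        m = re.match(r"nameif\s+\S+\s+(\S+)\s+security(\d+)$", ln)
        if m:
            levels[m.group(1)] = int(m.group(2))
    return levels

def audit_pix(config: str) -> List[str]:
    """Return one finding string per risky setting found in the config text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    levels = security_levels(lines)
    highest = max(levels.values(), default=0)
    # ACL name -> interface it is applied to in the inbound direction
    applied: Dict[str, str] = {}
    for ln in lines:
        m = re.match(r"access-group\s+(\S+)\s+in\s+interface\s+(\S+)$", ln)
        if m:
            applied[m.group(1)] = m.group(2)
    findings: List[str] = []
    for ln in lines:
        m = re.match(r"access-list\s+(\S+)\s+permit\s+ip\s+any\s+any$", ln)
        if m and m.group(1) in applied and levels.get(applied[m.group(1)], 0) < highest:
            findings.append(f"ACL {m.group(1)} on {applied[m.group(1)]} permits ip any any inbound")
        m = re.match(r"(ssh|telnet)\s+0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)$", ln)
        if m:
            findings.append(f"{m.group(1)} management allowed from any address on {m.group(2)}")
        m = re.match(r"snmp-server\s+community\s+(\S+)$", ln)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"SNMP community '{m.group(1)}' is a well-known default")
    return findings

if __name__ == "__main__":
    for f in audit_pix(SAMPLE_CONFIG):
        print(f)
```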

I got this resolved.

As a matter of fact I was able to map the drive all along. This does not even require creating openings in the ACL on the outside interface. I simply tried to map the network drive via IP address as opposed to the bios name. When I specify the IP address of the Linux host followed by the share, it works beautifully well. The only outgoing connection recorded on the pix is TCP port 445. Now, to enable this connection share by name I think it needs the hosts file properly configured. Anyhow, thanks for all your help.

Wesley
