pix - 4 easy questions...

joaquimlopes
Level 1

hi,

i have:

1 pix with 2 interfaces
2 lans, net1 & net2
default gateway is the pix

my 4 basic questions:

1- how can i, in the pix, define a static route so that in the end packets that arrive from net1 on the inside interface destined to net2 are directly routed to the internal ip of that router? (i added one static route in the pix to net2; from the pix cli i can ping some net2 server, my problem is that from the desktops i can't ping anything on net2)

2- i want only strict http/https access to external sites

i created these rules in the pdm:

access-list inside_access_in permit tcp any eq www any log
access-list inside_access_in permit tcp any eq https any log
access-list inside_access_in permit udp any eq domain any log
access-list inside_access_in permit tcp any eq domain any log

with these ones i can access the sites by ip but no dns resolution; when i add

access-list inside_access_in permit tcp any any log
access-list inside_access_in permit udp any any log

things work, but i have access to other things like messenger in the inside lan. what are the minimum protocols i should give access to, for http browsing only?

3- how can i synchronize the pix clock with an external time server, for example time.gov

4- what parser should i use to read the syslog logs

2 Replies

gfullage
Cisco Employee

1. If both net1 and net2 are off the inside interface of the PIX (let's say net1 is directly connected to the PIX and net2 is behind a router off the net1 subnet), then you can't set your default gateway to the PIX. The PIX won't route traffic back out the same interface it came in on, so if a packet destined for net2 comes in on the net1 interface, and needs to be routed back out the net1 interface, the PIX will drop the packet.

To get this to work set the default gateway of all the net1 PCs to the router that connects to net2. On the router define a default gateway of the PIX interface. For packets from net1 destined to net2 these will be sent straight to the router and will work fine. For packets from net1 to the Internet they'll be routed to the router first, which will then forward them to the PIX. The router will also then issue an ICMP redirect to the PC telling it to send all Internet based packets straight to the PIX from then on.

2. You have your source and destination ports around the wrong way, I'm surprised you can get any HTTP traffic out with that. Do the following:

access-list inside_access_in permit tcp any any eq www log

access-list inside_access_in permit tcp any any eq https log

access-list inside_access_in permit udp any any eq domain log

access-list inside_access_in permit tcp any any eq domain log

access-group inside_access_in in interface inside

3. Upgrade to 6.3 and use the "ntp" commands. See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1186068 for details. Config is the same as for an IOS router.

4. Any syslog server software will do. There's a free one you can load onto any Windows PC here:

http://www.kiwisyslog.com/
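The point in answer 2 is that in a PIX ACE the first address/port pair is the source and the second is the destination, so "any eq www any" only matches packets whose *source* port is 80, which an outbound browser connection never has. The script below is an added teaching example (not Cisco's code and not part of this thread); it parses the small subset of access-list syntax used above (permit/deny, tcp/udp, "any" or "host A.B.C.D", optional "eq port", trailing "log"), applies first-match-wins with the implicit deny at the end, and runs both the PDM-generated ACL and the corrected ACL against constructed sample flows. The IP addresses, ephemeral ports, and the port 1863 used as a stand-in for a messenger-style application are all constructed for the example.

```python
"""Evaluate PIX-style access-list lines against sample flows.

Added example for this thread; it models only the ACE subset used above
and is not an emulation of real PIX behaviour beyond that.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}


@dataclass
class Ace:
    """One access-list entry: action, protocol, source spec, destination spec."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "udp"
    src: str               # "any" or a host IP
    sport: Optional[int]   # source port from 'eq', None = any port
    dst: str
    dport: Optional[int]   # destination port from 'eq', None = any port


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny tcp|udp SRC [eq P] DST [eq P] [log]'."""
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = toks[2], toks[3]
    if action not in ("permit", "deny") or proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported action/protocol: {line!r}")
    rest = toks[4:]
    if rest and rest[-1] == "log":
        rest = rest[:-1]

    def take_addr(r: List[str]) -> Tuple[str, List[str]]:
        if r and r[0] == "any":
            return "any", r[1:]
        if len(r) >= 2 and r[0] == "host":
            return r[1], r[2:]
        raise ValueError(f"unsupported address spec in: {line!r}")

    def take_port(r: List[str]) -> Tuple[Optional[int], List[str]]:
        if len(r) >= 2 and r[0] == "eq":
            return _port(r[1]), r[2:]
        return None, r

    src, rest = take_addr(rest)      # first pair is the SOURCE
    sport, rest = take_port(rest)
    dst, rest = take_addr(rest)      # second pair is the DESTINATION
    dport, rest = take_port(rest)
    if rest:
        raise ValueError(f"trailing tokens {rest} in: {line!r}")
    return Ace(action, proto, src, sport, dst, dport)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(l) for l in lines if l.strip()]


def evaluate(acl: List[Ace], proto: str, src_ip: str, sport: int,
             dst_ip: str, dport: int) -> str:
    """First matching ACE decides; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto != proto:
            continue
        if ace.src not in ("any", src_ip) or ace.dst not in ("any", dst_ip):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# ACLs quoted from the thread: the PDM-generated one and the corrected one.
PDM_ACL = [
    "access-list inside_access_in permit tcp any eq www any log",
    "access-list inside_access_in permit tcp any eq https any log",
    "access-list inside_access_in permit udp any eq domain any log",
    "access-list inside_access_in permit tcp any eq domain any log",
]
FIXED_ACL = [
    "access-list inside_access_in permit tcp any any eq www log",
    "access-list inside_access_in permit tcp any any eq https log",
    "access-list inside_access_in permit udp any any eq domain log",
    "access-list inside_access_in permit tcp any any eq domain log",
]
OPEN_ACL = [
    "access-list inside_access_in permit tcp any any log",
    "access-list inside_access_in permit udp any any log",
]

# Constructed sample flows as seen inbound on the inside interface:
# (name, proto, client ip, ephemeral source port, server ip, dest port).
FLOWS = [
    ("web",  "tcp", "192.168.1.10", 51234, "203.0.113.5",  80),
    ("tls",  "tcp", "192.168.1.10", 51235, "203.0.113.5",  443),
    ("dns",  "udp", "192.168.1.10", 51236, "203.0.113.53", 53),
    ("chat", "tcp", "192.168.1.10", 51237, "203.0.113.9",  1863),  # stand-in app port
]


def check(acl_lines: List[str]) -> Dict[str, str]:
    """Return {flow name: permit|deny} for every sample flow under one ACL."""
    acl = parse_acl(acl_lines)
    return {name: evaluate(acl, *flow) for name, *flow in FLOWS}


if __name__ == "__main__":
    for label, acl in (("PDM", PDM_ACL), ("fixed", FIXED_ACL), ("open", OPEN_ACL)):
        print(f"{label:6s} {check(acl)}")
```

Running it shows the PDM ACL denying every outbound flow (nothing a client sends has source port 80, 443 or 53), the corrected ACL permitting web, TLS and DNS while denying the stand-in application port, and the "permit tcp any any" ACL letting the application through, which is exactly the difference the question describes.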

hi Glenn,

thanks for your reply. regarding my first question, i did think putting the router as default gw is the right choice, but in my case this is not an option; i was expecting that i could create some kind of virtual interface for this kind of lan configuration.

second question: this was the configuration created by the pdm! why is this wrong?

once again thanks so much
