10-12-2001 02:43 AM - edited 02-20-2020 09:52 PM
Hi, I have been having problems configuring a PIX for a customer's site and was wondering if anybody might be able to help. I have written down as much info below as possible, but please tell me if you need any more. Any help is greatly appreciated.
cheers
Andy
Inside network 192.9.200.x with 192.9.200.5 as a proxy server for all machines. This has a second NIC on 10.0.0.2.
The PIX is configured as "inside" 10.0.0.5 and "outside" 192.19.200.1.
The router is set up as 192.19.200.10 and can connect to the ISP OK.
The PIX can "ping outside" to a DNS server at the ISP end, so I know it can get out. The PIX can also ping internal IP addresses on its inside interface.
I have setup the pix like this:
interface ethernet0 10baseT
interface ethernet1 10baseT
ip address inside 10.0.0.5 255.255.255.0
ip address outside 192.19.200.1 255.255.255.0
global (outside) 1 192.19.200.20-192.19.200.200 netmask 255.255.255.0
nat (inside) 1 0 0 0 0
route outside 192.19.200.10
which I believe should give me access out to the web?
I have tried adding "conduit permit icmp any any" to see if I can ping out, but the client fails with a timeout. If I use "debug icmp trace" it appears the ping goes out to the ISP but nothing is coming back in, i.e.: 10.0.0.2>192.19.200.20>158.152.1.58
but no echo reply.
The one thing I'm not sure about is the global command. Should it be set to a range on the same network as the router and PIX outside interface?
The 10.0.0.2 server on the inside is really the only one that will need to access the internet, as it will be a proxy server for the rest. It will be running Exchange as well, but I "think?" the fixup commands should already allow SMTP and WWW out and in?
Sorry for the long-winded explanation.
Thanks for any help.
cheers
Andy
10-12-2001 02:51 AM
Sorry, it should have read:
route outside 0 0 192.19.200.10 1
Also, I know about the static and conduit commands, but am I right in thinking that I shouldn't need them, as the PIX will expect and allow replies back in?
Thanks
10-12-2001 03:58 AM
And one last thing.
Using ping from the 10.0.0.2 machine I now eventually get "inbound icmp unreachable (code 3) 192.19.200.10 (router) > 192.19.200.20 (global IP) > 10.0.0.2 (machine that was pinging)".
Don't know if that helps or not.
cheers
Andy
10-13-2001 11:18 PM
Hi Andy,
10-15-2001 02:27 PM
If you want all your proxy traffic to pass through the PIX firewall, you need to change the way your network is configured. The proxy server should not have an interface in the external network, but be connected only on the inside network and use the PIX firewall as its default gateway. I also would be much more restrictive in who is allowed to use nat (if your internal users use the proxy server, they should not be allowed to pass the firewall directly).
Email me if you would like some assistance (rob.bleeker@steeves.net).
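Added example (not part of any post in this thread): a PIX 5.x/6.x-style configuration that puts the two suggestions above into commands, using the addresses from the thread. It assumes the proxy keeps 10.0.0.2 on the PIX inside network with 10.0.0.5 as its default gateway, that 192.19.200.2 is an unused address on the outside segment (chosen here for the inbound SMTP static, outside the global pool), and that the PIX runs a conduit-era image. The global gets the same nat_id (1) as the nat statement, which is what ties the two together, and nat is restricted to the proxy host only, so no other inside address can be translated through the firewall directly. The static plus conduit are there because fixup protocol alone only inspects a protocol; it never permits an inbound connection from the lower-security interface. Lines beginning with ":" are PIX comments.

```cisco
: Interface names and security levels (ethernet0 outside, ethernet1 inside).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baseT
interface ethernet1 10baseT
ip address outside 192.19.200.1 255.255.255.0
ip address inside 10.0.0.5 255.255.255.0

: Default fixups: application inspection only, no access policy.
fixup protocol smtp 25
fixup protocol http 80

: Restrictive NAT: only the proxy (10.0.0.2) may be translated outbound.
: Any other 10.0.0.x host has no translation and is dropped by the PIX.
nat (inside) 1 10.0.0.2 255.255.255.255 0 0

: Global pool with the SAME nat_id (1) as the nat statement above.
global (outside) 1 192.19.200.20-192.19.200.200 netmask 255.255.255.0

: Default route via the router on the outside segment.
route outside 0.0.0.0 0.0.0.0 192.19.200.10 1

: Inbound SMTP to the Exchange server needs a static translation plus a
: conduit; 192.19.200.2 is an assumed free outside address, not from the thread.
static (inside,outside) 192.19.200.2 10.0.0.2 netmask 255.255.255.255 0 0
conduit permit tcp host 192.19.200.2 eq smtp any

: Narrower than "conduit permit icmp any any": only let echo replies back in
: while testing, and remove it once pings from the proxy work.
conduit permit icmp any any echo-reply
```

Outbound connections from 10.0.0.2 (web via the proxy, SMTP from Exchange) need only the nat/global pair and the default route; the PIX builds a translation slot and a connection entry and lets the replies back in on its own. Only traffic initiated from the outside, here SMTP to the Exchange server, needs the static and conduit.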