Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
558
Views
0
Helpful
2
Replies

Pix Help

nuno
Level 1
Level 1

‎10-16-2011 07:38 AM - edited ‎03-11-2019 02:38 PM

Hi Guys

Im very new to this,

Below is a config im working on with a PIX. Its really basic just for VPN purposes but now i wanna put a web server on the DMZ interface.

How do i do that ?

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security30

enable password hMfEmR.SqzHjLIz9 encrypted

passwd hMfEmR.SqzHjLIz9 encrypted

hostname tc-legion01-jhb

domain-name bright.co.za

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list 101 permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 196.35.41.82 255.255.255.248

ip address inside 10.0.1.1 255.255.255.0

ip address dmz 192.168.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpn 192.168.1.1-192.168.1.25

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address dmz

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 196.35.41.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp identity address

isakmp client configuration address-pool local vpn outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup vpn3000-all address-pool vpn

vpngroup vpn3000-all dns-server 10.0.1.2

vpngroup vpn3000-all wins-server 10.0.1.2

vpngroup vpn3000-all default-domain password

vpngroup vpn3000-all idle-time 1800

vpngroup vpn3000-all password ********

telnet timeout 5

ssh 10.0.1.0 255.255.255.0 inside

ssh timeout 60

console timeout 0

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe auto

vpdn group 1 client configuration address local vpn

vpdn group 1 pptp echo 60

vpdn group 1 client authentication local

vpdn username test *****

vpdn enable outside

username srvadmin password IOhWN8so9gNl2f.c encrypted privilege 2

username estellev password f4RTpgxM/Xmz0x0m encrypted privilege 2

username reinierb password 4dWfOyRAZ5lkN8ek encrypted privilege 2

terminal width 80

Cryptochecksum:86e54c4b35696ca47ca3fef936b43045

: end

tc-legion01-jhb#

tc-legion01-jhb# conf t

tc-legion01-jhb(config)# int ethernet2 auto

tc-legion01-jhb(config)#

tc-legion01-jhb# wr mem

Building configuration...

Cryptochecksum: 9f575ee5 ec636024 938627cf 0a86bdc8

[OK]

Labels:
0 Helpful
2 Replies 2

varrao
Level 10
Level 10

‎10-16-2011 11:17 AM

Hi Nuno,

Nothing much just a couple of commands:

Lets say you have a free public ip for your dmz server 196.35.41.82 and the real ip of the server is 192.168.0.20

Then you would need a static:

static (dmz,outside) 196.35.41.82 192.168.0.20

Also an access-list to allow access to the server:

access-list outside_access_in extended permit tcp any host 196.35.41.82

access-group outside_access_in in interface outside

Let me know if you have any questions.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

cadet alain
VIP Alumni
VIP Alumni

‎10-16-2011 11:21 AM

Hi,

1) first create a static PAT :

static(dmz,outside) tcp interface 80 x.x.x.x 80 where x.x.x.x is your web server ip address.

2) allow traffic from outside to this webserver

    access-list 102 permit tcp any 196.35.41.82 eq 80

    access-group 102 in interface outside

if you want to enable https access do the same for port 443

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card