
Pix question

kefah
Level 1

I want to add another global outside IP address on the PIX firewall for the Outlook Web server. Basically, I want to separate the Exchange server and Outlook Web onto different machines. The Outlook Web and Exchange servers are installed inside the network. I also want to allow outside users to access their e-mail through Outlook Web when connecting from any internet provider, so would this be like this?

static (inside,outside) 212.x.x.10 192.168.0.30 netmask 255.255.255.255. 0.0 (is this correct)

conduit permit tcp host 192.168.0.30 any

conduit permit tcp host 212.x.x.10 any

Please help!!!

3 Replies

bducharm
Level 1

This is what you can do. Have a static and conduit pair for each server. If your exchange server was 192.168.0.30 and your outlook web server was 192.168.0.31, then do this:

static (inside,outside) 212.X.X.10 192.168.0.30

static (inside,outside) 212.X.X.11 192.168.0.31

conduit permit tcp host 212.X.X.10 eq (protocol) any

conduit permit tcp host 212.X.X.11 eq (protocol) any

The (protocol) would be smtp, http, etc., whatever you want to permit to get to that server.

kefah
Level 1

Thanks for your reply. Just a quick question: is it really required to restart the PIX firewall for the new settings to take effect?

Another question: should the static maps for INSIDE/DMZ/OUTSIDE be defined in sequence, or does it not matter what sequence you use?

for example

static (inside,outside) 212.x.x.10 192.168.0.30 netmask 255.255.255.255. 0.0

static (inside, DMZ)

static (inside)

static (inside,outside)

See above, it is not in sequence. I have the same case. I applied the settings you suggested, but I cannot even ping that IP from outside ...

please suggest!!!

The pix will allow outbound icmp packets from a higher security interface to a lower security interface, as long as you have a translation. In your case, if the static (inside, outside) statement is correct, then it will allow the echo request to go out.

The echo reply (the response to your ping) will, by default, be dropped by the pix. To allow it to return, you will need to apply a conduit or an ACL specifically permitting it.

For test purposes, you can apply a conduit permit icmp any any.

I recommend that you refer to the command reference for further clarification of the use of the commands.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/commands.htm

Hope this helps

Jeff
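An offline check for the static/conduit pairing discussed in this thread, added here as an example; it was not posted by any participant and is not Cisco code. The function name `audit`, the finding labels and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re

# Constructed sample config; addresses are documentation ranges, not from the thread.
SAMPLE = """\
static (inside,outside) 203.0.113.10 192.168.0.30 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 192.168.0.31 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.12 192.168.0.32 netmask 255.255.255.255 0 0
conduit permit tcp host 203.0.113.10 eq smtp any
conduit permit tcp host 203.0.113.11 any
conduit permit tcp host 192.168.0.30 eq www any
conduit permit icmp any any
"""

STATIC = re.compile(r"^static\s*\(\s*\w+\s*,\s*\w+\s*\)\s+(\S+)\s+(\S+)")
CONDUIT = re.compile(
    r"^conduit\s+permit\s+(\w+)\s+(host\s+\S+|any|\S+\s+\S+)(\s+eq\s+\S+)?\s+(.+)$")

def audit(config):
    """Return (label, detail) findings for static/conduit lines in a PIX config."""
    statics, conduits, findings = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC.match(line):
            statics[m.group(1)] = m.group(2)      # global address -> inside address
        elif m := CONDUIT.match(line):
            dest = m.group(2).split()
            target = dest[1] if dest[0] == "host" else dest[0]
            conduits.append((line, m.group(1), target, m.group(3)))
    inside_addrs = set(statics.values())
    for line, proto, target, port in conduits:
        if target == "any":
            findings.append(("any-destination", line))   # e.g. a test rule left in place
        elif target in inside_addrs:
            findings.append(("inside-address", line))    # conduit must name the global IP
        elif port is None and proto in ("tcp", "udp"):
            findings.append(("no-port", line))           # every port of that protocol is open
    # Only host-form conduits count as covering a static in this simplified check.
    covered = {target for _, _, target, _ in conduits}
    for global_ip in statics:
        if global_ip not in covered:
            findings.append(("static-without-conduit", global_ip))
    return findings

if __name__ == "__main__":
    for label, detail in audit(SAMPLE):
        print(f"{label:24} {detail}")
```
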
