Validate PIX 515e Configuration

ryanwilhelm
Level 1

Hello all,

I'm trying to validate my configuration before going live and would appreciate if anyone could take a look and make recommendations.

I would like to accomplish the following:

1. Any External user connects to DMZ web server on port 80 (though ultimately 443 will be used), the dmz web server makes a connection to oracle (sqlnet) which sends packets and should be able to receive the replies back

2. smtp connections come in through a public address to a dmz box which in turn sends the message to an internal (inside interface) smtp box for delivery

3. Remote workers may connect to a public IP (204.50.125.138 in the example) on port 443 which will then allow a connection into the inside interface to connect to an internal web server (not a good idea, but I'm working with what I have).

4. I would like to pretty much allow all packets routed from a higher security level (100) to route out the outside interface without being blocked and receive replies back. Do I have it set up correctly?

5. Support VPN users connecting to the Inside network via the Cisco Secure VPN client.

I've attached my config (with entries changed to protect the innocent). Any feedback would be appreciated!

2 Replies

Patrick Iseli
Level 7

Feedback config:

1.) Never publish public IPs in your config examples.

2.) You used a VPN IP pool that has the same range as the internal interface. This works but might give problems in routing. I usually use another IP range for that.

3.) Everything else looks good. You could use, instead of this:

static (inside,dmz) tcp 10.20.x.y smtp 192.168.0.z smtp netmask 255.255.255.255 0 0

a NAT0 or static for the whole network so that no translation occurs for all inside to dmz or web interface traffic. But this should work like that.

sincerely

Patrick
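The NAT0 / whole-network static alternative from the reply above, and the separate VPN pool range, written out as an added example in PIX 6.x syntax. This is not the poster's attached config; the subnets (inside 192.168.0.0/24, dmz 10.20.0.0/24, pool 192.168.100.0/24), host addresses and ACL names are assumed placeholders.

```cisco
! Added example, not the thread's config. Assumed addressing:
!   inside 192.168.0.0/24  (Oracle 192.168.0.10, internal SMTP 192.168.0.25)
!   dmz    10.20.0.0/24    (web server 10.20.0.80, SMTP relay 10.20.0.25)

! Per-host static as shown in the thread (one line per inside service):
! static (inside,dmz) tcp 10.20.0.25 smtp 192.168.0.25 smtp netmask 255.255.255.255 0 0

! Alternative: exempt all inside<->dmz and inside<->VPN traffic from translation.
! nat 0 takes a single access-list, so both exemptions go in the same ACL.
access-list inside_nonat permit ip 192.168.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list inside_nonat permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nonat

! Equivalent for the dmz side only, as one static over the whole inside network:
! static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

! Skipping translation does not by itself let the DMZ reach inside: sessions
! started on the lower-security dmz interface are still filtered by its ACL.
! Allow only the two flows the design needs (SQL*Net from the web server,
! SMTP from the relay), deny everything else toward inside, then let the DMZ out.
access-list dmz_in permit tcp host 10.20.0.80 host 192.168.0.10 eq sqlnet
access-list dmz_in permit tcp host 10.20.0.25 host 192.168.0.25 eq smtp
access-list dmz_in deny ip 10.20.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list dmz_in permit ip 10.20.0.0 255.255.255.0 any
access-group dmz_in in interface dmz

! VPN client pool drawn from a range that is not the inside subnet (reply point 2),
! so pool addresses are routed to the PIX instead of being ARPed for on the LAN.
ip local pool vpnpool 192.168.100.1-192.168.100.50
```

Replies from inside to the DMZ and VPN hosts return through the existing connection entries, so no separate rules are needed for them.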

Patrick - Thanks for the reply. I've changed the VPN Pool which should also help with security if I choose to place more restrictive rights on it in the future. Thanks for the tip.
