What is wrong with this PIX 501 config?
10-11-2002 12:05 AM - edited 02-20-2020 10:17 PM
I am experimenting with a Cisco PIX 501. In the future I want to connect about 35 of them to our central (now 3600) router using VPN tunnels.
First I want to understand the basic functions.
(I will ask the tunnel questions later.)
This is what I want:
1. Do NAT from inside to outside.
2. Forward some ports (WWW, SMTP, FTP, NNTP and some others) to an internal host.
Problems:
- Somehow only WWW forwarding seems to work.
- It looks like the PIX does not use "stateful inspection", because as soon as I make a connection with a remote system, suddenly all protocols are forwarded to my redirect system (and all ports are open?).
This is what I do:
clear conf all
hostname MyHost
interface ethernet0 10baseT
ip address outside 123.187.1.204 255.255.248.0
route outside 0.0.0.0 0.0.0.0 123.187.0.1 1
ip address inside 172.16.4.43 255.255.255.248
nat 1 0.0.0.0 0.0.0.0
global 1 interface
http server enable
http 172.16.4.0 255.255.255.0
pdm logging informational
access-list outside_in permit icmp any host 123.187.1.204
access-list outside_in permit tcp any host 123.187.1.204 eq 20
access-list outside_in permit tcp any host 123.187.1.204 eq 21
access-list outside_in permit tcp any host 123.187.1.204 eq 22
access-list outside_in permit tcp any host 123.187.1.204 eq 25
access-list outside_in permit tcp any host 123.187.1.204 eq 80
access-list outside_in permit tcp any host 123.187.1.204 eq 110
access-list outside_in permit tcp any host 123.187.1.204 eq 113
access-list outside_in permit tcp any host 123.187.1.204 eq 119
access-list outside_in permit tcp any host 123.187.1.204 eq 443
access-list inside_access_in permit ip any any
access-group outside_in in interface outside
access-group inside_access_in in interface inside
static tcp interface 20 172.16.4.41 20 netmask 255.255.255.255 0 0
static tcp interface 21 172.16.4.41 21 netmask 255.255.255.255 0 0
static tcp interface 22 172.16.4.41 22 netmask 255.255.255.255 0 0
static tcp interface 25 172.16.4.41 25 netmask 255.255.255.255 0 0
static tcp interface 80 172.16.4.41 80 netmask 255.255.255.255 0 0
static tcp interface 110 172.16.4.41 110 netmask 255.255.255.255 0 0
static tcp interface 113 172.16.4.41 113 netmask 255.255.255.255 0 0
static tcp interface 119 172.16.4.41 119 netmask 255.255.255.255 0 0
static tcp interface 443 172.16.4.41 443 netmask 255.255.255.255 0 0
Labels: Other Network Security Topics
10-17-2002 07:52 AM
PIX does stateful inspection.
Maybe a few tips on this page will help you fix your problem.
10-30-2002 09:42 AM
In your access-list statements you use 123.187.1.204 as a host; this is your PIX firewall's outside interface. This should be a host matched to 172.16.4.41 in a static statement.
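The thread turns on whether each static port translation and each inbound access-list entry line up with one another. The following script is an added example, not code from the original post or from Cisco: it parses the PIX 6.x-style commands that appear in this thread (ip address, static, access-list, access-group), resolves "interface" in a static to the outside address, and reports translations with no inbound permit, permits with no translation behind them (which therefore target the PIX itself), and a "permit ip any any" on the inside interface. The config string is transcribed from the post above; the port-name table and the checks are my own assumptions, and the parser only understands the command forms used in the thread.

```python
"""Cross-check PIX static translations against the inbound access-lists (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: only this subset of PIX literal port names needs resolving to numbers.
PORT_NAMES = {"ftp-data": "20", "ftp": "21", "ssh": "22", "smtp": "25", "www": "80",
              "pop3": "110", "ident": "113", "nntp": "119", "https": "443"}


def _port(tok: str) -> str:
    return PORT_NAMES.get(tok, tok)


@dataclass(frozen=True)
class Static:
    proto: str                  # "tcp", "udp", or "ip" for a one-to-one static
    mapped: str                 # global address, with "interface" resolved to the outside IP
    mapped_port: Optional[str]
    real: str
    real_port: Optional[str]


@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]


def _addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume one ACL address spec (any | host X | X MASK) starting at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2


def parse_pix(config: str):
    lines = [l.split() for l in config.splitlines() if l.strip()]
    if_ips: Dict[str, str] = {t[2]: t[3] for t in lines if t[:2] == ["ip", "address"] and len(t) >= 4}
    statics: List[Static] = []
    acls: List[AclEntry] = []
    groups: Dict[str, str] = {}          # interface name -> ACL applied inbound on it
    for t in lines:
        if t[0] == "static":
            a = t[2:] if t[1].startswith("(") else t[1:]       # optional (inside,outside)
            if a[0] in ("tcp", "udp"):
                proto, mapped, mport, real, rport = a[0], a[1], _port(a[2]), a[3], _port(a[4])
            else:
                proto, mapped, mport, real, rport = "ip", a[0], None, a[1], None
            if mapped == "interface":     # port forward on the outside interface address
                mapped = if_ips.get("outside", "interface")
            statics.append(Static(proto, mapped, mport, real, rport))
        elif t[0] == "access-list" and len(t) > 3 and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = _port(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
            acls.append(AclEntry(t[1], t[2], t[3], src, dst, port))
        elif t[0] == "access-group" and len(t) >= 5 and t[2] == "in":
            groups[t[4]] = t[1]
    return if_ips, statics, acls, groups


def covers(e: AclEntry, s: Static) -> bool:
    """True if permit entry e and static s describe overlapping traffic to the mapped address."""
    return (e.action == "permit"
            and ("ip" in (e.proto, s.proto) or e.proto == s.proto)
            and e.dst in ("any", s.mapped)
            and (e.port is None or s.mapped_port is None or e.port == s.mapped_port))


def audit(config: str) -> List[str]:
    _, statics, acls, groups = parse_pix(config)
    findings: List[str] = []
    outside_acl = groups.get("outside")
    outside = [e for e in acls if e.name == outside_acl]
    for s in statics:       # a translation with no inbound permit is unreachable
        if not any(covers(e, s) for e in outside):
            findings.append(f"static {s.proto}/{s.mapped_port or '*'} -> {s.real}:{s.real_port} "
                            f"has no permit in {outside_acl}")
    for e in outside:       # a permit with no translation behind it targets the PIX itself
        if e.action == "permit" and not any(covers(e, s) for s in statics):
            findings.append(f"{e.name}: permit {e.proto} to {e.dst}"
                            f"{' port ' + e.port if e.port else ''} matches no static")
    for ifname, name in groups.items():   # permit ip any any inbound on inside = unrestricted outbound
        if ifname != "outside" and any(e.name == name and e.action == "permit" and e.proto == "ip"
                                       and e.src == "any" and e.dst == "any" for e in acls):
            findings.append(f"{name} on {ifname}: permit ip any any allows all outbound traffic")
    return findings


# Transcribed from the post above (the relevant lines only).
POSTED_CONFIG = """
ip address outside 123.187.1.204 255.255.248.0
ip address inside 172.16.4.43 255.255.255.248
access-list outside_in permit icmp any host 123.187.1.204
access-list outside_in permit tcp any host 123.187.1.204 eq 20
access-list outside_in permit tcp any host 123.187.1.204 eq 21
access-list outside_in permit tcp any host 123.187.1.204 eq 22
access-list outside_in permit tcp any host 123.187.1.204 eq 25
access-list outside_in permit tcp any host 123.187.1.204 eq 80
access-list outside_in permit tcp any host 123.187.1.204 eq 110
access-list outside_in permit tcp any host 123.187.1.204 eq 113
access-list outside_in permit tcp any host 123.187.1.204 eq 119
access-list outside_in permit tcp any host 123.187.1.204 eq 443
access-list inside_access_in permit ip any any
access-group outside_in in interface outside
access-group inside_access_in in interface inside
static tcp interface 20 172.16.4.41 20 netmask 255.255.255.255 0 0
static tcp interface 21 172.16.4.41 21 netmask 255.255.255.255 0 0
static tcp interface 22 172.16.4.41 22 netmask 255.255.255.255 0 0
static tcp interface 25 172.16.4.41 25 netmask 255.255.255.255 0 0
static tcp interface 80 172.16.4.41 80 netmask 255.255.255.255 0 0
static tcp interface 110 172.16.4.41 110 netmask 255.255.255.255 0 0
static tcp interface 113 172.16.4.41 113 netmask 255.255.255.255 0 0
static tcp interface 119 172.16.4.41 119 netmask 255.255.255.255 0 0
static tcp interface 443 172.16.4.41 443 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for finding in audit(POSTED_CONFIG):
        print(finding)
```

On the posted config every TCP static has a matching permit to the outside interface address, so the script reports only the ICMP permit (which has no static behind it and therefore reaches the PIX itself) and the unrestricted inside access-list. Deleting one of the "eq" lines and re-running shows the reverse failure: a forwarded port that no inbound entry permits.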
