PIX 506E

Unanswered Question

I am installing a new PIX 506E and want to have it wide open in the beginning and then will run a Qualys network test and shut things down from that point. My problem is this: I believe it is wide open, but when I attach it to the network external people cannot access our website. Internal users have no problems. Any ideas or pointers would be great!!!

acomiskey Thu, 08/09/2007 - 12:39

You want it to be wide open from the outside?

If so you could simply do...

access-list outside_access_in permit icmp any any

access-list outside_access_in permit ip any any

access-group outside_access_in in interface outside

The inside interface is wide open by default so you could remove the inside_access_in acl completely.

Your websites are working...

http://69.15.136.3/

http://69.15.136.2/

Make sure the dns is resolving properly.

Some of the access-list statements for your outside_access_in are not written properly. You have the source written as your 69. address with a source port. Remove these.

access-list outside_access_in permit tcp host 69.15.136.2 eq www any

access-list outside_access_in permit tcp host 69.15.136.2 eq https any

access-list outside_access_in permit gre host 69.15.136.2 any

access-list outside_access_in permit tcp host 69.15.136.2 eq pptp any

access-list outside_access_in permit tcp host 69.15.136.3 eq www any

Typically it would be written like this...

access-list outside_access_in permit tcp any host 69.15.136.2 eq www

etc.

Hope this helps. Please rate helpful posts.
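The two ACL problems raised in this answer (entries whose source is the site's own public host with a source port, and a blanket `permit ip any any`) plus the default-route point raised further down can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses a constructed set of PIX-style lines modelled on the ones quoted above, flags each suspicious entry, and prints the rewritten form. The public block `69.15.136.0/29` and the outside address `69.15.136.1` are taken from later posts in this thread and are assumptions here.

```python
"""Lint PIX-style access-list and route lines for the mistakes raised in this thread.

Added example (not from the thread or Cisco). Reports three things:
  swapped-src-dst     an outside-inbound ACE whose SOURCE is one of the site's
                      own public hosts (source/destination written backwards)
  wide-open           'permit ip any any' on the outside ACL
  default-route-self  a default route whose next hop is the PIX's own outside
                      address rather than the ISP's router
"""
import ipaddress

# Constructed sample config, modelled on the lines quoted in the thread.
SAMPLE_CONFIG = """
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp host 69.15.136.2 eq www any
access-list outside_access_in permit tcp host 69.15.136.2 eq https any
access-list outside_access_in permit gre host 69.15.136.2 any
access-list outside_access_in permit tcp host 69.15.136.2 eq pptp any
access-list outside_access_in permit tcp host 69.15.136.3 eq www any
access-list outside_access_in permit tcp any host 69.15.136.2 eq www
access-list outside_access_in permit ip any any
route outside 0.0.0.0 0.0.0.0 69.15.136.1 1
"""

# Assumptions taken from the thread: the site's public /29 and the PIX outside address.
LOCAL_PUBLIC_BLOCK = "69.15.136.0/29"
OUTSIDE_INTERFACE_IP = "69.15.136.1"


def parse_address(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host X' or 'X MASK'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_port(tokens, i):
    """Consume an optional 'eq PORT' or 'range LO HI' qualifier, returned verbatim."""
    if i < len(tokens) and tokens[i] == "eq":
        return f"eq {tokens[i + 1]}", i + 2
    if i < len(tokens) and tokens[i] == "range":
        return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    return "", i


def parse_ace(line):
    """Parse 'access-list NAME ACTION PROTO SRC [port] DST [port]' into a dict."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        return None
    ace = {"name": t[1], "action": t[2], "proto": t[3]}
    i = 4
    ace["src"], i = parse_address(t, i)
    ace["sport"], i = parse_port(t, i)
    ace["dst"], i = parse_address(t, i)
    ace["dport"], i = parse_port(t, i)
    return ace


def is_local_host(addr_spec, local_block):
    """True if addr_spec is 'host X' with X inside the site's public block."""
    parts = addr_spec.split()
    if len(parts) != 2 or parts[0] != "host":
        return False
    return ipaddress.ip_address(parts[1]) in ipaddress.ip_network(local_block)


def swapped_rewrite(ace):
    """Rewrite an ACE with source and destination (and their port qualifiers) exchanged."""
    new_src = " ".join(p for p in (ace["dst"], ace["dport"]) if p)
    new_dst = " ".join(p for p in (ace["src"], ace["sport"]) if p)
    return f"access-list {ace['name']} {ace['action']} {ace['proto']} {new_src} {new_dst}"


def lint(config, local_block=LOCAL_PUBLIC_BLOCK, outside_ip=OUTSIDE_INTERFACE_IP):
    """Return (line, code, suggestion) tuples for every suspicious line in config."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        ace = parse_ace(line)
        if ace:
            if (ace["action"] == "permit" and ace["proto"] == "ip"
                    and ace["src"] == "any" and ace["dst"] == "any"):
                findings.append((line, "wide-open", "replace with explicit permits before going live"))
            elif is_local_host(ace["src"], local_block) and ace["dst"] == "any":
                findings.append((line, "swapped-src-dst", swapped_rewrite(ace)))
            continue
        t = line.split()
        # route IFACE NET MASK NEXTHOP [METRIC]: a default route must point at the ISP router
        if t[:1] == ["route"] and len(t) >= 5 and t[2] == t[3] == "0.0.0.0" and t[4] == outside_ip:
            findings.append((line, "default-route-self",
                             f"route {t[1]} 0.0.0.0 0.0.0.0 <ISP next-hop router> 1"))
    return findings


if __name__ == "__main__":
    for line, code, suggestion in lint(SAMPLE_CONFIG):
        print(f"[{code}] {line}\n    -> {suggestion}")
```

Run against the sample, it flags the five backwards entries (the four TCP ones and the GRE one), the `permit ip any any`, and the default route, and prints for the first TCP entry exactly the form the answer recommends: `access-list outside_access_in permit tcp any host 69.15.136.2 eq www`. The already-correct line is left alone.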

JORGE RODRIGUEZ Thu, 08/09/2007 - 13:36

I see you have a route as:

route outside 0.0.0.0 0.0.0.0 69.15.136.1 1

which is your PIX outside interface.

Who is routing your public IP block? Do you have a next-hop router in front of the PIX? I don't think you are routing your public IP block back to the PIX outside interface.

JORGE RODRIGUEZ Thu, 08/09/2007 - 13:54

Your outside interface must be facing/touching your ISP, and that is why I was puzzled as to why your default route is pointing to the PIX outside interface address as opposed to the next-hop router, which is the ISP provider.

The ISP knows better: if they gave you a public IP block, they route it back to your PIX outside interface, and your default route is the ISP provider's IP.

On the ISP router facing your PIX outside, they have to route the block back as:

ip route 69.15.136.0 255.255.255.248 69.15.136.1
