PIX 506E

Unanswered Question

I am installing a new PIX506E and want to have it wide open in the beginning and then will run a qualsys network test and shut things down from that point. My problem is this: I believe it is wide open, but when I attach it to the network external people cannot access our website. Internal users have no problems. Any ideas or pointers would be great!!!

acomiskey Thu, 08/09/2007 - 12:00

Could you post a config?

acomiskey Thu, 08/09/2007 - 12:39

You want it to be wide open from the outside?


If so you could simply do...


access-list outside_access_in permit icmp any any

access-list outside_access_in permit ip any any

access-group outside_access_in in interface outside


The inside interface is wide open by default so you could remove the inside_access_in acl completely.


Your websites are working...


http://69.15.136.3/

http://69.15.136.2/


Make sure the dns is resolving properly.


Some of the access-list statements for your outside_access_in are not written properly. You have the source written as your 69. address with a source port. Remove these.


access-list outside_access_in permit tcp host 69.15.136.2 eq www any

access-list outside_access_in permit tcp host 69.15.136.2 eq https any

access-list outside_access_in permit gre host 69.15.136.2 any

access-list outside_access_in permit tcp host 69.15.136.2 eq pptp any

access-list outside_access_in permit tcp host 69.15.136.3 eq www any


Typically it would be written like this...


access-list outside_access_in permit tcp any host 69.15.136.2 eq www

etc.


Hope this helps. Please rate helpful posts.

JORGE RODRIGUEZ Thu, 08/09/2007 - 13:36

I see you have a route as:

route outside 0.0.0.0 0.0.0.0 69.15.136.1 1

which is your PIX outside interface.


Who is routing your public IP block? Do you have a next hop router in front of the PIX? I don't think you are routing your public IP block back to the PIX outside interface.

JORGE RODRIGUEZ Thu, 08/09/2007 - 13:54

Your outside interface must be facing your ISP, and that is why I was puzzled as to why your default route is pointing to the PIX outside interface address as opposed to the next hop router, which is the ISP provider.



The ISP knows better: if they gave you a public IP block, they route it back to the outside interface of your PIX, and your default route is the ISP provider's IP.


On the ISP router facing your PIX outside they have to route the block back as:


ip route 69.15.136.0 255.255.255.248 69.15.136.1



