08-09-2007 11:53 AM - edited 03-11-2019 03:56 AM
I am installing a new PIX506E and want to have it wide open in the beginning, and then I will run a Qualys network test and shut things down from that point. My problem is this: I believe it is wide open, but when I attach it to the network, external people cannot access our website. Internal users have no problems. Any ideas or pointers would be great!
08-09-2007 12:00 PM
Could you post a config?
08-09-2007 12:06 PM
08-09-2007 12:39 PM
You want it to be wide open from the outside?
If so you could simply do...
access-list outside_access_in permit icmp any any
access-list outside_access_in permit ip any any
access-group outside_access_in in interface outside
The inside interface is wide open by default, so you could remove the inside_access_in ACL completely.
Your websites are working...
Make sure the dns is resolving properly.
Some of the access-list statements for your outside_access_in are not written properly. You have the source written as your 69. address with a source port. Remove these:
access-list outside_access_in permit tcp host 69.15.136.2 eq www any
access-list outside_access_in permit tcp host 69.15.136.2 eq https any
access-list outside_access_in permit gre host 69.15.136.2 any
access-list outside_access_in permit tcp host 69.15.136.2 eq pptp any
access-list outside_access_in permit tcp host 69.15.136.3 eq www any
Typically it would be written like this...
access-list outside_access_in permit tcp any host 69.15.136.2 eq www
etc.
Hope this helps. Please rate helpful posts.
08-09-2007 01:17 PM
08-09-2007 01:36 PM
I see you have a route as:
route outside 0.0.0.0 0.0.0.0 69.15.136.1 1
which is your PIX outside interface.
Who is routing your public IP block? Do you have a next hop router in front of the PIX? I don't think you are routing your public IP block back to the PIX outside interface.
08-09-2007 01:38 PM
CBeyond handles the public IP block, and we do not have a next hop router in front of the PIX. What would be the best way to route this back?
08-09-2007 01:54 PM
Your outside interface must be facing (touching) your ISP, and that is why I was puzzled as to why your default route is pointing to the PIX outside interface address as opposed to the next hop router, which is the ISP.
The ISP knows better: if they gave you a public IP block, they route it back to the outside interface of the PIX, and your default route is the ISP provider's IP.
On the ISP router facing your PIX outside, they have to route the block back as:
ip route 69.15.136.0 255.255.255.248 69.15.136.1
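The two mistakes the replies above point out (a port qualifier on the source side of an inbound access-list entry, and a default route whose next hop is the PIX's own outside address) are both easy to catch mechanically. The script below is an added example, not code from the thread or from Cisco: it parses PIX 6.x style `access-list` and `route` lines, rewrites any TCP/UDP entry that carries its port on the source, and flags a route whose gateway equals the address of the interface it points out of. The sample config is constructed from the lines quoted in the thread, plus an assumed `ip address outside 69.15.136.1 255.255.255.248` line, since the thread says 69.15.136.1 is the PIX outside interface but never shows that command.

```python
import re

# Constructed sample, not the poster's full config: the ACL and route lines
# quoted in the thread plus an assumed PIX 6.x "ip address" line that gives
# the outside interface the 69.15.136.1 address the thread says it has.
SAMPLE_CONFIG = """\
ip address outside 69.15.136.1 255.255.255.248
access-list outside_access_in permit tcp host 69.15.136.2 eq www any
access-list outside_access_in permit tcp host 69.15.136.2 eq https any
access-list outside_access_in permit gre host 69.15.136.2 any
access-list outside_access_in permit tcp host 69.15.136.2 eq pptp any
access-list outside_access_in permit tcp host 69.15.136.3 eq www any
access-list outside_access_in permit tcp any host 69.15.136.2 eq www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.15.136.1 1
"""

# Port operators and how many operands each takes.
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}


def _take_addr(tokens, i):
    """Consume one address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _take_port(tokens, i):
    """Consume an optional port qualifier at tokens[i]; None if absent."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        return " ".join(tokens[i:i + 1 + n]), i + 1 + n
    return None, i


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [PORT] DST [PORT]'."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    ace = {"name": t[1], "action": t[2], "proto": t[3]}
    i = 4
    ace["src"], i = _take_addr(t, i)
    ace["src_port"], i = _take_port(t, i)
    ace["dst"], i = _take_addr(t, i)
    ace["dst_port"], i = _take_port(t, i)
    return ace


def fix_ace(ace):
    """Return the entry rewritten with the port on the destination, or None.

    On an inbound ACL a port qualifier on the source side matches the *client's*
    ephemeral port, so 'host 69.15.136.2 eq www any' never matches a browser
    connecting to the web server; swapping the two sides gives the intended rule.
    """
    if ace["src_port"] is None or ace["dst_port"] is not None:
        return None
    return (f"access-list {ace['name']} {ace['action']} {ace['proto']} "
            f"{ace['dst']} {ace['src']} {ace['src_port']}")


def parse_iface_addrs(config):
    """Map interface name -> address from PIX 6.x 'ip address IF ADDR MASK'."""
    addrs = {}
    for line in config.splitlines():
        m = re.match(r"ip address (\S+) (\S+) \S+$", line.strip())
        if m:
            addrs[m.group(1)] = m.group(2)
    return addrs


def check_routes(config, iface_addrs):
    """Flag 'route IF NET MASK GW ...' lines whose gateway is the PIX's own IF address."""
    return [line.strip() for line in config.splitlines()
            if len(line.split()) >= 5 and line.split()[0] == "route"
            and iface_addrs.get(line.split()[1]) == line.split()[4]]


def audit(config):
    """Return ([(bad_ace, suggested_rewrite), ...], [bad_route, ...])."""
    bad_aces = []
    for line in config.splitlines():
        ace = parse_ace(line.strip())
        if ace and ace["proto"] in ("tcp", "udp"):
            fixed = fix_ace(ace)
            if fixed:
                bad_aces.append((line.strip(), fixed))
    return bad_aces, check_routes(config, parse_iface_addrs(config))


if __name__ == "__main__":
    aces, routes = audit(SAMPLE_CONFIG)
    for bad, good in aces:
        print(f"source-port ACE: {bad}\n   rewrite as:   {good}")
    for r in routes:
        print(f"route points at the PIX's own interface address: {r}")
```

Run against the sample, the four entries with `eq` on the source host are reported with their swapped form, the correctly written `permit tcp any host 69.15.136.2 eq www` passes, and the `route outside 0.0.0.0 0.0.0.0 69.15.136.1 1` line is flagged because its gateway is the outside interface itself rather than the ISP's router.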