PIX 506E

tknight
Level 1

I am installing a new PIX 506E and want to have it wide open in the beginning; I will then run a Qualys network test and shut things down from that point. My problem is this: I believe it is wide open, but when I attach it to the network, external people cannot access our website. Internal users have no problems. Any ideas or pointers would be great!

7 Replies

acomiskey
Level 10

Could you post a config?

Here is my config file...

You want it to be wide open from the outside?

If so you could simply do...

access-list outside_access_in permit icmp any any

access-list outside_access_in permit ip any any

access-group outside_access_in in interface outside

The inside interface is wide open by default so you could remove the inside_access_in acl completely.

Your websites are working...

http://69.15.136.3/

http://69.15.136.2/

Make sure the dns is resolving properly.

Some of the access-list statements for your outside_access_in are not written properly. You have the source written as your 69. address with a source port. Remove these:

access-list outside_access_in permit tcp host 69.15.136.2 eq www any

access-list outside_access_in permit tcp host 69.15.136.2 eq https any

access-list outside_access_in permit gre host 69.15.136.2 any

access-list outside_access_in permit tcp host 69.15.136.2 eq pptp any

access-list outside_access_in permit tcp host 69.15.136.3 eq www any

Typically it would be written like this...

access-list outside_access_in permit tcp any host 69.15.136.2 eq www

etc.

Hope this helps. Please rate helpful posts.

I made the changes (I think) that you recommended, but I still cannot get to our website externally. Here is the config file with the changes. Thanks for all your help; I really appreciate it!

I see you have a route as:

route outside 0.0.0.0 0.0.0.0 69.15.136.1 1

which is your PIX outside interface.

Who is routing your public IP block? Do you have a next-hop router in front of the PIX? I don't think your public IP block is being routed back to the PIX outside interface.

Jorge Rodriguez

CBeyond handles the public IP block, and we do not have a next-hop router in front of the PIX. What would be the best way to route this back?

Your outside interface must be facing your ISP, and that is why I was puzzled as to why your default route is pointing to the PIX outside interface address as opposed to the next-hop router, which is the ISP's.

The ISP knows better: if they gave you a public IP block, they route it back to the outside interface of your PIX, and your default route is the ISP's IP.

On the ISP router facing your PIX outside interface, they have to route the block back as:

ip route 69.15.136.0 255.255.255.248 69.15.136.1

Jorge Rodriguez
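Pulling the two diagnoses in this thread together (acomiskey's point that the outside_access_in entries have source and destination reversed, and Jorge's point that the default route's next hop is the PIX's own outside address), here is an added example, not code from any participant, that checks a PIX-style config for both mistakes and prints the corrected ACL line. The config inside it is constructed from the addresses in the thread; the `ip address` lines are assumed, since the poster's actual config is not shown on this page.

```python
# Audit a PIX 6.x-style config for the two problems raised in this thread:
# inbound ACL entries that name the local public host as *source* (with a
# source port) instead of destination, and a default route whose next hop is
# the PIX's own outside address rather than the ISP router. Added example,
# not code posted in the thread; the sample config is constructed from the
# thread's addresses and the 'ip address' lines are an assumption.
import ipaddress

SAMPLE_CONFIG = """\
ip address outside 69.15.136.1 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
access-list outside_access_in permit tcp host 69.15.136.2 eq www any
access-list outside_access_in permit tcp host 69.15.136.2 eq https any
access-list outside_access_in permit gre host 69.15.136.2 any
access-list outside_access_in permit tcp host 69.15.136.2 eq pptp any
access-list outside_access_in permit tcp host 69.15.136.3 eq www any
access-list outside_access_in permit tcp any host 69.15.136.2 eq www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.15.136.1 1
"""

def _take_addr(tokens):
    """Consume one PIX address spec: any | host A.B.C.D | NET MASK."""
    if not tokens:
        return None, tokens
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def _take_port(tokens):
    """Consume an optional port qualifier: eq|gt|lt|neq PORT or range A B."""
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
        return f"{tokens[0]} {tokens[1]}", tokens[2:]
    if tokens and tokens[0] == "range":
        return f"range {tokens[1]} {tokens[2]}", tokens[3:]
    return None, tokens

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [port] DST [port]'."""
    t = line.split()
    if len(t) < 4 or t[2] == "remark":
        return None
    src, rest = _take_addr(t[4:])
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, _ = _take_port(rest)
    return {"raw": line, "name": t[1], "action": t[2], "proto": t[3],
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def rewrite_inbound(ace):
    """'permit tcp host X eq www any' -> 'permit tcp any host X eq www'."""
    parts = ["access-list", ace["name"], ace["action"], ace["proto"],
             "any", ace["src"], ace["sport"]]
    return " ".join(p for p in parts if p)

def audit_config(text):
    """Return (kind, offending line, suggestion) tuples for the config text."""
    ifaces, aces, inbound, routes = {}, [], {}, []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["ip", "address"] and len(t) >= 5:   # ip address IF IP MASK
            ifaces[t[2]] = ipaddress.IPv4Interface(f"{t[3]}/{t[4]}")
        elif t[0] == "access-list":
            ace = parse_ace(line.strip())
            if ace:
                aces.append(ace)
        elif t[0] == "access-group" and len(t) >= 5 and t[2] == "in":
            inbound[t[1]] = t[4]            # access-group NAME in interface IF
        elif t[0] == "route" and len(t) >= 5:
            routes.append(t)                # route IF NET MASK NEXTHOP [METRIC]

    findings = []
    for ace in aces:
        ifname = inbound.get(ace["name"])
        if ifname not in ifaces or not (ace["src"] or "").startswith("host "):
            continue
        src = ipaddress.IPv4Address(ace["src"].split()[1])
        # Local public host as source with the port on the source side only
        # matches packets *from* that address, never the inbound client request.
        if src in ifaces[ifname].network and ace["dst"] == "any":
            findings.append(("ace-reversed", ace["raw"], rewrite_inbound(ace)))

    for t in routes:
        ifname, net, hop = t[1], t[2], t[4]
        if net == "0.0.0.0" and ifname in ifaces \
                and ipaddress.IPv4Address(hop) == ifaces[ifname].ip:
            findings.append(("default-route-self", " ".join(t),
                             f"next hop is the PIX's own {ifname} address; use the ISP router's"))
    return findings

if __name__ == "__main__":
    for kind, offending, advice in audit_config(SAMPLE_CONFIG):
        print(f"[{kind}] {offending}\n    -> {advice}")
```

Run as a script it lists the five reversed entries with their rewritten forms and the self-pointing default route; `audit_config` returns the findings, so the same check can sit in a pre-change review. It only catches the local side of the routing problem: as Jorge says, the ISP must still route the /29 back to the PIX's outside interface.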