10-22-2007 02:48 AM
Dear Sir,
I have a PIX configured to allow internal users to access the internet, and to allow external users to access internal FTP, HTTP and email.
The problem is that external users cannot access HTTP and FTP, and mail cannot be received from outside.
This is my configuration:
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address ********
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
no ftp mode passive
access-list access-in extended permit tcp any any eq ftp
access-list access-in extended permit icmp any any
access-list access-in extended permit tcp any any eq 3389
access-list access-in extended permit tcp any any eq smtp
access-list access-in extended permit tcp any any eq http
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.1.0 255.255.255.0
static (inside,outside) tcp ***** ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside,outside) tcp **** http 192.168.1.2 http netmask 255.255.255.255
static (inside,outside) tcp **** smtp 192.168.1.2 smtp netmask 255.255.255.255
access-group access-in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map global_poliy
class inspection_default
!
service-policy global_policy global
prompt hostname context
10-22-2007 04:45 AM
Try this if the public address you are using is also the outside interface address...
static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface http 192.168.1.2 http netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
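Added example (not part of the original thread): a small Python audit that flags static PAT lines whose mapped address is the outside interface's own IP, the case the reply's `interface` keyword addresses, and also lists ports the inbound ACL permits that no static publishes, such as 3389 in the posted configuration. The 203.0.113.x addresses are constructed stand-ins for the values masked in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: documentation addresses replace the masked values in the post.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 203.0.113.10 255.255.255.248
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list access-in extended permit tcp any any eq ftp
access-list access-in extended permit tcp any any eq 3389
access-list access-in extended permit tcp any any eq smtp
access-list access-in extended permit tcp any any eq http
static (inside,outside) tcp 203.0.113.10 ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface http 192.168.1.2 http netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.11 smtp 192.168.1.2 smtp netmask 255.255.255.255
access-group access-in in interface outside
"""

def interface_ips(config):
    """Map each nameif to the IP address configured in its interface stanza."""
    ips, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None                      # new stanza, nameif not seen yet
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            ips[name] = line.split()[2]
    return ips

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any any eq (\S+)", re.M)

def audit(config):
    """Return (statics that should use 'interface', permitted ports with no static)."""
    ips = interface_ips(config)
    statics = STATIC_RE.findall(config)
    needs_keyword = [(mapped, port) for _rif, mapped_if, mapped, port, _h, _p in statics
                     if mapped != "interface" and mapped == ips.get(mapped_if)]
    published = {port for _r, _m, _a, port, _h, _p in statics}
    unpublished = [port for _acl, port in ACL_RE.findall(config) if port not in published]
    return needs_keyword, unpublished

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
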