05-24-2008 05:16 PM - edited 03-05-2019 11:12 PM
Ok, so I posted before about the basic syntax. I'm trying to get the basic principle of what to do:
I have two WAN statics. One I've assigned to the outside interface of the firewall. The other I assume I don't actually assign to the LAN server, but instead I forward traffic en-route to this second WAN address *to* the LAN server? Is this correct?
So I assigned the outside interface of the PIX the first WAN address (I'll refer to it as 12.12.12.12)
My LAN server is 10.1.1.5.
So: Would a static entry look like this?
static (inside,outside) tcp 12.12.12.13 pop3 10.1.1.5 pop3 netmask 255.255.255.255 0 0
And would my access list look like this?
access-list if_outside permit tcp any host 12.12.12.13 eq pop3
Then I would apply it like this?
access-group if_outside in interface outside
If someone could please point me in the right direction or correct any misconceptions I have about the syntax.
Also, could someone elaborate on that "access-group" syntax?
access-group <pre-defined ACL> ?in? interface ?outside?
How should I think of the "in" and the "outside" ?
Thanks for any help
05-25-2008 01:03 AM
Scott,
That is correct - the syntax looks 100%
as far as the access-group is concerned...
In - coming in to the interface
Out - going out of the interface
so you could have
access-group
access-group
access-group
access-group
HTH.
05-26-2008 05:33 PM
Thanx Andrew,
This part particularly helped *tons*:
"access-group
access-group
access-group
access-group
Thinking of it like that makes it seem so much more clear.
If you, or anyone, has a free moment, please take a look at the attached config file. It is what I have done so far and I'm going to take it to the office and try it out. Right now my goal is to be able to plug in the WAN interface "0" so all workstations on the LAN can get out to the internet and do whatever (email, www, etc).
The VPN stuff is me playing around and learning. I've never set up VPN on a PIX and am just doing trial & errors. For right now, my main goal is to just implement the firewall, I'll worry about the VPN stuff later.
So if I plug this in, will it work?
Thanks!
05-27-2008 12:35 AM
Scott,
I would double check your IP addressing:-
ip address outside 16.39.45.62 255.255.255.248
but you have an acl:-
access-list if_outside permit tcp any host 216.139.145.163 eq smtp
access-list if_outside permit tcp any host 216.139.145.163 eq www
access-list if_outside permit tcp any host 216.139.145.163 eq https
access-list if_outside permit tcp any host 216.139.145.163 eq pop3
access-list if_outside permit tcp any host 216.139.145.163 eq ssh
access-list if_outside permit tcp any host 216.139.145.163 eq 993
access-list if_outside permit udp any host 216.139.145.163 eq 993
access-list if_outside permit tcp any host 216.139.145.163 eq 3283
access-list if_outside permit tcp any host 216.139.145.163 eq 5900
access-list if_outside permit udp any host 216.139.145.163 eq 3283
access-list if_outside permit udp any host 216.139.145.163 eq 5900
and a static translation:-
static (inside,outside) 16.39.45.63 10.1.1.5 netmask 255.255.255.255 0 0
The IP's don't match. Other than that it's good to go - should work right off the bat.
Just to give you a little more info - your acl:-
access-list if_inside permit ip 10.1.1.0 255.255.255.0 any
is already covered - in the PIX another little nugget is traffic from a higher interface to a lower interface is automatically permitted - no need for an ACL! But it still helps to have the acl for troubleshooting!
HTH.
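As an added example (not part of the thread or any Cisco tool), a small Python check that does by script what Andrew did by eye above: it parses the `ip address outside`, `access-list ... host ...` and `static (inside,outside) ...` lines and reports when the ACL destination hosts and the statics' global addresses don't line up or fall outside the outside-interface subnet. It assumes only the PIX 6.x command forms quoted in this thread; the embedded config is the fragment from Andrew's post.

```python
import ipaddress

# Fragment quoted in the review above: the ACL permits traffic to 216.139.145.163
# while the static maps 16.39.45.63, so the two never meet.
POSTED_CONFIG = """
ip address outside 16.39.45.62 255.255.255.248
access-list if_outside permit tcp any host 216.139.145.163 eq smtp
access-list if_outside permit tcp any host 216.139.145.163 eq www
static (inside,outside) 16.39.45.63 10.1.1.5 netmask 255.255.255.255 0 0
access-group if_outside in interface outside
"""


def parse(config):
    """Return (outside subnet, {acl: set(dest hosts)}, {mapped ip: real ip})."""
    outside_net, acl_hosts, statics = None, {}, {}
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "address", "outside"]:
            outside_net = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
        elif t[0] == "access-list" and "host" in t:
            acl_hosts.setdefault(t[1], set()).add(t[t.index("host") + 1])
        elif t[0] == "static":
            # port static:    static (in,out) tcp MAPPED mport REAL rport netmask ...
            # address static: static (in,out) MAPPED REAL netmask ...
            mapped, real = (t[3], t[5]) if t[2] in ("tcp", "udp") else (t[2], t[3])
            statics[mapped] = real
    return outside_net, acl_hosts, statics


def audit(config):
    """One line per inconsistency; an empty list means the pieces agree."""
    outside_net, acl_hosts, statics = parse(config)
    findings = []
    for acl, hosts in acl_hosts.items():
        for h in sorted(hosts):
            if h not in statics:
                findings.append(f"{acl}: host {h} has no static translation")
            if outside_net and ipaddress.ip_address(h) not in outside_net:
                findings.append(f"{acl}: host {h} is not in outside subnet {outside_net}")
    referenced = {h for hosts in acl_hosts.values() for h in hosts}
    for mapped, real in statics.items():
        if mapped not in referenced:
            findings.append(f"static {mapped} -> {real} is permitted by no access-list")
    return findings


if __name__ == "__main__":
    for line in audit(POSTED_CONFIG) or ["no mismatches found"]:
        print(line)
```

Swapping the ACL host for the static's global address (as the real config reportedly had it) makes the check come back clean.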
05-27-2008 03:35 PM
Hmm, all those IP changes were just me messing around. I didn't mean to post that version of the text. The real config had it set correctly.
So mission success. Successfully implemented the firewall today. Didn't work initially, but after checking, rechecking, and double rechecking my end, I called the ISP and it was an issue with them. A quick setting change and boom, all is well.
Thanks for your help, Andrew. Much appreciated. That "PIX nugget" is interesting. I've never heard of the higher/lower interface rule. Care to elaborate what constitutes a higher or lower? Is that the "security0" vs "security100"?
Anyhow, I have two goals now:
Setting up VPN accounts.
And being able to telnet into the PIX from home, lol.
I'll make separate posts for these. Thanks again, Andrew.
05-27-2008 10:49 PM
Yes - it's the security interface number - the higher the number the more trusted. So the inside has 100 as default - the outside has 0 as default. Anything on the inside will be allowed out - without any configuration. As the outside is 0 - you have to write a permit acl to allow traffic to the inside as it's higher.
Setting up VPN is quite easy - for a newbie like you I would suggest you do it through the PDM.
Telnet access from home is dangerous - I suggest you use SSH for that if you must. Create a crypto key and then allow access:-
give the device a domain name:- domain-name blah.com
Generate your key:- crypto key generate rsa modulus 1024
wait until your key is generated then allow access:- ssh 0.0.0.0 outside
HTH.
05-28-2008 01:20 AM
Have a look here for some really good config guides:-
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
HTH.