06-16-2008 09:32 AM - edited 03-11-2019 06:00 AM
Hi!
Can anybody give me some link where i can find how to configure a new pix 515e just for internet access for my internal network clients?
Thanks!
06-16-2008 10:10 AM
06-17-2008 01:01 AM
Hi! Thanks for your help. I followed the first link but internet did not work on my pc. Here is the pix config
pixfirewall(config)# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password encrypted
passwd encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skin
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside (my public ip)
ip address inside 10.1.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 (public ip range-public ip range) netmask (net mask)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 public ip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
am i missing something like allowing http traffic or something else?
Thanks!
06-17-2008 02:09 AM
No, when going from higher security level (inside) to outside, the only thing you need in PIX 6.x is NAT.
What are you seeing in the firewall's log?
logging console 7
or
IF telnet:
logging monitor 7
terminal monitor
Regards
Farrukh
06-17-2008 02:54 AM
When i try to access any website.
710005: UDP request discarded from 10.1.1.2/137 to inside:10.1.1.255/netbios-ns
710005: UDP request discarded from 10.1.1.2/137 to inside:10.1.1.255/netbios-ns
710005: UDP request discarded from 10.1.1.2/137 to inside:10.1.1.255/netbios-ns
710005: UDP request discarded from
06-17-2008 03:18 AM
That message has nothing to do with internet access, those are just netbios broadcasts.
Regards
Farrukh
06-17-2008 03:22 AM
I know but then that means the http request is not even reaching pix. What is missing?
Thanks!
06-17-2008 03:44 AM
I would check the routing, computer's default gateway, can it ping the PIX inside interface?
Do you have DNS properly configured on the end user machines.
Regards
Farrukh
06-17-2008 04:57 AM
1. access-list outbound permit udp [Inside-LAN-Network] [Inside-Subnet] any eq 53
2. access-group outbound in interface inside
after trying the above internet started working but is it required. I did not find this anywhere on internet or on cisco website.
Thanks!
06-17-2008 05:05 AM
Are you sure that is the only line you have in your ACL?
There is an implicit deny at the end of every ACL.
Regards
Farrukh
06-17-2008 06:40 AM
I deleted the deny rule. I think there must be some DNS configuration on PIX outside or inside interface where i should enter my isp DNS Server address. Don't you think so?
Thanks!
06-17-2008 06:43 AM
No the PIX does not need the DNS information. It just 'relays' the DNS packets/requests (after performing the configured security checks) from the users towards the DNS server on the internet, just like a router.
Regards
Farrukh
06-21-2008 01:41 AM
Hi!
I left configuring PIX for Internet access. The only thing i need is using PIX to protect my Terminal Server by allowing only Remote Desktop Access to my Terminal Server so that my users can use this server. Does PIX provide maximum security with its default config and how can i configure RDP access from internet to my Terminal Server through PIX?
Thanks!
06-21-2008 02:08 AM
Technically speaking RDP is not a secure protocol, on Windows you can tunnel it inside 'HTTPS' (check advanced options for the terminal services client). But it needs some extra configuration. Simple RDP can be opened like this:
Please rate helpful posts.
Farrukh
06-21-2008 11:15 PM
What can be the other option since i don't have a fixed IP in one of our branches and they are connecting through a wireless internet that can't have fixed ip?
Thanks!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide