New Member

Just Internet

Hi!

Can anybody give me a link where I can find how to configure a new PIX 515E just for Internet access for my internal network clients?

Thanks!

18 REPLIES
New Member

Re: Just Internet

Hi! Thanks for your help. I followed the first link, but Internet did not work on my PC. Here is the PIX config:

pixfirewall(config)# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password encrypted
passwd encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skin
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside (my public ip)
ip address inside 10.1.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 (public ip range-public ip range) netmask (net mask)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 public ip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Am I missing something, like allowing HTTP traffic, or something else?

Thanks!

Re: Just Internet

No, when going from higher security level (inside) to outside, the only thing you need in PIX 6.x is NAT.

What are you seeing in the firewall's log?

logging console 7

or

IF telnet:

logging monitor 7

terminal monitor

Regards

Farrukh

New Member

Re: Just Internet

When I try to access any website:

710005: UDP request discarded from 10.1.1.2/137 to inside:10.1.1.255/netbios-ns
710005: UDP request discarded from 10.1.1.2/137 to inside:10.1.1.255/netbios-ns
710005: UDP request discarded from 10.1.1.2/137 to inside:10.1.1.255/netbios-ns
710005: UDP request discarded from

Re: Just Internet

That message has nothing to do with internet access, those are just netbios broadcasts.

Regards

Farrukh

New Member

Re: Just Internet

I know, but then that means the HTTP request is not even reaching the PIX. What is missing?

Thanks!

Re: Just Internet

I would check the routing and the computer's default gateway; can it ping the PIX inside interface?

Do you have DNS properly configured on the end-user machines?

Regards

Farrukh

New Member

Re: Just Internet

1. access-list outbound permit udp [Inside-LAN-Network] [Inside-Subnet] any eq 53

2. access-group outbound in interface inside

After trying the above, Internet started working, but is it required? I did not find this anywhere on the Internet or on the Cisco website.

Thanks!

Re: Just Internet

Are you sure that is the only line you have in your ACL?

There is an implicit deny at the end of every ACL.

Regards

Farrukh
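
As an added example, not from the thread, here is what a complete inside-interface ACL for "just Internet" looks like on PIX 6.3 once that implicit deny is taken into account. Applying an ACL that permits only DNS, as in the previous post, means the ACL itself now ends the HTTP and HTTPS flows that NAT alone used to pass. The 10.1.1.0/24 network is the inside subnet from the posted config; the ACL name, the set of permitted ports and the logging line are assumptions.

```text
: Constructed example: inside-to-outside policy for the 10.1.1.0/24 LAN in the posted config.
: PIX 6.3 evaluates ACEs top-down, first match wins, and anything unmatched hits the
: implicit "deny ip any any" at the end, so every protocol that must go out has to be listed.
access-list outbound permit udp 10.1.1.0 255.255.255.0 any eq 53
access-list outbound permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list outbound permit tcp 10.1.1.0 255.255.255.0 any eq 443
: Optional: an explicit final deny with "log" makes the implicit deny visible as 106100 syslog messages.
access-list outbound deny ip any any log
access-group outbound in interface inside
:
: Checks after applying it: hitcnt on each line shows which ACE a flow matched.
show access-list outbound
clear access-list outbound count
```

Watching the hit counts on the deny line (or the 106100 messages it logs) tells you directly which inside flows the ACL is dropping, which is a more useful check than the 710005 NetBIOS broadcast noise quoted earlier in the thread. The posted running config also still carries the default SNMP community `public`; changing it to a non-default value is a small hardening step worth doing while the box is being set up.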

New Member

Re: Just Internet

I deleted the deny rule. I think there must be some DNS configuration on the PIX outside or inside interface where I should enter my ISP DNS server address. Don't you think so?

Thanks!

Re: Just Internet

No, the PIX does not need the DNS information. It just 'relays' the DNS packets/requests (after performing the configured security checks) from the users towards the DNS server on the Internet, just like a router.

Regards

Farrukh

New Member

Re: Just Internet

Hi!

I have left configuring the PIX for Internet access. The only thing I need is to use the PIX to protect my Terminal Server by allowing only Remote Desktop access to it so that my users can use this server. Does the PIX provide maximum security with its default config, and how can I configure RDP access from the Internet to my Terminal Server through the PIX?

Thanks!

Re: Just Internet

Technically speaking, RDP is not a secure protocol; on Windows you can tunnel it inside 'HTTPS' (check the advanced options of the Terminal Services client), but it needs some extra configuration. Simple RDP can be opened like this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807d287e.shtml

Please rate helpful posts.

Farrukh

New Member

Re: Just Internet

What can be the other option, since I don't have a fixed IP in one of our branches and they are connecting through a wireless Internet connection that can't have a fixed IP?

Thanks!

Re: Just Internet

Is it the RDP server that does not have a fixed IP, or the client?

You can use dynamic DNS to get the IP of the remote host dynamically, but the ASA/PIX do not support ACL filtering based on hostnames.

Regards

Farrukh

New Member

Re: Just Internet

Definitely the clients do not have fixed ips.

Is there any other way I can use the PIX to secure my Terminal Server instead of using RDP?

Re: Just Internet

The clients having a dynamic IP is not the issue here. It is the server!

I already suggested RDP over HTTPS; please do a Google search on that.

Regards

Farrukh

New Member

Re: Just Internet

OK, thanks, but I've got two other problems. One is that Internet access is open on my Terminal Server through the PIX. I don't know how, but by chance I checked it and it was opening all the websites. How can I block it?

Secondly, I have a Cisco 1841 router in the head office which has two IPs. One is public and one is private, 192.168.2.1. This router is controlled by my ISP and I don't have access to it. People coming from all other branches are able to connect to my Terminal Server 192.168.2.2 through the PIX from the public IP, but people behind 192.168.2.1 are not able to connect to the Terminal Server. Do I need to add something else for this network in my PIX?

Thanks!
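
As an added example, not from the thread or from Cisco's linked document, here is how the two halves of the Terminal Server setup discussed above fit together on PIX 6.3: publishing only TCP/3389 of the server to the Internet, and stopping the server itself from starting outbound Internet connections. The server address 192.168.2.2 is the one given in the post; PUBLIC_IP is a placeholder for an address on the PIX outside interface, and the ACL names are assumptions.

```text
: Constructed example. PUBLIC_IP is a placeholder for the address the Terminal Server is published on.
: 1. One-to-one translation for the server, and an outside ACL that admits only RDP to it.
:    On PIX 6.x an ACL on the outside interface matches the translated (global) address, hence PUBLIC_IP.
static (inside,outside) PUBLIC_IP 192.168.2.2 netmask 255.255.255.255
access-list outside_in permit tcp any host PUBLIC_IP eq 3389
access-group outside_in in interface outside
:    Every other packet from the Internet falls through to the implicit deny at the end of outside_in.
:
: 2. Inside ACL: the server may not open connections through the PIX; the rest of the LAN keeps
:    the NAT-only access it has today. The inside ACL matches local addresses, and order matters.
:    Return traffic for the inbound RDP sessions is stateful and is not affected by this deny.
access-list inside_in deny ip host 192.168.2.2 any log
access-list inside_in permit ip any any
access-group inside_in in interface inside
:
: 3. Verify: hitcnt per line shows which entry each session matched; xlate shows the static is in place.
show access-list outside_in
show access-list inside_in
show xlate
```

The deny on `inside_in` is deliberately broad: a server that only accepts RDP has no reason to initiate anything towards the Internet, and a hit on that logged line is a useful signal that something on the server is trying to. If the server genuinely needs outbound access for a task (updates, for example), add a specific `permit` for that destination and port above the deny rather than removing it, and keep in mind Farrukh's earlier point that plain RDP carries no transport protection of its own.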
