06-11-2010 04:12 AM - edited 03-11-2019 10:58 AM
hi, i have a request of providing access for any inside user in pix. So that they can access the public ip 79.125.x.x to the port 3128 or 8080 0r 443 or 80. Although in pix from inside to outside all are accessible.
Below is the configuration we have done for that marked in blue....
PIX Version 7.2(2)
!
hostname
enable password 54KV/iNGn6iowxMX encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.18.254 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.100.2 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd 54KV/iNGn6iowxMX encrypted
ftp mode passive
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp host x.x.x.x host 192.168.17.9 eq citrix-ica
access-list 101 extended permit tcp host x.x.x.x host 192.168.17.9 eq 2598
access-list 101 extended permit tcp any host 192.168.17.9 eq 2598
access-list 101 extended permit tcp any host 192.168.17.9 eq citrix-ica
access-list 101 extended permit tcp any host 79.125.8.156 eq 3128
access-list 101 extended permit tcp any host 79.125.8.156 eq 8080
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq 3128
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq 8080
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq www
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq https
access-list 101 extended permit tcp any interface outside eq 3128
access-list 101 extended permit tcp any interface outside eq https
access-list 101 extended permit tcp any interface outside eq 8080
access-list 101 extended permit tcp any interface outside eq www
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.18.1 1
route inside 192.168.42.0 255.255.255.0 172.16.100.1 1
route inside 192.168.20.0 255.255.255.0 172.16.100.1 1
route inside 175.10.10.0 255.255.255.0 172.16.100.1 1
route inside 170.10.10.0 255.255.255.0 172.16.100.1 1
<--- More --->
route inside 192.168.17.0 255.255.255.0 172.16.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
snmp-server host inside 192.168.17.6 community xxxx version 2c
no snmp-server location
no snmp-server contact
snmp-server community xxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0c833b0c4d6d76f063dee0e1680499e2
: end
so pplease let me know whether this configuration is right or wrong ?? or i have missed something.....
Waiting for ur reply ASAP......
Solved! Go to Solution.
06-11-2010 05:10 AM
It looks like 79.125.8.156 is some sort of web proxy server/web filtering server.
Are you trying to restrict all users, so that they can only access the proxy server, and nothing else?
If that is the case, then what you need is something like the following;
access-list 102 permit tcp any host 79.125.8.156 eq http
access-list 102 permit tcp any host 79.125.8.156 eq 443
access-list 102 permit tcp any host 79.125.8.156 eq 8080
access-list 102 permit tcp any host 79.125.8.156 eq 3128
access-group 102 in interface inside
With the above configuration, your inside host may have their browser to use the proxy server, and get to browse the internet after authentication.
They will not be able to browse the internet without going through the proxy server. Any other traffic will be denied.
The lines in blue are incorrect as mentioned by Andrew.
If I have misunderstood your intention, it will be best to provide source ip/protocol/port and destination ip/protocol/port of the traffic you want to pass though the pix. And some clarification of the host 79.125.8.156 is supposed to do, and what the subnet 208.87.137.0 255.255.255.0 represent
06-11-2010 04:31 AM
By default ALL traffic from the inside to the outside is permitted.
The config:-
access-list 101 extended permit tcp any host 79.125.8.156 eq 3128 - does nothing
access-list 101 extended permit tcp any host 79.125.8.156 eq 8080 - does nothing
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq 3128- does nothing
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq 8080 - does nothing
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq www- does nothing
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq https - does nothing
access-list 101 extended permit tcp any interface outside eq 3128 - allows ANY device from the outside to connec to the pix outside interface using TCP port 3128
access-list 101 extended permit tcp any interface outside eq https - allows ANY device from the outside to connec to the pix outside interface using TCP port 443
access-list 101 extended permit tcp any interface outside eq 8080 - allows ANY device from the outside to connec to the pix outside interface using TCP port 8080
access-list 101 extended permit tcp any interface outside eq www - allows ANY device from the outside to connec to the pix outside interface using TCP port 80
This config is wrong - what are you trying to do?
06-11-2010 05:10 AM
It looks like 79.125.8.156 is some sort of web proxy server/web filtering server.
Are you trying to restrict all users, so that they can only access the proxy server, and nothing else?
If that is the case, then what you need is something like the following;
access-list 102 permit tcp any host 79.125.8.156 eq http
access-list 102 permit tcp any host 79.125.8.156 eq 443
access-list 102 permit tcp any host 79.125.8.156 eq 8080
access-list 102 permit tcp any host 79.125.8.156 eq 3128
access-group 102 in interface inside
With the above configuration, your inside host may have their browser to use the proxy server, and get to browse the internet after authentication.
They will not be able to browse the internet without going through the proxy server. Any other traffic will be denied.
The lines in blue are incorrect as mentioned by Andrew.
If I have misunderstood your intention, it will be best to provide source ip/protocol/port and destination ip/protocol/port of the traffic you want to pass though the pix. And some clarification of the host 79.125.8.156 is supposed to do, and what the subnet 208.87.137.0 255.255.255.0 represent
06-11-2010 06:11 AM
Thanks Andrew and Edadios for your support and comments. Actually this configuration has been done by our client and send it to us for checking. Also Edadios, you are absolutely correct about our requirements.
Open TCP ports: 80, 443, 3128,8080 to the following range 208.87.137.0 - 208.87.137.255 and 208.87.136.0 - 208.87.136.255 for any inside user
Open TCP ports: 3128 and 8080 to the following IP’s and IP Ranges 194.116.198.0 - 194.116.198.255 and 79.125.8.156 for any inside user.
Thanks once again for your support.
06-11-2010 07:40 AM
hi,
For the follwing....
Open TCP ports: 80, 443, 3128,8080 to the following range 208.87.137.0 - 208.87.137.255 and 208.87.136.0 - 208.87.136.255
we applied the below commands....
access-list 102 permit tcp any 208.87.136.0 255.255.255.0 eq 3128
access-list 102 permit tcp any 208.87.136.0 255.255.255.0 eq 8080
access-list 102 permit tcp any 208.87.136.0 255.255.255.0 eq 443
access-list 102 permit tcp any 208.87.136.0 255.255.255.0 eq 80
access-list 102 permit tcp any 208.87.137.0 255.255.255.0 eq 3128
access-list 102 permit tcp any 208.87.137.0 255.255.255.0 eq 8080
access-list 102 permit tcp any 208.87.137.0 255.255.255.0 eq 443
access-list 102 permit tcp any 208.87.137.0 255.255.255.0 eq 80
Please rectify the same if it is wrong...........
waiting for ur help......
06-15-2010 10:26 PM
That is correct .
Regards,
06-16-2010 12:26 AM
Hi Edadios,
Thanks for your reply and guidance.
Regards,
Tuhin
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: