pix config problem

Hi, I am having trouble configuring a 506e firewall which is currently set up in a lab. I think there is a problem with the ACLs or the static routing, but I'm not sure, so here is the config.

thanks

Alex

3 REPLIES

Re: pix config problem

Could you please elaborate as to what you are trying to achieve and where are you facing the problem?

Narayan


Re: pix config problem

Sorry, I am trying to allow ICMP and WWW through the firewall to start with. Currently I can ping both interfaces from their sides of the PIX but cannot ping through the PIX.

thanks

Alex


Re: pix config problem

Try the modified configuration (attached) - I have included only www and smtp access. By default the PIX will allow all connections outbound (higher security interface to lower security interface), but if you need any services such as smtp/www allowed into your internal network then you'll need an ACL and a static for this process.

Make sure that your MX record is pointing to the correct public IP address which is bound to the outside interface for smtp, and likewise for www access.

Also, note - if you only have the one public IP address and this is being used by the outside interface, then you can substitute the ACLs and statics as follows (the PIX port static needs the inside server's address between the global and local ports; the placeholders below stand in for it):

access-list outside_in permit tcp any host 194.74.152.163 eq smtp
access-list outside_in permit tcp any host 194.74.152.163 eq www
access-group outside_in in interface outside
static (inside,outside) tcp interface smtp <inside_smtp_server_ip> smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www <inside_web_server_ip> www netmask 255.255.255.255 0 0

After the modifications, issue write mem and also issue clear xlate.

To test for connectivity via the PIX, configure the following on the outside interface:

access-list outside_in permit tcp any host 194.74.152.163 eq smtp
access-list outside_in permit tcp any host 194.74.152.163 eq www
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-group outside_in in interface outside

You should take the icmp commands out when you have finished testing.

Again, save with write mem and also issue clear xlate.

Hope this helps and if you need any further help then let us know.

Please rate posts if it helps!!!
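As an added check, not part of the original thread, the Python audit below reads PIX access-list and static lines of the form shown in the reply and reports inbound TCP ports permitted on the outside address with no matching port static (the traffic is dropped), statics with no ACL entry, and ICMP test entries still present. The sample configuration is constructed from the reply; INSIDE_SERVER_IP is a placeholder, since the thread never gives the internal server's address.

```python
import re
from typing import Dict, List

# Constructed sample based on the reply above; INSIDE_SERVER_IP is a placeholder
# because the thread never states the internal server's address.
SAMPLE_CONFIG = """
access-list outside_in permit tcp any host 194.74.152.163 eq smtp
access-list outside_in permit tcp any host 194.74.152.163 eq www
access-list outside_in permit icmp any any echo-reply
access-group outside_in in interface outside
static (inside,outside) tcp interface smtp INSIDE_SERVER_IP smtp netmask 255.255.255.255 0 0
"""

# Inbound TCP permit: "access-list NAME permit tcp any {host IP | interface IF} eq PORT"
ACL_TCP_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+tcp\s+any\s+"
    r"(?:host\s+\S+|interface\s+\S+)\s+eq\s+(\S+)$")
# Port static: "static (inside,outside) tcp {GLOBAL_IP | interface} GPORT LOCAL_IP LPORT netmask ..."
STATIC_RE = re.compile(
    r"^static\s+\(inside,outside\)\s+tcp\s+(?:interface|\S+)\s+(\S+)\s+\S+\s+\S+\s+netmask\b")
ICMP_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+icmp\s+any\s+any\b")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+outside$")


def audit_inbound(config: str) -> Dict[str, List[str]]:
    """Cross-check inbound ACL entries against port statics in a PIX config fragment."""
    permitted, translated, icmp, bound = set(), set(), [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_TCP_RE.match(line):
            permitted.add(m.group(2))
        elif m := STATIC_RE.match(line):
            translated.add(m.group(1))
        elif ICMP_RE.match(line):
            icmp.append(line)
        elif m := GROUP_RE.match(line):
            bound.add(m.group(1))
    return {
        # ACL permits the port but nothing translates it inward: packets are dropped
        "acl_without_static": sorted(permitted - translated),
        # a static exists but the ACL never permits it: one ACL line away from exposure
        "static_without_acl": sorted(translated - permitted),
        # entries the reply says to remove once testing is finished
        "icmp_test_entries": icmp,
        # ACL names actually applied inbound on the outside interface
        "bound_to_outside": sorted(bound),
    }


if __name__ == "__main__":
    for key, val in audit_inbound(SAMPLE_CONFIG).items():
        print(f"{key}: {val}")
```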
