02-12-2004 06:06 AM - edited 03-09-2019 06:24 AM
Hey guys, I need help. Please check out my configuration and help me permit selected PCs to use messenger programs.
thanks
soldier
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
clock timezone AST 3
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.16.1.14 Proxy_Server
name 172.16.1.12 DNS_Server
name 172.16.1.87 SysLogServer
name 172.16.1.15 A3MX
name 192.168.1.1 MailGateway
name 172.19.1.14 D3MX
access-list compiled
access-list inside_outbound_nat0_acl permit ip any 10.10.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 172.16.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list outside_authentication_csnt deny tcp any host 212.102.23.36 eq smtp
access-list outside_authentication_csnt permit ip any any
access-list outside_authorization_csnt deny tcp any host 212.102.23.36 eq smtp
access-list outside_authorization_csnt permit ip any any
access-list outside_accounting_csnt deny tcp any host 212.102.23.36 eq smtp
access-list outside_accounting_csnt permit ip any any
access-list outside_access_in permit tcp any host 212.102.23.36 eq smtp
access-list outside_access_in permit tcp any host 212.102.23.38 eq www
access-list outside_access_in permit tcp any host 212.102.23.39 eq www
access-list vpngroup_splitTunnelAcl permit ip 172.16.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 10.10.10.0 255.255.255.0
access-list dmz_access_in permit udp host MailGateway any eq domain
access-list dmz_access_in permit tcp host MailGateway any eq smtp
access-list dmz_access_in permit tcp host MailGateway host 192.168.1.15
access-list dmz_access_in permit tcp host MailGateway host 192.168.1.14
access-list inside_access_in permit tcp host Proxy_Server any
access-list inside_access_in permit tcp host A3MX host MailGateway
access-list inside_access_in permit tcp host Ar3MX any eq www
access-list inside_access_in permit udp host DNS_Server any
access-list inside_access_in permit tcp host DSvr3MX host MailGateway
access-list inside_access_in permit tcp host DSvr3MX any eq www
pager lines 24
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any redirect outside
icmp permit any time-exceeded outside
ip address outside 212.102.23.34 255.255.255.240
ip address inside 172.16.1.2 255.255.0.0
ip address dmz 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool poolname 10.10.10.1-10.10.10.254
pdm location 172.16.1.1 255.255.255.255 inside
pdm location Proxy_Server 255.255.255.255 inside
pdm location 172.16.1.34 255.255.255.255 inside
pdm location SysLogServer 255.255.255.255 inside
pdm location 172.16.1.1 255.255.255.255 dmz
pdm location 172.16.0.0 255.255.0.0 dmz
pdm location DNS_Server 255.255.255.255 inside
pdm location A3MX 255.255.255.255 inside
pdm location 10.10.10.0 255.255.255.0 outside
pdm location MailGateway 255.255.255.255 dmz
pdm location 172.16.1.11 255.255.255.255 inside
pdm location D3MX 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,outside) 212.102.23.35 Proxy_Server netmask 255.255.255.255 500 300
static (inside,outside) 212.102.23.37 DNS_Server netmask 255.255.255.255 0 0
static (inside,outside) 212.102.23.38 A3MX netmask 255.255.255.255 500 250
static (inside,dmz) 192.168.1.15 AMX netmask 255.255.255.255 0 0
static (dmz,outside) 212.102.23.36 MailGateway netmask 255.255.255.255 500 250
static (inside,dmz) 192.168.1.14 D3MX netmask 255.255.255.255 0 0
static (inside,outside) 212.102.23.39 D3MX netmask 255.255.255.255 500 250
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 212.102.23.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:15:00 absolute uauth 0:05:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server csnt protocol tacacs+
aaa-server csnt (inside) host DNS_Server secretkey timeout 5
aaa authentication http console csnt
aaa authentication ssh console csnt
aaa authentication telnet console csnt
aaa authentication match outside_authentication_csnt outside csnt
aaa authorization match outside_authorization_csnt outside csnt
aaa accounting match outside_accounting_csnt outside csnt
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 8080 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 8080 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside SysLogServer \cisco
floodguard enable
sysopt connection permit-ipsec
auth-prompt prompt Authentication process from the Firewall...
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication csnt
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngroup address-pool poolname
vpngroup vpngroup split-tunnel vpngroup_splitTunnelAcl
vpngroup vpngroup idle-time 1800
telnet SysLogServer 255.255.255.255 inside
telnet 172.16.1.34 255.255.255.255 inside
telnet 172.16.1.1 255.255.255.255 inside
telnet 172.16.1.11 255.255.255.255 inside
telnet timeout 60
ssh 172.16.1.2 255.255.255.255 inside
ssh timeout 5
console timeout 0
02-12-2004 06:18 AM
Hi -
What kind of messenger programs, i.e. MSN/AOL, etc.?
And have you got any syslog messages that you can provide?
Thanks - Jay.
02-12-2004 07:02 AM
Since you have an access-list bound to the inside interface, you will have to permit the TCP/UDP port numbers that are used from the internal subnet to any.
So, you would have to add something like this:
access-list inside_access_in permit tcp
This one would be for MSN Messenger. Other messengers use other ports. Here's a good link where you will find the ports used by several kinds of messengers:
Kind regards,
Leo
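A worked version of Leo's suggestion against the posted config, added here as an example and not part of the thread; the PC address 172.16.1.50, the name Messenger_PC1 and the nat/global id 1 are assumptions. One caveat the thread does not mention: the posted config has no nat/global pair, only `nat (inside) 0` for the VPN pool plus the statics, so a PC without a static translation has no path to the outside at all, and an ACL permit alone would change nothing.

```text
! Added example (not from the thread). Assumed: the selected PC is 172.16.1.50.
! 1. Give the host a readable name, matching the style already used in the config.
name 172.16.1.50 Messenger_PC1

! 2. The posted config only has 'nat (inside) 0' (identity NAT for the VPN pool)
!    and statics, so an ordinary inside PC is never translated to the outside.
!    Translate just this one host (PAT to the outside interface address) so the
!    rest of 172.16.0.0/16 does not gain Internet access as a side effect.
global (outside) 1 interface
nat (inside) 1 Messenger_PC1 255.255.255.255 0 0

! 3. inside_access_in ends in an implicit deny, so only listed flows may leave.
!    MSN Messenger signs in over TCP 1863; permit it from this host only.
access-list inside_access_in permit tcp host Messenger_PC1 any eq 1863

! 4. Everything else from the PC stays blocked by the implicit deny; return
!    traffic is allowed by the stateful connection table, not by the ACL.
```

Check the result with `show access-list inside_access_in` (the hit counter on the new line should increment when the client signs in) and `show xlate` (a translation for Messenger_PC1 should appear).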