10-15-2002 01:42 PM - edited 02-20-2020 10:18 PM
I just inherited a PIX 515 box and have been asked to set it up. It has three interfaces: inside, outside and a DMZ.
I have done the basic interface naming, security assignments and IP addressing.
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif ethernet0 dmz security50
Terminal server and web servers will be located in the DMZ
File server, MS SQL and Exchange 5.5 mail will be located inside
Could anyone help me configure the ACLs that will enable DMZ terminal server clients to access the file server, MS SQL and Exchange 5.5 server inside?
Also, a way to keep any undesired traffic from outside getting to the DMZ or inside, while allowing RAS clients from the DMZ to go inside.
I do not plan to use any conduits, just ACL.
Thanks
10-15-2002 02:51 PM
Here is a good starter link: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/index.htm
This may not give you exactly what you are looking for; however, since you just inherited a PIX, it is a very good overview that will lead into the ACLs you need. From this link, you can get to almost any PIX config information you are looking for.
Hope this gets you started!!
10-15-2002 03:07 PM
Statics allow dmz to access the inside:
static (inside,dmz) x.x.x.x x.x.x.x netmask 255.255.255.255 (where x.x.x.x is your internal exchange)
static (inside,dmz) y.y.y.y y.y.y.y netmask 255.255.255.255 (where y.y.y.y is your internal file server)
static (inside,dmz) z.z.z.z z.z.z.z netmask 255.255.255.255 (where z.z.z.z is your internal sql server)
Access-lists limit what the dmz can access on the inside:
access-list 101 permit tcp a.a.a.0 255.255.255.0 host x.x.x.x eq 25 (where a.a.a.0 is the dmz network)
access-list 101 permit tcp a.a.a.0 255.255.255.0 host y.y.y.y range 137 139 (file is 139 but MS needs the others as well)
access-list 101 permit tcp a.a.a.0 255.255.255.0 host z.z.z.z eq 66 (sql*net)
access-list 101 permit tcp a.a.a.0 255.255.255.0 host z.z.z.z eq 118 (sql services)
Terminal server runs over TCP port 3389. If other traffic you need gets blocked, do a show log or look at your syslog server to see what it is and create an entry in the acl to allow it (following acl format as above).
Hope it helps.
Steve
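As an added example (not from either reply), here is a fuller PIX 6.x configuration for this topology that ties the statics and the access-list together with the access-group that actually applies the list, and restricts the inside-bound rules to the terminal server host rather than the whole DMZ. All addresses are assumed, as is MS SQL listening on its default TCP port 1433 and the terminal server being published to outside clients on 3389.

```text
! Assumed addressing (placeholders, not from the thread):
!   dmz    192.168.50.0/24, terminal server 192.168.50.10
!   inside 10.1.1.0/24: Exchange 10.1.1.10, file server 10.1.1.20, SQL 10.1.1.30
!   outside: 203.0.113.10 is the assumed public address for the terminal server

! Identity statics expose the three inside servers to the lower-security dmz.
! Nothing else on the inside is reachable from the dmz, because it has no static.
static (inside,dmz) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255
static (inside,dmz) 10.1.1.30 10.1.1.30 netmask 255.255.255.255

! Inbound on dmz: only the terminal server, only the needed ports, first match wins.
access-list dmz_in permit tcp host 192.168.50.10 host 10.1.1.10 eq 25
access-list dmz_in permit tcp host 192.168.50.10 host 10.1.1.20 eq 139
access-list dmz_in permit udp host 192.168.50.10 host 10.1.1.20 range 137 138
access-list dmz_in permit tcp host 192.168.50.10 host 10.1.1.30 eq 1433
! Explicit deny at the end so the drop is visible in "show access-list" hit counts
! and in the syslog; the PIX would deny anyway (implicit deny).
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! Outside: the inside has no (inside,outside) static, so it is unreachable from
! outside. Publish only the terminal server, only on 3389.
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq 3389
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

Outlook (MAPI) clients on the terminal server also need TCP 135 plus the RPC ports to the Exchange server; Exchange 5.5 lets you pin those ports in the registry so they can be listed in dmz_in instead of opening a dynamic range.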