Cisco Support Community
PIX 515 configuration help needed

I just inherited a PIX 515 box and have been asked to set it up. It has three interfaces: Inside, outside and a DMZ

I have done the basic interface naming, security assignments and IP addressing.

nameif gb-ethernet0 outside security0

nameif gb-ethernet1 inside security100

nameif ethernet0 dmz security50

Terminal server and web servers will be located in the DMZ

File server, MS SQL and Exchange 5.5 mail will be located inside

Could anyone help me configure the ACLs that will enable DMZ terminal server clients to access the file server, MS SQL and Exchange 5.5 server inside?

Also, a way to keep out any undesired traffic from outside getting to the DMZ or inside, while allowing RAS clients from the DMZ to go inside.

I do not plan to use any conduits, just ACL.

Thanks

2 REPLIES

Re: PIX 515 configuration help needed

Here is a good starter link: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/index.htm

This may not give you exactly what you are looking for, however, since you just inherited a PIX it is a very good overview that will lead into ACLs that you need. From this link, you can get to almost any PIX config information you are looking for.

Hope this gets you started!!

Re: PIX 515 configuration help needed

Statics allow dmz to access the inside:

static (inside,dmz) x.x.x.x x.x.x.x netmask 255.255.255.255 (where x.x.x.x is your internal exchange)

static (inside,dmz) y.y.y.y y.y.y.y netmask 255.255.255.255 (where y.y.y.y is your internal file server)

static (inside,dmz) z.z.z.z z.z.z.z netmask 255.255.255.255 (where z.z.z.z is your internal sql server)

Access-lists limit what the dmz can access on the inside:

access-list 101 permit tcp a.a.a.0 255.255.255.0 host x.x.x.x eq 25 (where a.a.a.0 is the dmz network)

access-list 101 permit tcp a.a.a.0 255.255.255.0 host y.y.y.y range 137 139 (file is 139 but MS needs the others as well)

access-list 101 permit tcp a.a.a.0 255.255.255.0 host z.z.z.z eq 66 (sql*net)

access-list 101 permit tcp a.a.a.0 255.255.255.0 host z.z.z.z eq 118 (sql services)

Terminal server runs over TCP port 3389. If other traffic you need gets blocked, do a show log or look at your syslog server to see what it is and create an entry in the acl to allow it (following acl format as above).

Hope it helps.

Steve
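Below is a complete PIX 6.x three-interface configuration that puts the statics and ACL from the reply above together with the pieces the reply leaves out: the outbound NAT, the statics that publish the DMZ servers, the ACL on the outside interface, and the access-group commands that actually bind the lists to interfaces. It is an added example, not configuration from the original thread or from Cisco. All addresses are constructed (RFC 5737 and RFC 1918 documentation ranges) and the host roles are assumed: 10.1.1.10 Exchange 5.5, 10.1.1.11 file server, 10.1.1.12 MS SQL and 10.1.1.20 a syslog host on the inside; 192.168.10.10 the terminal server and 192.168.10.11 the web server in the DMZ, published on 203.0.113.10 and .11. It assumes the "RAS clients" are remote users who log on to the DMZ terminal server over RDP, so only that host is allowed toward the inside. For MS SQL it uses TCP 1433, the default listener of a default SQL Server instance, rather than the IANA "sql*net"/"sqlserv" ports 66 and 118 quoted in the reply; for the file server it permits 139 and 445 (Windows 2000 and later use 445 for SMB without NetBIOS); for Exchange it permits SMTP (25) and the RPC endpoint mapper (135) only, which is enough for SMTP but not for Outlook MAPI clients, whose store and directory RPC ports are dynamic unless pinned in the registry on the Exchange server (add those pinned ports as further lines once you have set them).

```cisco
! Added example, not from the thread. Addresses are constructed; replace them.
! Interfaces exactly as in the original post
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif ethernet0 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! Outbound PAT for inside and dmz hosts (nat/global id 1); an explicit
! address is used instead of the "interface" keyword for older 6.x images
global (outside) 1 203.0.113.3
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 192.168.10.0 255.255.255.0

! Identity statics: the dmz reaches the inside servers by their real
! addresses (no translation), the same idea as the statics in the reply
static (inside,dmz) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
static (inside,dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255
static (inside,dmz) 10.1.1.12 10.1.1.12 netmask 255.255.255.255

! Publish the two dmz servers to the outside on their public addresses.
! No static (inside,outside) exists, so nothing inside is reachable from
! outside regardless of the ACL.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.10.11 netmask 255.255.255.255

! outside -> dmz: RDP to the terminal server, HTTP/HTTPS to the web server.
! Anything else from outside falls through to the implicit deny.
access-list outside_in permit tcp any host 203.0.113.10 eq 3389
access-list outside_in permit tcp any host 203.0.113.11 eq 80
access-list outside_in permit tcp any host 203.0.113.11 eq 443
access-group outside_in in interface outside

! dmz -> inside: only the terminal server, only to the three servers, only
! the ports those services need. Entries are matched top-down, first match
! wins, so the deny for the whole inside network sits after the permits and
! before the general outbound permit. Once an access-group is bound to dmz
! the default "higher security to lower is allowed" behaviour is gone, so
! the last permit is what lets dmz hosts reach the Internet at all.
access-list dmz_in permit tcp host 192.168.10.10 host 10.1.1.10 eq 25
access-list dmz_in permit tcp host 192.168.10.10 host 10.1.1.10 eq 135
access-list dmz_in permit tcp host 192.168.10.10 host 10.1.1.11 eq 139
access-list dmz_in permit tcp host 192.168.10.10 host 10.1.1.11 eq 445
access-list dmz_in permit tcp host 192.168.10.10 host 10.1.1.12 eq 1433
access-list dmz_in deny ip any 10.1.1.0 255.255.255.0
access-list dmz_in permit ip 192.168.10.0 255.255.255.0 any
access-group dmz_in in interface dmz

! Log denied packets to a syslog host on the inside and keep a local buffer
! so "show logging" shows the denies when no syslog server is up yet
logging on
logging timestamp
logging buffered informational
logging trap informational
logging host inside 10.1.1.20
```

To confirm the lists are doing what you expect, generate some traffic from the terminal server and run `show access-list dmz_in` and `show access-list outside_in`; the hit count on each line tells you which entry matched, and a deny that you did not intend shows up in `show logging` as a %PIX-4-106023 message naming the source, destination and port, which is the information you need to add a further permit line. Keep the permits host-specific as above rather than opening the whole DMZ network to the inside: if the web server in the DMZ is compromised, the only inside path it has is the explicit deny.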
