Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
652
Views
0
Helpful
2
Replies

PIX 515 configuration help needed

ukay
Level 1
Level 1

‎10-15-2002 01:42 PM - edited ‎02-20-2020 10:18 PM

I just inherited a PIX 515 box and have been asked to set it up. It has three interfaces: Inside, outside and a DMZ

I have done the basic interface naming, security asignments and IP addressing.

nameif gb-ethernet0 outside security0

nameif gb-ethernet1 inside security100

nameif ethernet0 dmz security50

Terminal server and web servers will be located in the DMZ

File server, MS SQL and Exchange 5.5 mail will be located inside

Could anyone help me configure the ACLs that will enable DMZ terminal server clients to access file server, MS SQL and Exchange 5.5 server inside

Also a way to keep out any undesired traffic from outside getting to DMZ or inside while allowing RAS clients from DMZ to go inside

I do not plan to use any conduits, just ACL.

Thanks

0 Helpful
2 Replies 2

b-pelphrey
Level 1
Level 1

‎10-15-2002 02:51 PM

Here is a good starter link: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/index.htm

This may not give you exactly what you are looking for, however, since you just inherited a PIX it is a very good overview that will lead into ACLs that you need. From this link, you can get to almost any PIX config information you are looking for.

Hope this gets you started!!

0 Helpful

steve.barlow
Level 7
Level 7

‎10-15-2002 03:07 PM

Statics allow dmz to access the inside:

static (inside,dmz) x.x.x.x x.x.x.x netmask 255.255.255.255 (where x.x.x.x is your internal exchange)

static (inside,dmz) y.y.y.y y.y.y.y netmask 255.255.255.255 (where y.y.y.y is your internal file server)

static (inside,dmz) z.z.z.z z.z.z.z netmask 255.255.255.255 (where z.z.z.z is your internal sql server)

Access-lists limit what the dmz can access on the inside:

access-list 101 permit tcp a.a.a.0 255.255.255.0 host x.x.x.x eq 25 (where a.a.a.0 is the dmz network)

access-list 101 permit tcp a.a.a.0 255.255.255.0 host y.y.y.y range 137 139 (file is 139 but MS needs the others as well)

access-list 101 permit tcp a.a.a.0 255.255.255.0 host y.y.y.y eq 66 (sql*net)

access-list 101 permit tcp a.a.a.0 255.255.255.0 host y.y.y.y eq 118 (sql services)

Terminal server runs over TCP port 3389. If other traffic you need gets blocked, do a show log or look at your syslog server to see what it is and create an entry in the acl to allow it (following acl format as above).

Hope it helps.

Steve

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card