PIx Configuration

ishwar
Level 1

I have just started to configure the PIX Firewall.

But I am confused.

Here is the conf file.

PIX Version 6.2(2)
nameif ethernet0 backbone_251 security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
hostname dmg-fw
domain-name mos.com.np
access-list 101 permit icmp any any
access-list 110 permit tcp host 202.52.227.18 host 202.52.227.2 eq smtp
access-list 111 permit tcp host 202.52.227.10 host 202.52.227.18 eq smtp
access-list 111 permit tcp host 202.52.227.10 host 202.52.227.2 eq smtp
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 10baset
interface ethernet3 10baset
interface ethernet4 10baset shutdown
interface ethernet5 10baset shutdown
mtu backbone_251 1500
ip address backbone_251 202.52.251.3 255.255.255.0
ip address inside 202.52.227.1 255.255.255.248
ip address intf2 202.52.227.9 255.255.255.248
ip address intf3 202.52.227.17 255.255.255.248
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (intf3,backbone_251) 202.52.227.16 202.52.227.16 netmask 255.255.255.248 0 0
static (intf3,intf2) 202.52.227.16 202.52.227.16 netmask 255.255.255.248 0 0
static (intf2,backbone_251) 202.52.227.8 202.52.227.8 netmask 255.255.255.248 0 0
static (inside,intf2) 202.52.227.0 202.52.227.0 netmask 255.255.255.248 0 0
static (inside,intf3) 202.52.227.0 202.52.227.0 netmask 255.255.255.248 0 0
access-group 101 in interface backbone_251
access-group 111 in interface intf2
access-group 110 in interface intf3
route backbone_251 0.0.0.0 0.0.0.0 202.52.251.1 1

But as soon as I apply access-list 110 to interface intf3, it obeys the rule

access-list 110 permit tcp host 202.52.227.18 host 202.52.227.2 eq smtp

but it closes the connections to the lower interfaces. For example, I cannot browse from intf3. Now, should I add an access-list to permit traffic to the lower interfaces??

Please help me

Ishwar

3 Replies

bdube
Level 2

Hi Ishwar,

To your question: yes, you must configure an access-list for the lower interface. The moment you use an access-list on an interface, you must specify all rules to permit/deny any traffic passing through this interface.

Ben
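An added illustration of what "specify all rules" comes to for intf3 in the configuration posted above; this is the editor's example, not configuration from Ishwar's post or from Ben's reply. Interface names and addresses are taken from the posted config. The assumption that hosts on 202.52.227.16/29 need outbound HTTP, HTTPS and DNS is mine, so treat that port list as a placeholder for whatever those hosts actually originate. Comment lines start with a colon, the PIX comment prefix; drop them if your version rejects them.

```text
: Rewritten access-list 110 for interface intf3 (security15).
: Binding any access-group to an interface replaces that interface's
: default "permit to lower-security interfaces" behaviour with the list
: itself, and anything not matched hits the implicit deny at the end.
: So the list has to carry every flow intf3 hosts are allowed to start.

: 1. The flow the original list was written for: the intf3 mail host
:    relaying to the inside mail host. Inside is security100, so this is
:    lower-to-higher and must be permitted explicitly.
access-list 110 permit tcp host 202.52.227.18 host 202.52.227.2 eq smtp

: 2. Outbound browsing from the intf3 subnet toward backbone_251
:    (security0). These are the sessions the question describes as
:    "closed": backbone_251 is a lower-security interface, but the
:    default permit no longer applies once the access-group is bound.
:    (Assumed ports; adjust to what the hosts really use.)
access-list 110 permit tcp 202.52.227.16 255.255.255.248 any eq www
access-list 110 permit tcp 202.52.227.16 255.255.255.248 any eq 443
access-list 110 permit udp 202.52.227.16 255.255.255.248 any eq 53

: 3. Explicit denies for the higher-security subnets (inside and intf2
:    per the posted "ip address" lines). The implicit deny would drop
:    this traffic anyway; listing it documents intent and gives hit
:    counters in "show access-list" when something on intf3 probes them.
access-list 110 deny ip any 202.52.227.0 255.255.255.248
access-list 110 deny ip any 202.52.227.8 255.255.255.248

: Bind the list inbound on intf3, exactly as in the original config.
access-group 110 in interface intf3
```

Keep the permits ordered with the most specific host-to-host entries first, and check "show access-list" hit counters after applying it: a line with zero hits after normal use is either unneeded or shadowed by an earlier entry.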

Hi Ben,

Thanks a lot.

Now, is there any way to configure the PIX so that

it does not affect the default behavior when I apply a rule to access the higher interface, so that I do not have to add a long access-list again?

Ishwar

Unfortunately, an ACL affects the default behavior. Then either you use it or not. But since your access-list only applies to SMTP servers between inside and the DMZ, you can use "NAT 0 access-list id" between those servers. The "NAT 0 access-list id" is applied to the inside interface and leaves incoming or outgoing traffic that matches the specified access-list. That way, I suppose you can simply remove your ACL 110 applied to intf3, to keep the default behavior (browsing), and permit traffic between your SMTP servers.

Hope this helps

Ben
