08-17-2003 03:24 AM - edited 02-20-2020 10:56 PM
I have just started to configure the PIX Firewall, but I am confused.
Here is the config file.
PIX Version 6.2(2)
nameif ethernet0 backbone_251 security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
hostname dmg-fw
domain-name mos.com.np
access-list 101 permit icmp any any
access-list 110 permit tcp host 202.52.227.18 host 202.52.227.2 eq smtp
access-list 111 permit tcp host 202.52.227.10 host 202.52.227.18 eq smtp
access-list 111 permit tcp host 202.52.227.10 host 202.52.227.2 eq smtp
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 10baset
interface ethernet3 10baset
interface ethernet4 10baset shutdown
interface ethernet5 10baset shutdown
mtu backbone_251 1500
ip address backbone_251 202.52.251.3 255.255.255.0
ip address inside 202.52.227.1 255.255.255.248
ip address intf2 202.52.227.9 255.255.255.248
ip address intf3 202.52.227.17 255.255.255.248
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (intf3,backbone_251) 202.52.227.16 202.52.227.16 netmask 255.255.255.248 0 0
static (intf3,intf2) 202.52.227.16 202.52.227.16 netmask 255.255.255.248 0 0
static (intf2,backbone_251) 202.52.227.8 202.52.227.8 netmask 255.255.255.248 0 0
static (inside,intf2) 202.52.227.0 202.52.227.0 netmask 255.255.255.248 0 0
static (inside,intf3) 202.52.227.0 202.52.227.0 netmask 255.255.255.248 0 0
access-group 101 in interface backbone_251
access-group 111 in interface intf2
access-group 110 in interface intf3
route backbone_251 0.0.0.0 0.0.0.0 202.52.251.1 1
But as soon as I apply 110 on interface intf3, it obeys the rule
access-list 110 permit tcp host 202.52.227.18 host 202.52.227.2 eq smtp
but it closes the connections to the lower interface. For example, I cannot browse from intf3. Now, should I add an access-list to permit traffic on the lower interface??
Please help me
Ishwar
08-17-2003 06:28 AM
Hi Ishwar,
To your question: yes, you must configure an access-list on the lower interface. The moment you use an access-list on an interface, you must specify all rules to permit/deny any traffic passing through that interface.
Ben
08-17-2003 08:21 PM
Hi Ben,
Thanks a lot.
Now, is there any way to configure the PIX so that it does not affect the default behavior when I apply a rule to access the higher interface, so that I do not have to add a long access-list again?
Ishwar
08-18-2003 03:49 AM
Unfortunately, an ACL affects the default behavior; either you use it or you don't. But since your access-list only applies to SMTP servers between inside and the DMZ, you can use "nat 0 access-list id" between those servers. The "nat 0 access-list id" is applied to the inside interface and lets through incoming or outgoing traffic that matches the specified access-list. That way, I suppose you can simply remove your ACL 110 applied to intf3 to keep the default behavior (browsing) and permit traffic between your SMTP servers.
Hope this helps
Ben
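As an added example (not from the thread), here is how ACL 110 on intf3 could be written so that the SMTP flow Ishwar needs stays permitted while browsing from intf3 keeps working, following Ben's first point that once an ACL is applied to an interface it must list every flow that interface may pass. The DNS/HTTP/HTTPS lines are an assumption about what "browsing" needs, and the two explicit denies are an assumption that intf3 hosts should reach nothing else on the inside and intf2 subnets beyond the SMTP flow.

```text
! Added example, not from the thread. Rebuilds ACL 110 for intf3 (security15).
! Once access-group is applied, intf3 loses its implicit permit toward lower
! interfaces and ends with an implicit deny, so every needed flow is listed.
no access-list 110
! The SMTP flow from the thread: intf3 mail host -> inside mail server.
access-list 110 permit tcp host 202.52.227.18 host 202.52.227.2 eq smtp
! Assumption: nothing else from the intf3 subnet may reach inside or intf2.
! These denies sit before the web permits so "any" below cannot match them.
access-list 110 deny ip 202.52.227.16 255.255.255.248 202.52.227.0 255.255.255.248
access-list 110 deny ip 202.52.227.16 255.255.255.248 202.52.227.8 255.255.255.248
! Assumption: "browsing" means DNS plus HTTP/HTTPS out toward backbone_251.
access-list 110 permit udp 202.52.227.16 255.255.255.248 any eq domain
access-list 110 permit tcp 202.52.227.16 255.255.255.248 any eq www
access-list 110 permit tcp 202.52.227.16 255.255.255.248 any eq 443
! Explicit final deny: same effect as the implicit one, but its hit count
! is visible in "show access-list", which makes blocked flows easy to spot.
access-list 110 deny ip any any
access-group 110 in interface intf3
```

Lines starting with `!` are explanation only and are not part of the configuration; after applying, `show access-list` shows per-line hit counts so you can confirm that SMTP and browsing match the intended entries rather than the final deny.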