01-14-2003 11:09 PM - edited 03-09-2019 01:41 AM
I have a PIX 506E. The configuration is basic and mostly like it came out of the box.
The other day I wanted to add a static mapping to allow inbound access to a web server (port 80). I added a static statement, an access-list statement, and an access group statement. When I did that the inside computers could no longer access the internet. I removed all three statments and did a clear xlate so I could find out which statement caused the problem. I re-entered the static statement and it turns out that it was the static statment causing the problem.
I was using one external IP address for PAT and another to do the static mapping with. The static statement looked like:
static (inside,outside) 10.0.0.15 192.168.0.55 netmask 255.255.255.255.
I found this statement on one of the cisco support pages:
"If you specify an access-list command statement and bind it to an interface with the access-group command statement, by default, all traffic inbound to that interface is denied. You must explicitly permit traffic. Note that "inbound" in this context means traffic passing through the interface, rather than the more typical PIX Firewall usage of inbound meaning traffic passing from a lower security level interface to a higher security level interface."
In another document I found the following statement:
"By default, there are no access restrictions on outbound connections through the PIX. This means that if there is no ACL configured for the source interface, then, by default, the outbound connection will be allowed if there is a translation method configured. "
I am curious if both of these are telling me that I need to add two statements like:
access-list acl_outbound permit ip any any AND
access-group acl_outbound in interface inside.
I don't see why I would need to do this since the static statement alone killed the outbound connection. Or is it something else
Also (and unrelated to the above) what about the statement:
"IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX. [snip]. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests fail consistently."
Can someone explain that to me.
thanks
01-15-2003 09:20 AM
Frank,
Assuming that 10.0.0.15 is the IP address provided to you by your service provider, your 'static' statement is corrent. I don't mind helping you by checking your configuration. You can send it to me to my email address (rob.bleeker@nexinnovations.com). Just replace your real addresses with bogus addresses and remove username/password information.
01-15-2003 08:30 PM
The external addresses come from a router outside the pix that I am using to create a DMZ since the 506E only has two interfaces.
The configuration follows:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXX encrypted
hostname XXXXXXXX
domain-name XXXXXXX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit deny icmp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide