07.02.2008 at 02:59PM PDT, ID: 23535281 | Points: 500

Pix and internet connectivity for one IP address.

Asked by mark_robohm in Cisco PIX Firewall, Networking Hardware Firewalls

Tags: Cisco, PIX IOS, 6.2.2

We have a PIX 515 with IOS 6.2.2

The IP address is named in the ACL as SQL2005. All the redactions with xxx.xxx.xxx.10 are the same as SQL2005.
Network connectivity internally
Replication to other networks behind the PIX works ok. I need to FTP out to another site outside the wall for data transfer to a vendor. Cannot get outside of the PIX.

Just put in what I thought might be pertinent. Please let me know.

Snippet attached
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aDWaYtze.ygXPuOL encrypted
passwd kFjQ3Iup8bYcrWG8 encrypted
hostname pix-xxxxxxxxxxxx
domain-name-xxxxxxxxxxxx
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name xxx.xxx.xxx.0 xxxxxxxx
name xxx.xxx.xxx.0 PIX-VPN-IP-RANGE
name xxx.xxx.xxx.10 SQL2005
access-list out2in permit tcp any host SQL2005
access-list out2in permit tcp host xxx.xxx.xxx.xxx host SQL2005 eq 1433
access-list out2in permit tcp any host SQL2005 eq 1433
access-list out2in permit tcp any host xx.xxx.xxx.10 eq 1433
access-list out2in permit tcp any host xx.xxx.xxx.10 eq ftp
access-list out2in permit tcp any host SQL2005 eq ftp
 
access-list inside_outbound_nat0_acl permit ip host SQL2005 nameredacted 255.255.255.0
access-list outside_cryptomap_dyn_20 deny ip any PIX-VPN-IP-RANGE 255.255.255.128
access-list outside_cryptomap_40 permit ip host SQL2005 nameredacted 255.255.255.0
access-list OUT2IN permit tcp host xxx.xxx.xxx.4 host SQL2005 eq 1433
pager lines 24
logging on
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.1 255.255.255.192
ip address inside xxx.xxx.xxx.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-PPTP-IP-POOL xxx.xxx.xxx.1-xxx.xxx.xxx.xxx
ip local pool ippool 
 
pdm location SQL2005 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
 
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) SQL2005 SQL2005 netmask 255.255.255.255 0 0
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx 1
route inside xxxx.xxx.xxx.1 255.255.255.255 xxxxxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host xxx.xxxx.xxxx.xxxx timeout 5
aaa-server RADIUS (inside) host xxx.xxx.xxxx.xxx  xxxxxxxx timeout 5
aaa-server LOCAL protocol local
http server enable
http xxx.xxx.xxx.xxx 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer xxx.xxx.xxx.xxx
crypto map outside_map 40 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address respond
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
vpngroup ciscoclients address-pool ippool
vpngroup ciscoclients split-tunnel 170
vpngroup ciscoclients idle-time 1800
vpngroup ciscoclients password ********
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local VPN-PPTP-IP-POOL
vpdn group PPTP-VPDN-GROUP client configuration dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
vpdn group PPTP-VPDN-GROUP client configuration wins xxx.xxx.xxx.xxx.xxx
vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
vpdn group PPTP-VPDN-GROUP client accounting RADIUS
vpdn group PPTP-VPDN-GROUP pptp echo 60
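As an added example (not from the asker's post or from any Expert answer), a small Python linter over the out2in entries posted above. It parses each access-list line, reports that the first entry already permits every TCP port from any source to SQL2005 (so the narrower 1433 and ftp entries after it never match anything on their own), and flags OUT2IN as an ACL that no access-group line binds to an interface, differing only in case from the applied out2in; that is worth confirming on the box, since an unapplied ACL silently enforces nothing. The sample lines are copied from the posted config with its redactions; take_endpoint, parse, covers and review are names I chose.

```python
from collections import defaultdict

# Constructed sample: the out2in rules from the PIX 6.2(2) config above, redactions
# kept as posted; SQL2005 is the name the asker bound to xxx.xxx.xxx.10.
PIX_CONFIG = """\
access-list out2in permit tcp any host SQL2005
access-list out2in permit tcp host xxx.xxx.xxx.xxx host SQL2005 eq 1433
access-list out2in permit tcp any host SQL2005 eq 1433
access-list out2in permit tcp any host SQL2005 eq ftp
access-list OUT2IN permit tcp host xxx.xxx.xxx.4 host SQL2005 eq 1433
access-group out2in in interface outside
"""

def take_endpoint(tokens):  # consume one ACE endpoint: 'any', 'host X' or 'NET MASK'
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return tokens[0] + "/" + tokens[1], tokens[2:]

def parse(cfg):  # -> {acl: [(action, proto, src, dst, port)]}, {acl: interface applied on}
    acls, applied = defaultdict(list), {}
    for line in cfg.splitlines():
        t = line.split()
        if t[:1] == ["access-list"]:
            src, rest = take_endpoint(t[4:])
            dst, rest = take_endpoint(rest)
            port = rest[1] if rest[:1] == ["eq"] else "any"
            acls[t[1]].append((t[2], t[3], src, dst, port))
        elif t[:1] == ["access-group"]:  # access-group NAME in interface IFACE
            applied[t[1]] = t[4]
    return acls, applied

def covers(broad, narrow):  # does ACE `broad` already match every packet `narrow` would?
    return broad[1] in ("ip", narrow[1]) and all(b in ("any", n) for b, n in zip(broad[2:], narrow[2:]))

def review(cfg):  # flag over-broad permits, shadowed entries, and ACLs defined but never applied
    acls, applied = parse(cfg)
    findings = []
    for name, aces in acls.items():
        if name not in applied:
            hint = next((f" (differs only in case from applied ACL {a})" for a in applied if a.lower() == name.lower()), "")
            findings.append(f"ACL {name} is never applied{hint}")
        for i, ace in enumerate(aces, 1):
            if ace[0] == "permit" and ace[2] == "any" and ace[4] == "any":
                findings.append(f"{name} entry {i} permits every {ace[1]} port from any source to {ace[3]}")
            j = next((j for j, e in enumerate(aces[:i - 1], 1) if covers(e, ace)), None)
            if j:
                findings.append(f"{name} entry {i} is shadowed by entry {j}")
    return findings
```

Running review(PIX_CONFIG) yields five findings: the over-broad first entry, three shadowed entries, and the unapplied OUT2IN.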
07.02.2008 at 11:12PM PDT, ID: 21923021 (Expert Comment)

07.03.2008 at 07:02AM PDT, ID: 21925515 (Author Comment)

07.07.2008 at 03:07PM PDT, ID: 21949069 (Expert Comment)