adamshields
asked on
PIX 506e and opening ports
I have a new PIX firewall that I am trying to configure. What do I need to do to open up the mail & FTP ports to my internal server? I have already assigned IP addresses to the interfaces outside and inside.
Internet T1
|
|
outside 68.209.131.xxx
|
pixfirewall
|
inside 192.168.1.7
|
SERVER 192.168.1.7
Some useful links:-
PIX configuration examples - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
PIX configuration basics - http://www.netcraftsmen.net/welcher/papers/pix01.html
PIX ssh configuration - http://www.tech-recipes.com/modules.php?name=Recipes&rx_id=215
My Pages:-
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
PIX as a home DSL firewall - http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html
ASKER
Yes, it was a typo.
static (inside,outside) tcp interface ftp 192.168.1.7 ftp netmask 255.255.255.255 0 0
^
.3 ?
Is this right? Change 7 to .3 for the server?
Internet T1
|
|
outside 68.209.131.xxx
|
pixfirewall
|
inside 192.168.1.7
|
SERVER 192.168.1.3
ASKER
Thanks for the help.
One more thing: what does the 0 0 mean at the end of the command?
The two extra parameters which are zero above are max_conns and em_limit :-
max_conns :-
Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)
Note This option does not apply to outside NAT. The firewall only tracks connections from a higher security interface to a lower security interface. If you set max_conns for outside NAT, the max_conns option is ignored.
em_limit :-
Specifies the maximum number of embryonic connections per host. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Set a small value for slower systems, and a higher value for faster systems. The default is 0, which means unlimited embryonic connections.
The embryonic connection limit lets you prevent a type of attack where processes are started without being completed. When the embryonic limit is surpassed, the TCP intercept feature intercepts TCP synchronization (SYN) packets from clients to servers on a higher security level. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and combines the two half-connections together transparently. Thus, connection attempts from unreachable hosts never reach the server. The PIX firewall accomplishes TCP intercept functionality using SYN cookies.
Note This option does not apply to outside NAT. The TCP intercept feature applies only to hosts or servers on a higher security level. If you set the embryonic limit for outside NAT, the embryonic limit is ignored.
I assume there is a typo in your diagram above as the same IP is assigned to the server and the pix internal interface.
I assume you have a single IP address and you want to redirect mail and ftp sent to the external IP address of your PIX to your server.
Add the following to the PIX configuration:-
access-list outside_in permit tcp any any eq ftp
access-list outside_in permit tcp any any eq smtp
static (inside,outside) tcp interface ftp 192.168.1.7 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.7 smtp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
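As an added example (not from the thread and not a Cisco tool), here is a small Python audit of `static` and `access-list` lines in the form the answers above use: it flags TCP redirects left at the default em_limit 0, where the embryonic limit explained above never triggers TCP intercept, and redirects whose mapped port has no matching access-list permit. It assumes the PIX 6.x `static` syntax quoted in the thread and a constructed config fragment using the asker's corrected server address 192.168.1.3.

```python
import re

# Constructed PIX 6.x config fragment modelled on the thread's commands (sample
# data, not a real device). The www static deliberately has no access-list permit.
SAMPLE_CONFIG = """
access-list outside_in permit tcp any any eq ftp
access-list outside_in permit tcp any any eq smtp
static (inside,outside) tcp interface ftp 192.168.1.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255 0 50
static (inside,outside) tcp interface www 192.168.1.3 www netmask 255.255.255.255 100 50
access-group outside_in in interface outside
"""

# static (real_if,mapped_if) proto {mapped_ip|interface} mapped_port real_ip real_port netmask mask [max_conns [em_limit]]
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+) "
    r"netmask (?P<mask>\S+)(?: (?P<max_conns>\d+)(?: (?P<em_limit>\d+))?)?$"
)
# Simplified: only "<src> <dst> eq <port>" entries, as in the thread's "any any eq ftp".
ACL_RE = re.compile(r"^access-list \S+ permit (?P<proto>tcp|udp) \S+ \S+ eq (?P<port>\S+)$")


def parse_statics(config):
    """One dict per port-redirect static; omitted trailing limits are the PIX default 0."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["max_conns"] = int(entry["max_conns"] or 0)
            entry["em_limit"] = int(entry["em_limit"] or 0)
            entries.append(entry)
    return entries


def audit(config):
    """Flag TCP statics with em_limit 0 (TCP intercept never engages) and statics no ACL permits."""
    permitted = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            permitted.add((m["proto"], m["port"]))
    findings = []
    for s in parse_statics(config):
        target = f"{s['proto']}/{s['mapped_port']} -> {s['real_ip']}"
        if s["proto"] == "tcp" and s["em_limit"] == 0:
            findings.append(f"{target}: em_limit 0, unlimited half-open connections reach the server")
        if (s["proto"], s["mapped_port"]) not in permitted:
            findings.append(f"{target}: no access-list permit, inbound traffic will be dropped")
    return findings
```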