Solved

PIX Configuration

Posted on 2004-11-11
Last Modified: 2013-11-29
I'm running a PIX with the latest IOS and I'd like to set it up to use access-lists instead of conduits.

static (inside,outside) 200.200.200.158 10.1.0.104 netmask 255.255.255.255 128 5
conduit permit tcp host 200.200.200.158 eq smtp any

The above is a sample of what I have.  What I need is this:

Allow into network:, SMTP to 200.200.200.158, HTTP and HTTPS to 200.200.200.159
Allow out of network: HTTP, HTTPS, and SMTP from anyone, FTP from 10.1.0.15

The network also allows a VPN connection from various at home clients.

Can someone provide the access-list and related commands that I need to get this to work?

Thanks!
Question by:Robing66066
LVL 79

Accepted Solution

by: lrmoore earned 2000 total points
ID: 12557880

   clear conduit  <== removes all conduit statements

   access-list outside_in permit tcp any host 200.200.200.158 eq smtp
   access-list outside_in permit tcp any host 200.200.200.159 eq http
   access-list outside_in permit tcp any host 200.200.200.159 eq https

   access-group outside_in in interface outside

Those commands assume that you have another static (inside,outside) statement for the http/https host.
Be careful what you ask for in outbound control. You should permit DNS as well as the others. Without an explicit access list applied to the inside interface, all outbound traffic is permitted. If you want to permit ONLY those protocols:
   access-list inside_out permit udp 10.1.0.0 255.255.255.0 any eq 53
   access-list inside_out permit tcp 10.1.0.0 255.255.255.0 any eq http
   access-list inside_out permit tcp 10.1.0.0 255.255.255.0 any eq https
   access-list inside_out permit tcp 10.1.0.0 255.255.255.0 any eq smtp
   access-list inside_out permit tcp host 10.1.0.15 any eq ftp

   access-group inside_out in interface inside
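The conduit-to-access-list rewrite lrmoore describes above, as an added Python example (not code from this thread or from Cisco): a conduit names the protected (global) host first and the foreign side second, an access-list names source then destination, so converting swaps the two address specs. The sample conduit lines are constructed from the question's addresses; the `acl_name` and `interface` defaults are assumptions matching the answer.

```python
_PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # PIX port operators, argument count

# Constructed sample: the conduit from the question plus two hypothetical ones for the web host.
SAMPLE_CONDUITS = """\
conduit permit tcp host 200.200.200.158 eq smtp any
conduit permit tcp host 200.200.200.159 eq http any
conduit permit tcp host 200.200.200.159 eq https any
"""

def _take_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A MASK') from the front of tokens."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def _take_ports(tokens):
    """Consume an optional port operator such as 'eq smtp' or 'range 1024 65535'."""
    if tokens and tokens[0] in _PORT_OPS:
        n = _PORT_OPS[tokens[0]] + 1
        return " ".join(tokens[:n]), tokens[n:]
    return "", tokens

def conduit_to_acl(line, acl_name="outside_in"):
    """Rewrite one conduit as an access-list entry: a conduit names the protected
    (global) address first and the foreign address second, an access-list names
    source then destination, so the two address specs (with their ports) swap places."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto, rest = tokens[1], tokens[2], tokens[3:]
    global_addr, rest = _take_addr(rest)
    global_ports, rest = _take_ports(rest)
    foreign_addr, rest = _take_addr(rest)
    foreign_ports, rest = _take_ports(rest)
    icmp_type = rest.pop(0) if proto == "icmp" and rest else ""  # e.g. 'echo-reply'
    if rest:
        raise ValueError(f"unparsed tail {rest} in {line!r}")
    parts = ["access-list", acl_name, action, proto, foreign_addr, foreign_ports,
             global_addr, global_ports, icmp_type]
    return " ".join(p for p in parts if p)

def convert_conduits(config_text, acl_name="outside_in", interface="outside"):
    """Convert every conduit line in a config (other lines are left alone); returns the ACL entries plus the access-group."""
    entries = [conduit_to_acl(l.strip(), acl_name) for l in config_text.splitlines()
               if l.strip().startswith("conduit ")]
    entries.append(f"access-group {acl_name} in interface {interface}")
    return entries
```

Compare the generated entries against the running config before `clear conduit`, since removing the conduits leaves the box with an implicit deny on the outside interface until the access-group is applied.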
LVL 7

Author Comment

by:Robing66066
ID: 12557944
Good point.  I didn't think of DNS.  

I notice you have the 10.1.x.x network listed.  In fact, I'll actually need any address with a 10.x.x.x be allowed out.  Would that change things to 10.0.0.0 255.0.0.0?

I'm also assuming I'll need to add something like this:

static (inside,outside) 200.200.200.159 10.1.0.105 netmask 255.255.255.255 128 5
LVL 79

Expert Comment

by:lrmoore
ID: 12557993
Yes, on both counts.
Use whatever mask is appropriate for you.
Statics are required.
LVL 7

Author Comment

by:Robing66066
ID: 12599362
Thanks.  I'll give it a try.