PIX 501 security configuration

Please help me with PIX 501 configuration:

I have 3 x outside addresses and I want:

1 address - NAT for local network to access internet
2 addresses - static translations to my Exchange server (192.168.2.1 and 192.168.2.3 -  2 x MX and NS records)
Inside and outside traffic (only): DNS, WWW, HTTPS, SMTP, SSH, Remote Desktop, FTP

Also, I have a router on this LAN - is there any chance to telnet/ssh to it from outside (I don't have spare outside IPs)?

An exact config would be appreciated.

Cheers!
Asked by iliko
1 Solution
 
alkabello commented:
I think all you have to add to an "out-of-the-box" config would be the lines below.


ip address outside <First IP> <subnet mask>
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 <Next Hop to ISP>

static (inside,outside) <2'nd IP> 192.168.2.1 netmask 255.255.255.255
static (inside,outside) <3'rd IP> 192.168.2.3 netmask 255.255.255.255

access-list Outside-In permit tcp any any eq 25
access-list Outside-In permit tcp any any eq 80
access-list Outside-In permit udp any any eq 53
access-list Outside-In permit tcp any any eq 443
access-list Outside-In permit tcp any any eq 21
access-list Outside-In permit tcp any any eq 22
access-list Outside-In permit tcp any any eq 3389

access-group Outside-In in interface outside

access-list Inside-Out permit tcp any any eq 25
access-list Inside-Out permit tcp any any eq 80
access-list Inside-Out permit udp any any eq 53
access-list Inside-Out permit tcp any any eq 443
access-list Inside-Out permit tcp any any eq 21
access-list Inside-Out permit tcp any any eq 22
access-list Inside-Out permit tcp any any eq 3389

access-group Inside-Out in interface inside

---Accessing router from inet using telnet----
! telnet is TCP port 23 (21 is FTP); inbound traffic also needs a permit in the
! Outside-In ACL, or the static alone will not pass it; telnet is cleartext,
! so prefer the SSH forward below
access-list Outside-In permit tcp any host <First IP> eq 23
static (inside,outside) tcp interface 23 <Router IP> 23 netmask 255.255.255.255

---Accessing router from inet using SSH----
static (inside,outside) tcp interface 22 <Router IP> 22 netmask 255.255.255.255


Hope this gives you an idea...

/Rubeck

-Leo- commented:
What address will I be using for telnetting to the router from outside?

Can I telnet to the PIX from outside? (I know how to SSH but telnet does not work ...)

Thanks, I am going to try this later on today ...

iliko (author) commented:
Great help, alkabello, thanks a lot!

Leo: I believe telnet to the PIX will not work from outside because of security issues ...

alkabello commented:
Hi iliko..

Sorry for the brief config example... but it seems you got it running :-)

No, telnet to its outside interface is not an out-of-the-box option... (not saying it is not possible). SSH is the way to go... generate a certificate on the PIX and put in an accepted ACL for SSH and you're good to go.


/Rubeck

alkabello commented:
Oops... and BTW:

The ACLs are very basic, and I would of course suggest you edit them for more security...

Example:

Go from this:
access-list Outside-In permit tcp any any eq 25

To this:
access-list Outside-In permit tcp any host <2'nd IP> eq 25
access-list Outside-In permit tcp any host <3'rd IP> eq 25

(If these are the only ones accepting incoming SMTP sessions from the Inet)

/Rubeck
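The tightening Rubeck describes (replacing a destination of `any` on the inbound ACL with one `host` line per address that actually publishes the service) is mechanical enough to script. The audit below is an added example for this thread, not code from any of the posts: it parses PIX 6.x-style `access-list` and `access-group` lines, flags permits on the outside-facing ACL whose destination is `any`, and rewrites them host-scoped. The sample config is constructed from the lines posted in the first answer, with the `<2'nd IP>`/`<3'rd IP>` placeholders replaced by RFC 5737 documentation addresses, and the `PUBLISHED` table (which address answers which service) is an assumption made up for the example.

```python
"""Audit PIX 6.x style access-lists for inbound permits whose destination is
'any' and rewrite them as host-scoped lines, one per publishing host.
Added example for this thread, not code from the original posts."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed sample: the posted inbound ACL before tightening, one line that
# is already host-scoped, and the inside ACL (which must be left alone).
SAMPLE_CONFIG = """\
access-list Outside-In permit tcp any any eq 25
access-list Outside-In permit tcp any any eq 80
access-list Outside-In permit udp any any eq 53
access-list Outside-In permit tcp any any eq 443
access-list Outside-In permit tcp any host 203.0.113.2 eq 22
access-group Outside-In in interface outside
access-list Inside-Out permit tcp any any eq 80
access-group Inside-Out in interface inside
"""

# Assumption (constructed): which published addresses answer each service.
# A service with no entry gets no replacement line, so its 'any' permit is
# dropped instead of staying open to every outside address.
PUBLISHED: Dict[Tuple[str, str], List[str]] = {
    ("tcp", "25"): ["203.0.113.2", "203.0.113.3"],
    ("udp", "53"): ["203.0.113.2", "203.0.113.3"],
    ("tcp", "443"): ["203.0.113.2"],
}


@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str
    proto: str
    src: str            # "any", "A.B.C.D" (host form) or "NET MASK"
    dst: str
    port: Optional[str]

    def render(self) -> str:
        parts = ["access-list", self.name, self.action, self.proto,
                 _fmt(self.src), _fmt(self.dst)]
        if self.port:
            parts += ["eq", self.port]
        return " ".join(parts)


def _fmt(addr: str) -> str:
    return addr if addr == "any" or " " in addr else f"host {addr}"


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_entry(line: str) -> Optional[AclEntry]:
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        return None
    try:
        src, rest = _take_addr(tokens[4:])
        dst, rest = _take_addr(rest)
    except IndexError:          # truncated address spec
        return None
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return AclEntry(tokens[1], tokens[2], tokens[3], src, dst, port)


def inbound_acl_names(config: str) -> set:
    """Names of ACLs bound inbound on the outside interface."""
    names = set()
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-group"] and t[2:] == ["in", "interface", "outside"]:
            names.add(t[1])
    return names


def overbroad_inbound(config: str) -> List[AclEntry]:
    """Permits on an outside-facing ACL whose destination is 'any'."""
    names = inbound_acl_names(config)
    return [e for e in map(parse_entry, config.splitlines())
            if e and e.name in names and e.action == "permit" and e.dst == "any"]


def tighten(entry: AclEntry, published=PUBLISHED) -> List[str]:
    """One host-scoped line per host that publishes entry's proto/port."""
    hosts = published.get((entry.proto, entry.port), [])
    return [replace(entry, dst=h).render() for h in hosts]


def tightened_config(config: str, published=PUBLISHED) -> str:
    """Config with every overbroad inbound permit replaced or dropped."""
    broad = set(overbroad_inbound(config))
    out: List[str] = []
    for line in config.splitlines():
        e = parse_entry(line)
        out.extend(tighten(e, published) if e in broad else [line])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for e in overbroad_inbound(SAMPLE_CONFIG):
        print("overbroad:", e.render())
    print(tightened_config(SAMPLE_CONFIG))
```

Run against the sample, the four `any any` permits on Outside-In are reported; SMTP and DNS become two host lines each, HTTPS becomes one, and the port-80 permit disappears because no published host is listed for it, while the Inside-Out ACL and the already host-scoped SSH line pass through untouched.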