
PIX 501 security configuration

Posted on 2005-04-11
Last Modified: 2012-05-05
Please help me with PIX 501 configuration:

I have 3 x outside addresses and I want:

1 address - NAT for local network to access internet
2 addresses - static translations to my Exchange server (192.168.2.1 and 192.168.2.3 -  2 x MX and NS records)
Inside and outside traffic (only): DNS, WWW, HTTPS, SMTP, SSH, Remote Desktop, FTP

Also, I have a router on this LAN - is there any chance to telnet/ssh to it from outside (I don't have spare outside IPs)?

Exact config would be appreciated

Cheers!
Question by: iliko
 
Accepted Solution by: alkabello (ID: 13761670)
I think all you have to add to an "out-of-the-box" config would be the lines below..


ip address outside <First IP> <subnet mask>
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 <Next Hop to ISP>


static (inside,outside) <2'nd IP> 192.168.2.1 netmask 255.255.255.255
static (inside,outside) <3'rd IP> 192.168.2.3 netmask 255.255.255.255

access-list Outside-In permit tcp any any eq 25
access-list Outside-In permit tcp any any eq 80
access-list Outside-In permit udp any any eq 53
access-list Outside-In permit tcp any any eq 443
access-list Outside-In permit tcp any any eq 21
access-list Outside-In permit tcp any any eq 22
access-list Outside-In permit tcp any any eq 3389

access-group Outside-In in interface outside


access-list Inside-Out permit tcp any any eq 25
access-list Inside-Out permit tcp any any eq 80
access-list Inside-Out permit udp any any eq 53
access-list Inside-Out permit tcp any any eq 443
access-list Inside-Out permit tcp any any eq 21
access-list Inside-Out permit tcp any any eq 22
access-list Inside-Out permit tcp any any eq 3389

access-group Inside-Out in interface inside

---Accessing router from inet using telnet (tcp/23)----
static (inside,outside) tcp interface 23 <Router IP> 23 netmask 255.255.255.255
access-list Outside-In permit tcp any any eq 23

---Accessing router from inet using SSH (tcp/22)----
static (inside,outside) tcp interface 22 <Router IP> 22 netmask 255.255.255.255


Hope this gives you an idea...

/Rubeck
Expert Comment by: -Leo- (ID: 13762167)
What address will I be using to telnet to the router from outside?

Can I telnet to the PIX from outside? (I know how to SSH, but telnet does not work ...)

Thanks, I am going to try this later on today ...
Author Comment by: iliko (ID: 13762230)
Great help, alkabello, thanks a lot!

Leo: I believe telnet to the PIX will not work from outside because of security issues ...
Expert Comment by: alkabello (ID: 13764516)
Hi iliko..

Sorry for the brief config example.... but it seems you got it running :-)

No, telnet to its outside interface is not an out-of-the-box option... (not saying it is not possible) SSH is the way to go... generate a certificate on the PIX and put in an ACL of accepted sources for SSH and you're good to go..


/Rubeck
Expert Comment by: alkabello (ID: 13764593)
Oops... and BTW:

The ACLs are very basic, and I would of course suggest you tighten them for more security....

Example:

Go from this:
access-list Outside-In permit tcp any any eq 25

To this:
access-list Outside-In permit tcp any host <2'nd IP> eq 25
access-list Outside-In permit tcp any host <3'rd IP> eq 25

(If these are the only ones accepting incoming SMTP sessions from the Internet)

/Rubeck
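As an added worked example (not part of the thread and not Cisco tooling), the Python script below does two things the accepted answer and the last comment describe by hand: it audits a PIX 6.x rule set for `any any` permits that are broader than the statics behind them, and it emits a host-scoped Outside-In list in which every permit names the one global address that actually serves the port. The sample config is a constructed copy of the accepted answer with its placeholders filled in: 203.0.113.1-3 (RFC 5737 documentation range) stand in for the three outside addresses and 192.168.2.254 for the router; the SERVICES map of which host should expose which ports is an assumption, as is the 2005-era PIX 6.x syntax it parses.

```python
"""Audit a PIX 6.x outside-in rule set and emit a host-scoped version.

Added example for this thread, not part of the original posts. Assumes the
PIX 6.x syntax used in the accepted answer:
  static (inside,outside) <global> <local> netmask 255.255.255.255
  static (inside,outside) tcp interface <gport> <local> <lport> netmask ...
  access-list <name> permit <proto> <src> <dst> eq <port>
"""
import re

# Constructed sample: the accepted answer with its placeholders filled in.
# 203.0.113.1-3 (documentation range) stand in for the three outside
# addresses; 192.168.2.254 is an assumed address for the LAN router.
SAMPLE_CONFIG = """
ip address outside 203.0.113.1 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.2 192.168.2.1 netmask 255.255.255.255
static (inside,outside) 203.0.113.3 192.168.2.3 netmask 255.255.255.255
static (inside,outside) tcp interface 23 192.168.2.254 23 netmask 255.255.255.255
static (inside,outside) tcp interface 22 192.168.2.254 22 netmask 255.255.255.255
access-list Outside-In permit tcp any any eq 25
access-list Outside-In permit tcp any any eq 80
access-list Outside-In permit udp any any eq 53
access-list Outside-In permit tcp any any eq 443
access-list Outside-In permit tcp any any eq 21
access-list Outside-In permit tcp any any eq 22
access-list Outside-In permit tcp any any eq 3389
access-group Outside-In in interface outside
"""

# Assumed service map: which inside host should be reachable on which
# (protocol, port). Anything not listed gets no inbound rule at all.
SERVICES = {
    "192.168.2.1": {("tcp", 25), ("udp", 53), ("tcp", 80), ("tcp", 443)},
    "192.168.2.3": {("tcp", 25), ("udp", 53), ("tcp", 80), ("tcp", 443)},
    "192.168.2.254": {("tcp", 22)},  # SSH to the router only, no telnet
}

STATIC_RE = re.compile(
    r"^static \(inside,outside\) (?:(?P<proto>tcp|udp) )?(?P<glob>\S+)"
    r"(?: (?P<gport>\d+))? (?P<local>\S+)(?: (?P<lport>\d+))? netmask \S+$"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>tcp|udp|ip) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\d+))?$"
)


def parse(config):
    """Split a config into its static translations and ACL permit lines."""
    statics, acls = [], []
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groupdict())
            continue
        m = ACL_RE.match(line)
        if m:
            acls.append(m.groupdict())
    return statics, acls


def audit(config, acl_name="Outside-In", outside_ip=None):
    """Flag permits broader than the statics justify, permits with no
    translation behind them, and a PAT on interface:22 that would collide
    with the PIX's own SSH server if management SSH is enabled on outside."""
    statics, acls = parse(config)
    exposed_hosts = set()   # 1:1 statics: the whole host is reachable
    exposed_ports = set()   # static PAT: (address, proto, port) only
    for s in statics:
        if s["gport"] is None:
            exposed_hosts.add(s["glob"])
        else:
            addr = outside_ip if s["glob"] == "interface" else s["glob"]
            exposed_ports.add((addr, s["proto"], s["gport"]))
    findings = []
    if (outside_ip, "tcp", "22") in exposed_ports:
        findings.append("PAT interface:22 collides with the PIX's own SSH server "
                        "if 'ssh <addr> <mask> outside' is enabled")
    for a in acls:
        if a["name"] != acl_name:
            continue
        rule = f"{a['proto']}/{a['port'] or 'any'}"
        if a["dst"] == "any":
            findings.append(f"{rule}: destination 'any'; restrict to the static host(s) that serve it")
            continue
        dst = a["dst"].split()[1]
        if dst in exposed_hosts or (dst, a["proto"], a["port"]) in exposed_ports:
            continue
        findings.append(f"{rule}: host {dst} has no static behind it; rule is dead or a static is missing")
    return findings


def tightened(config, services, acl_name="Outside-In", outside_ip=None):
    """Emit an ACL where each permit names the single global address that
    serves the port (the form the last comment in the thread recommends)."""
    statics, _ = parse(config)
    lines = []
    for s in statics:
        wanted = services.get(s["local"], set())
        if s["gport"] is None:
            for proto, port in sorted(wanted):
                lines.append(f"access-list {acl_name} permit {proto} any host {s['glob']} eq {port}")
        elif (s["proto"], int(s["lport"] or s["gport"])) in wanted:
            # PAT: the reachable address is the outside interface (or the
            # named global), on the outside port, for the inside service.
            addr = outside_ip if s["glob"] == "interface" else s["glob"]
            lines.append(f"access-list {acl_name} permit {s['proto']} any host {addr} eq {s['gport']}")
    lines.append(f"access-group {acl_name} in interface outside")
    return lines


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, outside_ip="203.0.113.1"):
        print("FINDING:", f)
    print()
    print("\n".join(tightened(SAMPLE_CONFIG, SERVICES, outside_ip="203.0.113.1")))
```

Run against the sample, the audit flags all seven `any any` permits plus the interface:22 PAT, and the tightened list drops 21, 23 and 3389 entirely (no static serves them, so the permits only widen the attack surface without letting anything through). If the PIX itself must stay manageable over SSH from outside, move the router PAT to a high outside port (for example `static (inside,outside) tcp interface 2222 <Router IP> 22 netmask 255.255.255.255`); the generator keys on the inside port, so the emitted permit follows the new outside port automatically.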
