Solved

URGENT PIX Config Assist

Posted on 2005-04-27
Last Modified: 2010-05-18
I'm normally quite confident with PIX configuration, but my brain has melted and I need some detailed, specific assistance.

I need to modify an access list, and other areas, so a command-line-by-command-line guide would be great.

Situation: I need to reconfigure the PIX ACL to do the following. Allow all UDP and TCP traffic on all ports from any internal IP address to go outside to a specific IP address.

This specific address is, of course, a NAT for a different network's internal IP address.

That same specific address must be allowed to come back using all TCP and UDP ports, or ANY communication channels or ports, back into the INTERNAL network of the main site.

E.g. my PC has to ping an IP address of a computer on the internal network of a remote site, and vice versa. Of course, all the relevant chatter between those 2 different IP addresses on differing subnets is hidden behind NAT.

At the moment both sites can ping the public address, which is great; however, due to the PIX on this side nobody can ping or be pinged on an internal network. I need to change that for this one specific address.

I would use PDM, but this PIX doesn't have it and I have to use the command line... and as I said, my brain is in a current state of MELTDOWN.

A rating will be awarded: maximum points for an URGENT, ACCURATE response.

Thank you for your time.
Question by:rabelle

Accepted Solution by: lrmoore (earned 2000 total points)
ID: 13875034
Do you have extra public IP addresses?
  Yes -> go to the steps below
  No  -> Sorry, no such luck

Steps:
1. Assign a static 1-1 NAT xlate:
   static (inside,outside) <public ip> <your pc ip> netmask 255.255.255.255
2. Create an access-list entry (use the existing inbound ACL):
   access-list outside_access_in permit ip host <their public ip> host <your nat static public ip>

Done
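The two steps in the accepted answer, written out as a complete PIX 6.x fragment. This is an added example, not lrmoore's posted text or the asker's configuration; every address in it is a constructed placeholder (the page never gives the remote site's public IP or the PC's inside IP), and the ACL name outside_access_in is taken from the answer.

```cisco
! Added example: the accepted answer's static + ACL steps with placeholders.
! 203.0.113.10  = a spare public IP on the PIX outside subnet (placeholder)
! 172.30.0.50   = the inside PC to expose (placeholder on the page's 172.30.x.x net)
! 198.51.100.20 = the remote site's public NAT address (placeholder)

! Step 1: one-to-one static translation, inside host <-> dedicated public IP.
! A single host needs the /32 netmask; a wider mask would map a whole range.
static (inside,outside) 203.0.113.10 172.30.0.50 netmask 255.255.255.255

! Step 2: permit only the remote public host to reach only the static's
! public address. "ip" covers TCP, UDP and ICMP, so ping works, while the
! host/host pair keeps the hole to exactly the two machines involved.
access-list outside_access_in permit ip host 198.51.100.20 host 203.0.113.10

! The ACL only filters once bound to the outside interface. If
! outside_access_in is already applied (as the answer assumes), this line
! changes nothing; re-issuing it is harmless.
access-group outside_access_in in interface outside

! Drop existing translations so the new static is used straight away.
clear xlate

! Verification: the static should appear as Global 203.0.113.10 Local 172.30.0.50,
! and the ACL hit count should climb while the remote side pings.
show xlate
show access-list
```

Two caveats worth checking before declaring it done. Outbound traffic from inside to outside is permitted by default on a higher-to-lower security-level pair, but if an ACL is already applied inbound on the inside interface it needs a matching permit as well. Also, PIX 6.x does not track ICMP statefully, so replies to pings from the inside PC rely on the inbound permit above; the host-to-host entry covers them without opening anything to other sources.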

Author Comment by: rabelle
ID: 13875056
OK, slight revision to the above.

There is a box in what's basically the DMZ. It plugs into the network directly, and also into a dirty switch.

Because it plugs into the dirty switch it has a public and a private address.
The public address can be pinged.
The private address for that box alone can be pinged too,
but nothing else on the network.

It's still the PIX preventing everything, because the PIX is the default gateway for the network. I just need to configure the PIX so that all traffic going to, say, 192.168.1.x goes to 172.30.0.100, which then throws it straight out to the remote site, and to allow all traffic from 172.30.0.100 to access the internal network.

Author Comment by: rabelle
ID: 13875060
Oh, that still works regardless... hmm, I'll get right on to it. I think that will work fine; just going to test... brb.

Told you... brain is fried.

Author Comment by: rabelle
ID: 13875192
Seems OK... is it alright if I leave this open just a little longer? Just to doubly make sure... then I'll accept.

Author Comment by: rabelle
ID: 13884109
OK, I'm not sure. Here is the deal:

Router with public address.
Dirty switch, DMZ basically.
VSR box plugged into the dirty switch with a public addy of 62.190.160.166 on the WAN port.
VSR box plugged into the safe switch with an IP addy of 172.30.0.100.
The PIX box is obviously protecting all the safe switches.
I can ping their public address.
They can ping the public address and the private address of the VSR box, but nothing else.

What commands do I need to put in to allow their internal network, which is a 192.168.1.X network, to go through that configuration and ping something on the 172.30.X.X network without problems?