Solved

PIX Newbie - how to set up 501

Posted on 2007-07-20
Last Modified: 2013-11-30
Have PIX 501.
Need to set it to static IP, internal interface to 192... Only one internal machine to be routed to.
Need to set up ACLs to allow for PC Anywhere, outgoing mail, web browsing and ftp.
How do I do it, or where is a good source to find out?

Scenario - restaurant.
Broadband modem comes into PIX.
PIX set for external static IP.
PIX connects to switch.
Manager's PC, 192.168.1.100, and other terminals connect to same switch.
PC needs to send email from internal SMTP server, collect from POP3 server.
Need to FTP outbound.
Need to operate as PC Anywhere Host.

Thanks.
Question by:bparkbpark
Expert Comment

by:Cyclops3590
ID: 19535846
ip address outside w.x.y.z 255.255.255.250  <--set ip and mask to your assigned ones
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface  <-- may give warning as it actually should exist already
nat (inside) 1 0 0        <-- may give warning as it actually should exist already
static (inside,outside) tcp interface <<pc anywhere port>> <<private ip of pc anywhere host>> <<pc anywhere port>>
static (inside,outside) tcp interface 25 <<private ip of mail server>> 25
access-list outside-in permit tcp any interface outside eq <<pc anywhere port>>
access-list outside-in permit tcp any interface outside eq smtp
access-group outside-in in interface outside
access-list inside-in permit tcp host <<mail server ip>> any eq smtp
access-list inside-in deny tcp any any eq smtp
access-list inside-in permit tcp any any eq 21
access-list inside-in permit tcp any any eq 80
access-list inside-in permit tcp any any eq 443
access-list inside-in permit udp any any eq 53
access-group inside-in in interface inside  <-- applies the outbound list to the inside interface
fixup protocol ftp 21
no fixup protocol smtp 25

That will allow your mail server to send email and block others from doing so (protects your IP from being blacklisted by any potentially infected hosts mass mailing out). Allows DNS lookups, FTP and web and blocks all other outgoing traffic. Allows PC Anywhere to the host you need and SMTP to the mail server and blocks everything else coming in. Let me know if I missed anything.

Expert Comment

by:lrmoore
ID: 19539164
Cyclops - in your inside-in ACL you forgot to allow PCA out, and aren't there 2 ports, one TCP and one UDP, for PCA?

Expert Comment

by:Cyclops3590
ID: 19540482
I'm actually not familiar with PC Anywhere as I've never even seen it in use or looked into it; I just know what it does. I guess I assumed it worked like RDP or VNC where you just allow the one port in and you're good.
Do you really have to allow a port out for PCA? Again, I'm not familiar with it, so I assumed that the PIX would allow the return traffic after the ACL allowed the SYN and the xlate entry was created.

Accepted Solution

by:
lrmoore earned 750 total points
ID: 19540794
>Do you really have to allow a port out for PCA?
Only if you are creating a list to restrict outbound as you were demonstrating above.

PCA does use two ports TCP/5631 and UDP/5632
http://service1.symantec.com/SUPPORT/pca.nsf/pfdocs/1998122810210812
Assisted Solution

by:Cyclops3590
Cyclops3590 earned 750 total points
ID: 19541427
You're right, you need two ports, but only on the outside-in ACL, nothing more on the inside-in ACL, and after that the conn table takes care of things. Or am I missing something?
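
The stateful behaviour discussed in this thread, as an added example that is not part of any poster's configuration: a simplified Python model in which an interface ACL is consulted only for the first packet of a flow and replies match the connection table. The mail server address, the outside client and the `Firewall` class are assumptions; the ACL entries follow the posted lists, with the PC Anywhere ports taken from the accepted answer.

```python
# Simplified model of PIX stateful filtering: an interface ACL is checked only
# for the first packet of a flow; replies match the connection table instead.
MAIL = "192.168.1.10"       # assumed address of the internal mail server
PCA_HOST = "192.168.1.100"  # manager's PC from the question
REMOTE = "203.0.113.7"      # constructed outside client (documentation range)

# Entries are (action, protocol, source, destination port), matched top down.
INSIDE_IN = [
    ("permit", "tcp", MAIL, 25), ("deny", "tcp", "any", 25),
    ("permit", "tcp", "any", 21), ("permit", "tcp", "any", 80),
    ("permit", "tcp", "any", 443), ("permit", "udp", "any", 53),
]
OUTSIDE_IN = [  # destinations shown after the static translation
    ("permit", "tcp", "any", 5631), ("permit", "udp", "any", 5632),
    ("permit", "tcp", "any", 25),
]

def acl_permits(acl, proto, src, dport):
    for action, a_proto, a_src, a_port in acl:
        if a_proto == proto and a_src in ("any", src) and a_port == dport:
            return action == "permit"   # first match wins
    return False                        # implicit deny ends every list

class Firewall:
    def __init__(self):
        self.conns = set()              # flows already admitted by an ACL

    def packet(self, iface, proto, src, sport, dst, dport):
        if (proto, dst, dport, src, sport) in self.conns:
            return "permit (reply to existing connection)"
        acl = INSIDE_IN if iface == "inside" else OUTSIDE_IN
        if acl_permits(acl, proto, src, dport):
            self.conns.add((proto, src, sport, dst, dport))
            return "permit (ACL)"
        return "deny"

def demo():
    fw = Firewall()
    return {
        "inbound PCA session": fw.packet("outside", "tcp", REMOTE, 40000, PCA_HOST, 5631),
        "PCA host reply": fw.packet("inside", "tcp", PCA_HOST, 5631, REMOTE, 40000),
        "PCA host dials out": fw.packet("inside", "tcp", PCA_HOST, 40001, REMOTE, 5631),
        "mail server SMTP": fw.packet("inside", "tcp", MAIL, 40002, REMOTE, 25),
        "workstation SMTP": fw.packet("inside", "tcp", "192.168.1.101", 40003, REMOTE, 25),
        "POP3 collection": fw.packet("inside", "tcp", PCA_HOST, 40004, REMOTE, 110),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

In this model the reply from the PC Anywhere host passes without any inside-in entry, while a new outbound connection on TCP/5631 or TCP/110 is stopped by the implicit deny at the end of inside-in.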