PIX 506E config and rules
Hello
I have a pix 506e that i need to have SMTP, WWW, and other services. i have been given an IP allocation of xxx.xxx.140.119/24 and a subnetted network address of xxx.xxx.183.128/28 as my usable IP's.
i configured my firewall and was able to get all of the servers behind to have 3389 working (for testing) since then i have tried to apply additional rules, such as FTP, 1433, www, smtp, imap, and others. each time i do so i get an error where i am unable to add due to a network error. re:u cant assign an ip address of xxx.xxx.183.131 becuase the mask is not correct.
any ideas?
I have a pix 506e that i need to have SMTP, WWW, and other services. i have been given an IP allocation of xxx.xxx.140.119/24 and a subnetted network address of xxx.xxx.183.128/28 as my usable IP's.
i configured my firewall and was able to get all of the servers behind to have 3389 working (for testing) since then i have tried to apply additional rules, such as FTP, 1433, www, smtp, imap, and others. each time i do so i get an error where i am unable to add due to a network error. re:u cant assign an ip address of xxx.xxx.183.131 becuase the mask is not correct.
any ideas?
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
hostname
domain-name
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type icmp-grp
description ICMP Types allowed into the PIX
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service Email tcp
description Http-RPC,
port-object range 3389 3389
port-object range 6003 6003
port-object eq imap4
port-object eq www
port-object eq telnet
port-object eq smtp
port-object range 6001 6001
port-object eq pop3
port-object range 6002 6002
port-object eq https
port-object eq nntp
access-list outside_in permit icmp any any object-group icmp-grp
access-list inside_in deny ip any any
access-list inside_in deny icmp any any
access-list outside_access_in remark DC01
access-list outside_access_in permit tcp any host xxx.xxx.183.129 eq 3389
access-list outside_access_in remark DC02
access-list outside_access_in permit tcp any host xxx.xxx.183.130 eq 3389
access-list outside_access_in remark Email01
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 3389
access-list outside_access_in permit tcp any host xxx.xxx.183.133 eq 3389
access-list outside_access_in permit tcp any host xxx.xxx.183.134 eq 3389
access-list outside_access_in permit tcp any host xxx.xxx.183.135 eq 3389
access-list outside_access_in permit tcp any host xxx.xxx.183.136 eq 3389
access-list outside_access_in permit tcp any host xxx.xxx.183.137 eq 3389
access-list outside_access_in permit tcp any host xxx.xxx.183.138 eq 3389
access-list outside_access_in permit tcp any host xxx.xxx.183.139 eq 3389
access-list outside_access_in permit tcp any host xxx.xxx.183.140 eq 3389
access-list outside_access_in permit tcp any host xxx.xxx.183.141 eq 3389
access-list inside_access_in permit tcp interface inside object-group Email interface outside object-group Email
pager lines 24
logging on
logging timestamp
logging standby
logging console notifications
logging monitor notifications
logging buffered notifications
logging history emergencies
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.140.119 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.10.11.21 255.255.255.255 inside
pdm location 10.10.11.22 255.255.255.255 inside
pdm location 10.10.11.23 255.255.255.255 inside
pdm location 10.10.11.25 255.255.255.255 inside
pdm location 10.10.11.26 255.255.255.255 inside
pdm location 10.10.11.27 255.255.255.255 inside
pdm location 10.10.11.28 255.255.255.255 inside
pdm location 10.10.11.29 255.255.255.255 inside
pdm location 10.10.11.30 255.255.255.255 inside
pdm location 10.10.11.31 255.255.255.255 inside
pdm location 10.10.11.32 255.255.255.255 inside
pdm location 10.10.11.33 255.255.255.255 inside
pdm location xxx.xxx.183.128 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.183.129 3389 10.10.11.21 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.130 3389 10.10.11.22 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.131 3389 10.10.11.23 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.133 3389 10.10.11.25 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.134 3389 10.10.11.26 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.135 3389 10.10.11.27 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.136 3389 10.10.11.28 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.137 3389 10.10.11.29 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.138 3389 10.10.11.30 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.139 3389 10.10.11.31 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.140 3389 10.10.11.32 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.141 3389 10.10.11.33 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.140.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http xxx.xxx.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
snmp-server
snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp enable outside
telnet 0.0.0.0 0.0.0.0 outside
telnet xxx.xxx.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username jkesoglou password .ExjueaZAJawM9ir encrypted privilege 15
terminal width 80
Cryptochecksum:ab5e9ccf12761249efa4f3fb81e95507
: end
[OK]
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks