PIX Configuration Help Needed
StealthRider
Hello Everyone,
I'm new here and also very new to the PIX Firewall. I'm in need of help with the configuration on my PIX 515. What I'm having trouble with is accessing my FTP and web server, which runs on Fedora, from the outside. If anyone is willing to help, please let me know and we will get started.
Thanks
Comments
Ahriakin
This will likely be moved to at least the CCSP forum, if not Off Topic, but anyway. You need to add a static translation between your FTP/WEB server's private address and whatever public address you are using (if you are just using the one address on the PIX you will also need to use Static PAT to forward the FTP and WEB ports to your server; if you have an extra public IP you won't need to, as the static translation will work fine). I'm guessing with a 515 you are using pre-7.x software.
Syntax (presuming std. interface names)
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 0 0
where x.x.x.x = public IP, y.y.y.y = private IP
Next up, allow FTP and WEB traffic to that server (presuming it has its own IP). Presuming you have no existing access-lists applied; if you do, then just add these 2 lines, substituting that access-list's name for "outside_in".
access-list outside_in permit tcp any host x.x.x.x eq www
access-list outside_in permit tcp any host x.x.x.x eq ftp
Lastly, apply this access-list to your outside interface:
access-group outside_in in interface outside
(and don't forget to WRITE MEM to save your changes).
If you are using a single IP assigned to your PIX outside interface as I said you will need to use Static PAT to direct incoming WEB and FTP to that server. That's getting a bit beyond a quick reply post though, and if you do a search on Cisco.com for those keywords you'll find what you need.
Fiber-Optics
access-list outside-net-in extended permit icmp any any
access-list outside-net-in extended permit tcp any any eq 80
access-list outside-net-in extended permit tcp any any eq 21
static (inside,outside) tcp interface 80 192.168.0.10 80 netmask 255.255.255.255
static (inside,outside) tcp interface 21 192.168.0.11 21 netmask 255.255.255.255
access-group outside-net-in in interface outside
global (outside) 1 interface
The private IP 192.168.0.10 is the internal web server; replace it with what you assigned.
The other private IP, 192.168.0.11, is the FTP server; put the internal IP of that machine there.
Apply the access group to your outside interface and you should be set, if you just want to allow the single IP assigned by your ISP to PAT to internal machines instead of the one-to-one static NATs that the above post shows.
Have fun.
Ahriakin
I wouldn't permit all ICMP traffic; better to allow only the basics (if any at all). Also, you still need a NAT statement with ID 1 (even if just to the interface) to bind the Global to, afaik.
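As an added example (not code from any poster in this thread), a small Python linter that applies the caveats just raised to the PAT-style config posted above: it flags `permit icmp any any`, flags port permits whose destination is `any` rather than the public host (as in the earlier `host x.x.x.x` lines), and reports a `global` ID with no matching `nat` statement. The embedded sample config is copied from the thread; the regexes and finding text are my own.

```python
import re

# Constructed sample: the PAT-style config posted in this thread, verbatim.
SAMPLE_CONFIG = """\
access-list outside-net-in extended permit icmp any any
access-list outside-net-in extended permit tcp any any eq 80
access-list outside-net-in extended permit tcp any any eq 21
static (inside,outside) tcp interface 80 192.168.0.10 80 netmask 255.255.255.255
static (inside,outside) tcp interface 21 192.168.0.11 21 netmask 255.255.255.255
access-group outside-net-in in interface outside
global (outside) 1 interface
"""

# Matches: access-list NAME [extended] permit PROTO SRC DST [eq PORT]
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+(\S+)\s+"
    r"(any|host\s+\S+|\S+\s+\S+)\s+(any|host\s+\S+|\S+\s+\S+)(?:\s+eq\s+(\S+))?\s*$"
)
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+")


def review_pix_config(text):
    """Return a list of (line_no, finding); line_no 0 marks a whole-config finding."""
    findings = []
    global_ids, nat_ids = set(), set()
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            _name, proto, src, dst, port = m.groups()
            if proto == "icmp" and src == "any" and dst == "any":
                findings.append((n, "permits all ICMP from anywhere; allow only needed types"))
            elif dst == "any" and port:
                findings.append((n, f"{proto}/{port} permitted to any destination; use 'host <public-ip>'"))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            global_ids.add(m.group(2))
            continue
        m = NAT_RE.match(line)
        if m:
            nat_ids.add(m.group(2))
    # A global pool is only used when a nat statement with the same ID binds to it.
    for gid in sorted(global_ids - nat_ids):
        findings.append((0, f"global id {gid} has no matching 'nat (inside) {gid}' statement"))
    return findings


if __name__ == "__main__":
    for line_no, msg in review_pix_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {msg}")
```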
darkuser
this might help a little
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/config.htm