PIX Configuration Help Needed
StealthRider, Member, Posts: 1
in CCIE
Hello Everyone,
I'm new here and also very new to the PIX Firewall. I'm in need of help with the configuration on my PIX 515. What I'm having trouble with is accessing, from the outside, my FTP & Web server, which is run off of Fedora. If anyone is willing to help, please let me know and we will get started.
Thanks
Comments
-
Ahriakin, Member, Posts: 1,799
This will likely be moved to at least the CCSP forum if not the Off Topic, but anyway. You need to add a static translation between your FTP/WEB server's private address and whatever public address you are using (if you are just using the one address on the PIX you will need to also use Static PAT to forward the FTP and WEB ports to your server; if you have an extra public IP you won't need to, as the static translation will work fine). I'm guessing with a 515 you are using pre 7.x software.
Syntax (presuming std. interface names):
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 0 0
where x.x.x.x = public IP, y.y.y.y = private IP
Next up, allow FTP and WEB traffic to that server (presuming it has its own IP). Presuming you have no existing access-lists applied; if you do, then just add these 2 lines, substituting that access-list's name for "outside_in".
access-list outside_in permit tcp any host x.x.x.x eq www
access-list outside_in permit tcp any host x.x.x.x eq ftp
Lastly, apply this access-list to your outside interface:
access-group outside_in in interface outside
(and don't forget to WRITE MEM to save your changes).
If you are using a single IP assigned to your PIX outside interface, as I said you will need to use Static PAT to direct incoming WEB and FTP to that server. That's getting a bit beyond a quick reply post though, and if you do a search on Cisco.com for those keywords you'll find what you need.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
-
Fiber-Optics, Member, Posts: 14
access-list outside-net-in extended permit icmp any any
access-list outside-net-in extended permit tcp any any eq 80
access-list outside-net-in extended permit tcp any any eq 21
static (inside,outside) tcp interface 80 192.168.0.10 80 netmask 255.255.255.255
static (inside,outside) tcp interface 21 192.168.0.11 21 netmask 255.255.255.255
access-group outside-net-in in interface outside
global (outside) 1 interface
The private IP 192.168.0.10 is the internal WEB server; replace it with what you assigned.
And the other private IP, 192.168.0.11, is the FTP server; put there the internal IP of the machine.
Apply the access group to your outside interface and you should be set, if you just wanted to allow the single IP assigned from your ISP provider to PAT to internal machines, instead of the one-to-one static NATs that the above post shows.
Have fun.
-
Ahriakin, Member, Posts: 1,799
I wouldn't permit all ICMP traffic; better to allow only the basics (if any at all). Also you still need a NAT statement with ID 1 (even if just to the interface) to bind the Global to, afaik.
-
darkuser, Member, Posts: 620
this might help a little
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/config.htm
rm -rf /