configuration PIX access

Networking/Security Forums -> Firewalls // Intrusion Detection - External Security

Author: Paulius    Posted: Thu Oct 19, 2006 4:26 pm    Post subject: configuration PIX access
    ----
Hello friends,

I have a question about a network.

The topology is LAN1 - MPLS - LAN2 (which has a PIX firewall) - Internet.

The problem is how to configure the Cisco PIX so that LAN1 can use the Internet.

There is no firewall on LAN1.

There is a PIX firewall on LAN2.

The MPLS network has a default route to the Cisco PIX.

LAN1 has network 172.22.1.0.

LAN2 has network 172.20.0.0.

I am using only conduit and outbound commands.

Thank you

Author: Sgt_B    Location: Chicago, IL US    Posted: Wed Oct 25, 2006 11:25 pm
    ----
As long as the PIX knows how to get to LAN1 (routing) you shouldn't have any problems.
Code:
route <LAN1 PIX interface> 172.22.1.0 255.255.255.0 <ip of LAN2 MPLS Router>

You may have to edit your NAT rules on the PIX, but other than that you should be ok.

Author: segment    Posted: Tue Oct 31, 2006 1:21 pm    Post subject: Re: configuration PIX access
    ----
Paulius wrote:
Hello friends,

I have a question about a network.

The topology is LAN1 - MPLS - LAN2 (which has a PIX firewall) - Internet.

The problem is how to configure the Cisco PIX so that LAN1 can use the Internet.

There is no firewall on LAN1.

There is a PIX firewall on LAN2.

The MPLS network has a default route to the Cisco PIX.

LAN1 has network 172.22.1.0.

LAN2 has network 172.20.0.0.

I am using only conduit and outbound commands.

Thank you


Here's a starting point. I suggest you Google "PIX How-To" or fiddle with your PIXes in order to learn them.


Code:
: inside ACL - what LAN1 may start towards the Internet (web only; no DNS or ICMP is permitted here)
access-list acl_inside permit tcp 172.22.1.0 255.255.255.0 any eq 80
access-list acl_inside permit tcp 172.22.1.0 255.255.255.0 any eq 443
access-list acl_inside deny ip any any
access-group acl_inside in interface inside

: 6.x-era outbound/apply pair; the access-list above does the same job
outbound 20 permit 0.0.0.0 0.0.0.0 0
apply (inside) 20 outgoing_src

: outside ACL - drop bogus source networks first, then allow only the published services
access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in deny ip 224.0.0.0 224.0.0.0 any

: "web" and "dns" are host names; define them with the name command or replace them with addresses
access-list outside_in permit tcp any host web eq http
access-list outside_in permit tcp any host dns eq domain
access-list outside_in permit udp any host dns eq domain
: the ICMP type group needs its type and members; the types listed here are an assumed example
object-group icmp-type icmp-outside-in
  icmp-object echo-reply
  icmp-object time-exceeded
  icmp-object unreachable
access-list outside_in permit icmp any any object-group icmp-outside-in

access-list outside_in deny ip any any
access-group outside_in in interface outside

Author: riyaz145    Location: India    Posted: Tue Nov 07, 2006 10:31 am
    ----
access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in deny ip 224.0.0.0 224.0.0.0 any


I guess this part is not required, as by default inbound access would be restricted for the above-mentioned network addresses, and you don't need to deny them by specifying them.

The route command, conduits and ACLs should pretty much allow LAN1 to reach the Internet.

Author: Sgt_B    Location: Chicago, IL US    Posted: Wed Nov 08, 2006 11:26 pm
    ----
riyaz145 wrote:
I guess this part is not required, as by default inbound access would be restricted for the above-mentioned network addresses, and you don't need to deny them by specifying them.

You're right, it's not necessary to explicitly deny these addresses, as the explicit or implicit deny at the end of the ACL will drop those packets. It is, however, common practice to add those source networks at the beginning of an "external ACL". This allows the firewall to drop bogus source addresses (bogons) early in the ACL. This can speed things up if a more complex ACL is in use.

Also, please refrain from using or advising others to use the conduit and outbound commands. While these commands are still available in the 6.x series, they have been removed from 7.x. Please use access-lists in order to permit and deny access across interfaces.
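As an added check that is not part of the thread, the following models the outside_in ACL posted above as a first-match list (the way the PIX evaluates it) and reports which line decides a given packet with and without the bogon lines. The placeholder names web and dns are replaced by constructed TEST-NET-3 addresses.

```python
import ipaddress

# PIX ACLs are evaluated top-down, first match wins, with an implicit deny at the end.
# This models the outside_in ACL posted above. "web" and "dns" are placeholder names
# on the page; the TEST-NET-3 addresses below are constructed stand-ins for them.
WEB = "203.0.113.10"
DNS = "203.0.113.53"
ANY = ipaddress.ip_network("0.0.0.0/0")

def net(addr, mask):
    # PIX access-list lines take a normal subnet mask (not a wildcard mask), which
    # ipaddress accepts directly, including the /3 multicast mask 224.0.0.0.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

# One entry per ACE: (action, protocol, source, destination, destination port or None)
BOGON_LINES = [
    ("deny", "ip", net("0.0.0.0", "255.0.0.0"), ANY, None),
    ("deny", "ip", net("10.0.0.0", "255.0.0.0"), ANY, None),
    ("deny", "ip", net("127.0.0.0", "255.0.0.0"), ANY, None),
    ("deny", "ip", net("172.16.0.0", "255.240.0.0"), ANY, None),
    ("deny", "ip", net("192.168.0.0", "255.255.0.0"), ANY, None),
    ("deny", "ip", net("224.0.0.0", "224.0.0.0"), ANY, None),
]
SERVICE_LINES = [
    ("permit", "tcp", ANY, net(WEB, "255.255.255.255"), 80),
    ("permit", "tcp", ANY, net(DNS, "255.255.255.255"), 53),
    ("permit", "udp", ANY, net(DNS, "255.255.255.255"), 53),
    ("deny", "ip", ANY, ANY, None),
]
OUTSIDE_IN = BOGON_LINES + SERVICE_LINES

def evaluate(acl, proto, src, dst, dport=None):
    """Return (1-based ACE number, action) for the first ACE matching the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for lineno, (action, p, s, d, port) in enumerate(acl, start=1):
        if p != "ip" and p != proto:
            continue
        if src not in s or dst not in d:
            continue
        if port is not None and port != dport:
            continue
        return lineno, action
    return len(acl) + 1, "deny"  # implicit deny after the last configured ACE

def with_and_without_bogons(proto, src, dst, dport=None):
    """Where the same packet is decided with the bogon lines present vs. removed."""
    return (evaluate(OUTSIDE_IN, proto, src, dst, dport),
            evaluate(SERVICE_LINES, proto, src, dst, dport))
```

A spoofed 10.0.0.0/8 source bound for the web host on port 80 is dropped at line 2 with the bogon lines in place; without them the permit for host web is the first match, so the trailing deny never sees that packet.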


