From: Thanh Nguyen (insist@insist.com.au)
Date: Sat Oct 01 2005 - 21:41:15 GMT-3
Hi
Can someone please help me to configure the PIX 515E to allow traffic from the
web server in the DMZ to access the inside network?
The web server IP address is 172.18.2.4; the inside network is 172.17.2.0.
PIX Version 7.0(1)
names
name 172.17.2.31 Citrix04
name 172.17.2.30 Citrix03
name 172.17.2.28 Citrix01
name 172.17.2.32 Citrix05
name 172.17.2.29 Citrix02
name 172.18.2.2 Citrix-NFuse
name 172.17.2.100 Citrix1
name 172.17.2.101 Citrix2
name 172.17.2.102 Citrix3
name 172.17.2.103 Citrix4
name 172.17.2.104 Citrix5
name 172.17.2.105 Citrix6
name 172.17.2.106 Citrix7
name 172.17.2.107 Citrix8
name 172.17.2.108 Citrix9
name 172.17.2.109 Citrix10
name 172.18.2.3 WEB-INT
name 172.18.2.4 cag
name 172.17.2.20 LDAPServer
!
interface Ethernet0
nameif outside
security-level 0
ip address *.*213.98 255.255.255.224
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.17.2.2 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 15
ip address 172.18.2.1 255.255.255.0
!
interface Ethernet3
nameif intf3
security-level 10
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
enable password ** encrypted
passwd ** encrypted
hostname ****-pix
domain-name ****.org
boot system flash:/image.bin
ftp mode passive
access-list dmz_acl extended permit icmp any any
access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.10 eq www
access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.10 eq 8081
access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.10 eq citrix-ica
access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.11 eq www
access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.11 eq 8081
access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.11 eq citrix-ica
access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.12 eq www
access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.12 eq 8081
access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.12 eq citrix-ica
access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.13 eq www
access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.13 eq 8081
access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.13 eq citrix-ica
access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.14 eq www
access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.14 eq 8081
access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.14 eq citrix-ica
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.50 eq www
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.50 eq citrix-ica
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.51 eq www
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.51 eq citrix-ica
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.52 eq www
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.52 eq citrix-ica
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.53 eq www
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.53 eq citrix-ica
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.54 eq www
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.54 eq citrix-ica
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.55 eq www
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.55 eq citrix-ica
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.56 eq www
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.56 eq citrix-ica
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.57 eq www
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.57 eq citrix-ica
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.58 eq www
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.58 eq citrix-ica
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.59 eq www
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.59 eq citrix-ica
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.50 eq 8080
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.51 eq 8080
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.52 eq 8080
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.53 eq 8080
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.54 eq 8080
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.55 eq 8080
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.56 eq 8080
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.57 eq 8080
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.58 eq 8080
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.59 eq 8080
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.50 eq 3389
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.51 eq 3389
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.52 eq 3389
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.53 eq 3389
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.54 eq 3389
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.55 eq 3389
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.56 eq 3389
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.57 eq 3389
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.58 eq 3389
access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.59 eq 3389
access-list dmz_acl extended permit tcp host cag host 172.18.2.50 eq 8080
access-list dmz_acl extended permit tcp host cag host 172.18.2.50 eq ldap
access-list dmz_acl extended permit tcp host cag host 172.18.2.50 eq 3269
access-list dmz_acl extended permit tcp host cag host 172.18.2.50 eq 2598
access-list dmz_acl extended permit tcp host cag host 172.18.2.50 eq citrix-ica
access-list dmz_acl extended permit tcp host cag host 172.18.2.20 eq ldap
access-list dmz_acl extended permit tcp host cag host 172.18.2.20 eq 3269
access-list dmz_acl extended permit tcp host cag host 172.18.2.21 eq 3269
access-list dmz_acl extended permit tcp host cag host 172.18.2.51 eq 8080
access-list dmz_acl extended permit tcp host cag host 172.18.2.52 eq 8080
access-list dmz_acl extended permit tcp host cag host 172.18.2.53 eq 8080
access-list dmz_acl extended permit tcp host cag host 172.18.2.54 eq 8080
access-list dmz_acl extended permit tcp host cag host 172.18.2.55 eq 8080
access-list dmz_acl extended permit tcp host cag host 172.18.2.56 eq 8080
access-list dmz_acl extended permit tcp host cag host 172.18.2.57 eq 8080
access-list dmz_acl extended permit tcp host cag host 172.18.2.58 eq 8080
access-list dmz_acl extended permit tcp host cag host 172.18.2.51 eq citrix-ica
access-list dmz_acl extended permit tcp host cag host 172.18.2.52 eq citrix-ica
access-list dmz_acl extended permit tcp host cag host 172.18.2.53 eq citrix-ica
access-list dmz_acl extended permit tcp host cag host 172.18.2.54 eq citrix-ica
access-list dmz_acl extended permit tcp host cag host 172.18.2.55 eq citrix-ica
access-list dmz_acl extended permit tcp host cag host 172.18.2.56 eq citrix-ica
access-list dmz_acl extended permit tcp host cag host 172.18.2.57 eq citrix-ica
access-list dmz_acl extended permit tcp host cag host 172.18.2.58 eq citrix-ica
access-list dmz_acl extended permit tcp host cag host 172.18.2.51 eq 2598
access-list dmz_acl extended permit tcp host cag host 172.18.2.52 eq 2598
access-list dmz_acl extended permit tcp host cag host 172.18.2.53 eq 2598
access-list dmz_acl extended permit tcp host cag host 172.18.2.54 eq 2598
access-list dmz_acl extended permit tcp host cag host 172.18.2.55 eq 2598
access-list dmz_acl extended permit tcp host cag host 172.18.2.56 eq 2598
access-list dmz_acl extended permit tcp host cag host 172.18.2.57 eq 2598
access-list dmz_acl extended permit tcp host cag host 172.18.2.58 eq 2598
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any source-quench
access-list outside_acl extended permit tcp any host *.*213.100 eq https
access-list outside_acl extended permit tcp any host *.*213.99 eq smtp
access-list outside_acl extended permit tcp any host *.*213.99 eq pop3
access-list outside_acl extended permit tcp any host *.*213.120 eq citrix-ica
access-list outside_acl extended permit tcp any host *.*213.121 eq citrix-ica
access-list outside_acl extended permit tcp any host *.*213.122 eq citrix-ica
access-list outside_acl extended permit tcp any host *.*213.123 eq citrix-ica
access-list outside_acl extended permit tcp any host *.*213.124 eq citrix-ica
access-list outside_acl extended permit tcp any host *.*213.99 eq www
access-list outside_acl extended permit tcp any host *.*213.125 eq https
access-list outside_acl extended permit tcp any host *.*213.101 eq citrix-ica
access-list outside_acl extended permit tcp any host *.*213.102 eq citrix-ica
access-list outside_acl extended permit tcp any host *.*213.103 eq citrix-ica
access-list outside_acl extended permit tcp any host *.*213.104 eq citrix-ica
access-list outside_acl extended permit tcp any host *.*213.105 eq citrix-ica
access-list outside_acl extended permit tcp any host *.*213.106 eq citrix-ica
access-list outside_acl extended permit tcp any host *.*213.111 eq citrix-ica
access-list outside_acl extended permit tcp any host *.*213.112 eq citrix-ica
access-list outside_acl extended permit tcp any host *.*213.113 eq citrix-ica
access-list outside_acl extended permit tcp any host *.*213.116 eq citrix-ica
access-list outside_acl extended permit tcp any host *.*213.125 eq 3389
access-list outside_acl extended permit tcp any host *.*213.113 eq https
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface dmz
monitor-interface intf3
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
global (outside) 1 *.*213.108-*.*213.110 netmask 255.255.255.255
global (outside) 1 *.*213.107 netmask 255.255.255.255
global (dmz) 1 172.18.2.254 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 172.18.2.0 255.255.255.0
static (inside,outside) *.*213.99 172.17.2.19 netmask 255.255.255.255
static (inside,outside) *.*213.120 Citrix01 netmask 255.255.255.255
static (inside,outside) *.*213.121 Citrix02 netmask 255.255.255.255
static (inside,outside) *.*213.122 Citrix03 netmask 255.255.255.255
static (inside,outside) *.*213.123 Citrix04 netmask 255.255.255.255
static (inside,outside) *.*213.124 Citrix05 netmask 255.255.255.255
static (inside,outside) *.*213.101 Citrix1 netmask 255.255.255.255
static (inside,outside) *.*213.102 Citrix2 netmask 255.255.255.255
static (inside,outside) *.*213.103 Citrix3 netmask 255.255.255.255
static (inside,outside) *.*213.104 Citrix4 netmask 255.255.255.255
static (inside,outside) *.*213.105 Citrix5 netmask 255.255.255.255
static (inside,outside) *.*213.106 Citrix6 netmask 255.255.255.255
static (inside,outside) *.*213.111 Citrix7 netmask 255.255.255.255
static (inside,outside) *.*213.112 Citrix8 netmask 255.255.255.255
static (inside,outside) *.*213.116 Citrix10 netmask 255.255.255.255
static (inside,dmz) 172.18.2.10 Citrix01 netmask 255.255.255.255
static (inside,dmz) 172.18.2.11 Citrix02 netmask 255.255.255.255
static (inside,dmz) 172.18.2.12 Citrix03 netmask 255.255.255.255
static (inside,dmz) 172.18.2.13 Citrix04 netmask 255.255.255.255
static (inside,dmz) 172.18.2.14 Citrix05 netmask 255.255.255.255
static (inside,dmz) 172.18.2.50 Citrix1 netmask 255.255.255.255
static (inside,dmz) 172.18.2.51 Citrix2 netmask 255.255.255.255
static (inside,dmz) 172.18.2.52 Citrix3 netmask 255.255.255.255
static (inside,dmz) 172.18.2.53 Citrix4 netmask 255.255.255.255
static (inside,dmz) 172.18.2.54 Citrix5 netmask 255.255.255.255
static (inside,dmz) 172.18.2.55 Citrix6 netmask 255.255.255.255
static (inside,dmz) 172.18.2.56 Citrix7 netmask 255.255.255.255
static (inside,dmz) 172.18.2.57 Citrix8 netmask 255.255.255.255
static (inside,dmz) 172.18.2.58 Citrix9 netmask 255.255.255.255
static (inside,dmz) 172.18.2.59 Citrix10 netmask 255.255.255.255
static (inside,dmz) 172.18.2.20 172.17.2.45 netmask 255.255.255.255
static (inside,dmz) 172.18.2.21 172.17.2.46 netmask 255.255.255.255
static (dmz,outside) *.*213.100 Citrix-NFuse netmask 255.255.255.255
static (dmz,outside) *.*213.125 WEB-INT netmask 255.255.255.255
static (dmz,outside) *.*213.113 cag netmask 255.255.255.255
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 *.*213.97 1
route inside 172.17.0.0 255.255.0.0 172.17.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password ** encrypted
http server enable
http 172.17.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet 172.17.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
Cryptochecksum:**
****-pix#
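The post asks how to let the DMZ web server (cag, 172.18.2.4) reach the inside network. On a PIX 7.0, a packet entering the lower-security dmz interface and bound for inside needs two things: a translation that gives the inside host an address on the dmz side (the static (inside,dmz) lines) and a permit in the ACL applied "in" on dmz (dmz_acl) that matches the source and that mapped address. The script below is an added example, not part of the original post and not a Cisco tool; it parses an excerpt copied from the posted config and evaluates those two conditions, reporting which inside hosts cag can reach and why a given flow would be dropped. The port-name table, the host/any-only endpoint handling and the two-condition model are assumptions of the example (it ignores nat/global, object-groups, subnet ACEs and inspection).

```python
"""Model the two PIX 7.0 conditions for a dmz -> inside flow: a static (inside,dmz)
translation for the destination and a permit in the ACL applied 'in' on dmz."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Excerpt copied from the posted config (names, statics and the cag ACEs only).
PIX_CONFIG = """
name 172.17.2.28 Citrix01
name 172.17.2.100 Citrix1
name 172.18.2.4 cag
name 172.17.2.20 LDAPServer
access-list dmz_acl extended permit icmp any any
access-list dmz_acl extended permit tcp host cag host 172.18.2.50 eq 8080
access-list dmz_acl extended permit tcp host cag host 172.18.2.50 eq ldap
access-list dmz_acl extended permit tcp host cag host 172.18.2.20 eq ldap
access-list dmz_acl extended permit tcp host cag host 172.18.2.20 eq 3269
access-list dmz_acl extended permit tcp host cag host 172.18.2.21 eq 3269
static (inside,dmz) 172.18.2.10 Citrix01 netmask 255.255.255.255
static (inside,dmz) 172.18.2.50 Citrix1 netmask 255.255.255.255
static (inside,dmz) 172.18.2.20 172.17.2.45 netmask 255.255.255.255
static (inside,dmz) 172.18.2.21 172.17.2.46 netmask 255.255.255.255
access-group dmz_acl in interface dmz
"""

# Assumed service-name table (the PIX resolves these names internally).
PORT_NAMES = {"www": 80, "https": 443, "ldap": 389, "citrix-ica": 1494}


@dataclass
class Ace:
    proto: str
    src: str            # IP or "any"
    dst: str            # IP or "any"; for dmz_acl this is the dmz-visible (mapped) address
    port: Optional[int]


@dataclass
class PixPolicy:
    names: Dict[str, str] = field(default_factory=dict)
    statics: Dict[Tuple[str, str], Dict[str, str]] = field(default_factory=dict)  # (real_if, mapped_if) -> {mapped: real}
    acls: Dict[str, List[Ace]] = field(default_factory=dict)
    access_groups: Dict[str, str] = field(default_factory=dict)   # interface -> ACL name


def _parse_ace(pol: PixPolicy, rest: List[str]) -> Ace:
    """Parse 'tcp host A host B eq P' or 'icmp any any'; only host/any endpoints are modelled."""
    proto = rest.pop(0)

    def endpoint() -> str:
        kind = rest.pop(0)
        if kind == "host":
            raw = rest.pop(0)
            return pol.names.get(raw, raw)        # resolve a 'name' alias to its IP
        return "any"

    src, dst = endpoint(), endpoint()
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(proto, src, dst, port)


def parse_pix(text: str) -> PixPolicy:
    pol = PixPolicy()
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":                                  # name <ip> <alias>
            pol.names[tok[2]] = tok[1]
        elif tok[0] == "static":                              # static (real,mapped) <mapped> <real> ...
            real_if, mapped_if = re.match(r"\((\w+),(\w+)\)", tok[1]).groups()
            mapped = pol.names.get(tok[2], tok[2])
            real = pol.names.get(tok[3], tok[3])
            pol.statics.setdefault((real_if, mapped_if), {})[mapped] = real
        elif tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            pol.acls.setdefault(tok[1], []).append(_parse_ace(pol, tok[4:]))
        elif tok[0] == "access-group":                        # access-group <acl> in interface <if>
            pol.access_groups[tok[4]] = tok[1]
    return pol


def check_dmz_to_inside(pol: PixPolicy, src_ip: str, inside_ip: str,
                        proto: str = "tcp", port: Optional[int] = None):
    """Return (permitted, mapped_ip, reason) for a flow entering 'dmz' bound for inside_ip."""
    mapping = pol.statics.get(("inside", "dmz"), {})
    mapped = next((m for m, r in mapping.items() if r == inside_ip), None)
    if mapped is None:   # condition 1: without a static the inside host has no dmz-side address
        return False, None, "no static (inside,dmz) for %s: dmz hosts cannot address it" % inside_ip
    acl_name = pol.access_groups.get("dmz")
    for ace in pol.acls.get(acl_name, []):   # condition 2: the dmz inbound ACL must permit it
        if (ace.proto == proto and ace.src in ("any", src_ip)
                and ace.dst in ("any", mapped) and ace.port in (None, port)):
            return True, mapped, "permitted by %s" % acl_name
    return False, mapped, "%s has no ACE for %s -> %s %s/%s" % (acl_name, src_ip, mapped, proto, port)


def reachable_from(pol: PixPolicy, src_ip: str):
    """Every (inside_ip, proto, port) that the dmz ACL plus the statics let src_ip reach."""
    mapping = pol.statics.get(("inside", "dmz"), {})
    out = set()
    for ace in pol.acls.get(pol.access_groups.get("dmz"), []):
        if ace.src not in ("any", src_ip):
            continue
        targets = list(mapping) if ace.dst == "any" else [ace.dst]
        for mapped in targets:
            if mapped in mapping:            # ACEs to untranslated dmz addresses reach nothing inside
                out.add((mapping[mapped], ace.proto, ace.port))
    return sorted(out, key=str)


if __name__ == "__main__":
    policy = parse_pix(PIX_CONFIG)
    cag, ldap_server = policy.names["cag"], policy.names["LDAPServer"]
    print(check_dmz_to_inside(policy, cag, ldap_server, "tcp", 389))
    for entry in reachable_from(policy, cag):
        print(entry)
```

Run against the excerpt, the report shows that cag's LDAP ACE to 172.18.2.20 lands on 172.17.2.45 (the static for that mapped address), while the host named LDAPServer (172.17.2.20) has no static (inside,dmz) entry at all, so no ACE can make it reachable from the DMZ; both conditions have to be satisfied for each inside host you want the web server to reach.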
This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:49 GMT-3