Re: PIX 515e Config

From: johnsheahan@charter.net
Date: Sat Oct 01 2005 - 22:05:05 GMT-3


you need to add:

static (inside,dmz) 172.17.2.0 172.17.2.0 netmask 255.255.255.0 0 0

This will allow the server on the dmz to come inside as long as you have a
rule on the dmz access-list to allow it as well.

----- Original Message -----
From: "Thanh Nguyen" <insist@insist.com.au>
To: <ccielab@groupstudy.com>
Sent: Saturday, October 01, 2005 8:41 PM
Subject: PIX 515e Config

> Hi
>
> Can some one please help me to config the pix 515e to allow traffic from
> webserver in dmz to allow access inside network.
>
> the webserver ip address is 172.18.2.4, inside network is 172.17.2.0
>
> PIX Version 7.0(1)
> names
> name 172.17.2.31 Citrix04
> name 172.17.2.30 Citrix03
> name 172.17.2.28 Citrix01
> name 172.17.2.32 Citrix05
> name 172.17.2.29 Citrix02
> name 172.18.2.2 Citrix-NFuse
> name 172.17.2.100 Citrix1
> name 172.17.2.101 Citrix2
> name 172.17.2.102 Citrix3
> name 172.17.2.103 Citrix4
> name 172.17.2.104 Citrix5
> name 172.17.2.105 Citrix6
> name 172.17.2.106 Citrix7
> name 172.17.2.107 Citrix8
> name 172.17.2.108 Citrix9
> name 172.17.2.109 Citrix10
> name 172.18.2.3 WEB-INT
> name 172.18.2.4 cag
> name 172.17.2.20 LDAPServer
> !
> interface Ethernet0
> nameif outside
> security-level 0
> ip address *.*213.98 255.255.255.224
> !
> interface Ethernet1
> nameif inside
> security-level 100
> ip address 172.17.2.2 255.255.255.0
> !
> interface Ethernet2
> nameif dmz
> security-level 15
> ip address 172.18.2.1 255.255.255.0
> !
> interface Ethernet3
> nameif intf3
> security-level 10
> no ip address
> !
> interface Ethernet4
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet5
> shutdown
> no nameif
> no security-level
> no ip address
> !
> enable password ** encrypted
> passwd ** encrypted
> hostname ****-pix
> domain-name ****.org
> boot system flash:/image.bin
> ftp mode passive
> access-list dmz_acl extended permit icmp any any
> access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.10 eq www
> access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.10 eq 8081
> access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.10 eq citrix-ica
> access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.11 eq www
> access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.11 eq 8081
> access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.11 eq citrix-ica
> access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.12 eq www
> access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.12 eq 8081
> access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.12 eq citrix-ica
> access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.13 eq www
> access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.13 eq 8081
> access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.13 eq citrix-ica
> access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.14 eq www
> access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.14 eq 8081
> access-list dmz_acl extended permit tcp host Citrix-NFuse host 172.18.2.14 eq citrix-ica
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.50 eq www
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.50 eq citrix-ica
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.51 eq www
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.51 eq citrix-ica
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.52 eq www
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.52 eq citrix-ica
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.53 eq www
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.53 eq citrix-ica
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.54 eq www
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.54 eq citrix-ica
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.55 eq www
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.55 eq citrix-ica
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.56 eq www
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.56 eq citrix-ica
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.57 eq www
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.57 eq citrix-ica
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.58 eq www
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.58 eq citrix-ica
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.59 eq www
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.59 eq citrix-ica
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.50 eq 8080
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.51 eq 8080
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.52 eq 8080
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.53 eq 8080
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.54 eq 8080
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.55 eq 8080
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.56 eq 8080
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.57 eq 8080
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.58 eq 8080
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.59 eq 8080
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.50 eq 3389
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.51 eq 3389
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.52 eq 3389
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.53 eq 3389
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.54 eq 3389
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.55 eq 3389
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.56 eq 3389
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.57 eq 3389
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.58 eq 3389
> access-list dmz_acl extended permit tcp host WEB-INT host 172.18.2.59 eq 3389
> access-list dmz_acl extended permit tcp host cag host 172.18.2.50 eq 8080
> access-list dmz_acl extended permit tcp host cag host 172.18.2.50 eq ldap
> access-list dmz_acl extended permit tcp host cag host 172.18.2.50 eq 3269
> access-list dmz_acl extended permit tcp host cag host 172.18.2.50 eq 2598
> access-list dmz_acl extended permit tcp host cag host 172.18.2.50 eq citrix-ica
> access-list dmz_acl extended permit tcp host cag host 172.18.2.20 eq ldap
> access-list dmz_acl extended permit tcp host cag host 172.18.2.20 eq 3269
> access-list dmz_acl extended permit tcp host cag host 172.18.2.21 eq 3269
> access-list dmz_acl extended permit tcp host cag host 172.18.2.51 eq 8080
> access-list dmz_acl extended permit tcp host cag host 172.18.2.52 eq 8080
> access-list dmz_acl extended permit tcp host cag host 172.18.2.53 eq 8080
> access-list dmz_acl extended permit tcp host cag host 172.18.2.54 eq 8080
> access-list dmz_acl extended permit tcp host cag host 172.18.2.55 eq 8080
> access-list dmz_acl extended permit tcp host cag host 172.18.2.56 eq 8080
> access-list dmz_acl extended permit tcp host cag host 172.18.2.57 eq 8080
> access-list dmz_acl extended permit tcp host cag host 172.18.2.58 eq 8080
> access-list dmz_acl extended permit tcp host cag host 172.18.2.51 eq citrix-ica
> access-list dmz_acl extended permit tcp host cag host 172.18.2.52 eq citrix-ica
> access-list dmz_acl extended permit tcp host cag host 172.18.2.53 eq citrix-ica
> access-list dmz_acl extended permit tcp host cag host 172.18.2.54 eq citrix-ica
> access-list dmz_acl extended permit tcp host cag host 172.18.2.55 eq citrix-ica
> access-list dmz_acl extended permit tcp host cag host 172.18.2.56 eq citrix-ica
> access-list dmz_acl extended permit tcp host cag host 172.18.2.57 eq citrix-ica
> access-list dmz_acl extended permit tcp host cag host 172.18.2.58 eq citrix-ica
> access-list dmz_acl extended permit tcp host cag host 172.18.2.51 eq 2598
> access-list dmz_acl extended permit tcp host cag host 172.18.2.52 eq 2598
> access-list dmz_acl extended permit tcp host cag host 172.18.2.53 eq 2598
> access-list dmz_acl extended permit tcp host cag host 172.18.2.54 eq 2598
> access-list dmz_acl extended permit tcp host cag host 172.18.2.55 eq 2598
> access-list dmz_acl extended permit tcp host cag host 172.18.2.56 eq 2598
> access-list dmz_acl extended permit tcp host cag host 172.18.2.57 eq 2598
> access-list dmz_acl extended permit tcp host cag host 172.18.2.58 eq 2598
> access-list inbound extended permit icmp any any unreachable
> access-list inbound extended permit icmp any any time-exceeded
> access-list inbound extended permit icmp any any echo-reply
> access-list inbound extended permit icmp any any source-quench
> access-list outside_acl extended permit tcp any host *.*213.100 eq https
> access-list outside_acl extended permit tcp any host *.*213.99 eq smtp
> access-list outside_acl extended permit tcp any host *.*213.99 eq pop3
> access-list outside_acl extended permit tcp any host *.*213.120 eq citrix-ica
> access-list outside_acl extended permit tcp any host *.*213.121 eq citrix-ica
> access-list outside_acl extended permit tcp any host *.*213.122 eq citrix-ica
> access-list outside_acl extended permit tcp any host *.*213.123 eq citrix-ica
> access-list outside_acl extended permit tcp any host *.*213.124 eq citrix-ica
> access-list outside_acl extended permit tcp any host *.*213.99 eq www
> access-list outside_acl extended permit tcp any host *.*213.125 eq https
> access-list outside_acl extended permit tcp any host *.*213.101 eq citrix-ica
> access-list outside_acl extended permit tcp any host *.*213.102 eq citrix-ica
> access-list outside_acl extended permit tcp any host *.*213.103 eq citrix-ica
> access-list outside_acl extended permit tcp any host *.*213.104 eq citrix-ica
> access-list outside_acl extended permit tcp any host *.*213.105 eq citrix-ica
> access-list outside_acl extended permit tcp any host *.*213.106 eq citrix-ica
> access-list outside_acl extended permit tcp any host *.*213.111 eq citrix-ica
> access-list outside_acl extended permit tcp any host *.*213.112 eq citrix-ica
> access-list outside_acl extended permit tcp any host *.*213.113 eq citrix-ica
> access-list outside_acl extended permit tcp any host *.*213.116 eq citrix-ica
> access-list outside_acl extended permit tcp any host *.*213.125 eq 3389
> access-list outside_acl extended permit tcp any host *.*213.113 eq https
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> mtu intf3 1500
> no failover
> monitor-interface outside
> monitor-interface inside
> monitor-interface dmz
> monitor-interface intf3
> asdm image flash:/pdm
> no asdm history enable
> arp timeout 14400
> global (outside) 1 *.*213.108-*.*213.110 netmask 255.255.255.255
> global (outside) 1 *.*213.107 netmask 255.255.255.255
> global (dmz) 1 172.18.2.254 netmask 255.255.255.255
> nat (inside) 1 0.0.0.0 0.0.0.0
> nat (dmz) 1 172.18.2.0 255.255.255.0
> static (inside,outside) *.*213.99 172.17.2.19 netmask 255.255.255.255
> static (inside,outside) *.*213.120 Citrix01 netmask 255.255.255.255
> static (inside,outside) *.*213.121 Citrix02 netmask 255.255.255.255
> static (inside,outside) *.*213.122 Citrix03 netmask 255.255.255.255
> static (inside,outside) *.*213.123 Citrix04 netmask 255.255.255.255
> static (inside,outside) *.*213.124 Citrix05 netmask 255.255.255.255
> static (inside,outside) *.*213.101 Citrix1 netmask 255.255.255.255
> static (inside,outside) *.*213.102 Citrix2 netmask 255.255.255.255
> static (inside,outside) *.*213.103 Citrix3 netmask 255.255.255.255
> static (inside,outside) *.*213.104 Citrix4 netmask 255.255.255.255
> static (inside,outside) *.*213.105 Citrix5 netmask 255.255.255.255
> static (inside,outside) *.*213.106 Citrix6 netmask 255.255.255.255
> static (inside,outside) *.*213.111 Citrix7 netmask 255.255.255.255
> static (inside,outside) *.*213.112 Citrix8 netmask 255.255.255.255
> static (inside,outside) *.*213.116 Citrix10 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.10 Citrix01 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.11 Citrix02 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.12 Citrix03 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.13 Citrix04 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.14 Citrix05 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.50 Citrix1 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.51 Citrix2 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.52 Citrix3 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.53 Citrix4 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.54 Citrix5 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.55 Citrix6 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.56 Citrix7 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.57 Citrix8 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.58 Citrix9 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.59 Citrix10 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.20 172.17.2.45 netmask 255.255.255.255
> static (inside,dmz) 172.18.2.21 172.17.2.46 netmask 255.255.255.255
> static (dmz,outside) *.*213.100 Citrix-NFuse netmask 255.255.255.255
> static (dmz,outside) *.*213.125 WEB-INT netmask 255.255.255.255
> static (dmz,outside) *.*213.113 cag netmask 255.255.255.255
> access-group outside_acl in interface outside
> access-group dmz_acl in interface dmz
> route outside 0.0.0.0 0.0.0.0 *.*213.97 1
> route inside 172.17.0.0 255.255.0.0 172.17.2.1 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> username admin password ** encrypted
> http server enable
> http 172.17.0.0 255.255.0.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp
> telnet 172.17.0.0 255.255.0.0 inside
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> Cryptochecksum:**
> ****-pix#
>
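A small model of the two conditions the reply names for a DMZ-to-inside flow on this PIX 7.0 box (a `static (inside,dmz)` covering the destination, plus a matching `dmz_acl` permit), as an added example that is not part of the thread. It parses constructed lines in the syntax of the posted config: one static from the original, the identity static from the reply with a 255.255.255.0 mask so the whole 172.17.2.0 network is covered, and two entries for host cag (172.18.2.4), of which the LDAPServer (172.17.2.20) line is hypothetical; pre-8.3 behaviour (ACL matched on the mapped address, translation required) is simplified.

```python
import ipaddress
import re

# Constructed excerpt in the syntax of the posted PIX 7.0 config. The identity
# static uses a /24 mask so every inside host is covered, not just 172.17.2.0.
# The dmz_acl line for 172.17.2.20 (LDAPServer) is hypothetical.
CONFIG = """
static (inside,dmz) 172.18.2.20 172.17.2.45 netmask 255.255.255.255
static (inside,dmz) 172.17.2.0 172.17.2.0 netmask 255.255.255.0
access-list dmz_acl extended permit tcp host 172.18.2.4 host 172.18.2.20 eq ldap
access-list dmz_acl extended permit tcp host 172.18.2.4 host 172.17.2.20 eq ldap
"""
PORTS = {"www": 80, "ldap": 389, "https": 443, "citrix-ica": 1494}
STATIC = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL = re.compile(r"access-list (\S+) extended (permit|deny) (\w+) host (\S+) host (\S+) eq (\S+)")

def parse_statics(config):
    """[(real_if, mapped_if, mapped_net, real_net)]; PIX word order is
    static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask."""
    out = []
    for real_if, mapped_if, mapped, real, mask in STATIC.findall(config):
        out.append((real_if, mapped_if,
                    ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
                    ipaddress.ip_network(f"{real}/{mask}", strict=False)))
    return out

def parse_acl(config, name):
    """[(action, proto, src, dst, port)] for one named ACL (host entries only)."""
    return [(a, p, ipaddress.ip_address(s), ipaddress.ip_address(d), PORTS.get(port) or int(port))
            for n, a, p, s, d, port in ACL.findall(config) if n == name]

def untranslate(dst, statics, mapped_if="dmz", real_if="inside"):
    """Map a destination as the DMZ sees it back to the real inside address."""
    for rif, mif, mapped_net, real_net in statics:
        if rif == real_if and mif == mapped_if and dst in mapped_net:
            offset = int(dst) - int(mapped_net.network_address)
            return ipaddress.ip_address(int(real_net.network_address) + offset)
    return None  # no static covers it: not reachable from the DMZ

def dmz_to_inside(src, dst, proto, port, config=CONFIG):
    """Simplified pre-8.3 check: dmz_acl is matched on the mapped destination
    and a static must also cover it; either one missing blocks the flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    real = untranslate(dst, parse_statics(config))
    if real is None:
        return False, "no static (inside,dmz) covers %s" % dst
    for action, p, s, d, prt in parse_acl(config, "dmz_acl"):
        if p == proto and s == src and d == dst and prt == port:
            return action == "permit", "%s -> real %s" % (action, real)
    return False, "no dmz_acl match, implicit deny"
```

Swapping the identity static's mask back to 255.255.255.255 makes the 172.17.2.20 flow fail at the translation step, which is the symptom a /32 on a network address produces.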



This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:49 GMT-3