Security Forums
configuration PIX access

Networking/Security Forums Index -> Firewalls // Intrusion Detection - External Security
Paulius
Just Arrived
Joined: 19 Oct 2006
Posts: 0

Posted: Thu Oct 19, 2006 4:26 pm    Post subject: configuration PIX access
Hello friends,

I have a question about a network.

There is LAN1 - MPLS - LAN2 (has a PIX firewall) - Internet.

The problem is how to configure the Cisco PIX; LAN1 must be able to use the Internet.

There is no firewall on LAN1.

There is a PIX firewall on LAN2.

The MPLS network has a default route to the Cisco PIX.

LAN1 has network 172.22.1.0

LAN2 has network 172.20.0.0

I am using only conduit and outbound commands.

Thank you

Sgt_B
Trusted SF Member
Joined: 28 Oct 2002
Posts: 16777215
Location: Chicago, IL US

Posted: Wed Oct 25, 2006 11:25 pm
As long as the PIX knows how to get to LAN1 (routing), you shouldn't have any problems.
Code:
route <LAN1 PIX interface> 172.22.1.0 255.255.255.0 <ip of LAN2 MPLS Router>

You may have to edit your NAT rules on the PIX, but other than that you should be ok.

segment
Just Arrived
Joined: 31 Oct 2006
Posts: 0

Posted: Tue Oct 31, 2006 1:21 pm    Post subject: Re: configuration PIX access
Paulius wrote:
Hello friends,

I have a question about a network.

There is LAN1 - MPLS - LAN2 (has a PIX firewall) - Internet.

The problem is how to configure the Cisco PIX; LAN1 must be able to use the Internet.

There is no firewall on LAN1.

There is a PIX firewall on LAN2.

The MPLS network has a default route to the Cisco PIX.

LAN1 has network 172.22.1.0

LAN2 has network 172.20.0.0

I am using only conduit and outbound commands.

Thank you


Here's a starting point. I suggest you Google "PIX How-To" or fiddle with your PIX in order to learn them.


access-list inside_in permit tcp 172.22.1.0 255.255.255.0 any eq 80
access-list inside_in permit tcp 172.22.1.0 255.255.255.0 any eq 443
access-list inside_in deny ip any any
access-group inside_in in interface inside

outbound 20 permit 0.0.0.0 0.0.0.0 0
apply (inside) 20 outgoing_src

access-list outside_in remark drop packets arriving from outside with private or unroutable source addresses
access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in deny ip 224.0.0.0 224.0.0.0 any

access-list outside_in remark web and dns are placeholder host names; define them with the name command first
access-list outside_in permit tcp any host web eq http
access-list outside_in permit tcp any host dns eq domain
access-list outside_in permit udp any host dns eq domain

object-group icmp-type icmp-outside-in
  description assumed members: the ICMP replies inside hosts need to receive
  icmp-object echo-reply
  icmp-object unreachable
  icmp-object time-exceeded
access-list outside_in permit icmp any any object-group icmp-outside-in

access-list outside_in deny ip any any
access-group outside_in in interface outside

riyaz145
Just Arrived
Joined: 21 Apr 2004
Posts: 0
Location: India

Posted: Tue Nov 07, 2006 10:31 am
access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in deny ip 224.0.0.0 224.0.0.0 any


I guess this part is not required, as by default inbound access would be restricted for the above-mentioned network addresses, and you don't need to deny them explicitly.

The route command, conduits and ACLs should pretty much allow LAN1 to reach the Internet.

Sgt_B
Trusted SF Member
Joined: 28 Oct 2002
Posts: 16777215
Location: Chicago, IL US

Posted: Wed Nov 08, 2006 11:26 pm
riyaz145 wrote:
I guess this part is not required, as by default inbound access would be restricted for the above-mentioned network addresses, and you don't need to deny them explicitly.

You're right, it's not necessary to explicitly deny these addresses, as the explicit or implicit deny at the end of the ACL will drop those packets. It is, however, common practice to add those source networks at the beginning of an "external ACL". This allows the firewall to drop bogus source addresses (bogons) early in the ACL, which can speed things up if a more complex ACL is in use.

Also, please refrain from using or advising others to use the conduit and outbound commands. While these commands are still available in the 6.x series, they have been removed from 7.x. Please use access-lists in order to permit and deny access across interfaces.
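The access-list lines posted by segment, and the exchange above about whether the explicit bogon denies are needed, both come down to how a PIX ACL is evaluated: first matching line wins, and an implicit `deny ip any any` sits at the end. The following is an added example, not code from the thread or from Cisco: a small evaluator that parses the posted `access-list NAME permit|deny PROTO SRC MASK DST MASK [eq PORT]` lines and reports which line decided each sample packet. It assumes the inside ACL is kept under one name (`inside_in`), that `web` and `dns` resolve through constructed `name` entries (the `NAMES` table), and it shows what the `permit tcp any host web eq http` line matches once the bogon denies are taken out.

```python
"""Added example (not from the thread): first-match evaluator for PIX-style ACL lines."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the PIX `name` entries the posted config relies on.
NAMES = {"web": "172.20.0.10", "dns": "172.20.0.53"}
SERVICES = {"http": 80, "www": 80, "https": 443, "domain": 53}

# The posted configuration, with the inside ACL under one name (inside_in).
# Non-rule lines (remark, access-group) are included to show they are skipped.
CONFIG = """
access-list inside_in permit tcp 172.22.1.0 255.255.255.0 any eq 80
access-list inside_in permit tcp 172.22.1.0 255.255.255.0 any eq 443
access-list inside_in deny ip any any
access-group inside_in in interface inside
access-list outside_in remark bogon filter ahead of the permits
access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in deny ip 224.0.0.0 224.0.0.0 any
access-list outside_in permit tcp any host web eq http
access-list outside_in permit tcp any host dns eq domain
access-list outside_in permit udp any host dns eq domain
access-list outside_in deny ip any any
access-group outside_in in interface outside
"""


@dataclass
class Rule:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _address(tokens):
    """Consume one address spec (any | host X | ADDR MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(NAMES.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    addr = NAMES.get(tokens[0], tokens[0])
    # PIX writes dotted netmasks; ipaddress accepts "addr/netmask" directly.
    return ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False), tokens[2:]


def parse_rule(line):
    """Return a Rule for an access-list permit/deny line, or None for anything else."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    src, rest = _address(t[4:])
    dst, rest = _address(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = SERVICES.get(rest[1]) or int(rest[1])
    return Rule(t[1], t[2], t[3], src, dst, dport)


def parse_config(text):
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def evaluate(rules, acl, proto, src, dst, dport=None):
    """First match wins; returns (action, rule index), or ('deny', None) for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r.acl != acl or r.proto not in ("ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "deny", None


def without_bogon_denies(rules):
    """Drop the deny lines that name a specific source block (the lines riyaz145 asked about)."""
    return [r for r in rules if not (r.action == "deny" and r.src.prefixlen > 0)]


RULES = parse_config(CONFIG)

if __name__ == "__main__":
    samples = [  # constructed packets: (acl, proto, src, dst, dst port)
        ("inside_in", "tcp", "172.22.1.5", "203.0.113.9", 443),   # LAN1 host browsing HTTPS
        ("inside_in", "tcp", "172.22.1.5", "203.0.113.9", 22),    # LAN1 host trying SSH out
        ("outside_in", "tcp", "198.51.100.7", NAMES["web"], 80),  # Internet client to web server
        ("outside_in", "tcp", "10.1.2.3", NAMES["web"], 80),      # RFC 1918 source arriving from outside
    ]
    for acl, proto, s, d, p in samples:
        print(acl, proto, s, "->", f"{d}:{p}", evaluate(RULES, acl, proto, s, d, p))
    print("same 10.1.2.3 packet with the bogon lines removed:",
          evaluate(without_bogon_denies(RULES), "outside_in", "tcp", "10.1.2.3", NAMES["web"], 80))
```

Running it shows the LAN1 HTTPS packet permitted by line 1, the SSH attempt stopped by the inside ACL's own `deny ip any any`, and the packet with a 10.x source dropped by the bogon line (index 4) before the `permit tcp any host web eq http` line is consulted; with the bogon lines removed, that same packet is matched by the `any` permit instead, which is why those lines do more than save CPU on a long ACL.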