Configuration Help PIX 515

Discussion in 'Cisco' started by yaniv, Mar 2, 2010.

    Hi
    This is the first PIX I have to administer.

    I want to forward ports 80 and 443 from the outside to this server:
    name 10.69.1.3 KrSrv3

    I have tried these new lines.
    They work, but they conflict with my existing configuration and kill my VPN access.

    access-list Exchange permit tcp any any eq www
    static (inside,outside) tcp interface www KrSrv3 www
    access-group Exchange in interface outside

    This is my current configuration.
    Thank you.
    Code:
    Building configuration...
    : Saved
    :
    PIX Version 6.3(3)
    : NOTE(review): PIX 6.x binds at most one inbound access-list per interface
    : with access-group. The proposed "access-group Exchange in interface outside"
    : would therefore replace "access-group acl_outside in interface outside"
    : (further down), and the VpnAdminLan/MspLan permits in acl_outside would stop
    : applying -- consistent with the reported loss of VPN access.
    : Suggested instead: add the web permits to the existing acl_outside, e.g.
    :   access-list acl_outside permit tcp any host 188.20.229.26 eq www
    :   access-list acl_outside permit tcp any host 188.20.229.26 eq https
    : (188.20.229.26 is the outside interface address from "ip address outside"
    : below; confirm the destination form this 6.3 build accepts), together with
    : the matching "static (inside,outside) tcp interface www/https KrSrv3 ..."
    : lines, and do not add a second access-group for the outside interface.
    : NOTE(review): KrSrv3 is a member of object-group DomainController (below);
    : exposing TCP 80/443 of a domain controller directly to the Internet is a
    : high-value target -- consider terminating the published service on a DMZ
    : host or at least verifying the server is hardened and patched first.
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmzside security10
    enable password ******** encrypted
    passwd ******* encrypted
    hostname pixfw
    domain-name *******
    no fixup protocol dns
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 10.69.1.0 HausLan
    name 192.168.10.0 DmzLan
    name 192.168.100.0 VpnAdminLan
    name 192.168.101.0 VpnUserLan
    name 193.110.94.32 DsaLan
    name 192.168.10.11 VirusWall
    name 10.69.1.1 KrSrv1
    name 10.69.1.2 KrSrv2
    name 10.69.1.93 Usv
    name 126.127.128.0 MspLan
    name 212.16.60.130 AmetaNet
    name 212.16.60.135 AmetaNet2
    name 10.69.1.3 KrSrv3
    name 188.20.229.25 Router
    name 188.20.229.27 MX
    object-group network DomainController
      network-object host KrSrv1
      network-object host KrSrv2
      network-object host KrSrv3
    object-group network AdminPcs
      network-object host KrSrv1
      network-object host KrSrv2
      network-object host 10.69.1.4
      network-object host KrSrv3
    object-group service UserServices tcp
      port-object eq 3128
      port-object eq https
      port-object eq ftp
      port-object eq 81
    object-group service AdmServicesTcp tcp
      port-object eq ssh
      port-object eq telnet
      port-object eq 1812
      port-object eq 10000
      port-object eq www
      port-object eq domain
      port-object eq 2301
      port-object eq 2381
      port-object eq smtp
      port-object eq 26
    object-group service AdmServicesUdp udp
      port-object eq domain
      port-object eq ntp
      port-object eq time
      port-object eq snmp
    object-group network EdiReal
      network-object host 212.16.60.140
    access-list acl_inside permit icmp any any
    access-list acl_inside permit tcp HausLan 255.255.255.0 host VirusWall object-group UserServices
    access-list acl_inside permit tcp object-group AdminPcs host VirusWall object-group AdmServicesTcp
    access-list acl_inside permit udp object-group AdminPcs host VirusWall object-group AdmServicesUdp
    access-list acl_inside permit tcp HausLan 255.255.255.0 any eq 3048
    access-list acl_inside permit tcp object-group AdminPcs host 193.80.48.89 object-group AdmServicesTcp
    access-list acl_inside permit ip host KrSrv2 host VirusWall
    access-list acl_inside permit tcp HausLan 255.255.255.0 host AmetaNet eq https
    access-list acl_inside permit tcp HausLan 255.255.255.0 host AmetaNet eq www
    access-list acl_inside permit tcp HausLan 255.255.255.0 host AmetaNet2 eq https
    access-list acl_inside permit tcp HausLan 255.255.255.0 host AmetaNet2 eq www
    access-list acl_inside permit tcp host 10.69.1.104 host 62.116.68.195 eq pop3
    access-list acl_inside permit tcp host 10.69.1.104 host 62.116.68.196 eq smtp
    access-list acl_inside permit tcp host 10.69.1.110 object-group EdiReal
    access-list acl_inside deny ip any any
    access-list acl_dmzside permit icmp any any
    access-list acl_dmzside permit tcp host VirusWall host KrSrv1 eq smtp
    access-list acl_dmzside permit tcp host VirusWall host KrSrv3 eq smtp
    access-list acl_dmzside permit ip host VirusWall host KrSrv2
    access-list acl_dmzside deny ip DmzLan 255.255.255.0 HausLan 255.255.255.0
    : NOTE(review): the "permit ip any any" below makes the final deny on this
    : list unreachable. DMZ hosts are kept out of HausLan only; they are not
    : restricted from VpnAdminLan/VpnUserLan or the firewall's own addresses --
    : confirm that is intended, otherwise replace it with explicit permits.
    access-list acl_dmzside permit ip any any
    access-list acl_dmzside deny ip any any
    access-list acl_outside permit icmp any any echo-reply
    access-list acl_outside permit icmp any any time-exceeded
    access-list acl_outside permit tcp any host MX eq smtp
    access-list acl_outside permit ip MspLan 255.255.255.0 HausLan 255.255.255.0
    access-list acl_outside permit ip VpnAdminLan 255.255.255.0 HausLan 255.255.255.0
    access-list acl_outside permit ip VpnAdminLan 255.255.255.0 DmzLan 255.255.255.0
    access-list acl_outside permit tcp DsaLan 255.255.255.240 host MX eq ssh
    access-list acl_outside permit tcp DsaLan 255.255.255.240 host MX eq 1812
    access-list acl_outside permit tcp DsaLan 255.255.255.240 host MX eq 10000
    access-list acl_outside permit tcp DsaLan 255.255.255.240 host MX eq 81
    : NOTE(review): the "permit icmp any any" below makes the echo-reply and
    : time-exceeded permits at the top of this list redundant and admits every
    : ICMP type from the Internet; keep only the specific types that are needed.
    access-list acl_outside permit icmp any any
    access-list acl_outside deny ip any any
    access-list no_nat_inside permit ip HausLan 255.255.255.0 DmzLan 255.255.255.0
    access-list no_nat_inside permit ip HausLan 255.255.255.0 MspLan 255.255.255.0
    access-list no_nat_inside permit ip HausLan 255.255.255.0 VpnAdminLan 255.255.255.0
    access-list no_nat_dmzside permit ip DmzLan 255.255.255.0 VpnAdminLan 255.255.255.0
    access-list outside_cryptomap_40 permit ip HausLan 255.255.255.0 MspLan 255.255.255.0
    access-list acl_vpn_splittunnel permit ip HausLan 255.255.255.0 any
    access-list acl_vpn_splittunnel permit ip DmzLan 255.255.255.0 any
    pager lines 500
    logging on
    logging trap warnings
    logging history notifications
    logging facility 23
    logging host dmzside VirusWall
    mtu outside 1500
    mtu inside 1500
    mtu dmzside 1500
    ip address outside 188.20.229.26 255.255.0.0
    ip address inside 10.69.1.92 255.255.255.0
    ip address dmzside 192.168.10.92 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VpnAdminPool 192.168.100.1-192.168.100.254
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list no_nat_inside
    nat (inside) 1 HausLan 255.255.255.0 0 0
    nat (dmzside) 0 access-list no_nat_dmzside
    nat (dmzside) 1 DmzLan 255.255.255.0 0 0
    static (dmzside,outside) MX VirusWall netmask 255.255.255.255 0 0
    : NOTE(review): no "sysopt connection permit-ipsec" appears in this config, so
    : decrypted VPN traffic is presumably filtered by acl_outside (the VpnAdminLan
    : and MspLan permits above) -- which is why replacing the outside
    : access-group binding below breaks the VPN. Add new rules to acl_outside
    : rather than binding a second list to the outside interface.
    access-group acl_outside in interface outside
    access-group acl_inside in interface inside
    access-group acl_dmzside in interface dmzside
    route outside 0.0.0.0 0.0.0.0 Router 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http KrSrv1 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    : NOTE(review): "public" is the well-known default read community; change it
    : to a non-default value. No snmp-server host is configured, which presumably
    : means no manager is permitted to poll -- confirm before relying on that.
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    : NOTE(review): 3DES with MD5 HMAC and DH group 2 are weak by current
    : standards; move the site-to-site peer and the client group to stronger
    : transform sets and isakmp policies once the peers support them.
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 199 set transform-set ESP-3DES-MD5
    crypto map outside_map 40 ipsec-isakmp
    crypto map outside_map 40 match address outside_cryptomap_40
    crypto map outside_map 40 set peer 193.110.94.42
    crypto map outside_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 199 ipsec-isakmp dynamic dynmap
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 193.110.94.42 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash md5
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 28800
    isakmp policy 199 authentication pre-share
    isakmp policy 199 encryption 3des
    isakmp policy 199 hash md5
    isakmp policy 199 group 2
    isakmp policy 199 lifetime 86400
    vpngroup kramas-admin-clients address-pool VpnAdminPool
    vpngroup kramas-admin-clients dns-server KrSrv1
    vpngroup kramas-admin-clients wins-server KrSrv1
    vpngroup kramas-admin-clients default-domain karmas.at
    vpngroup kramas-admin-clients split-tunnel acl_vpn_splittunnel
    vpngroup kramas-admin-clients idle-time 3600
    vpngroup kramas-admin-clients password ********
    : NOTE(review): telnet management is cleartext, even from the inside LAN;
    : ssh is already enabled for DsaLan, so consider permitting ssh from HausLan
    : and removing the telnet line.
    telnet HausLan 255.255.255.0 inside
    telnet timeout 5
    ssh DsaLan 255.255.255.240 outside
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:83df8ffeba6df11760053e3b5bff7bca
     
    yaniv, Mar 2, 2010
