Pix 501 enable web traffic

Discussion in 'Cisco' started by oretech, Jul 18, 2007.

  1. oretech (Joined: Jul 18, 2007; Messages: 5; Location: oregon)

    I'm taking over a PIX 501 that I've been told doesn't have web traffic and email enabled. It's been working for VPN connections and remote access, but not for everyday internet usage. I need it to allow web traffic and email as well as the VPN/remote access. I used password recovery to access the configuration, and here's the running config:

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd gBjs7N0lKmWs8qJD encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    clock timezone PST -8
    clock summer-time PDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 172.xxx.xxx.252 siteXXXX
    name 172.xxx.xxx.59 dedicatedworkstation
    object-group service RDesktop tcp-udp
    port-object range 3389 3389
    access-list outside_access_in permit tcp any host 68.xxx.xxx.250 eq 3389
    access-list inside_outbond_nat0_acl permit ip any host dedicatedworkstation
    access-list inbound permit tcp any host 68.xxx.xxx.250 object-group RDesktop
    access-list inside_access_in permit ip any any
    access-list inside_outbound_nat0_acl permit ip any 172.xxx.xxx.224 255.255.255.240

    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 68.xxx.xxx.250 255.255.255.252
    ip address inside 172.xxx.xxx.251 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool smallpool 172.xxx.xxx.230-172.xxx.xxx.235
    pdm location site96srv 255.255.255.255 inside
    pdm location 172.xxx.xxx.252 255.255.255.255 inside
    pdm location 198.xxx.xxx.0 255.255.255.0 outside
    pdm location 172.xxx.xxx.224 255.255.255.240 outside
    pdm location 65.xxx.xxx.216 255.255.255.255 outside
    pdm location dedicatedworkstation 255.255.255.255 inside
    pdm location 65.xxx.xxx.175 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
    static (inside,outside) tcp 68.xxx.xxx.250 3389 dedicatedworkstation 3389 netmask 255.255.255.255 0 0
    access-group inbound in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 68.xxx.xxx.249 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 198.xxx.xxx.0 255.255.255.0 outside
    http 65.xxx.xxx.175 255.255.255.255 outside
    http 172.xxx.xxx.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
    isakmp enable outside
    isakmp nat-traversal 20
    telnet timeout 5
    ssh 198.xxx.xxx.0 255.255.255.0 outside
    ssh 172.xxx.xxx.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication pap
    vpdn group PPTP-VPDN-GROUP ppp authentication chap
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
    vpdn group PPTP-VPDN-GROUP client configuration address local smallpool
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username sitexxxx password *********
    vpdn enable outside
    dhcpd address sitexxxx-172.xxx.xxx.254 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    username admin password rI/q74VpsXRiswkc encrypted privilege 15
    terminal width 80
    Cryptochecksum:e4ce041c3c9f7517a1bbe13af3d5e07b
    : end



    Is the following what needs to be added?

    access-list outbound permit tcp any any eq www
    access-list outbound permit tcp any any eq ftp
    access-list outbound permit tcp any any eq domain
    access-list outbound permit tcp any any eq https
    access-list outbound permit udp any any eq domain

    If so, can this be done through the PDM?

    Any help would be greatly appreciated.
    oretech, Jul 18, 2007
    #1
  2. oretech (Joined: Jul 18, 2007; Messages: 5; Location: oregon)

    I just got hold of the guy who tried to get this up and running before it was handed over to me. He said that when the site96srv (172.xxx.xxx.252) went through the PIX it was able to access the internet, but when the client workstations had their gateway configured to 172.xxx.xxx.251 (the router's IP) they weren't able to reach the internet or email.
    The site96srv is the VPN host and is named in the following part of the configuration:

    names
    name 172.xxx.xxx.252 site96srv
    name 172.xxx.xxx.59 dedicatedworkstation
    object-group service RDesktop tcp-udp
    port-object range 3389 3389

    What do I need to add to allow the other workstations the same access as the site96srv?

    Help please.
    oretech, Jul 19, 2007
    #2
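Both posts above come down to the same question: does the posted PIX 6.3 configuration already permit and translate outbound traffic from the inside network, and would the proposed `access-list outbound` lines change anything? The script below is an added example (not from the thread, not Cisco code): a small static checker that reads the access-list, access-group, nat, global and management-access lines copied from the posted running config (addresses masked exactly as the poster masked them) and reports, from a defender's point of view, ACLs that are defined but never bound by `access-group` or referenced by `nat 0`, names that look like typos of a referenced ACL, `nat` ids with no matching `global`, whether the ACL bound to the inside interface permits everything, and management services reachable from the outside interface or a default SNMP community. The tokenising is deliberately simple (whitespace-split lines) and covers only the statement forms that appear in the post.

```python
"""Static sanity checks over PIX 6.3 config lines (added example, not from the thread)."""
import difflib
from collections import defaultdict

# Lines copied from the running config posted in the thread, addresses masked as posted.
POSTED_CONFIG = """\
access-list outside_access_in permit tcp any host 68.xxx.xxx.250 eq 3389
access-list inside_outbond_nat0_acl permit ip any host dedicatedworkstation
access-list inbound permit tcp any host 68.xxx.xxx.250 object-group RDesktop
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip any 172.xxx.xxx.224 255.255.255.240
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
access-group inbound in interface outside
access-group inside_access_in in interface inside
http server enable
http 198.xxx.xxx.0 255.255.255.0 outside
http 65.xxx.xxx.175 255.255.255.255 outside
http 172.xxx.xxx.0 255.255.255.0 inside
snmp-server community public
ssh 198.xxx.xxx.0 255.255.255.0 outside
ssh 172.xxx.xxx.0 255.255.255.0 inside
ssh timeout 5
"""

# The outbound ACL the poster asked about, exactly as written in the first post.
PROPOSED_OUTBOUND_ACL = """\
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq ftp
access-list outbound permit tcp any any eq domain
access-list outbound permit tcp any any eq https
access-list outbound permit udp any any eq domain
"""


def parse(config):
    """Pull out the statements the checks need; every other line is ignored."""
    st = {"acls": defaultdict(list), "bound": {}, "nat0": set(),
          "nat_ids": set(), "global_ids": set(), "mgmt": [], "snmp": []}
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) > 2:          # access-list NAME <entry>
            st["acls"][t[1]].append(t[2:])
        elif t[0] == "access-group" and len(t) == 5:      # access-group NAME in interface IFACE
            st["bound"][t[4]] = t[1]
        elif t[0] == "nat" and len(t) >= 3:
            if t[2] == "0" and len(t) >= 5 and t[3] == "access-list":
                st["nat0"].add(t[4])                      # identity NAT selected by an ACL
            elif t[2] != "0":
                st["nat_ids"].add(t[2])                   # nat (IFACE) ID ...
        elif t[0] == "global" and len(t) >= 3:
            st["global_ids"].add(t[2])                    # global (IFACE) ID ...
        elif t[0] in ("http", "ssh", "telnet") and len(t) == 4:  # SERVICE NET MASK IFACE
            st["mgmt"].append((t[0], t[1], t[2], t[3]))
        elif t[:2] == ["snmp-server", "community"] and len(t) >= 3:
            st["snmp"].append(t[2])
    return st


def check(config):
    """Return findings as plain data so they can be asserted on or printed."""
    st = parse(config)
    referenced = set(st["bound"].values()) | st["nat0"]
    unreferenced = sorted(set(st["acls"]) - referenced)
    # An unreferenced ACL whose name is one edit away from a referenced one is probably a typo.
    typos = {}
    for name in unreferenced:
        close = difflib.get_close_matches(name, referenced, n=1, cutoff=0.9)
        if close:
            typos[name] = close[0]
    inside_acl = st["bound"].get("inside")
    permits_any = any(e[:4] == ["permit", "ip", "any", "any"]
                      for e in st["acls"].get(inside_acl, []))
    return {
        "unreferenced_acls": unreferenced,
        "likely_typos": typos,
        "dangling_references": sorted(referenced - set(st["acls"])),
        "inside_permits_any": permits_any,
        "nat_without_global": sorted(st["nat_ids"] - st["global_ids"]),
        "outside_management": [m for m in st["mgmt"] if m[3] == "outside"],
        "default_snmp_communities": [c for c in st["snmp"] if c in ("public", "private")],
    }


if __name__ == "__main__":
    for key, value in check(POSTED_CONFIG).items():
        print(f"{key}: {value}")
    # Appending the proposed ACL without an access-group just adds another unbound ACL.
    print("with proposed ACL appended:",
          check(POSTED_CONFIG + PROPOSED_OUTBOUND_ACL)["unreferenced_acls"])
```

On the posted lines the checker reports that `inside_access_in` (permit ip any any) is bound to the inside interface and that `nat (inside) 1` has its matching `global (outside) 1`, that `outside_access_in` and `inside_outbond_nat0_acl` are defined but never bound or referenced (the latter one letter away from the `inside_outbound_nat0_acl` that `nat 0` actually uses), and that HTTP and SSH management are permitted from outside-facing networks with the default `public` SNMP community configured. Appending the five proposed `access-list outbound` lines on their own adds a sixth unreferenced ACL, since an ACL on this platform only takes effect once an `access-group` binds it to an interface.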