PIX 515E Firewall

Discussion in 'Cisco' started by graeme.hendry@whitehallsystems.com, Jan 12, 2005.

  1. Guest

    We currently have a Cisco PIX 515E Firewall. We were having problems
    with the old one so had to replace it. Now we are having trouble
    configuring it so that people can access the net etc. What correct
    access rules and translation rules should be applied so that this can
    happen ? The details of the internal/external interface are listed
    below.

    Interface 1 (Internal): Security level 100
    This interface connects with the 192.168.0.x network

    Interface 2 (External): Security level 0
    This interface is assigned the address 217.218.219.1
    Many thanks in advance
     
    , Jan 12, 2005
    #1

  2. Mike W. Guest

    <> wrote in message
    news:...
    > We currently have a Cisco PIX 515E Firewall. We were having problems
    > with the old one so had to replace it. Now we are having trouble
    > configuring it so that people can access the net etc. What correct
    > access rules and translation rules should be applied so that this can
    > happen ? The details of the internal/external interface are listed
    > below.
    >
    > Interface 1 (Internal): Security level 100
    > This interface connects with the 192.168.0.x network
    >
    > Interface 2 (External): Security level 0
    > This interface is assigned the address 217.218.219.1
    > Many thanks in advance
    Are you sure it's not a problem with people's PCs configured wrong?

    Otherwise, you should have commands like this in the PIX....


    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    ip address outside 217.218.219.1 x.x.x.x [Subnet here]
    ip address inside 192.168.0.1 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list XXX
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    route outside 0.0.0.0 0.0.0.0 [Gateway here] 1


    Remember, from the Cisco PIX documentation: " When a PIX firewall is
    configured initially, it has a default security policy: everyone on the
    inside can get out, and nobody from the outside can get in."

    Have you changed that in any way?

    Let me know if this helps....
     
    Mike W., Jan 12, 2005
    #2

  3. BradReeseCom Guest

    BradReeseCom, Jan 12, 2005
    #3
  4. In article <UWdFd.643020$>,
    Mike W. <> wrote:
    :Otherwise, you should have commands like this in the PIX....

    :nameif ethernet0 outside security0
    :nameif ethernet1 inside security100
    :ip address outside 217.218.219.1 x.x.x.x [Subnet here]
    :ip address inside 192.168.0.1 255.255.255.0
    :global (outside) 1 interface

    :nat (inside) 0 access-list XXX

    That command doesn't make sense unless you are doing VPNs
    and the access-list XXX has been set to match the VPN traffic.
    [There are other uses too, but they get increasingly obscure.]


    :Remember, from the Cisco PIX documentation: " When a PIX firewall is
    :configured initially, it has a default security policy: everyone on the
    :inside can get out, and nobody from the outside can get in."

    That really only applies to the PIX 501 and newer 506E
    (since 6.2 something.) The documentation you refer to does exist,
    and does on its face apply to all models, but it is actually
    wrong. The 501 and later 506E are the only models that come
    from the factory ('configured initially') with ip address and
    nat/global statements set up, so they are the only ones that
    -initially- allow anyone outside. For all other models, you
    need to specifically configure addresses and nat/global or static
    or whatever, and the choice of whether to use nat/global or
    static etc is part of establishing your security policy: thus
    the default "security policy" for the other models is no access
    for anyone in either direction.

    What -is- true is that the default access list behaviour is as
    they describe, allowing all access out and no access in, once the
    translations have been appropriately configured.
    --
    Rump-Titty-Titty-Tum-TAH-Tee -- Fritz Lieber
     
    Walter Roberson, Jan 12, 2005
    #4
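The thread above comes down to a checklist: nameif and ip address on both interfaces, a nat/global (or static) pair so translations exist at all, a default route out, and, if nat 0 with an access-list is present, an access-list that actually exists. The following is an added example, not code from the original posts or from Cisco: a small Python audit that reads a PIX 6.x style configuration and reports which of those pieces are missing. The sample configuration is constructed from the commands quoted in the thread; the outside subnet mask (255.255.255.248) and the gateway address (217.218.219.2) are placeholders, not values from the original post.

```python
"""Audit a Cisco PIX 6.x style configuration for the statements that must be
present before inside hosts can reach the outside.

Added example for the thread above; not Cisco code. The sample configuration
is constructed: the outside mask and the gateway address are assumptions.
"""
import re

# Constructed sample modelled on the commands quoted in the thread.
# 255.255.255.248 and 217.218.219.2 are placeholders, not values from the post.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 217.218.219.1 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list XXX
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 217.218.219.2 1
"""

NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
IPADDR = re.compile(r"^ip address\s+(\S+)\s+(\S+)\s+(\S+)$")
GLOBAL = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(.+)$")
NAT = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(.+)$")
ROUTE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?$")
ACL = re.compile(r"^access-list\s+(\S+)\s+")


def parse(config):
    """Collect the statements the audit cares about, keyed by interface name."""
    cfg = {"security": {}, "addresses": {}, "globals": set(), "nats": [],
           "statics": [], "routes": [], "acls": set(), "used": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(":") or line.startswith("!"):
            continue  # blank lines and saved-config ':' comments
        if m := NAMEIF.match(line):
            cfg["security"][m.group(1)] = int(m.group(2))
        elif m := IPADDR.match(line):
            cfg["addresses"][m.group(1)] = (m.group(2), m.group(3))
            cfg["used"].add(m.group(1))
        elif m := GLOBAL.match(line):
            cfg["globals"].add((m.group(1), int(m.group(2))))
            cfg["used"].add(m.group(1))
        elif m := NAT.match(line):
            cfg["nats"].append((m.group(1), int(m.group(2)), m.group(3)))
            cfg["used"].add(m.group(1))
        elif line.startswith("static "):
            cfg["statics"].append(line)
        elif m := ROUTE.match(line):
            cfg["routes"].append((m.group(1), m.group(2), m.group(3), m.group(4)))
            cfg["used"].add(m.group(1))
        elif m := ACL.match(line):
            cfg["acls"].add(m.group(1))
    return cfg


def audit(config):
    """Return a list of findings; an empty list means the checklist is satisfied."""
    cfg = parse(config)
    sec = cfg["security"]
    findings = []
    for iface in sorted(cfg["used"]):
        if iface not in sec:
            findings.append(f"interface {iface} referenced but has no nameif")
    for iface in sec:
        if iface not in cfg["addresses"]:
            findings.append(f"interface {iface} has no ip address")
    # Without nat/global or static there are no translations, so no traffic
    # passes in either direction regardless of the access-list defaults.
    if not cfg["nats"] and not cfg["statics"]:
        findings.append("no nat or static statements: no translations configured")
    for iface, nat_id, rest in cfg["nats"]:
        if nat_id == 0:
            # nat 0 access-list is NAT exemption (typically VPN traffic); it only
            # makes sense when the named access-list is actually defined.
            m = re.match(r"access-list\s+(\S+)", rest)
            if m and m.group(1) not in cfg["acls"]:
                findings.append(f"nat ({iface}) 0 references access-list "
                                f"{m.group(1)} which is not defined")
            continue
        # A nat id must pair with a global of the same id on a lower-security interface.
        paired = [g for g in cfg["globals"]
                  if g[1] == nat_id and sec.get(g[0], 0) < sec.get(iface, 0)]
        if not paired:
            findings.append(f"nat ({iface}) {nat_id} has no matching global "
                            f"on a lower-security interface")
    if not any(r[1] == "0.0.0.0" and r[2] == "0.0.0.0" for r in cfg["routes"]):
        findings.append("no default route (route <iface> 0.0.0.0 0.0.0.0 <gateway>)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["OK: inside-to-outside prerequisites present"]:
        print(finding)
```

Run against the sample, the only finding is the dangling nat 0 access-list XXX, which is exactly Walter's objection; drop the global line or the default route and the audit reports that instead. The check does not verify the access-list contents, only that the statements the translations depend on are present.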
