Simple Pix question

Guest
Archived from groups: comp.security.firewalls

Hopefully this is trivial, but I'm a beginner so please humour me! I
have a corporate network behind a Cisco pix 515 firewall. At the
moment all users connect to the Internet via a MS Proxy Server. This
machine is about to die, so I want to reconfigure the pix so users can
connect to the Internet directly. Is there a simple pix command to
allow this?

Thanks in advance,

Stuart Edwards.
 
Guest

couple things you would have to do.

1. have your dhcp give out the PIX internal interface IP as their
gateway, or change the machines manually if set for static IP.

2. add an access-list to your internal interface to allow the specific
access you want allowed out. Since currently you probably only have
the proxy server out.

ex. if internal scheme is 10.10.10.0/24 and internal access-list is
called "internal"

access-list internal permit tcp 10.10.10.0 255.255.255.0 any eq http

repeat the access-list for any additional services, https, smtp..etc

That should be it. If you are using routable IPs internally then you
will need to add a static on the firewall to keep the translation of
the internal hosts.


On 4 May 2004 09:27:37 -0700, sjse@ediplc.com (Stuart Edwards) wrote:

>Hopefully this is trivial, but I'm a beginner so please humour me! I
>have a corporate network behind a Cisco pix 515 firewall. At the
>moment all users connect to the Internet via a MS Proxy Server. This
>machine is about to die, so I want to reconfigure the pix so users can
>connect to the Internet directly. Is there a simple pix command to
>allow this?
>
>Thanks in advance,
>
>Stuart Edwards.
 
Guest

Another statement that I want to add to Michael's note was that:
Make sure you have your nat/global statement in place as well

nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 x.x.x.x --->your global address (public IP)

If you want to use your outside interface address as your global address
for your PAT, then the global statement would be:

global (outside) 1 interface

Hope this helps.

Binh
"Michael Sherman" <please@ask.com> wrote in message
news:bvmh9055o4jrgqtt2oq19bpfoc9s0nulj1@4ax.com...
> couple things you would have to do.
>
> 1. have your dhcp give out the PIX internal interface IP as their
> gateway, or change the machines manually if set for static IP.
>
> 2. add an access-list to your internal interface to allow the specific
> access you want allowed out. Since currently you probably only have
> the proxy server out.
>
> ex. if internal scheme is 10.10.10.0/24 and internal access-list is
> called "internal"
>
> access-list internal permit tcp 10.10.10.0 255.255.255.0 any eq http
>
> repeat the access-list for any additional services, https, smtp..etc
>
> That should be it. If you are using routable IPs internally then you
> will need to add a static on the firewall to keep the translation of
> the internal hosts.
>
>
> On 4 May 2004 09:27:37 -0700, sjse@ediplc.com (Stuart Edwards) wrote:
>
> >Hopefully this is trivial, but I'm a beginner so please humour me! I
> >have a corporate network behind a Cisco pix 515 firewall. At the
> >moment all users connect to the Internet via a MS Proxy Server. This
> >machine is about to die, so I want to reconfigure the pix so users can
> >connect to the Internet directly. Is there a simple pix command to
> >allow this?
> >
> >Thanks in advance,
> >
> >Stuart Edwards.
>
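
An added example, not part of any post in this thread: a small Python check that reads a PIX configuration and reports whether the pieces discussed above are in place, namely a well-formed netmask on each access-list source, an access-group binding the list to an interface, and a global for every nat id. The access-group command is not mentioned in the thread and is included here as an assumption about how the list gets applied; both sample configs are constructed from the commands posted.

```python
import ipaddress

# Constructed samples built from the commands posted in the thread.
# BROKEN has a malformed netmask and no access-group; FIXED corrects both.
BROKEN = """\
access-list internal permit tcp 10.10.10.0 255.255.2550 any eq http
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
"""
FIXED = """\
access-list internal permit tcp 10.10.10.0 255.255.255.0 any eq http
access-group internal in interface inside
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
"""

def valid_mask(mask):
    """True for a dotted-quad netmask whose one-bits are contiguous."""
    try:
        inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    except ValueError:
        return False
    return inverted & (inverted + 1) == 0

def audit(config):
    """Return findings for the outbound-access pieces named in the thread."""
    findings, acls, bound, nat_ids, global_ids = [], set(), set(), set(), set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) > 5 and tok[0] == "access-list":
            acls.add(tok[1])
            # Source is "any", "host A.B.C.D" or "A.B.C.D MASK".
            if tok[4] not in ("any", "host") and not valid_mask(tok[5]):
                findings.append(f"bad netmask {tok[5]} in access-list {tok[1]}")
        elif len(tok) >= 5 and tok[0] == "access-group":
            bound.add(tok[1])
        elif len(tok) >= 5 and tok[0] == "nat":
            if tok[2] != "0":  # nat 0 means no translation, so needs no global
                nat_ids.add(tok[2])
            if not valid_mask(tok[4]):
                findings.append(f"bad netmask {tok[4]} in nat {tok[2]}")
        elif len(tok) >= 4 and tok[0] == "global":
            global_ids.add(tok[2])
    findings += [f"access-list {a} is not applied with access-group"
                 for a in sorted(acls - bound)]
    findings += [f"nat id {n} has no matching global"
                 for n in sorted(nat_ids - global_ids)]
    return findings

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, audit(cfg) or "ok")
```
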
 
Guest

"Stuart Edwards" <sjse@ediplc.com> wrote in message
news:142447c7.0405040827.75977e67@posting.google.com...
> Hopefully this is trivial, but I'm a beginner so please humour me!

Simple and PIX do not go hand in hand!