Archived from groups: comp.security.firewalls
Another statement that I want to add to Michael's note was that:
Make sure you have your nat/global statement in place as well:

nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 x.x.x.x   ---> your global address (public IP)

(If you want to use your outside interface address as your global address
for your PAT, then the global statement would be

global (outside) 1 interface
)
Hope this helps.
Binh
"Michael Sherman" <please@ask.com> wrote in message
news:bvmh9055o4jrgqtt2oq19bpfoc9s0nulj1@4ax.com...
> couple things you would have to do.
>
> 1. have your dhcp give out the PIX internal interface IP as their
> gateway, or change the machines manually if set for static IP.
>
> 2. add an access-list to your internal interface to allow the specific
> access you want allowed out. Since currently you probably only have
> the proxy server out.
>
> ex. if internal scheme is 10.10.10.0/24 and internal access-list is
> called "internal"
>
> access-list internal permit tcp 10.10.10.0 255.255.255.0 any eq http
>
> repeat the access-list for any additional services, https, smtp..etc
>
> That should be it. If you are using routable IPs internally then you
> will need to add a static on the firewall to keep the translation of
> the internal hosts.
>
>
> On 4 May 2004 09:27:37 -0700, sjse@ediplc.com (Stuart Edwards) wrote:
>
> >Hopefully this is trivial, but I'm a beginner so please humour me! I
> >have a corporate network behind a Cisco pix 515 firewall. At the
> >moment all users connect to the Internet via a MS Proxy Server. This
> >machine is about to die, so I want to reconfigure the pix so users can
> >connect to the Internet directly. Is there a simple pix command to
> >allow this?
> >
> >Thanks in advance,
> >
> >Stuart Edwards.
>
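
The following is an added example, not code from any poster in this thread: a small Python check that reads PIX-style configuration lines, confirms every nat ID has a global statement with the same ID (the pairing described in the reply above), and flags malformed network/mask pairs in nat and access-list lines. The sample configuration, the "dmz" interface name and the function names are constructed for illustration; the check matches on ID only and does not verify which interface the global is on.

```python
import ipaddress

# Constructed sample config (not from the thread's firewall); line 3 carries
# a malformed mask and NAT ID 2 on line 5 has no matching global statement.
SAMPLE = """\
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
access-list internal permit tcp 10.10.10.0 255.255.2550 any eq http
access-list internal permit tcp 10.10.10.0 255.255.255.0 any eq https
nat (dmz) 2 192.168.5.0 255.255.255.0
"""

def valid_net(addr, mask):
    """True if addr/mask is a well-formed network with no host bits set."""
    addr = "0.0.0.0" if addr == "0" else addr  # PIX shorthand for 0.0.0.0
    try:
        ipaddress.ip_network(f"{addr}/{mask}", strict=True)
        return True
    except ValueError:
        return False

def lint(config):
    """Return (line_no, message) findings for a PIX-style config string."""
    findings, nat_ids, global_ids = [], {}, set()
    for n, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if len(tok) >= 5 and tok[0] == "nat":
            # "nat (if) 0 access-list NAME" carries no network/mask pair
            if tok[3] != "access-list" and not valid_net(tok[3], tok[4]):
                findings.append((n, "nat: bad network/mask"))
            if tok[2] != "0":            # ID 0 means no translation
                nat_ids.setdefault(tok[2], n)
        elif len(tok) >= 4 and tok[0] == "global":
            global_ids.add(tok[2])
        elif len(tok) >= 7 and tok[0] == "access-list":
            src = tok[4:6]               # source follows the protocol
            if src[0] not in ("any", "host") and not valid_net(*src):
                findings.append((n, "access-list: bad source network/mask"))
    # A nat ID only translates if a global statement carries the same ID
    for nat_id, n in nat_ids.items():
        if nat_id not in global_ids:
            findings.append((n, f"nat ID {nat_id} has no matching global"))
    return findings

if __name__ == "__main__":
    for n, msg in lint(SAMPLE):
        print(f"line {n}: {msg}")
```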