If you want to control who gets out, try using an outbound access list and
apply it to your outside interface.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, October 31, 2000 8:40 PM
To: [EMAIL PROTECTED]
Subject: PIX question


Hi everybody,

I have one PIX firewall running v 4.2(4). Based on the config, I've
specified that only a few users can go
out to the internet.

But my problem is that when a user is running on an NT workstation or server, they can go out
to the internet, while users running on Win95
cannot.

Has anybody experienced this problem before? Can you share with me?

Here is the config of firewall :

PIX Version 4.2(4)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
enable password mRF4kA2yGoAg24KE encrypted
passwd mRF4kA2yGoAg24KE encrypted
hostname PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
no fixup protocol smtp 25
names
name 172.21.1.65 Adachi
name 172.21.1.111 ECT
name 172.21.1.78 Inagaki
name 172.21.1.75 Kato
name 172.21.1.201 Konishi
name 172.21.1.92 Lim_Tiong_
name 172.21.1.113 TKL
name 172.21.1.67 Taishi
name 172.21.1.50 Kobayashi
name 172.21.1.3 MY_NT5
name 172.21.1.6 MY_99
name 172.21.1.17 S1019
name 172.21.1.5 MY01
name 172.21.1.1 MY00
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
pager lines 24
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 10baset
ip address outside 202.x.x.x 255.255.255.248
ip address inside 172.21.1.12 255.255.255.0
ip address dmz1 172.21.253.101 255.255.255.0
arp timeout 14400
global (outside) 1 202.x.x.x
nat (inside) 1 MY_NT5 255.255.255.0 0 0
nat (inside) 1 172.21.1.4 255.255.255.0 0 0
nat (inside) 1 MY_99 255.255.255.0 0 0
nat (inside) 1 Kobayashi 255.255.255.0 0 0
nat (inside) 1 Adachi 255.255.255.0 0 0
nat (inside) 1 Taishi 255.255.255.0 0 0
nat (inside) 1 Inagaki 255.255.255.0 0 0
nat (inside) 1 Lim_Tiong_ 255.255.255.0 0 0
nat (inside) 1 ECT 255.255.255.0 0 0
nat (inside) 1 TKL 255.255.255.0 0 0
nat (inside) 1 Konishi 255.255.255.0 0 0
static (inside,outside) 202.x.x.x MY_99 netmask 255.255.255.255 0 0
static (inside,dmz1) 172.21.253.17 S1019 netmask 255.255.255.255 0 0
static (inside,dmz1) 172.21.253.5 MY01 netmask 255.255.255.255 0 0
static (inside,dmz1) 172.21.253.1 MY00 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 202.x.x.x eq smtp any
conduit permit ip host 172.21.253.17 any
conduit permit ip host 172.21.253.5 any
conduit permit ip host 172.21.253.1 any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip dmz1 passive
no rip dmz1 default
route outside 0.0.0.0 0.0.0.0 202.x.x.x 1
route dmz1 172.21.252.0 255.255.255.0 172.21.253.102 1
route dmz1 192.168.42.0 255.255.255.0 172.21.253.102 1
route dmz1 172.21.254.0 255.255.255.0 172.21.253.102 1
timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet 172.21.1.116 255.255.255.255
telnet 172.21.1.12 255.255.255.255
telnet ECTan 255.255.255.255
telnet timeout 5
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
floodguard 1

Thanks.

_________________________________
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

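Added check, not part of either message: a small Python script that resolves the PIX `name` aliases and expands each `nat (inside)` line into the network it actually matches. With the 255.255.255.0 masks used in the config above, each line covers the whole 172.21.1.0/24, so every inside host is translated, not only the named ones; the embedded config is a constructed excerpt of the one in the message.

```python
import ipaddress
import re

# Constructed excerpt modelled on the posted config (only a few lines kept).
CONFIG = """\
name 172.21.1.3 MY_NT5
name 172.21.1.50 Kobayashi
nat (inside) 1 MY_NT5 255.255.255.0 0 0
nat (inside) 1 172.21.1.4 255.255.255.0 0 0
nat (inside) 1 Kobayashi 255.255.255.0 0 0
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)")


def parse_nat_rules(config):
    """Return (if_name, nat_id, network) per nat line, with name aliases resolved."""
    names = {}
    rules = []
    for line in config.splitlines():
        m = NAME_RE.match(line)
        if m:
            names[m.group(2)] = m.group(1)  # alias -> address
            continue
        m = NAT_RE.match(line)
        if m:
            if_name, nat_id, addr, mask = m.groups()
            addr = names.get(addr, addr)
            # strict=False drops the host bits the way the PIX does:
            # 172.21.1.3 / 255.255.255.0 -> 172.21.1.0/24
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            rules.append((if_name, int(nat_id), net))
    return rules


def matching_nat_ids(config, host):
    """NAT ids whose address/mask pair covers the given inside host."""
    ip = ipaddress.ip_address(host)
    return sorted({nat_id for _, nat_id, net in parse_nat_rules(config) if ip in net})


def covered_address_count(config):
    """Number of distinct inside addresses some nat line translates."""
    covered = set()
    for _, _, net in parse_nat_rules(config):
        covered.update(net)
    return len(covered)
```

Rerunning the check with `255.255.255.255` in place of `255.255.255.0` shows the difference: only the three listed addresses are covered, and an unlisted host such as 172.21.1.200 matches no nat line.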