Lano,

No offense intended, but I think you need to do some research.  I _strongly_
recommend that if you intend to set up and administer your company's PIX
firewall, you read at least:

Building Internet Firewalls - Chapman and Zwicky
The PIX configuration guide - Cisco Systems
(you can probably knock these out in a weekend)

Also, TCP/IP Illustrated vol 1 is excellent.

You need to understand what the commands are that people are supplying you
and why they work.  It's pretty clear from your question that you don't know
how DNS works and you've never configured a PIX.  Everyone has to learn
somewhere, so I'm not trying to bash you, just offering a little constructive
criticism.

Security is very critical, and if you've been charged with maintaining your
company's security perimeter, you need to get up to speed very quickly on at
least the basics.

Having said that, if all you want to do is allow inside users access to
HTTP, FTP and SMTP on the Internet, all you have to do is make sure the PIX
interfaces are up, routing is in place and create appropriate NAT and GLOBAL
statements.

The default mode on the PIX is to allow everything from the inside interface
out and only replies from the outside back in.  This would include things
like DNS, HTTP, FTP, SMTP, etc.

Assuming that you have an IP address range given to you by your ISP:

nat (inside) 1 0 0 (allow all users on the inside to get global addresses)
global (outside) 1 start_ip-end_ip netmask x.x.x.x

I don't know what you mean when you say "I opened all the TCP ports", but if
you're saying that you created a conduit or an access-list to allow all TCP
ports in the outside interface, _you don't need to do that and it's VERY
dangerous_!  This is why I say you need to understand what you're doing and
not just have people give you configs.

If you read the PIX docs it goes step by step through an initial simple PIX
configuration, which is what it sounds like you have.  My advice would be to
read it and follow it to the letter.  If you follow the instructions you
should end up with a simple working config.

If you want to start creating access-lists later and applying them to limit
outbound traffic once you understand how things work, you can always do that.
Until you fully understand how the PIX works and all of its commands, it's
best to start simple and build up your config.

Let me say again, based on what you've stated, it doesn't sound like you
need any conduit or access-list statements.  If you have them and you're
explicitly allowing traffic in the outside interface, you have likely opened
up large security holes.  If you need more help, contact me offline and send
me your config.

Again, I cannot stress enough, read the PIX setup doc, it tells you
everything you need to get started with a simple configuration.

HTH,
Kent
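For readers following the thread, here is a minimal PIX 6.x configuration of the kind Kent describes (outbound-only, NAT to an ISP pool, no inbound permits). It is an added example and is not taken from either message or from Cisco's documentation. The interface names, the inside network 192.168.1.0/24, the ISP block 203.0.113.0/29 and the pool addresses are assumptions (RFC 5737 documentation ranges); lines beginning with "!" are annotations, not PIX commands, and should not be pasted. The indented lines at the end are the blanket inbound permits Kent warns against, shown so they can be recognised and removed, never added.

```cisco
! Added example, not from the original thread. Addresses are assumed (RFC 5737).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Every inside host (0.0.0.0 0.0.0.0, which "nat (inside) 1 0 0" abbreviates)
! is translated to the ISP-assigned pool on the way out.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 203.0.113.3-203.0.113.5 netmask 255.255.255.248
! A single-address global in the same pool is PAT; it is used once the
! 203.0.113.3-.5 range is exhausted, so users are not locked out.
global (outside) 1 203.0.113.6 netmask 255.255.255.248
!
! Nothing more is needed for HTTP, FTP, SMTP or the UDP/53 lookups to the
! ISP resolver: the PIX permits sessions from the higher-security inside
! interface outward and admits only the replies to those sessions.
!
! DANGEROUS: do NOT add any of the following. Each one lets the whole
! Internet initiate connections to every address in the global pool.
! If you find them in a config, remove them with "no conduit ..." or
! "no access-group ..." (and "no access-list ...").
!   conduit permit tcp any any
!   conduit permit udp any any
!   access-list acl_outside permit ip any any
!   access-group acl_outside in interface outside
```

After pasting the first block, "show xlate" after an inside host browses should list a translation to one of the pool addresses, and "show conduit" / "show access-group" should return nothing; if they list a "permit ... any any" entry on outside, that is the hole Kent is describing.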

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 1:55 AM
To: [EMAIL PROTECTED]
Subject: Ports with PIX Firewall [7:12605]


I configured my PIX Firewall and opened all the TCP ports.  I found that I
can ping Yahoo or Cisco by IP address but not by name, i.e. "ping cisco.com"
didn't work.  Then I opened all the UDP ports also, and my surfing started;
I was also able to ping by name.

I just want to allow port 80 (HTTP), FTP and SMTP access to my users.

Which ports do I need to open?

Do I need to open a port for DNS name resolution?
I am using my ISP's DNS server as I don't have the resources to set up my own DNS.

Please Help

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12657&t=12605
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]