Justin,
My understanding is that the PIX default configuration allows for connection
to the PDM or Telnet from the simple "initial" config questions you are
prompted with via the console cable when you first power it up out of the
box.
Those same simple config questions ONLY define the networks that are
associated with the inside and outside interfaces, and I think
Auto-Generates the first access-list (Not sure on this one though).

From there, you have to actually connect to the PDM via your web browser,
and make further config changes/adds; alternatively, you can connect via
Telnet to the inside interface (you can't telnet to the outside interface),
and manually key in your config info.  Just like a Cisco Router, you have to
configure access-lists specifying what is allowed, as there is an implicit
DENY at the end of the Auto-Generated access list created by the PIX
Initial-Config questions that prompted definition of the Inside and Outside
networks... the only difference being that Routers don't Auto-Gen the
Access-List, but rather you have to define it, and then the implicit deny is
created (but not shown).

If the Outside interface has a Public Address, and the Inside interface has
a Pvt. Address, then you will further have to configure NAT to allow traffic
both directions.

As far as allowing traffic back and forth beyond what I've just mentioned, I
believe you can create a blanket rule that allows all traffic (IP, TCP, UDP,
ICMP, etc.) outbound without granularity.  For traffic coming in
(Originating from the Outside), You would need to specify by Port what you
want to allow in.  If you do the same thing to the Outside as you did for
the inside, what's the point of having the Firewall!?! :)

Beyond that, I'm just as "wet" behind the ears as you ... and still
learning.

I've also got several years' experience working with Gauntlet, CheckPoint,
and when the first PIX Model came out, I worked with it for a little while.
Now, I'm re-acclimating myself with this FW given its many changes from 2.x
to 6.x.

The unfortunate thing is that the 501 doesn't come with a PIX Firewall and
VPN Configuration guide in Book form... so reading the CD may become
annoying to you.... I know it was for me.  I just simply purchased the books
off of ebay for 6.1 to solve that problem, and you might want to do the
same.  That's just my opinion of course.

Also, one drawback to the PDM is that you don't have the ability to
configure VPNs... you have to do that manually via console, telnet, or ssh.
:(  This is one thing that many other GUI-Based Firewalls I've worked with
did have.
HINT, HINT Cisco Systems :)

I hope I answered your questions, and answered them correctly... I'm sure
someone will correct me if I'm wrong :)

Mark
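
Mark's answer above lists the three things a fresh 501 needs before an inside host sees anything on the far side: addresses on both interfaces, a nat/global pair, and an access-list on the outside interface for whatever must come back in. Here is that put together in PIX 6.x syntax as an added example; it is not configuration from any poster in the thread. The addresses (203.0.113.x outside, 192.168.1.x inside), the list name outside_in and the example web server are assumptions, and the comment lines are annotations for the reader, not commands to paste.

```text
! Interfaces: the initial setup dialog on the console already did these.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! NAT: with no nat/global pair the PIX has no translation for inside
! hosts, and their traffic simply stops at the firewall (no error, no
! log). "nat (inside) 1 0 0" translates everything from inside;
! "global ... interface" PATs it behind the outside address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Outbound: higher security (inside, 100) to lower (outside, 0) is allowed
! by default once NAT exists. Bind an access-group to inside only if you
! want to restrict it; the moment you do, the list's implicit deny applies.
! Mark's "blanket rule" would be the two commented lines below.
! access-list inside_out permit ip any any
! access-group inside_out in interface inside

! Inbound (outside -> inside): nothing passes unless listed. TCP and UDP
! replies to outbound sessions come back through the state table, but ICMP
! was not tracked statefully on the 6.x code of the day, so the replies to
! an inside host's ping (and traceroute) must be permitted explicitly.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable

! Per-port exposure (Mark's "specify by port what you want to allow in"):
! a static translation for one server plus a rule for one port. Both
! addresses are made up for the example.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq www

! Bind the list to the outside interface; anything not matched above hits
! the implicit deny at the end of the list.
access-group outside_in in interface outside
```

Two checks worth knowing while troubleshooting a setup like Justin's: a PIX never answers a ping sent to an interface from a host on a different interface, so pinging the outside address from the inside LAN fails even on a working box; ping the next-hop router instead. And the icmp permit/deny command controls ICMP addressed to the PIX itself, not ICMP passing through it, which is what the access-list above governs.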

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Justin C
Sent: Thursday, March 14, 2002 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501 [7:38246]


Mark,

My original question that I sent to the group somehow got lost.  Ole was
kind enough to respond to a direct query regarding some fun I am having
with installing a Pix (501) for the first time.  My firewall background is
SonicWall and Watchguard, both are very simple in configuration and work
directly out of the box.

I was under the impression it was pretty much plug and play, so I decided to
test it by putting it between my PC and the rest of the LAN.  However, after
the initial setup, the Pix passed no information through it.  So I went to a
ping to start the troubleshooting.  The curious (to me) issue was that from
the console or the PDM of the Pix I can ping network addresses on both sides
of the Pix.  From the inside of the Pix, I cannot ping (or browse the web)
through the Pix.  I cannot even ping the outside interface of the Pix from
the inside interface.  The specific question is this ... is additional
configuration of the Pix required to permit access from the inside interface
to the outside interface and beyond?

To expand on the topic you and Ole are discussing, is the use of the
conduits (or access-lists) required for each and every type of service I
want to send from the inside to the outside?  I have no problem researching
the commands to learn how it is done, I just want to make certain I am on
the right path.

Thanks,

Justin


From: "Mark Odette II"
Reply-To: "Mark Odette II"
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501 [7:38246]
Date: Thu, 14 Mar 2002 12:45:59 -0500

Forgive me for not reading the book yet, as I've been quite busy too....
... but, I have a question in regards to the config line you gave.

I've used the PDM so far to do most of the configuration of my PIX, and it
creates access-lists rather than conduits.  I know from others I've talked
with, that Cisco is moving from conduits to access-lists on the PIX
configs... this is the question

I configure to allow ICMP any(Outside) any(Inside) = Echo Reply
                     ICMP any(Outside) any(Inside) = Time Exceeded
                     ICMP any(Outside) any(Inside) = Unreachable

Does this do the same thing as what you were saying about "conduit permit
any any X"??

I think it does, but just want to make sure that I haven't opened up ICMP
completely with it being initiated from the outside.

Thanks!
Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ole Drews Jensen
Sent: Thursday, March 14, 2002 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501 [7:38246]


Hi Justin,

When you ping, you use the ICMP protocol.

When A pings B, A sends ICMP echo-request (number 8) to B, and B sends ICMP
echo-reply (number 0) back to A.

The PIX does not allow ICMP traffic to come from the outside to the inside,
so to change that, you will need to open up for ICMP number 0 (echo-reply).

The command for that is:

        conduit permit icmp any any 0

This is a good way to do it, because then you allow outside devices to reply
to your request, but they are not allowed to PING themselves. If you want
PING to work both ways, simply use this command:

        conduit permit icmp any any

Hth,

Ole

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Ole Drews Jensen
  Systems Network Manager
  CCNP, MCSE, MCP+I
  RWR Enterprises, Inc.
  [EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  http://www.RouterChief.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  NEED A JOB ???
  http://www.oledrews.com/job
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
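
Ole's conduit lines and the access-list that Mark describes the PDM generating, side by side as an added example (no poster wrote these exact lines; the list name outside_in is an assumption, and the ICMP type numbers are the standard ones from RFC 792). Comment lines are annotations, not commands.

```text
! Conduit form (older syntax). Note the argument order: the global
! (destination) address comes first, the foreign (source) address second.
! With "any any" it makes no difference, but it bites with real addresses.
! Type 0 = echo-reply only:
conduit permit icmp any any 0
! No type = every ICMP type, including 8 (echo), so outside hosts can ping in:
conduit permit icmp any any

! access-list form (source first, destination second, like IOS). Type names
! and numbers are interchangeable: echo-reply = 0, unreachable = 3,
! echo = 8, time-exceeded = 11.
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside
! Nothing above matches type 8, so an echo-request arriving from outside is
! dropped by the implicit deny: inside hosts can ping out, nobody can ping
! in. That makes these three lines the counterpart of the FIRST conduit
! line (plus the two types traceroute needs), not the second.
! To let outside hosts ping in as well, add:
! access-list outside_in permit icmp any any echo
```

The conduit command was kept on 6.x for backward compatibility and removed in later PIX code, so pick the access-list/access-group style and stay with it rather than mixing the two on one firewall.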




-----Original Message-----
From: Justin C [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501


Ole,

Thanks for the reply.  I understand being busy.  I normally try to solve
these things all on my own, but I just don't have the available time.  I
spent six hours on it yesterday.

Justin


From: Ole Drews Jensen
To: 'Justin C'
Subject: RE: Question on PIX 501
Date: Thu, 14 Mar 2002 08:08:30 -0600

I did receive the message - I do not know why groupstudy did not.

I apologize for not getting back with you yesterday, but I am so busy these
days, as there are many projects I have to finish.

I will see if I can find a couple of minutes to read your entire e-mail from
yesterday, and help you out.

Try the [EMAIL PROTECTED] again.

Ole





-----Original Message-----
From: Justin C [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 8:14 AM
To: [EMAIL PROTECTED]
Subject: Question on PIX 501


Ole,

I apologize in advance for yet another direct message.  I am just wondering
if you did get the message regarding the Pix 501 as groupstudy has not.

I dislike having to message direct, but I am really scratching my head over
this, so any help you can offer would be greatly appreciated.  In a
nutshell, have you worked with a 501?  If so, was it plug and play or did
you have to perform additional configurations to get it to work?

My thanks in advance for your time.

Justin Cluer





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38281&t=38246