Hi Harry,
Comments/Answers inline:
At 04:07 PM 05/21/2000 -0700, Harry Whitehouse wrote:
>Thanks to all the list members who jumped in with suggestions. I happy to
>say I have a baseline configuration up and running.
>
>I moved way from using a hub on the private side, and instead found a switch
>with 2 or 3 terminals connected. As soon as I plugged in a line from the
>switch, the lights on the "inside" PIX card lit up! At that time I was able
>to ping terminals both on the inside and outside. (Maybe the hub was bad!)
>
>But naturally, I have a few more questions<g>!
>
>1. I mapped a single global address to an inside server target:
>
> static (inside,outside) 10.0.0.44 38.168.115.61 netmask
>255.255.255.255 0 0
>
>and then created 4 conduits so I could support port 80 and 443 transactions
>
> conduit permit tcp host 38.168.115.61 eq www any
> conduit permit tcp host 10.0.0.44 eq www any
> conduit permit tcp host 38.168.115.61 eq 443 any
> conduit permit tcp host 10.0.0.44 eq 443 any
>
>a) Do I need to create conduits to BOTH the inside and outside addresses?
>IOW do I need 4 or 2 statements?
You only need two statements. Conduits should reference ONLY the outside address.
conduit permit tcp host 38.168.115.61 eq www any
conduit permit tcp host 38.168.115.61 eq 443 any
>b) Is there a conduit command which allows me to just specify the two
>allowable addresses in one statement?
I suspect you mean services; as in "can you specify two services (both port 80 & port
443) in one conduit statement."
The answer is no. The correct configuration is as I've noted above.
>2. When I was trying various configurations, I was getting inconsistent
>results. IOW, sometimes I would be denied from reaching the inside server,
>other times I could get in after a PIX reboot. I got the impression that it
>is a good idea to have an inside terminal contact an outside resource (i.e.
>load a Web page) right after PIX reboot and before testing access from the
>outside. I also was issuing the "clear xlate" command more frequently
>toward the end (when things started stabilizing). Is there any
>configuration subtlety I'm missing here?
With a static command, 'clear xlate' should not have any effect. That operates on the
dynamic translation tables created with "global/nat" command pairs.
There is no technical reason I know of for the above behavior, and I would suspect
that possibly there were other configuration issues going on at the time. With a
static & conduit pair configured, traffic can be initiated from the outside inbound.
You need things like a default route, ip addresses on interfaces and proper masks, but
you should not need any inside connections to instigate inbound connections.
In the configuration guides, they do recommend a verification of configuration, making
sure an inside host can ping PIX, and then can ping some internet resource, to ensure
that connectivity is established, and that the inside host has a correct default
route. But that is a troubleshooting methodology, and not technically required.
>TIA
>
>Harry
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
Hope that helps,
Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml
PGP: A671 782D 2926 B489 F81A 3D5E B72F E407 B72C AF1F
ID: 0xB72CAF1F, DH/DSS 2048/1024
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
