Hi Neil
No problem. I just wanted to avoid wasting my expensive and little time for
people who don't even try to get a grip on a manual. Pixes are still quite
complicated if you're new to it. Not long ago I had to configure the VPDN so
Win2k clients could access the VPN via PPTP. The particular docu on this
matter was so bad nobody really could understand it. However I tried to get
it working and finally it does. Next time I'll just have to spend five
minutes on it.
But be careful with the access-lists (...)
Have a nice weekend everybody
--------------------------------------
Boris Pavalec
Geschäftsführer, VRP
Network / System Engineer MCSE & MCT
HCS - Highend Computing Systems AG
Hohlstrasse 216
CH-8004 Zürich
Phone: + 41-1 240 29 50
Fax: + 41-1 240 29 59
eMail: [EMAIL PROTECTED]
--------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Neil H.
Sent: Saturday, September 22, 2001 3:58 AM
To: [EMAIL PROTECTED]
Subject: Re: Passing Traffic through a Pix - or... Can anybody do my job
please?
Well let me say I sincerely appreciate everyone's help with the situation
and it appears to be passing traffic now. It wasn't that I wasn't reading
the documentation. It was that every piece of documentation had a different
scenario than what I was working with in real life.
Again thanks to everyone...
Neil
p.s. Boris: sorry if I wasted your time.........I was only trying to get
help.... I appreciate the help I received and its refreshing not to receive
RTFM
----- Original Message -----
From: "BorisP_Maillistdude" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 21, 2001 9:33 PM
Subject: RE: Passing Traffic through a Pix - or... Can anybody do my job
please?
> Usually contributors on mailing-lists shouldn't answer questions that are TOO
> obvious. It's YOUR job to get the firewall running and not ours. If you're
> not able to create a basic installation then you'll be in trouble to
> understand what's running and how INsecure it is. However here you've got a
> couple of pointers.
>
> You'll find everything here:
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/
>
>
> Basic steps:
>
> - Attach network cables
> - Attach serial cable
> - Open the terminal emulation with 9600 baud, 8 data bits, no parity, 1 stop
> bit. Usually this is default
> - set interfaces, set ip's, tftp etc. to update software
> - ...
>
> And then... you'll have to put in something similar like this:
>
> -----------------------------------------------------------------
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable SomePassword
> passwd Somepassword2
> hostname PIX
>
> interface ethernet0 auto
> interface ethernet1 auto
>
> ip address outside 200.200.200.2 255.255.255.0
> ip address inside 192.168.100.1 255.255.255.0
>
> global (outside) 1 200.200.200.3 netmask 255.255.255.0
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> rip outside passive version 1
> rip inside default version 1
> route outside 0.0.0.0 0.0.0.0 200.200.200.1 1
> timeout xlate 0:05:00
> floodguard enable
> telnet 192.168.100.0 255.255.255.0 inside
> -----------------------------------------------------------------
>
> At the end type
>
> WRITE MEM
> RELOAD
> Y
>
> Certainly every config is different. By default all internal clients can get
> onto the internet (unless you use access-group to bind an access-list to a
> net interface). No external hosts can get into the lan. In this example I
> used:
>
> external router: 200.200.200.1
> external interface of firewall 200.200.200.2
> global PAT address for internal clients going onto the internet:
> 200.200.200.3
> internal network-id: 192.168.100.0
> internal default gateway: 192.168.100.1
>
> Later if you want to have some more control you could put in commands such
> as these:
>
> access-list ACL_IN permit icmp any any
> access-list ACL_OUT permit icmp any any
> access-list ACL_OUT permit tcp 192.168.100.0 255.255.255.0 any
> access-list ACL_OUT permit udp 192.168.100.0 255.255.255.0 any
>
> access-group ACL_IN in interface outside
> access-group ACL_OUT in interface inside
>
>
> You always need to bind an access-list to an interface using the
> access-group command.
>
> The ruleset above allows all LAN-hosts from 192.168.100.0 to get TCP and UDP
> traffic onto the internet.
>
>
> Cheers
>
> --------------------------------------
> Boris Pavalec
> Geschäftsführer, VRP
> Network / System Engineer MCSE & MCT
>
> HCS - Highend Computing Systems AG
> Hohlstrasse 216
> CH-8004 Zürich
>
> Phone: + 41-1 240 29 50
> Fax: + 41-1 240 29 59
> eMail: [EMAIL PROTECTED]
> --------------------------------------
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Neil H.
> Sent: Thursday, September 20, 2001 2:41 AM
> To: [EMAIL PROTECTED]
> Subject: Passing Traffic through a Pix
>
>
> Could someone please help me to put a PIX on my network and pass normal
> traffic through it. I want to use no filters at this point. I also want
> all the addresses on the server to be available on the other side (outside)
> of the pix.
>
> Thanks,
>
> Neil
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>
>
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
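Boris's reply above makes two points that are easy to get wrong on a PIX: an access-list that is never bound with access-group does nothing, and an inbound ACL on the outside interface that permits "any any" re-opens what the PIX closes by default. The script below is an added example (not from the thread, not a Cisco tool) that parses a PIX 6.x style config and reports both conditions. It uses the config and ACLs from the thread as sample input, plus one constructed, deliberately unbound entry (ACL_DMZ) and a constructed DMZ host address to show the check firing.

```python
"""Linter for Cisco PIX 6.x style configs.

Added example, not a Cisco or mailing-list tool. It checks:
  * every access-list is bound to an interface with access-group,
  * every access-group names a defined access-list and a nameif'd interface,
  * an inbound ACL on the lowest-security interface that permits any -> any.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the thread's config plus one unbound ACL (ACL_DMZ) and
# a made-up DMZ host address, added only to exercise the checks.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 200.200.200.2 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
global (outside) 1 200.200.200.3 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list ACL_IN permit icmp any any
access-list ACL_OUT permit icmp any any
access-list ACL_OUT permit tcp 192.168.100.0 255.255.255.0 any
access-list ACL_OUT permit udp 192.168.100.0 255.255.255.0 any
access-list ACL_DMZ permit tcp any host 200.200.200.5 eq 80
access-group ACL_IN in interface outside
access-group ACL_OUT in interface inside
"""


@dataclass
class PixConfig:
    interfaces: dict = field(default_factory=dict)  # nameif name -> security level
    acls: dict = field(default_factory=dict)        # ACL name -> list of entry tokens
    groups: dict = field(default_factory=dict)      # ACL name -> (direction, interface)


def parse_pix(text):
    """Extract nameif, access-list and access-group lines; ignore the rest."""
    cfg = PixConfig()
    for raw in text.splitlines():
        tok = raw.strip().split()
        if not tok or tok[0] in ("!", ":"):
            continue
        if tok[0] == "nameif" and len(tok) == 4:
            m = re.fullmatch(r"security(\d+)", tok[3])
            if m:
                cfg.interfaces[tok[2]] = int(m.group(1))
        elif tok[0] == "access-list" and len(tok) >= 3:
            cfg.acls.setdefault(tok[1], []).append(tok[2:])
        elif tok[0] == "access-group" and len(tok) == 5 and tok[3] == "interface":
            cfg.groups[tok[1]] = (tok[2], tok[4])
    return cfg


def _addr(tok, i):
    """Consume one PIX address spec ('any', 'host X', or 'X MASK') at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2


def lint_pix(text):
    """Return a list of human-readable findings for the given config text."""
    cfg = parse_pix(text)
    findings = []
    for name in cfg.acls:
        if name not in cfg.groups:
            findings.append(f"access-list {name} is never bound with access-group (has no effect)")
    for name, (direction, iface) in cfg.groups.items():
        if name not in cfg.acls:
            findings.append(f"access-group references undefined access-list {name}")
        if iface not in cfg.interfaces:
            findings.append(f"access-group {name} binds to unknown interface {iface}")
    if not cfg.interfaces:
        return findings
    # The lowest security level is the untrusted side (outside, security0).
    lowest = min(cfg.interfaces, key=cfg.interfaces.get)
    for name, (direction, iface) in cfg.groups.items():
        if iface != lowest or direction != "in":
            continue
        for entry in cfg.acls.get(name, []):
            if entry[0] != "permit" or len(entry) < 4:
                continue
            try:
                src, i = _addr(entry, 2)
                dst, _ = _addr(entry, i)
            except IndexError:
                continue  # malformed entry, skip rather than crash
            if src == "any" and dst == "any":
                findings.append(f"{name} on {iface}: permit {entry[1]} any any lets {entry[1]} "
                                f"from the outside reach every inside host")
    return findings


if __name__ == "__main__":
    for line in lint_pix(SAMPLE_CONFIG):
        print(line)
```

Run it against a saved `show config`; the ACL_IN finding is the thread's own `permit icmp any any` bound inbound on outside, which is harmless for ping tests but is the line to tighten once the box passes traffic.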