RE: PIX static map question [7:15983]

2001-08-14 Thread Evans, TJ

Assuming you have a static statement for each server, *that part* is
correct.
However - the conduit lines will need a port# ... web tcp/80 ... smtp/pop
25/110.
conduit permit tcp host __extIPaddress__ eq __port#__ any
    __extIPaddress__ = External address of each server
    __port#__ = Port# for service


Also - make sure the server(s) has(have) been patched, etc ... 
... another note - I am sure someone will mention that you should use ACLs
instead of conduits as they are being deprecated ... 


not really related - but directions for blocking code-red propagation
attempts on routers:
http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml#1


Thanks!
TJ

-----Original Message-----
From:   Munzir Khan [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, August 14, 2001 3:45 
To: [EMAIL PROTECTED]
Subject: PIX static map question [7:15983]

I want to add another global outside IP address in the PIX firewall for the
Outlook web server. Basically I want to separate the Exchange server and
Outlook web onto different machines. The Outlook web & Exchange servers are
installed inside the network. I also want to allow outside users to access
their e-mail, connecting with any internet provider through Outlook web, so
would this be like this???

static (inside,outside) 212.x.x.10 192.168.0.30 netmask 255.255.255.255. 0.0
(is this correct)

conduit permit tcp host 192.168.0.30 any
conduit permit tcp host 212.x.x.10 any

Please help!!!
**
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized.

If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed in
the governing KPMG client engagement letter.
**




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16000&t=15983
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
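An added example, not part of the original thread: a small Python check that applies the two corrections from the reply above (a conduit must name the external address from the static, and it needs a port) to the lines quoted in the question. The sample config is constructed from those lines, the trailing "0 0" on the static is an assumed clean form, and the function name audit is hypothetical.

```python
import re

# Constructed sample modelled on the lines quoted in the thread
# (212.x.x.10 is the masked external address exactly as posted).
SAMPLE = """\
static (inside,outside) 212.x.x.10 192.168.0.30 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.0.30 any
conduit permit tcp host 212.x.x.10 any
conduit permit tcp host 212.x.x.10 eq 80 any
"""

# static (local_if,global_if) <global address> <local address> ...
STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\)\s+(\S+)\s+(\S+)")
# Only the "host <addr> [eq <port>] any" conduit form used in the thread.
CONDUIT_RE = re.compile(
    r"^conduit permit (tcp|udp) host (\S+)(?:\s+eq\s+(\S+))?\s+any\s*$")


def audit(config):
    """Return (line_no, problem) for each conduit the reply would correct."""
    lines = config.splitlines()
    external, internal = set(), set()
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if m:
            external.add(m.group(3))
            internal.add(m.group(4))

    findings = []
    for no, line in enumerate(lines, 1):
        m = CONDUIT_RE.match(line.strip())
        if not m:
            continue
        _proto, addr, port = m.groups()
        if addr in internal:
            findings.append((no, "conduit names the inside address, "
                                 "not the external address from the static"))
        elif addr not in external:
            findings.append((no, "no static maps this address"))
        if port is None:
            findings.append((no, "no port given: every port of this "
                                 "protocol on the host is permitted"))
    return findings


if __name__ == "__main__":
    for no, problem in audit(SAMPLE):
        print(f"line {no}: {problem}")
```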



RE: PIX static map question [7:15983]

2001-08-14 Thread Munzir Khan

I would like to thank all of you for your kind response and time to
clear this issue ...

Do your best to others, The best will come to you

Thanks


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16020&t=15983



RE: PIX static map question [7:15983]

2001-08-15 Thread Munzir Khan

Question for MAJDI & EVANS

Just a quick question: is it really required to restart the PIX firewall for
the new settings to take effect??

Another question: should the static maps for INSIDE/DMZ/OUTSIDE be defined in
sequence, or does it not matter what sequence you make?

for example 

static (inside,outside) 212.x.x.10 192.168.0.30 netmask 255.255.255.255. 0.0 

static (inside, DMZ) 
static (inside) 
static (inside,outside) 

See above, it is not in sequence; I have the same case. I applied the settings
you have suggested but I cannot even ping that IP from outside ... also
tell me, do conduits also need to be arranged by IP address???

please suggest!!! 



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16256&t=15983



RE: PIX static map question [7:15983]

2001-08-15 Thread Farhan Ahmed

clear xlate

to make your changes take effect

sequence doesn't matter


Best Regards

Have A Good Day!!

***
Farhan Ahmed*
  MCSE+I, MCP Win2k, CCDA, CCNA, CSE
Network Engineer
Mideast Data Systems Abudhabi Uae.

***



Privileged/Confidential Information may be contained in this message or
Attachments hereto.  Please advise immediately if you or your employer do
not consent to Internet email for messages of this kind.  Opinions,
Conclusions and other information in this message that do not relate to the
Official business of this company shall be understood as neither given nor
Endorsed by it.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16258&t=15983



Re: PIX static map question [7:15983]

2001-08-16 Thread Allen May

The only config that needs a restart (that I can think of) is IPSec tunnels
so they can authenticate.  I've never tried without it but Cisco recommended
it somewhere in the documentation.  Most of the time clear xlate will clear
everything right up for you.  However, that drops any streaming connections
such as telnet passing through the firewall when you do.  Then again...so
would rebooting ;)





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16292&t=15983



RE: PIX static map question [7:15983]

2001-08-16 Thread Evans, TJ

With regards to reload - almost never required, a good "wr mem" and
sometimes a "clear xlate".

With regards to ordering - within an individual portion they are just
sorted by order of entry ...

With regards to ping-ability - you have not listed a conduit permitting ping
... so by default it is blocked.


Thanks!
TJ






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16307&t=15983