On 3/21/06, Victor Williams wrote:
> Posting your config would help.
>


Obviously, you're correct, so here it is. I'm always hesitant to do so
with these configs, however, since they are so long and I don't want
to trim/wash them to the point of being useless...here's my best
attempt:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
interface ethernet6 auto shutdown
interface ethernet7 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 dmz2 security10
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
nameif ethernet6 intf6 security12
nameif ethernet7 intf7 security14
enable password xx encrypted
passwd xx encrypted
hostname -2f1
domain-name .com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list internet-in deny ip any pub.ip.x.0 255.255.255.0
access-list internet-in deny ip any pub.ip.x.0 255.255.255.0
access-list internet-in permit icmp any any
access-list internet-in remark Start - gate(1/2) 02-20-2006
access-list internet-in permit tcp any host my.pub.ip.77 eq smtp
access-list internet-in permit tcp any host my.pub.ip.78 eq smtp
access-list internet-in permit tcp any host my.pub.ip.82 eq smtp
access-list internet-in remark Stop - gate(1/2) 02-20-2006
access-list internet-in remark Start - Proxy(1/2) 02-20-2006
access-list internet-in permit tcp any host my.pub.ip.79 eq https
access-list internet-in permit tcp any host my.pub.ip.81 eq https
access-list internet-in permit tcp any host my.pub.ip.80 eq https
access-list internet-in remark Stop - Proxy(1/2) 02-20-2006
access-list dmz2-in permit icmp any any
access-list dmz2-in remark Start - gate(1/2) 03-08-2006
access-list dmz2-in permit tcp host 10.10.63.47 any eq smtp
access-list dmz2-in permit tcp host 10.10.63.48 any eq smtp
access-list dmz2-in permit tcp host 10.10.63.52 any eq smtp
access-list dmz2-in permit tcp host 10.10.63.47 any eq www
access-list dmz2-in permit tcp host 10.10.63.48 any eq www
access-list dmz2-in permit tcp host 10.10.63.47 any eq https
access-list dmz2-in permit tcp host 10.10.63.48 any eq https
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.22.224 eq smtp
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.22.224 eq smtp
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.22.225 eq smtp
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.22.225 eq smtp
access-list dmz2-in permit udp host 10.10.63.47 host my.pub.ip.166 eq domain
access-list dmz2-in permit udp host 10.10.63.48 host my.pub.ip.166 eq domain
access-list dmz2-in permit udp host 10.10.63.47 host my.pub.ip.167 eq domain
access-list dmz2-in permit udp host 10.10.63.48 host my.pub.ip.167 eq domain
access-list dmz2-in permit udp host 10.10.63.47 host 10.10.23.239 eq 389
access-list dmz2-in permit udp host 10.10.63.48 host 10.10.23.239 eq 389
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.23.239 eq 3268
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.23.239 eq 3268
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.23.239 eq ldap
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.23.239 eq ldap
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.23.239 eq 88
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.23.239 eq 88
access-list dmz2-in permit udp host 10.10.63.47 host 10.10.23.239 eq 88
access-list dmz2-in permit udp host 10.10.63.48 host 10.10.23.239 eq 88
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.23.239 eq domain
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.23.239 eq domain
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.23.239 eq 135
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.23.239 eq 135
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.23.239 eq 445
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.23.239 eq 445
access-list dmz2-in permit udp host 10.10.63.47 host 10.10.22.24 eq 389
access-list dmz2-in permit udp host 10.10.63.48 host 10.10.22.24 eq 389
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.22.24 eq 3268
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.22.24 eq 3268
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.22.24 eq ldap
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.22.24 eq ldap
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.22.24 eq 88
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.22.24 eq 88
access-list dmz2-in permit udp host 10.10.63.47 host 10.10.22.24 eq 88
access-list dmz2-in permit udp host 10.10.63.48 host 10.10.22.24 eq 88
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.22.24 eq domain
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.22.24 eq domain
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.22.24 eq 135
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.22.24 eq 135
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.22.24 eq 445
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.22.24 eq 445
access-list dmz2-in permit udp host 10.10.63.47 host 10.10.23.26 eq 389
access-list dmz2-in permit udp host 10.10.63.48 host 10.10.23.26 eq 389
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.23.26 eq 3268
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.23.26 eq 3268
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.23.26 eq ldap
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.23.26 eq ldap
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.23.26 eq 88
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.23.26 eq 88
access-list dmz2-in permit udp host 10.10.63.47 host 10.10.23.26 eq 88
access-list dmz2-in permit udp host 10.10.63.48 host 10.10.23.26 eq 88
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.23.26 eq domain
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.23.26 eq domain
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.23.26 eq 135
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.23.26 eq 135
access-list dmz2-in permit tcp host 10.10.63.47 host 10.10.23.26 eq 445
access-list dmz2-in permit tcp host 10.10.63.48 host 10.10.23.26 eq 445
access-list dmz2-in remark Stop - gate(1/2) 03-08-2006
access-list dmz2-in remark Start - Proxy(1/2) 03-08-2006
access-list dmz2-in permit tcp host 10.10.63.49 any eq www
access-list dmz2-in permit tcp host 10.10.63.50 any eq www
access-list dmz2-in permit tcp host 10.10.63.51 any eq www
access-list dmz2-in permit tcp host 10.10.63.49 any eq https
access-list dmz2-in permit tcp host 10.10.63.50 any eq https
access-list dmz2-in permit tcp host 10.10.63.51 any eq https
access-list dmz2-in permit udp host 10.10.63.49 host my.pub.ip.166 eq domain
access-list dmz2-in permit udp host 10.10.63.50 host my.pub.ip.166 eq domain
access-list dmz2-in permit udp host 10.10.63.49 host my.pub.ip.167 eq domain
access-list dmz2-in permit udp host 10.10.63.50 host my.pub.ip.167 eq domain
access-list dmz2-in permit tcp host 10.10.63.49 host 10.10.23.244 eq https
access-list dmz2-in permit tcp host 10.10.63.50 host 10.10.23.244 eq https
access-list dmz2-in permit tcp host 10.10.63.49 host 10.10.23.245 eq https
access-list dmz2-in permit tcp host 10.10.63.50 host 10.10.23.245 eq https
access-list dmz2-in remark Stop - Proxy(1/2) 03-08-2006
access-list internet-out permit tcp host 10.10.30.21 any range aol 5193
access-list internet-out permit udp host 10.10.30.21 any range 5190 5193
access-list internet-out deny tcp any any range aol 5193
access-list internet-out deny udp any any range 5190 5193
access-list internet-out permit tcp any any eq ftp-data
access-list internet-out permit tcp any any eq ftp
access-list internet-out permit tcp any any eq telnet
access-list internet-out permit tcp any any eq www
access-list internet-out permit tcp any any eq https
access-list internet-out permit ip any any
no pager
logging on
logging timestamp
logging monitor debugging
logging buffered warnings
logging trap debugging
logging history warnings
logging host inside 10.10.2.22
logging host inside 10.10.2.50
logging host inside 10.10.2.16
logging host inside 10.10.2.52
logging host inside 10.10.2.57
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu intf4 1500
mtu intf5 1500
mtu intf6 1500
mtu intf7 1500
ip address outside my.pub.ip.15 255.255.255.224
ip address inside 10.10.3.10 255.0.0.0
ip address dmz1 my.pub.ip.33 255.255.255.224
ip address dmz2 10.10.63.1 255.255.255.0
no ip address intf4
no ip address intf5
no ip address intf6
no ip address intf7
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside my.pub.ip.16
failover ip address inside 10.10.3.11
failover ip address dmz1 my.pub.ip.34
failover ip address dmz2 10.10.63.2
no failover ip address intf4
no failover ip address intf5
no failover ip address intf6
no failover ip address intf7
pdm history enable
arp outside my.pub.ip.1 0000.0000.0000 alias
arp inside 10.10.3.1 0000.0000.0000 alias
arp timeout 14400
global (outside) 1 my.pub.ip.30
nat (inside) 1 10.10.0.0 255.255.0.0 0 0
alias (inside) my.pub.ip.82 10.10.63.52 255.255.255.255
alias (inside) my.pub.ip.81 10.10.63.51 255.255.255.255
alias (inside) my.pub.ip.80 10.10.63.50 255.255.255.255
alias (inside) my.pub.ip.79 10.10.63.49 255.255.255.255
alias (inside) my.pub.ip.78 10.10.63.48 255.255.255.255
alias (inside) my.pub.ip.77 10.10.63.47 255.255.255.255
alias (dmz2) my.pub.ip.82 10.10.63.52 255.255.255.255
alias (dmz2) my.pub.ip.81 10.10.63.51 255.255.255.255
alias (dmz2) my.pub.ip.80 10.10.63.50 255.255.255.255
alias (dmz2) my.pub.ip.79 10.10.63.49 255.255.255.255
alias (dmz2) my.pub.ip.78 10.10.63.48 255.255.255.255
alias (dmz2) my.pub.ip.77 10.10.63.47 255.255.255.255
static (dmz1,outside) my.pub.ip.32 my.pub.ip.32 netmask 255.255.255.224 0 0
static (inside,dmz2) 10.10.2.0 10.10.2.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.3.0 10.10.3.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.5.0 10.10.5.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.6.0 10.10.6.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.7.0 10.10.7.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.8.0 10.10.8.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.9.0 10.10.9.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.19.0 10.10.19.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.20.0 10.10.20.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.21.0 10.10.21.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.22.0 10.10.22.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.23.0 10.10.23.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.24.0 10.10.24.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.30.0 10.10.30.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.40.0 10.10.40.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.62.0 10.10.62.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.128.0 10.10.128.0 netmask 255.255.128.0 0 0
static (dmz2,outside) my.pub.ip.74 10.10.63.44 netmask 255.255.255.255 0 0
static (inside,dmz2) 192.168.255.0 192.168.255.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.72.0 10.10.72.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.77.0 10.10.77.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 10.10.78.0 10.10.78.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 170.40.0.0 170.40.0.0 netmask 255.255.128.0 0 0
static (inside,dmz2) 170.40.128.0 170.40.128.0 netmask 255.255.224.0 0 0
static (inside,dmz2) 170.40.192.0 170.40.192.0 netmask 255.255.192.0 0 0
static (dmz2,outside) my.pub.ip.77 10.10.63.47 netmask 255.255.255.255 0 0
static (dmz2,outside) my.pub.ip.78 10.10.63.48 netmask 255.255.255.255 0 0
static (dmz2,outside) my.pub.ip.79 10.10.63.49 netmask 255.255.255.255 0 0
static (dmz2,outside) my.pub.ip.80 10.10.63.50 netmask 255.255.255.255 0 0
static (dmz2,outside) my.pub.ip.81 10.10.63.51 netmask 255.255.255.255 0 0
static (dmz2,outside) my.pub.ip.82 10.10.63.52 netmask 255.255.255.255 0 0
access-group internet-in in interface outside
access-group internet-out in interface inside
access-group dmz2-in in interface dmz2
route outside 0.0.0.0 0.0.0.0 my.pub.ip.1 1
route inside 10.10.0.0 255.255.0.0 10.10.3.1 1
route dmz2 10.10.1.0 255.255.255.0 10.10.63.5 1
route dmz2 10.10.126.0 255.255.255.248 10.10.63.42 1
route dmz2 10.10.126.8 255.255.255.248 10.10.63.43 1
route dmz2 10.10.127.0 255.255.255.0 10.10.63.5 1
route dmz2 10.230.226.240 255.255.255.240 10.10.63.5 1
route dmz2 pub.ip.x.81 255.255.255.255 10.10.63.5 1
route inside pub.ip.x.0 255.255.128.0 10.10.3.1 1
route inside pub.ip.x.0 255.255.224.0 10.10.3.1 1
route inside pub.ip.x.0 255.255.192.0 10.10.3.1 1
route dmz2 pub.ip.x.0 255.255.255.0 10.10.63.5 1
route inside 192.168.255.0 255.255.255.0 10.10.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server authpix protocol radius
aaa-server authpix max-failed-attempts 3
aaa-server authpix deadtime 10
aaa-server authpix (inside) host 10.10.2.30 ahs timeout 5
aaa-server authpix (inside) host 10.10.2.31 ahs timeout 5
aaa-server acctpix protocol tacacs+
aaa-server acctpix max-failed-attempts 3
aaa-server acctpix deadtime 10
aaa-server acctpix (inside) host 10.10.2.30 cisco timeout 5
aaa-server acctpix (inside) host 10.10.2.31 cisco timeout 5
url-server (inside) vendor websense host 10.10.22.211 timeout 5
protocol UDP version 4
aaa authentication serial console authpix
aaa authentication telnet console authpix
filter url http
http server enable
http 10.10.2.16 255.255.255.255 inside
http 10.10.2.50 255.255.255.255 inside
snmp-server host inside 10.10.2.16
snmp-server host inside 10.10.2.21
snmp-server host inside 10.10.2.22
snmp-server host inside 10.10.2.38 poll
snmp-server host inside 10.10.2.50
snmp-server host inside 10.10.2.55
snmp-server host inside 10.10.2.59 poll
snmp-server host inside 10.10.249.29
snmp-server location Data Center
snmp-server contact
snmp-server community
snmp-server enable traps
floodguard enable
telnet 10.10.2.0 255.255.255.0 inside
telnet 10.10.1.248 255.255.255.248 inside
telnet 10.10.2.0 255.255.255.0 dmz2
telnet 10.10.1.248 255.255.255.248 dmz2
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 132
:end
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards