Dear all,
We have a PIX 515E firewall on which we have configured the inside, outside, circle and DMZ interfaces.
The circle interface IP address is 10.10.20.1.
The circle port is connected to a 3800 router whose IP address is 10.10.20.2;
from there it is connected to different locations.
In that router, the following networks are advertised through EIGRP:
172.16.0.0
172.25.0.0
192.168.201.0
192.168.202.0
192.168.203.0
192.168.204.0
192.168.205.0
Circles are allowed to use all servers in the DMZ and some servers on the inside.
We want to give circles access to 3 websites (e.g. www.yahoo.com, www.rediff.com, www.airtel.in) and everything else should be denied from the circles.
Here is the current running configuration:
sh ru
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 circle security2
nameif ethernet4 VSAT security1
nameif ethernet5 intf5 security10
enable password 3hyXimYrU7kU2XYL encrypted
passwd ekTLtKLsxhDm0lUw encrypted
hostname pixfirewall
domain-name apnpdcl
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list dmz permit ip any any
access-list dmz permit icmp any any
access-list outside permit icmp any any
access-list outside permit tcp any any
access-list outside permit ip any any
access-list circle permit ip any host 10.10.20.252
access-list circle permit icmp any any
access-list circle permit ip any any
access-list netusers permit ip host 192.168.200.123 any
access-list netusers permit ip host 192.168.200.125 any
access-list netusers permit icmp any any
access-list netusers permit tcp any any
access-list netusers permit ip host 192.168.200.140 any
access-list netusers permit ip host 192.168.200.109 any
access-list netusers permit ip host 192.168.200.142 any
access-list netusers permit ip host 192.168.200.144 any
access-list netusers permit ip host 192.168.200.146 any
access-list netusers permit ip host 192.168.200.200 any
access-list netusers permit ip host 192.168.200.234 any
access-list netusers permit ip host 192.168.200.116 any
access-list netusers permit ip host 10.10.10.103 any
access-list netusers permit ip host 192.168.200.103 any
access-list netusers permit ip host 192.168.200.166 any
access-list netusers permit ip host 192.168.200.133 any
access-list netusers permit ip host 192.168.200.122 any
access-list netusers permit ip host 192.168.200.233 any
access-list netusers permit ip host 192.168.200.182 any
access-list netusers permit ip host 192.168.200.236 any
access-list netusers permit ip host 192.168.200.167 any
access-list netusers permit ip any host 192.168.200.252
access-list netusers permit ip host 192.168.200.114 any
access-list netusers permit ip host 192.168.200.188 any
access-list netusers permit ip host 192.168.200.119 any
access-list netusers permit ip host 192.168.200.214 any
access-list netusers permit ip host 192.168.200.231 any
access-list netusers permit ip host 192.168.200.253 any
access-list netusers permit ip host 192.168.200.237 any
access-list netusers permit ip host 192.168.200.175 any
access-list netusers permit ip host 192.168.200.245 any
access-list netusers permit ip host 192.168.200.178 any
access-list netusers permit ip host 192.168.200.195 any
access-list netusers permit ip host 192.168.200.207 any
access-list netusers permit ip host 192.168.200.228 any
access-list netusers permit ip host 192.168.200.220 any
access-list netusers permit ip host 192.168.200.247 any
access-list netusers permit ip host 172.16.64.141 any
access-list netusers permit ip host 192.168.200.187 any
access-list netusers permit ip host 192.168.200.135 any
access-list netusers permit ip host 192.168.200.111 any
access-list netusers permit ip host 192.168.200.183 any
access-list netusers permit ip host 192.168.200.240 any
access-list netusers permit ip host 192.168.200.190 any
access-list netusers permit ip host 192.168.200.108 any
access-list netusers permit ip host 192.168.200.155 any
access-list netusers permit ip host 192.168.200.192 any
access-list inside_outbound_nat0_acl permit ip any 192.168.200.0 255.255.255.240
access-list netuser permit ip host 192.168.200.175 any
no pager
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu circle 1500
mtu VSAT 1500
mtu intf5 1500
ip address outside 203.193.129.132 255.255.255.240
ip address inside 192.168.200.254 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
ip address circle 10.10.20.1 255.255.255.0
no ip address VSAT
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address circle
no failover ip address VSAT
no failover ip address intf5
arp timeout 14400
global (outside) 1 203.193.129.133
global (dmz) 1 10.10.10.3
global (circle) 1 10.10.20.3
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
nat (circle) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,circle) 10.10.20.10 10.10.10.10 netmask 255.255.255.255 0 0
static (dmz,circle) 10.10.20.50 10.10.10.50 netmask 255.255.255.255 0 0
static (dmz,circle) 10.10.20.90 10.10.10.90 netmask 255.255.255.255 0 0
static (inside,circle) 10.10.20.233 192.168.200.233 netmask 255.255.255.255 0 0
static (inside,circle) 10.10.20.103 192.168.200.103 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0 0 0
static (inside,circle) 10.10.20.105 192.168.200.105 netmask 255.255.255.255 0 0
static (dmz,circle) 10.10.20.20 10.10.10.20 netmask 255.255.255.255 0 0
static (inside,circle) 10.10.20.252 192.168.200.252 netmask 255.255.255.255 0 0
static (circle,outside) 210.212.223.1 10.10.20.2 netmask 255.255.255.255 0 0
static (inside,circle) 10.10.20.114 192.168.200.114 netmask 255.255.255.255 0 0
static (inside,circle) 10.10.20.119 192.168.200.119 netmask 255.255.255.255 0 0
static (inside,circle) 10.10.20.155 192.168.200.155 netmask 255.255.255.255 0 0
static (inside,outside) 203.193.129.136 192.168.200.233 netmask 255.255.255.255 0 0
static (inside,outside) 203.193.129.134 192.168.200.114 netmask 255.255.255.255 0 0
static (dmz,outside) 203.193.129.135 10.10.10.10 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group netusers in interface inside
access-group dmz in interface dmz
access-group circle in interface circle
route outside 0.0.0.0 0.0.0.0 203.193.129.129 1
route VSAT 10.15.1.222 255.255.255.255 10.15.5.129 1
route circle 172.16.0.0 255.255.0.0 10.10.20.2 1
route circle 172.25.61.0 255.255.255.0 10.10.20.1 1
route circle 172.25.91.0 255.255.255.0 10.10.20.1 1
route circle 192.9.200.0 255.255.255.0 10.10.20.1 1
route circle 192.168.50.0 255.255.255.0 10.10.20.2 1
route circle 192.168.192.0 255.255.255.0 10.10.20.2 1
route circle 192.168.193.0 255.255.255.0 10.10.20.2 1
route circle 192.168.194.0 255.255.255.0 10.10.20.2 1
route circle 192.168.195.0 255.255.255.0 10.10.20.2 1
route circle 192.168.200.0 255.255.248.0 10.10.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
Do an nslookup for the three websites and write an access list to permit traffic only to those website IP addresses.
Eg.
1. Go to the DOS prompt
2. Type "nslookup"
3. Type "www.rediff.com"
Note: you will get the IP address of the website.
4. Create an object group for these websites
5. Add the IP addresses of the websites
6. Create an access-control list entry to permit traffic from your circle office to this object group for TCP ports 80 and 443
You are done
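The steps above, written out as PIX 6.3 configuration. This is an added example, not the original poster's config and not the answerer's; the three website addresses (203.0.113.x) and the DNS server address (10.10.20.250) are placeholders that must be replaced with the real nslookup results and the resolver the circle offices actually use. The server addresses come from the static translations already in the running config, which is how those inside and DMZ servers appear on the circle side.

```cisco
! Added example (not from the original post): restrict the circle interface
! to three web sites plus the servers already published to it.

! 1. Group the resolved web site addresses (placeholders, replace with nslookup output)
object-group network circle-websites
  network-object host 203.0.113.10
  network-object host 203.0.113.20
  network-object host 203.0.113.30

! 2. Group the servers the circle may still reach, using the addresses the
!    static (dmz,circle) and static (inside,circle) entries present to the circle
object-group network circle-servers
  network-object host 10.10.20.10
  network-object host 10.10.20.20
  network-object host 10.10.20.50
  network-object host 10.10.20.90
  network-object host 10.10.20.103
  network-object host 10.10.20.105
  network-object host 10.10.20.114
  network-object host 10.10.20.119
  network-object host 10.10.20.155
  network-object host 10.10.20.233
  network-object host 10.10.20.252

! 3. Remove the existing blanket permits. The ACL is evaluated first-match and new
!    entries are appended, so anything placed after "permit ip any any" would never be hit
no access-list circle permit ip any host 10.10.20.252
no access-list circle permit icmp any any
no access-list circle permit ip any any

! 4. Rebuild the list: published servers, DNS (placeholder resolver address),
!    the three sites on 80/443, then an explicit logged deny for everything else
access-list circle permit ip any object-group circle-servers
access-list circle permit udp any host 10.10.20.250 eq 53
access-list circle permit tcp any object-group circle-websites eq 80
access-list circle permit tcp any object-group circle-websites eq 443
access-list circle deny ip any any log

! 5. The binding already exists in the running config; repeating it is harmless
access-group circle in interface circle
```

After applying, `show access-list circle` displays a hit count per entry: the website lines should count up when a circle user browses one of the permitted sites, and the final deny line should count up for everything else (with syslog message 106100 recording what was blocked). Two practical caveats: large sites often resolve to several addresses that change over time, so when access to a permitted site stops working the first thing to check is whether nslookup now returns a different address; and because the list sits inbound on the circle interface it governs circle traffic toward the inside and DMZ as well, so any server used by the circles that is missing from the circle-servers group will be blocked too.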
Yeah, you are given good information.