Question about Cisco PIX 515E Firewall

2 Answers

PIX 515E: allow a few websites only.

Dear all,

We have a PIX 515E firewall, on which we have configured inside, outside, circle and DMZ interfaces.
The circle interface IP address is 10.10.20.1.
The circle port is connected to a 3800 router whose IP address is 10.10.20.2,
and from there it is connected to different locations.
In that router, the following networks are advertised through EIGRP:
172.16.0.0
172.25.0.0
192.168.201.0
192.168.202.0
192.168.203.0
192.168.204.0
192.168.205.0

The circles are allowed to reach all servers in the DMZ and some servers on the inside.
We want to give the circles access to 3 websites (e.g. www.yahoo.com, www.rediff.com, www.airtel.in), and everything else should be denied from the circles.

Here is the current running configuration:

sh ru
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 circle security2
nameif ethernet4 VSAT security1
nameif ethernet5 intf5 security10
enable password 3hyXimYrU7kU2XYL encrypted
passwd ekTLtKLsxhDm0lUw encrypted
hostname pixfirewall
domain-name apnpdcl
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list dmz permit ip any any
access-list dmz permit icmp any any
access-list outside permit icmp any any
access-list outside permit tcp any any
access-list outside permit ip any any
access-list circle permit ip any host 10.10.20.252
access-list circle permit icmp any any
access-list circle permit ip any any
access-list netusers permit ip host 192.168.200.123 any
access-list netusers permit ip host 192.168.200.125 any
access-list netusers permit icmp any any
access-list netusers permit tcp any any
access-list netusers permit ip host 192.168.200.140 any
access-list netusers permit ip host 192.168.200.109 any
access-list netusers permit ip host 192.168.200.142 any
access-list netusers permit ip host 192.168.200.144 any
access-list netusers permit ip host 192.168.200.146 any
access-list netusers permit ip host 192.168.200.200 any
access-list netusers permit ip host 192.168.200.234 any
access-list netusers permit ip host 192.168.200.116 any
access-list netusers permit ip host 10.10.10.103 any
access-list netusers permit ip host 192.168.200.103 any
access-list netusers permit ip host 192.168.200.166 any
access-list netusers permit ip host 192.168.200.133 any
access-list netusers permit ip host 192.168.200.122 any
access-list netusers permit ip host 192.168.200.233 any
access-list netusers permit ip host 192.168.200.182 any
access-list netusers permit ip host 192.168.200.236 any
access-list netusers permit ip host 192.168.200.167 any
access-list netusers permit ip any host 192.168.200.252
access-list netusers permit ip host 192.168.200.114 any
access-list netusers permit ip host 192.168.200.188 any
access-list netusers permit ip host 192.168.200.119 any
access-list netusers permit ip host 192.168.200.214 any
access-list netusers permit ip host 192.168.200.231 any
access-list netusers permit ip host 192.168.200.253 any
access-list netusers permit ip host 192.168.200.237 any
access-list netusers permit ip host 192.168.200.175 any
access-list netusers permit ip host 192.168.200.245 any
access-list netusers permit ip host 192.168.200.178 any
access-list netusers permit ip host 192.168.200.195 any
access-list netusers permit ip host 192.168.200.207 any
access-list netusers permit ip host 192.168.200.228 any
access-list netusers permit ip host 192.168.200.220 any
access-list netusers permit ip host 192.168.200.247 any
access-list netusers permit ip host 172.16.64.141 any
access-list netusers permit ip host 192.168.200.187 any
access-list netusers permit ip host 192.168.200.135 any
access-list netusers permit ip host 192.168.200.111 any
access-list netusers permit ip host 192.168.200.183 any
access-list netusers permit ip host 192.168.200.240 any
access-list netusers permit ip host 192.168.200.190 any
access-list netusers permit ip host 192.168.200.108 any
access-list netusers permit ip host 192.168.200.155 any
access-list netusers permit ip host 192.168.200.192 any
access-list inside_outbound_nat0_acl permit ip any 192.168.200.0 255.255.255.240
access-list netuser permit ip host 192.168.200.175 any
no pager
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu circle 1500
mtu VSAT 1500
mtu intf5 1500
ip address outside 203.193.129.132 255.255.255.240
ip address inside 192.168.200.254 255.255.255.0
ip address dmz 10.10.10.1 255.255.255.0
ip address circle 10.10.20.1 255.255.255.0
no ip address VSAT
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address circle
no failover ip address VSAT
no failover ip address intf5
arp timeout 14400
global (outside) 1 203.193.129.133
global (dmz) 1 10.10.10.3
global (circle) 1 10.10.20.3
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
nat (circle) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,circle) 10.10.20.10 10.10.10.10 netmask 255.255.255.255 0 0
static (dmz,circle) 10.10.20.50 10.10.10.50 netmask 255.255.255.255 0 0
static (dmz,circle) 10.10.20.90 10.10.10.90 netmask 255.255.255.255 0 0
static (inside,circle) 10.10.20.233 192.168.200.233 netmask 255.255.255.255 0 0
static (inside,circle) 10.10.20.103 192.168.200.103 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0 0 0
static (inside,circle) 10.10.20.105 192.168.200.105 netmask 255.255.255.255 0 0
static (dmz,circle) 10.10.20.20 10.10.10.20 netmask 255.255.255.255 0 0
static (inside,circle) 10.10.20.252 192.168.200.252 netmask 255.255.255.255 0 0
static (circle,outside) 210.212.223.1 10.10.20.2 netmask 255.255.255.255 0 0
static (inside,circle) 10.10.20.114 192.168.200.114 netmask 255.255.255.255 0 0
static (inside,circle) 10.10.20.119 192.168.200.119 netmask 255.255.255.255 0 0
static (inside,circle) 10.10.20.155 192.168.200.155 netmask 255.255.255.255 0 0
static (inside,outside) 203.193.129.136 192.168.200.233 netmask 255.255.255.255 0 0
static (inside,outside) 203.193.129.134 192.168.200.114 netmask 255.255.255.255 0 0
static (dmz,outside) 203.193.129.135 10.10.10.10 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group netusers in interface inside
access-group dmz in interface dmz
access-group circle in interface circle
route outside 0.0.0.0 0.0.0.0 203.193.129.129 1
route VSAT 10.15.1.222 255.255.255.255 10.15.5.129 1
route circle 172.16.0.0 255.255.0.0 10.10.20.2 1
route circle 172.25.61.0 255.255.255.0 10.10.20.1 1
route circle 172.25.91.0 255.255.255.0 10.10.20.1 1
route circle 192.9.200.0 255.255.255.0 10.10.20.1 1
route circle 192.168.50.0 255.255.255.0 10.10.20.2 1
route circle 192.168.192.0 255.255.255.0 10.10.20.2 1
route circle 192.168.193.0 255.255.255.0 10.10.20.2 1
route circle 192.168.194.0 255.255.255.0 10.10.20.2 1
route circle 192.168.195.0 255.255.255.0 10.10.20.2 1
route circle 192.168.200.0 255.255.248.0 10.10.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute


Do the nslookup for the three websites and write an access list to permit the traffic only to the said website IP addresses.

E.g.

1. Go to the DOS prompt.

2. Type "nslookup".

3. Type "www.rediff.com".

Note: you will get the IP address of the website.

4. Create an object group for these websites.

5. Add the IP addresses of the websites.

6. Create an access-control list entry to permit traffic from your circle office to this object group on TCP ports 80 and 443.

You are done.

Posted on Mar 17, 2009
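The steps above written out in PIX 6.3 syntax, as an added example that is not the answerer's own configuration: the 203.0.113.x addresses are constructed placeholders to be replaced with what nslookup returns for the three sites, CIRCLE-DNS-SERVER is a placeholder for the resolver the circle offices actually use, and the interface names and 10.10.20.x addresses are taken from the running configuration in the question.

```cisco
! Added example (not from the original post). Constructed values:
! 203.0.113.10/.11/.20/.30 stand in for whatever nslookup returns for the
! three sites, and CIRCLE-DNS-SERVER is a placeholder for the circle
! offices' resolver. Interface names and 10.10.20.x come from the config above.
!
! 1. Collect the resolved addresses in a network object-group
object-group network circle-web-sites
  description Sites circle offices may reach (re-check with nslookup; addresses change)
  network-object host 203.0.113.10
  network-object host 203.0.113.11
  network-object host 203.0.113.20
  network-object host 203.0.113.30
!
! 2. Only HTTP and HTTPS towards those hosts
object-group service web-ports tcp
  port-object eq www
  port-object eq https
!
! 3. Rebuild the circle ACL. First match wins, so the existing
!    "access-list circle permit ip any any" would swallow every packet
!    before a deny could apply; the list is recreated without it.
no access-list circle
! keep what the circles already use: the statics to DMZ and inside hosts
! appear on the circle side as 10.10.20.x, and the ACL sees those addresses
access-list circle permit ip any 10.10.20.0 255.255.255.0
! name resolution (drop this line if the resolver is a 10.10.20.x host)
access-list circle permit udp any host CIRCLE-DNS-SERVER eq domain
! the three web sites, HTTP/HTTPS only
access-list circle permit tcp any object-group circle-web-sites object-group web-ports
! ping was open before; keep it for reachability tests, or drop it
access-list circle permit icmp any any
! explicit deny so blocked traffic shows up in "show access-list circle" hit counts
access-list circle deny ip any any
!
! re-bind the list and drop existing translations so old sessions cannot linger
access-group circle in interface circle
clear xlate
write memory
```

PIX 6.3 cannot resolve names inside an ACL, so the object-group has to be refreshed whenever the sites' addresses change, and between "no access-list circle" and the re-bind, circle traffic to higher-security interfaces is dropped for a moment.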


Yeah, you are given good information.

Posted on May 08, 2015


Related Questions:

1 Answer

How to configure MAC access list at PIX 515


The PIX is a layer 3 device; I can't say that I have ever tried to filter a MAC address. I'm pretty sure you can't.

Jan 02, 2010 | Cisco PIX 515E Firewall

1 Answer

I want to block an outside IP-address and some sites on PIX 515E


Assuming you are running the latest version.
Short answer:
# access-list acl-outside line 1 deny ip IPYOUWANTTOBLOCK 255.255.255.255 any
# write memory
The link below contains a longer, helpful explanation: http://www.velocityreviews.com/forums/t35733-how-to-block-external-ip-address-on-pix-515e.html
I hope this helps.

Nov 09, 2009 | Cisco PIX 515E Firewall

1 Answer

Cisco pix 515 workstations cant get outside pix can


You have to create a route statement to allow workstations to get online.

Below is the command:
route interface_name ip_address netmask gateway_ip

Example:
route outside 0.0.0.0 0.0.0.0 200.200.200.1
or
route outside 0 0 200.200.200.1

When there is already a route statement but still cannot get online, check the DNS settings.

Oct 08, 2009 | Cisco PIX 515E Firewall

1 Answer

How to connect to my PIX 501 and use Windows Remote Desktop?


Here's a real simple problem to your remote access problems.
Go to: http://www.logmein.com
Sign up for a free acct, download/install their free software on your Server.
Now go over to your laptop, login to your new logmein acct.
In the next page, you'll see your Server listed. Click on it - follow instructions to connect.
This will tunnel through whatever stuff you have on your network!
Trust me - esp. in your scenario, this is *by far* the *simplest* remote connect you'll ever perform! And it just .... works! Every time.

gurutim

Mar 16, 2009 | Cisco PIX 501 Firewall

1 Answer

Pix 515E inside to outside translation problem


Dear Kiran,

What is the name assigned for ISP 1 as well as ISP 2?

For your reference, kindly find the sample configuration:
ISP 1:
interface ethernet0 100full
nameif ethernet0 outside security0
ip address outside 203.193.129.132 255.255.255.240
nat (inside) 1 (local network)
global (outside) 1 203.193.129.133
route outside 0 0 203.193.129.129 1

regards,
mani.S

Mar 09, 2009 | Cisco PIX 515E Firewall

1 Answer

Problems with dmz-outside (webpage). PIX


Remove this line:

static (DMZ,INSIDE) 10.10.0.0 10.10.0.0 netmask 255.255.255.0

You don't need a translation going from a lower security level to a higher one. You will also need a nat line for the DMZ so that PCs on the DMZ will be translated outbound. The only connection that will work on the DMZ is the webserver when he's sending traffic outbound with a source port of 80. Something like:

nat (DMZ) 101 10.10.0.0 255.255.255.0

Other than that, it looks like it should be working. You've got permission, a route, and a translation. Maybe "clear local-host 10.10.0.2" to get rid of any bad xlates and try again. Check debug-level syslogs, run packet captures, "clear asp drop" then "show asp drop" after an attempt?

Feb 28, 2009 | Cisco PIX Firewall 506

2 Answers

Restricting websites at router or firewall level


Hello,

The PIX does not allow you to block URLs except if you use it in conjunction with Websense, for example. You could, however, deny all outgoing traffic to port 80 except for the IP addresses of the websites you want to be able to access.

To do that you would set up an access-list allowing your internal network to access certain IPs on port 80 and deny all other outgoing traffic.

Let me know if you need more information on how to accomplish this.

Jan 04, 2009 | Cisco PIX 515E Firewall

1 Answer

Cyberguard SG300


From the main configuration screen select Network Setup, and then click on the Connections Tab. In the tabline below that click on Aliases.

At this point you input the Alias IP address and the netmask and add it, selecting port 25. The firewall now knows that it is to forward all traffic on port 25 to the computer that has the IP address you put in.

You should be aware that doing the above opens a direct access point into your network! Port 25 is the port used for SMTP (Sendmail) and it is the most vulnerable and most hacked service on the Internet! You should seriously consider not doing this.

A better option would be to go to the DMZ tab and configure a DMZ net on your firewall - you will need to obtain a second routable IP address from your ISP to do this, though. By creating the DMZ and then routing port 25 to a machine inside the DMZ, you isolate the machine running SMTP from all of the other machines inside your protected network and so make a compromise much less likely.

All of the systems inside your protected network will still have on-demand access to the machine in your DMZ, but the machine in your DMZ would be unable to initiate access to the protected network, which is a much safer setup.

Oct 19, 2007 | Cyberguard SG300 (00852503000366) Firewall

2 Answers

All Public IPs


In order to use your DFL-200 as a firewall, and not a router, you will need to put it into "transparent mode." This will allow you to use only public IP addresses and you will not be using NAT.

Jun 20, 2007 | D-Link NetDefend DFL-200 Firewall

1 Answer

DMZ setup


Is there a setting in the software to select the IP address for the DMZ? I'm not sure about the firewall, but most routers need you to configure the software to actually show which IP on your network is allowed DMZ.

Aug 24, 2006 | HotBrick SoHo 401 Firewall
