Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX 515 - 4.4 to 6.3 upgrade 1

Status
Not open for further replies.
nix45

nix45

MIS
Nov 21, 2002
478
US
I'm about to upgrade the software on a PIX 515 from 4.4 to 6.3. I have a very basic set up. All I need is to allow hosts behind the PIX to be able to get out to the Internet, and I need for outside users to be able to access our web and mail server. Does this config look okay for the 6.3 software (only non-defaults shown)? Please let me know if I'm missing anything.


nameif ethernet0 inside security0
nameif ethernet1 inside security100

enable password cisco encrypted
passwd cisco
hostname PIX515

ip address outside 12.12.12.210 255.255.255.240
ip address inside 192.0.30.1 255.255.255.0

global (outside) 1 12.12.12.222
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

telnet 192.0.1.0 255.255.255.0 inside
telnet password cisco

static (inside,outside) 12.12.12.211 192.0.30.10
static (inside,outside) 12.12.12.212 192.0.30.20

conduit permit tcp host 12.12.12.211 eq 80 any
conduit permit tcp host 12.12.12.212 eq 25 any
conduit permit icmp any any

route outside 0 0 12.12.12.209
route inside 0 0 192.0.1.0 255.255.255.0 192.0.30.2


Thanks,
Chris
 
Sort by date Sort by votes
That config looks like it will port over fine.

When you upgrade to 6.3, you should change your conduit list to an access-list.

Change:
conduit permit tcp host 12.12.12.211 eq 80 any
conduit permit tcp host 12.12.12.212 eq 25 any
conduit permit icmp any any

To:
access-list 101 permit tcp any host 12.12.12.211 eq 80
access-list 101 permit tcp any host 12.12.12.212 eq 25
access-group 101 in interface outside

Access-lists run faster than conduits. Definatly worth the conversion.
 
Upvote 0 Downvote
Thanks. I read that conduit and access-lists do the same thing, but I wasn't sure if there was any difference between the two.

Chris
 
Upvote 0 Downvote
...what about the ICMP statement? Can I do something like this...

access-list 101 permit any any eq icmp

I want to allow pings to go through the PIX.


Thanks,
Chris
 
Upvote 0 Downvote
..or this..

access-list 101 permit icmp any host 12.12.12.209 echo

...where 12.12.12.209 is the outside interface of the PIX.
 
Upvote 0 Downvote
"access-list 101 permit icmp any host 12.12.12.209 echo"

That should work fine.
 
Upvote 0 Downvote
You'll need to allow for the echo-reply to come back through the PIX.

access-list in permit icmp any any echo-reply

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
819
Johnkite
Johnkite
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
266
brownmab53
brownmab53
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
781
nnaarrnn
nnaarrnn
quazimotto
  • Locked
  • Question
Correct Upgrade Path for PIX
Replies
7
Views
428
quazimotto
quazimotto

Part and Inventory Search

Sponsor

Back
Top