Numptyboy
asked on
Cable Modem with fixed IP using NAT to PIX501 firewall using NAT - limited outbound access
Problem: Currently I can only obtain access beyond the PIX from the server at 192.168.1.10 with config file below.
I have been struggling with this off and on for 4 weeks (never configed PIX before :/ ), we have a network configuration as follows.
ISP fixed IP - 89-xxx-xxx-xx --- ADSL Modem --- Nat Internal to - 192.168.0.1
PIX501 connected to ADSL Modem - outside network is 192.168.0.2, inside network is 192.168.1.0/12
PIX Version 6.3
We need unfettered access for all internal PC/Macs through the PIX (ie. not to be routed through the server)
We need all external requests from the PIX to be routed to the server eg. POP/SMTP/FTP/SQLNET/HTTP/HTTPS/FilemakerServer
PDM + Console access to just one machine - 192.168.1.11
And finally we have one machine outside the PIX on a shared switch before the ADSL Modem which needs to be regarded as a Trusted address - 192.168.0.101
Any help with a functioning config file for the above would be appreciated, alas it is beyond me.
'A man has to know his limitations'
----snip----
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password xxxxx encrypted
> passwd xxxxx encrypted
> hostname pix
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> names
> object-group network WORLD
> description The world
> network-object 0.0.0.0 0.0.0.0
> object-group network EXTERNAL
> network-object host 192.168.0.2
> object-group network INTERNAL
> description INSIDE
> network-object 192.168.1.0 255.255.255.0
> object-group service INBOUND-TCP tcp
> description Static Inbound Services
> port-object eq 110
> port-object eq smtp
> port-object eq 21
> port-object eq 80
> port-object eq 443
> port-object eq 53
> object-group service INBOUND-UDP udp
> description Static Inbound Services
> port-object eq 53
> access-list OUTSIDE permit tcp object-group WORLD object-group EXTERNAL object-group INBOUND-TCP
> access-list OUTSIDE permit tcp object-group WORLD object-group EXTERNAL object-group INBOUND-UDP
> access-list OUTSIDE permit icmp any any echo-reply
> access-list OUTSIDE permit icmp any any traceroute
> access-list OUTSIDE permit icmp any any time-exceeded
> access-list OUTSIDE permit icmp any any unreachable
> pager lines 24
> logging on
> logging buffered info
> ip address outside 192.168.0.2 255.255.255.0
> ip address inside 192.168.1.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> http server enable
> http 192.168.1.11 255.255.255.255 inside
> global (outside) 1 interface
> nat (inside) 1 192.168.1.0 255.255.255.0
> static (inside,outside) 192.168.0.2 192.168.1.10
> access-group OUTSIDE in interface outside
> route outside 0.0.0.0 0.0.0.0 192.168.0.1
> telnet 192.168.1.11 255.255.255.255 inside
> ----snip----
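As an added illustration (not part of the original post or of any Cisco tooling), the following script parses the NAT- and ACL-relevant lines of the posted PIX 6.3 config and flags the two patterns a reviewer would check first: a one-to-one `static` whose mapped address is also the address that `global (outside) 1 interface` uses for PAT, and an `access-list` whose protocol keyword does not match the protocol of the service object-group it references. The config excerpt is a constructed sample copied from the post with the wrapped access-list lines rejoined; the finding texts are this script's own.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the NAT/ACL lines of the posted config, wrapped lines rejoined.
SAMPLE_CONFIG = """\
object-group service INBOUND-TCP tcp
 port-object eq 110
object-group service INBOUND-UDP udp
 port-object eq 53
access-list OUTSIDE permit tcp object-group WORLD object-group EXTERNAL object-group INBOUND-TCP
access-list OUTSIDE permit tcp object-group WORLD object-group EXTERNAL object-group INBOUND-UDP
ip address outside 192.168.0.2 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 192.168.0.2 192.168.1.10
"""

def lint_pix_nat(config: str) -> List[str]:
    iface_ip: Dict[str, str] = {}               # interface name -> configured address
    svc_proto: Dict[str, str] = {}              # service object-group -> tcp/udp/tcp-udp
    pat_ifaces: Set[str] = set()                # interfaces whose global uses 'interface' PAT
    statics: List[Tuple[str, str, str]] = []    # (mapped-side iface, mapped addr, real addr)
    acls: List[Tuple[str, str]] = []            # (protocol keyword, last service object-group)

    for raw in config.splitlines():             # pass 1: collect facts, order-independent
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+) \S+$", line):
            iface_ip[m[1]] = m[2]
        elif m := re.match(r"object-group service (\S+) (tcp|udp|tcp-udp)$", line):
            svc_proto[m[1]] = m[2]
        elif m := re.match(r"global \((\S+)\) \d+ interface$", line):
            pat_ifaces.add(m[1])
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line):
            statics.append((m[2], m[3], m[4]))
        elif m := re.match(r"access-list \S+ permit (tcp|udp) .* object-group (\S+)$", line):
            acls.append((m[1], m[2]))

    findings: List[str] = []                    # pass 2: evaluate the two checks
    for iface, mapped, real in statics:
        # One-to-one static and interface PAT competing for the same outside address:
        # the pattern to review when only the static's real host reaches the outside.
        if iface in pat_ifaces and iface_ip.get(iface) == mapped:
            findings.append(f"static {mapped}->{real} overlaps 'global ({iface}) interface' PAT address")
    for proto, grp in acls:
        gp = svc_proto.get(grp)
        if gp and gp != "tcp-udp" and gp != proto:
            findings.append(f"access-list uses {proto} with {gp} object-group {grp}")
    return findings
```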
ASKER CERTIFIED SOLUTION
Glad to help..