Solved

Cisco 506E Firewall config with NAT enabled

Posted on 2003-11-07
11
1,273 Views
Last Modified: 2008-03-10
Still very new to the whole Cisco networking world, although I am learning.

My problem:

I have a Cisco PIX 506E that I would like to set up to protect one of our remote offices that is connected via DSL.

I have configured pieces of this firewall but can't seem to get it working; it is not routing traffic at all.

I have a few devices behind the firewall that I will need to have access to: a barcode printer (port 515), a laser printer (port 9100) and a webcam (port 80). Can this be NATed to work off one IP address, or will I need multiple addresses?

Could someone please provide a complete solution that I can just copy and paste into the CLI?

Yes I know about the sample configs on Cisco's site, but I haven't been able to make them work with me just replacing my info.

This site has 2 IP addresses available for use.

IP: 63.78.141.83   Mask:255.255.255.192
IP: 63.78.141.117  Mask:255.255.255.192
Gateway: 63.78.141.65
DNS: 63.78.141.2 / 63.78.141.3

Thank you for your time and hard work.
Question by:campbelc

11 Comments
 
LVL 79
Expert Comment by:lrmoore
Do you have to use PPPoE w/username/password with your DSL line to get connected?

Can you paste your existing config so we can see what version you are using, and make changes with a script?


0
 
LVL 6
Author Comment by:campbelc
No, I don't have to use PPPoE.

My existing config is basically what came on the box; I will post it anyway.

Also, I would like SSH to work for remote logins.

PIX Version 6.3(1)

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
no ip address outside
no ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
0
 
LVL 79
Expert Comment by:lrmoore
I have to know some more.
What is the private IP LAN subnet that you are using?
What is the private IP address of the webcam =
Private IP address of the laser printer =
Private IP address of the barcode printer =

If you have not yet assigned them, may I suggest using a private IP range such as
192.168.122.x / 255.255.255.0
Set the default gateway to 192.168.122.1 <-- will be the PIX inside interface

Do you want the PIX to be a DHCP server for the rest of the clients?

0
 
LVL 6
Author Comment by:campbelc
Free to set the inside addresses to just about anything. Yes, I did plan on setting up the inside with a 192 IP range.

You are free to pick addresses out of thin air, basically.

Yes on the DHCP for the rest of the network.
0
 
LVL 6
Author Comment by:campbelc
Also, the laser printer I mentioned above is on port 515, not 9100.
0
 
LVL 6
Author Comment by:campbelc
Also, how much, if any, will this config change if I want to set up a site-to-site VPN between this PIX and our CheckPoint NG firewall?
0
 
LVL 79
Accepted Solution by:lrmoore (earned 500 total points)
Let's start with a basic config. You should be able to cut/paste this at the
pixfirewall(config)#

Laser Printer = 192.168.122.22
Web cam = 192.168.122.23
BarCode printer = 192.168.122.24
** be sure their default gateway points to PIX inside**

! address the interfaces:
!
ip address outside 63.78.141.83 255.255.255.192
ip address inside 192.168.122.1 255.255.255.0
!
! set default route (the gateway given in the question is 63.78.141.65)
route outside 0.0.0.0 0.0.0.0 63.78.141.65
!
! setup NAT
global (outside) 1 interface
nat (inside) 1 192.168.122.0 255.255.255.0
!
! setup static Port translations:
! Using only one of the other available addresses
! <-Webcam
static (inside,outside) tcp 63.78.141.117 80 192.168.122.23 80
! <- Laser Printer
static (inside,outside) tcp 63.78.141.117 515 192.168.122.22 515
! <- Barcode Printer
static (inside,outside) tcp 63.78.141.117 9100 192.168.122.24 9100
!
! Create access-list to permit inbound traffic for these systems:
access-list inbound permit icmp any any unreachables
access-list inbound permit icmp any any echo-reply
access-list inbound permit tcp any host 63.78.141.117 eq www
access-list inbound permit tcp any host 63.78.141.117 eq 9100
access-list inbound permit tcp any host 63.78.141.117 eq 515
!
! apply the acl
access-group inbound in interface outside
!
! setup DHCP server (dhcpd address takes the interface name as its last argument)
dhcpd address 192.168.122.100-192.168.122.254 inside
dhcpd dns 63.78.141.2 63.78.141.3
dhcpd enable inside
!
!Setup to use web interface from inside
!
http server enable
http 192.168.122.0 255.255.255.0 inside
! <--optional
! http 0.0.0.0 0.0.0.0 outside  <-- if you want to access web from outside
!
! setup to use SSH from anywhere
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.122.0 255.255.255.0 inside
!

That should get you going. Let's get this all working first, then perhaps a new question to deal with adding a site-site VPN...

0
 
LVL 6
Author Comment by:campbelc
Everything went in except for this line:

access-list inbound permit icmp any any unreachables

Here is the full capture:

pixfirewall(config)# ! address the interfaces:
pixfirewall(config)# !
pixfirewall(config)# ip address outside 63.78.141.83 255.255.255.192
pixfirewall(config)# ip address inside 192.168.122.1 255.255.255.0
pixfirewall(config)# !
pixfirewall(config)# ! set default route
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 65.78.141.65
pixfirewall(config)# !
pixfirewall(config)# ! setup NAT
pixfirewall(config)# global (outside) 1 interface
outside interface address added to PAT pool
pixfirewall(config)# nat (inside) 1 192.168.122.0 255.255.255.0
pixfirewall(config)# !
pixfirewall(config)# ! setup static Port translations:
pixfirewall(config)# ! Using only one of the other available addresses
pixfirewall(config)# ! <-Webcam
pixfirewall(config)# static (inside,outside) tcp 63.78.141.117 80 192.168.122.23 80
pixfirewall(config)# ! <- BarCode Printer
pixfirewall(config)# static (inside,outside) tcp 63.78.141.117 515 192.168.122.22 515
pixfirewall(config)# !
pixfirewall(config)# ! Create access-list to permit inbound traffic for these systems:
pixfirewall(config)# access-list inbound permit icmp any any unreachables

ERROR: extra command argument(s)

Usage:      [no] access-list compiled

[no] access-list deny-flow-max <n>

[no] access-list alert-interval <secs>

[no] access-list <id> compiled

[no] access-list <id> [line <line-num>] remark <text>

[no] access-list <id> [line <line-num>] deny|permit

      <protocol>|object-group <protocol_obj_grp_id>

      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>

      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]

      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>

      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]

      [log [disable|default] | [<level>] [interval <secs>]]

[no] access-list <id> [line <line-num>] deny|permit icmp

      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>

      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>

      [<icmp_type> | object-group <icmp_type_obj_grp_id>]

      [log [disable|default] | [<level>] [interval <secs>]]

Restricted ACLs for route-map use:

[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}


pixfirewall(config)# access-list inbound permit icmp any any echo-reply
pixfirewall(config)# access-list inbound permit tcp any host 63.78.141.117 eq www
pixfirewall(config)# access-list inbound permit tcp any host 63.78.141.117 eq 9100
pixfirewall(config)# access-list inbound permit tcp any host 63.78.141.117 eq 515
pixfirewall(config)# !
pixfirewall(config)# ! apply the acl
pixfirewall(config)# access-group inbound in interface outside
pixfirewall(config)# !
pixfirewall(config)# ! setup DHCP server
pixfirewall(config)# dhcpd address 192.168.122.100-192.168.122.254 inside
pixfirewall(config)# dhcpd dns 63.78.141.2 63.78.141.3
pixfirewall(config)# dhcpd enable inside
pixfirewall(config)# !
pixfirewall(config)# ! Setup to use web interface from inside
pixfirewall(config)# !
pixfirewall(config)# http server enable
pixfirewall(config)# http 192.168.122.0 255.255.255.0 inside
pixfirewall(config)# ! optional if you want to access web from outside
pixfirewall(config)# ! http 0.0.0.0 0.0.0.0 outside
pixfirewall(config)# !
pixfirewall(config)# ! setup to use SSH from anywhere
pixfirewall(config)# ssh 0.0.0.0 0.0.0.0 outside
pixfirewall(config)# ssh 192.168.122.0 255.255.255.0 inside
pixfirewall(config)# !
0
 
LVL 79
Expert Comment by:lrmoore
DOH! Sorry, my typo
>access-list inbound permit icmp any any unreachables
should be:
access-list inbound permit icmp any any unreachable  <-- no "s" at the end..

0
 
LVL 6
Author Comment by:campbelc
Thanks a ton, works great!
0
 
LVL 79
Expert Comment by:lrmoore
Cool!

0
