Solved

Configuration for PIX

Posted on 2004-04-12
10
704 Views
Last Modified: 2010-04-11
I have a PIX that uses two cards (inside,outside).  Currently, the firewall is set up to allow mail to come through to the internal mail server at 10.1.0.104.  It must now be set up to allow traffic to come in to two internal SSL web servers.   If I have worked things out right, I have six available addresses, 200.200.200.153 - 200.200.200.158.  The 153 address is used by my ISP for their router.  Somehow, three of them (155-157) seem to be used up with NAT/PAT and .154 is used up on the outside interface, leaving me only one for the mail server and nothing for my new SSL servers.  That seems wrong.  It's my feeling that I should only have to use one for NAT/PAT, but be darned if I can figure out how.  Help!  This is a tough one (at least for me!), so I'll send an additional 500 points along to the person who can help me out.  Time is of the essence!

Thanks!

Here is the current configuration:


interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list nonat permit ip x.x.x.x 255.0.0.0 x.x.x.x 255.255.255.0
access-list nonat permit ip x.x.x.x 255.0.0.0 x.x.x.x 255.255.255.0
access-list 101 permit ip x.x.x.x 255.0.0.0 x.x.x.x 255.255.255.0
pager lines 24
logging on
logging monitor warnings
logging buffered warnings
logging trap informational
logging history errors
logging facility 21
logging host inside x.x.x.x
logging host inside x.x.x.x
mtu outside 1500
mtu inside 1500
ip address outside 200.200.200.154 255.255.255.248
ip address inside 10.1.0.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool x.x.x.x-x.x.x.x
ip local pool vpn3k x.x.x.x-x.x.x.x
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 600
global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248
global (outside) 1 200.200.200.155 netmask 255.255.255.248
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 200.200.200.158 10.1.0.104 netmask 255.255.255.255 128 5

// ALLOW EMAIL THROUGH TO EMAIL SERVER //

conduit permit tcp host 200.200.200.158 eq smtp any
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 200.200.200.153 1
route inside x.x.x.x 255.0.0.0 x.x.x.x 1
timeout xlate 24:00:00
timeout conn 12:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 4:00:00 absolute

P.S.  I know that I shouldn't be using conduits anymore.  If you can replace that line with whatever access-list changes I need, that would be great.  Thanks...
0
Comment
Question by:Robing66066
10 Comments
 
LVL 1

Expert Comment

by:chandupcs
Hi,

Remove the following command from the configuration:

global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248

This way only one global command will be there, which will use only one IP, i.e. 200.200.200.155, and .156 and .157 will be available for you.
0
 
LVL 1

Assisted Solution

by:chandupcs
chandupcs earned 250 total points
Hi again,

You can change the conduit command to a corresponding access-list as given below:

conduit permit tcp host 200.200.200.158 eq smtp any

should be changed to

access-list 101 permit tcp any host 200.200.200.158 eq smtp

access-group 101 in interface outside

0
 
LVL 12

Expert Comment

by:mburdick
What version of the PIX Software are you running? Do you have a SmartNET contract for it?
0
 
LVL 7

Author Comment

by:Robing66066
chandupcs: I wondered if I could get away with that.  What did that line do in the first place?  What will be the effect of removing it?

mburdick: Version 6.3 (3).  I don't have a SmartNet contract.  (If I did, I'd have asked them instead...)  :)
0
 
LVL 1

Expert Comment

by:chandupcs
Hi Robin,

When you are using NAT on the PIX you will use the first line, i.e.

global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248

But when you have only one IP available, you can use PAT. Using PAT you can have a maximum of about 64000 hosts in your internal network and still have the traffic translated to your public IP. When you give only one IP address with the global command you are using PAT, and when you give a range of IPs you are using NAT.

In the config you have given you are using both, but you don't have to use both. As you have limited IPs you can just use PAT.

I.e. keep the line

global (outside) 1 200.200.200.155 netmask 255.255.255.248

and remove the line above.

0
 
LVL 7

Author Comment

by:Robing66066
Ok.  I'll give it a try.  Thanks!
0
 
LVL 6

Accepted Solution

by:Pascal666
Pascal666 earned 250 total points
You can free up .155 through .157 by replacing your two existing global statements with:

global (outside) 1 interface

This tells the PIX to use its outside IP for PAT.

-Pascal
0
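As an added illustration (not code from the thread or from Cisco), the following Python script audits how the /29 in the posted config is consumed, which makes chandupcs's NAT-versus-PAT point and Pascal666's `global (outside) 1 interface` answer concrete. The config excerpt is constructed from the lines in the question, and the parser only understands the PIX 6.x lines that allocate public addresses.

```python
import ipaddress

# Constructed excerpt: the public-side lines of the poster's PIX 6.3 config.
PIX_CONFIG_BEFORE = """\
ip address outside 200.200.200.154 255.255.255.248
global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248
global (outside) 1 200.200.200.155 netmask 255.255.255.248
static (inside,outside) 200.200.200.158 10.1.0.104 netmask 255.255.255.255 128 5
route outside 0.0.0.0 0.0.0.0 200.200.200.153 1
"""

def public_usage(config: str) -> dict:
    """Map each usable address of the outside subnet to what consumes it.
    Only the PIX 6.x lines that allocate public addresses are parsed:
    'ip address outside', 'route outside' (ISP gateway), 'global', 'static'."""
    used, outside = {}, None
    for line in config.splitlines():
        p = line.split()
        if p[:3] == ["ip", "address", "outside"]:
            outside = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
            used[p[3]] = "outside interface"
        elif p[:2] == ["route", "outside"]:
            used[p[4]] = "ISP router (default gateway)"
        elif p[:1] == ["global"] and p[3] != "interface":
            # One address = PAT, a 'lo-hi' range = NAT pool; both consume
            # addresses. 'global ... interface' reuses the outside IP for free.
            lo, _, hi = p[3].partition("-")
            addr, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
            while addr <= last:
                used[str(addr)] = f"NAT/PAT pool, global id {p[2]}"
                addr += 1
        elif p[:1] == ["static"]:
            used[p[2]] = f"static to {p[3]}"
    if outside is None:
        raise ValueError("no 'ip address outside' line found")
    free = [str(h) for h in outside.network.hosts() if str(h) not in used]
    return {"used": used, "free": free}

def pat_on_interface(config: str) -> str:
    """Apply the accepted answer: drop the pool globals, PAT on the outside address."""
    kept = [l for l in config.splitlines() if not l.startswith("global (outside)")]
    return "\n".join(kept + ["global (outside) 1 interface"]) + "\n"

if __name__ == "__main__":
    for label, cfg in (("before", PIX_CONFIG_BEFORE), ("after", pat_on_interface(PIX_CONFIG_BEFORE))):
        report = public_usage(cfg)
        print(f"{label}: free = {report['free'] or 'none'}")
        for ip, what in sorted(report["used"].items(), key=lambda kv: ipaddress.ip_address(kv[0])):
            print(f"  {ip:<16} {what}")
```

Before the change every address in .153-.158 is accounted for; after it, .155 through .157 are free for the two SSL servers' statics.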
 
LVL 7

Author Comment

by:Robing66066
Very nice!  I'll give that a try as well...
0
 
LVL 7

Author Comment

by:Robing66066
I'm probably going to try this on the weekend.  Will award points then...
0
 
LVL 7

Author Comment

by:Robing66066
It's all good.  Thanks!
0
