Solved

Configuration for PIX

Posted on 2004-04-12
10
709 Views
Last Modified: 2010-04-11
I have a PIX that uses two cards (inside,outside).  Currently, the firewall is set up to allow mail to come through to the internal mail server at 10.1.0.104.  It must now be set up to allow traffic to come in to two internal SSL web servers.   If I have worked things out right, I have six available addresses, 200.200.200.153 - 200.200.200.158.  The 153 address is used by my ISP for their router.  Somehow, three of them (155-157) seem to be used up with NAT/PAT and .154 is used up on the outside interface, leaving me only one for the mail server and nothing for my new SSL servers.  That seems wrong.  It's my feeling that I should only have to use one for NAT/PAT, but be darned if I can figure out how.  Help!  This is a tough one (at least for me!), so I'll send an additional 500 points along to the person who can help me out.  Time is of the essence!

Thanks!

Here is the current configuration:


interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list nonat permit ip x.x.x.x 255.0.0.0 x.x.x.x 255.255.255.0
access-list nonat permit ip x.x.x.x 255.0.0.0 x.x.x.x 255.255.255.0
access-list 101 permit ip x.x.x.x 255.0.0.0 x.x.x.x 255.255.255.0
pager lines 24
logging on
logging monitor warnings
logging buffered warnings
logging trap informational
logging history errors
logging facility 21
logging host inside x.x.x.x
logging host inside x.x.x.x
mtu outside 1500
mtu inside 1500
ip address outside 200.200.200.154 255.255.255.248
ip address inside 10.1.0.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool x.x.x.x-x.x.x.x
ip local pool vpn3k x.x.x.x-x.x.x.x
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 600
global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248
global (outside) 1 200.200.200.155 netmask 255.255.255.248
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 200.200.200.158 10.1.0.104 netmask 255.255.255.255 128 5

// ALLOW EMAIL THROUGH TO EMAIL SERVER //

conduit permit tcp host 200.200.200.158 eq smtp any
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 200.200.200.153 1
route inside x.x.x.x 255.0.0.0 x.x.x.x 1
timeout xlate 24:00:00
timeout conn 12:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 4:00:00 absolute

P.S.  I know that I shouldn't be using conduits anymore.  If you can replace that line with whatever access-list changes I need, that would be great.  Thanks...
0
Comment
Question by:Robing66066
10 Comments
 
LVL 1

Expert Comment

by:chandupcs
ID: 10809089
hi

remove the following command from the configuration

global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248

this way only one global command will be there which will be using only one ip i.e. 200.200.200.155 and .156 and .157 will be available for you.
0
 
LVL 1

Assisted Solution

by:chandupcs
chandupcs earned 250 total points
ID: 10809124
hi again,

you can change the conduit command to a corresponding access-list as given below

conduit permit tcp host 200.200.200.158 eq smtp any

should be changed to

access-list 101 permit tcp any host 200.200.200.158 eq smtp

access-group 101 in interface outside

0
 
LVL 12

Expert Comment

by:mburdick
ID: 10809438
What version of the PIX Software are you running? Do you have a SmartNET contract for it?
0
 
LVL 7

Author Comment

by:Robing66066
ID: 10813660
chandupcs: I wondered if I could get away with that.  What did that line do in the first place?  What will be the effect of removing it?

mburdick: Version 6.3(3).  I don't have a SmartNet contract.  (If I did, I'd have asked them instead...)  :)
0
 
LVL 1

Expert Comment

by:chandupcs
ID: 10814042
hi robin

when you are using NAT on the PIX you will use the first line, i.e.

global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248

but when you have only one IP available, you can use PAT. Using PAT you can have a maximum of about 64000 hosts in your internal network, and the traffic will still be translated to your public IP. When you give only one IP address with the global command you are using PAT, and when you give a range of IPs you are using NAT.

In the config you have given you are using both, but you don't have to use both. As you have limited IPs you can just use PAT.

i.e. keep the line

global (outside) 1 200.200.200.155 netmask 255.255.255.248

and remove the line above.

0
 
LVL 7

Author Comment

by:Robing66066
ID: 10815151
Ok.  I'll give it a try.  Thanks!
0
 
LVL 6

Accepted Solution

by:
Pascal666 earned 250 total points
ID: 10815622
You can free up .155 through .157 by replacing your two existing global statements with:

global (outside) 1 interface

This tells the PIX to use its outside IP for PAT.

-Pascal
0
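An added example (not from any poster in this thread) that works through both fixes offered above, chandupcs's conduit-to-access-list rewrite and Pascal's `global (outside) 1 interface`, as code: it parses the address-relevant lines of the poster's config, reports which of the six usable /29 addresses each line consumes (which is why nothing was left for the SSL servers), shows the three addresses that become free once PAT is moved to the outside interface, and rewrites the conduit in access-list form. The config text below is constructed from the question; the parsing only covers the syntax actually present (host/any endpoints with an `eq` port), which is an assumption, not a general PIX parser.

```python
# Added example (not part of the thread): audit which addresses of the PIX's
# public /29 are consumed by each config line, apply the accepted fix (PAT on
# the outside interface) and rewrite the conduit as an access-list.
import ipaddress
import re

# Constructed sample: only the address-relevant lines of the poster's config.
PIX_CONFIG = """\
ip address outside 200.200.200.154 255.255.255.248
ip address inside 10.1.0.2 255.255.0.0
global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248
global (outside) 1 200.200.200.155 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 200.200.200.158 10.1.0.104 netmask 255.255.255.255 128 5
conduit permit tcp host 200.200.200.158 eq smtp any
route outside 0.0.0.0 0.0.0.0 200.200.200.153 1
"""


def outside_interface(config):
    """Return the outside address and mask as an ip_interface object."""
    m = re.search(r"^ip address outside (\S+) (\S+)$", config, re.M)
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")


def address_usage(config):
    """Map every usable host address of the outside subnet to the config
    items that consume it (an empty list means the address is free)."""
    iface = outside_interface(config)
    usage = {str(h): [] for h in iface.network.hosts()}

    def claim(addr, reason):
        if addr in usage:
            usage[addr].append(reason)

    claim(str(iface.ip), "outside interface")
    # The default route's next hop is the ISP router, which also sits in the /29.
    for m in re.finditer(r"^route outside \S+ \S+ (\S+)", config, re.M):
        claim(m.group(1), "ISP router")
    for m in re.finditer(r"^global \(outside\) \d+ (\S+)", config, re.M):
        spec = m.group(1)
        if spec == "interface":
            continue  # PAT on the interface address needs no extra address
        first, _, last = spec.partition("-")
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last or first)
        kind = "NAT pool" if last else "PAT address"
        for addr in usage:
            if lo <= ipaddress.ip_address(addr) <= hi:
                claim(addr, kind)
    for m in re.finditer(r"^static \(inside,outside\) (\S+) (\S+)", config, re.M):
        claim(m.group(1), f"static to {m.group(2)}")
    return usage


def free_addresses(config):
    """Addresses of the outside subnet that no config line consumes."""
    return [a for a, why in address_usage(config).items() if not why]


def apply_accepted_fix(config):
    """Drop every 'global (outside)' line and PAT on the outside interface
    instead (Pascal's answer); the 'nat (inside) 1' line stays as it is."""
    lines = [l for l in config.splitlines() if not l.startswith("global (outside)")]
    idx = next(i for i, l in enumerate(lines) if l.startswith("nat (inside) 1 "))
    lines.insert(idx, "global (outside) 1 interface")
    return "\n".join(lines) + "\n"


# Assumption: only host/any endpoints with an optional 'eq <port>' are handled.
CONDUIT = re.compile(
    r"^conduit (permit|deny) (\S+) (host \S+|any)(?: eq (\S+))? (host \S+|any)(?: eq (\S+))?$"
)


def conduit_to_acl(line, acl="101"):
    """Rewrite a host/any conduit into access-list form. A conduit names the
    global (destination) side first and the foreign (source) side second;
    an access-list names source first, so the two sides are swapped."""
    m = CONDUIT.match(line.strip())
    if not m:
        raise ValueError(f"unsupported conduit syntax: {line!r}")
    action, proto, dst, dst_port, src, src_port = m.groups()
    dst += f" eq {dst_port}" if dst_port else ""
    src += f" eq {src_port}" if src_port else ""
    return f"access-list {acl} {action} {proto} {src} {dst}"


if __name__ == "__main__":
    for addr, why in address_usage(PIX_CONFIG).items():
        print(addr, ", ".join(why) or "free")
    print("free after fix:", free_addresses(apply_accepted_fix(PIX_CONFIG)))
    print(conduit_to_acl("conduit permit tcp host 200.200.200.158 eq smtp any"))
    print("access-group 101 in interface outside")  # binds the ACL inbound on outside
```

Run as-is, the audit lists all six addresses as taken (.153 ISP router, .154 outside interface, .155 PAT, .156 and .157 NAT pool, .158 static for the mail server) and then .155 through .157 as free once the two global lines are replaced by `global (outside) 1 interface`. The freed addresses can each carry a `static (inside,outside)` for an SSL server plus a matching `access-list 101 permit tcp any host <addr> eq https` entry, and the access-list only takes effect once `access-group 101 in interface outside` is applied, as chandupcs notes above.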
 
LVL 7

Author Comment

by:Robing66066
ID: 10815686
Very nice!  I'll give that a try as well...
0
 
LVL 7

Author Comment

by:Robing66066
ID: 10901322
I'm probably going to try this on the weekend.  Will award points then...
0
 
LVL 7

Author Comment

by:Robing66066
ID: 10950645
It's all good.  Thanks!
0