  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 713

Configuration for PIX

I have a PIX that uses two cards (inside,outside).  Currently, the firewall is set up to allow mail to come through to the internal mail server at 10.1.0.104.  It must now be set up to allow traffic to come in to two internal SSL web servers.   If I have worked things out right, I have six available addresses, 200.200.200.153 - 200.200.200.158.  The 153 address is used by my ISP for their router.  Somehow, three of them (155-157) seem to be used up with NAT/PAT and .154 is used up on the outside interface, leaving me only one for the mail server and nothing for my new SSL servers.  That seems wrong.  It's my feeling that I should only have to use one for NAT/PAT, but be darned if I can figure out how.  Help!  This is a tough one (at least for me!), so I'll send an additional 500 points along to the person who can help me out.  Time is of the essence!

Thanks!

Here is the current configuration:


interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list nonat permit ip x.x.x.x 255.0.0.0 x.x.x.x 255.255.255.0
access-list nonat permit ip x.x.x.x 255.0.0.0 x.x.x.x 255.255.255.0
access-list 101 permit ip x.x.x.x 255.0.0.0 x.x.x.x 255.255.255.0
pager lines 24
logging on
logging monitor warnings
logging buffered warnings
logging trap informational
logging history errors
logging facility 21
logging host inside x.x.x.x
logging host inside x.x.x.x
mtu outside 1500
mtu inside 1500
ip address outside 200.200.200.154 255.255.255.248
ip address inside 10.1.0.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool x.x.x.x-x.x.x.x
ip local pool vpn3k x.x.x.x-x.x.x.x
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 600
global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248
global (outside) 1 200.200.200.155 netmask 255.255.255.248
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 200.200.200.158 10.1.0.104 netmask 255.255.255.255 128 5

// ALLOW EMAIL THROUGH TO EMAIL SERVER //

conduit permit tcp host 200.200.200.158 eq smtp any
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 200.200.200.153 1
route inside x.x.x.x 255.0.0.0 x.x.x.x 1
timeout xlate 24:00:00
timeout conn 12:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 4:00:00 absolute

P.S.  I know that I shouldn't be using conduits anymore.  If you can replace that line with whatever access-list changes I need, that would be great.  Thanks...
0
Asked by: Robing66066
2 Solutions
 
chandupcs Commented:
hi

remove the following command from the configuration

global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248

This way only one global command will be there, which will be using only one IP, i.e. 200.200.200.155, and .156 and .157 will be available for you.
0
 
chandupcs Commented:
hi again,

you can change the conduit command to a corresponding access-list as given below

conduit permit tcp host 200.200.200.158 eq smtp any

should be changed to

access-list 101 permit tcp any host 200.200.200.158 eq smtp

access-group 101 in interface outside

0
 
mburdick Commented:
What version of the PIX Software are you running? Do you have a SmartNET contract for it?
0
 
Robing66066 (Author) Commented:
chandupcs: I wondered if I could get away with that.  What did that line do in the first place?  What will be the effect of removing it?

mburdick: Version 6.3 (3).  I don't have a SmartNet contract.  (If I did, I'd have asked them instead...)  :)
0
 
chandupcs Commented:
hi robin

when you are using NAT on the PIX you will use the first line, i.e.

global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248

but when you have only one IP available, you can use PAT. Using PAT you can have a maximum of about 64000 hosts in your internal network and still the traffic will be translated to your public IP. When you give only one IP address with the global command you are using PAT, and when you give a range of IPs then you are using NAT.

In the config you have given you are using both, but you don't have to use both. As you have limited IPs you can just use PAT,

i.e. keep the line

global (outside) 1 200.200.200.155 netmask 255.255.255.248

and remove the line above.

0
 
Robing66066 (Author) Commented:
Ok.  I'll give it a try.  Thanks!
0
 
Pascal666 Commented:
You can free up .155 through .157 by replacing your two existing global statements with:

global (outside) 1 interface

This tells the PIX to use its outside IP for PAT.

-Pascal
0
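The address accounting that chandupcs and Pascal describe, and chandupcs's conduit-to-access-list rewrite, as an added worked example (it is not code from the thread, from Cisco, or from the PIX itself). It parses a constructed copy of the relevant lines of the posted config, lists which host of the outside /29 each `ip address`, `route`, `global` and `static` line consumes, and shows that replacing the two `global` lines with `global (outside) 1 interface` frees .155 through .157. The function names, the regular expressions, and the `publish_https_server` helper (which emits the `static` and `access-list` lines I would expect PIX 6.x to accept for a new SSL server) are my own assumptions; the conduit converter only handles the single `conduit permit ... host X eq PORT any` form that appears on the page.

```python
import ipaddress
import re

# Constructed excerpt of the posted configuration (only the lines that matter for
# public-address accounting; the x.x.x.x placeholders in the post are not needed).
POSTED_CONFIG = """
ip address outside 200.200.200.154 255.255.255.248
route outside 0.0.0.0 0.0.0.0 200.200.200.153 1
global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248
global (outside) 1 200.200.200.155 netmask 255.255.255.248
static (inside,outside) 200.200.200.158 10.1.0.104 netmask 255.255.255.255 128 5
conduit permit tcp host 200.200.200.158 eq smtp any
"""

# Same excerpt with both global lines replaced by PAT on the outside interface, as Pascal suggests.
PAT_ON_INTERFACE_CONFIG = POSTED_CONFIG.replace(
    "global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248\n"
    "global (outside) 1 200.200.200.155 netmask 255.255.255.248\n",
    "global (outside) 1 interface\n",
)

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def outside_interface(config):
    """Return the outside interface address/mask as an ip_interface object."""
    for line in config.splitlines():
        m = re.match(rf"\s*ip address outside {IPV4} {IPV4}", line)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    raise ValueError("no 'ip address outside' line found")


def public_address_usage(config):
    """Map each public address the config consumes to the reason it is consumed."""
    used = {str(outside_interface(config).ip): "outside interface"}
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(rf"route outside 0\.0\.0\.0 0\.0\.0\.0 {IPV4}", line)
        if m:
            used[m.group(1)] = "default gateway (ISP router)"
            continue
        # 'global (outside) 1 interface' has no IPv4 literal, so it adds nothing here:
        # it reuses the outside interface address, which is already counted above.
        m = re.match(rf"global \(outside\) \d+ {IPV4}(?:-{IPV4})?", line)
        if m:
            first = ipaddress.ip_address(m.group(1))
            last = ipaddress.ip_address(m.group(2) or m.group(1))
            kind = "PAT address" if first == last else "NAT pool"
            for n in range(int(first), int(last) + 1):
                used[str(ipaddress.ip_address(n))] = kind
            continue
        m = re.match(rf"static \(inside,outside\) {IPV4} {IPV4}", line)
        if m:
            used[m.group(1)] = f"static to {m.group(2)}"
    return used


def free_public_addresses(config):
    """Hosts of the outside subnet that nothing in the config consumes."""
    net = outside_interface(config).network
    used = public_address_usage(config)
    return [str(h) for h in net.hosts() if str(h) not in used]


def conduit_to_access_list(conduit, acl="101", iface="outside"):
    """Rewrite 'conduit permit PROTO host PUB eq PORT any' as an inbound access-list.

    Conduits are written destination-first; access-lists are source-first.
    """
    m = re.match(r"conduit (permit|deny) (\w+) host (\S+) eq (\S+) (any|host \S+)$", conduit)
    if not m:
        raise ValueError(f"unsupported conduit form: {conduit}")
    action, proto, dst, port, src = m.groups()
    return [f"access-list {acl} {action} {proto} {src} host {dst} eq {port}",
            f"access-group {acl} in interface {iface}"]


def publish_https_server(public_ip, private_ip, acl="101"):
    """Lines to expose one internal SSL server on a freed public address (assumed PIX 6.x syntax)."""
    return [f"static (inside,outside) {public_ip} {private_ip} netmask 255.255.255.255",
            f"access-list {acl} permit tcp any host {public_ip} eq https"]


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("PAT on interface", PAT_ON_INTERFACE_CONFIG)):
        print(f"== {label} ==")
        for ip, why in sorted(public_address_usage(cfg).items()):
            print(f"  {ip:18} {why}")
        print("  free:", free_public_addresses(cfg) or "none")
    print("\n".join(conduit_to_access_list("conduit permit tcp host 200.200.200.158 eq smtp any")))
    # Hypothetical private addresses for the two SSL servers (not from the post).
    for pub, priv in (("200.200.200.155", "10.1.0.105"), ("200.200.200.156", "10.1.0.106")):
        print("\n".join(publish_https_server(pub, priv)))
```

Running it prints the posted config with no free address at all (the /29 is fully consumed by gateway, interface, NAT pool, PAT address and the mail static), and the PAT-on-interface variant with .155, .156 and .157 free; the trailing `128 5` limits on the original `static` line are deliberately omitted from the generated lines.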
 
Robing66066 (Author) Commented:
Very nice!  I'll give that a try as well...
0
 
Robing66066 (Author) Commented:
I'm probably going to try this on the weekend.  Will award points then...
0
 
Robing66066 (Author) Commented:
It's all good.  Thanks!
0