Configuration for PIX

Robing66066 asked:

I have a PIX that uses two cards (inside,outside).  Currently, the firewall is set up to allow mail to come through to the internal mail server at 10.1.0.104.  It must now be set up to allow traffic to come in to two internal SSL web servers.   If I have worked things out right, I have six available addresses, 200.200.200.153 - 200.200.200.158.  The 153 address is used by my ISP for their router.  Somehow, three of them (155-157) seem to be used up with NAT/PAT and .154 is used up on the outside interface, leaving me only one for the mail server and nothing for my new SSL servers.  That seems wrong.  It's my feeling that I should only have to use one for NAT/PAT, but be darned if I can figure out how.  Help!  This is a tough one (at least for me!), so I'll send an additional 500 points along to the person who can help me out.  Time is of the essence!

Thanks!

Here is the current configuration:


interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list nonat permit ip x.x.x.x 255.0.0.0 x.x.x.x 255.255.255.0
access-list nonat permit ip x.x.x.x 255.0.0.0 x.x.x.x 255.255.255.0
access-list 101 permit ip x.x.x.x 255.0.0.0 x.x.x.x 255.255.255.0
pager lines 24
logging on
logging monitor warnings
logging buffered warnings
logging trap informational
logging history errors
logging facility 21
logging host inside x.x.x.x
logging host inside x.x.x.x
mtu outside 1500
mtu inside 1500
ip address outside 200.200.200.154 255.255.255.248
ip address inside 10.1.0.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool x.x.x.x-x.x.x.x
ip local pool vpn3k x.x.x.x-x.x.x.x
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 600
global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248
global (outside) 1 200.200.200.155 netmask 255.255.255.248
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 200.200.200.158 10.1.0.104 netmask 255.255.255.255 128 5

// ALLOW EMAIL THROUGH TO EMAIL SERVER //

conduit permit tcp host 200.200.200.158 eq smtp any
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 200.200.200.153 1
route inside x.x.x.x 255.0.0.0 x.x.x.x 1
timeout xlate 24:00:00
timeout conn 12:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 4:00:00 absolute

P.S.  I know that I shouldn't be using conduits anymore.  If you can replace that line with whatever access-list changes I need, that would be great.  Thanks...
chandupcs

hi

remove the following command from the configuration

global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248

This way only one global command will be there, which will be using only one IP, i.e. 200.200.200.155, and .156 and .157 will be available for you.
Mark
What version of the PIX Software are you running? Do you have a SmartNET contract for it?
Robing66066 (ASKER)

chandupcs: I wondered if I could get away with that.  What did that line do in the first place?  What will be the effect of removing it?

mburdick: Version 6.3 (3).  I don't have a SmartNet contract.  (If I did, I'd have asked them instead...)  :)
chandupcs

hi robin

When you are using NAT on the PIX you will use the first line, i.e.

global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248

But when you have only one IP available, you can use PAT. Using PAT you can have a maximum of about 64000 hosts in your internal network and still the traffic will be translated into your public IP. When you give only one IP address with the global command you are using PAT, and when you give a range of IPs then you are using NAT.

In the config you have given you are using both, but you don't have to use both. As you have limited IPs you can just use PAT.

i.e. keep the line

global (outside) 1 200.200.200.155 netmask 255.255.255.248

and remove the line above.
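The address accounting in the question (six usable addresses in the /29, with the router, the outside interface, the PAT address, the two-address NAT pool and the mail-server static each consuming one) and the fix in this answer (drop the range global so only the single PAT address is used) can both be checked mechanically. The script below is an added example written for this page, not code from the original thread or from Cisco; it parses only the address-relevant lines of the posted PIX 6.3 config (embedded here as a constructed sample, with the sanitised x.x.x.x lines omitted), maps every usable address of the outside subnet to whatever consumes it, and reports what is free before and after the range global is removed. The helper names (`audit_outside_addresses`, `drop_line`, `range_ips`) are this example's own.

```python
import ipaddress
import re

# Constructed sample: the address-relevant lines from the posted config.
# The remaining lines (fixups, logging, timeouts, ...) do not affect the
# public address budget and are left out.
PIX_CONFIG = """\
ip address outside 200.200.200.154 255.255.255.248
ip address inside 10.1.0.2 255.255.0.0
global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248
global (outside) 1 200.200.200.155 netmask 255.255.255.248
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 200.200.200.158 10.1.0.104 netmask 255.255.255.255 128 5
route outside 0.0.0.0 0.0.0.0 200.200.200.153 1
"""

RANGE_GLOBAL = "global (outside) 1 200.200.200.156-200.200.200.157 netmask 255.255.255.248"

# Patterns for the four PIX 6.x statement types that consume outside addresses.
RE_IFACE = re.compile(r"^ip address outside (\S+) (\S+)")
RE_GLOBAL = re.compile(r"^global \(outside\) \d+ (\S+)")
RE_STATIC = re.compile(r"^static \(inside,outside\) (\S+) (\S+)")
RE_ROUTE = re.compile(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)")


def range_ips(lo: str, hi: str) -> list:
    """Expand an inclusive dotted-quad range such as a NAT pool into addresses."""
    a, b = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    return [str(ipaddress.ip_address(i)) for i in range(a, b + 1)]


def audit_outside_addresses(config: str) -> dict:
    """Map each usable address of the outside subnet to what consumes it.

    Returns {"subnet": str, "used": {ip: reason}, "free": [ip, ...]}.
    """
    iface = None
    used = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := RE_IFACE.match(line):
            # Interface address plus dotted netmask gives us the whole /29.
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            used[m.group(1)] = "outside interface"
        elif m := RE_GLOBAL.match(line):
            spec = m.group(1)
            if "-" in spec:
                # A range in a global line is a dynamic NAT pool: one public
                # address per concurrently translated inside host.
                lo, hi = spec.split("-")
                for ip in range_ips(lo, hi):
                    used[ip] = f"NAT pool {spec}"
            else:
                # A single address in a global line is PAT: all inside hosts
                # share it, distinguished by translated source port.
                used[spec] = "PAT address"
        elif m := RE_STATIC.match(line):
            used[m.group(1)] = f"static to {m.group(2)}"
        elif m := RE_ROUTE.match(line):
            used[m.group(1)] = "ISP router (default gateway)"
    if iface is None:
        raise ValueError("no 'ip address outside' line found")
    hosts = [str(h) for h in iface.network.hosts()]
    return {
        "subnet": str(iface.network),
        "used": {h: used[h] for h in hosts if h in used},
        "free": [h for h in hosts if h not in used],
    }


def drop_line(config: str, needle: str) -> str:
    """Return the config with every line equal to `needle` removed."""
    kept = [l for l in config.splitlines() if l.strip() != needle]
    return "\n".join(kept) + "\n"


def report(title: str, audit: dict) -> None:
    print(f"{title} ({audit['subnet']})")
    for ip, why in audit["used"].items():
        print(f"  {ip:<16} {why}")
    print(f"  free: {audit['free'] or 'none'}")


if __name__ == "__main__":
    report("As posted", audit_outside_addresses(PIX_CONFIG))
    report("After removing the range global",
           audit_outside_addresses(drop_line(PIX_CONFIG, RANGE_GLOBAL)))
```

Run as posted, every one of the six usable addresses is accounted for, which is exactly the "nothing left for the SSL servers" situation described in the question; with the range global removed, .156 and .157 show as free and can be given to `static` entries for the two SSL servers while all other outbound traffic continues to PAT through .155.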

Ok.  I'll give it a try.  Thanks!
Very nice!  I'll give that a try as well...
I'm probably going to try this on the weekend.  Will award points then...
It's all good.  Thanks!