Solved

howto use PIX as transparent firewall, no NAT, just traffic monitoring

Posted on 2004-04-30
15
410 Views
Last Modified: 2013-11-16
Hello all
i have PIX 525, and i want to place it infront of my ISP network. Currently the 7500 router is facing the external network. I want to configure PIX transparently , ie not configure NAT for my internal IP's and use PIX just to monitor all of the traffic coming to my corporate network and allow specific traffic for web, ftp and mail machines. Anybody guide me in this regards, i also tried to search some scenarios to get help for this but not scenarios found, please send me some link or guide me in this regards.also guide me that is it recommended to place it infront of the network ????
thanx
mwa
0
Comment
Question by:ahsan9211110200
  • 7
  • 6
15 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10959402
You can't configure the PIX transparently (ie layer 2).  It NEEDS IP addreses.
I believe transparency will be addressed in a later release of software.
0
 

Author Comment

by:ahsan9211110200
ID: 11074057
hello
but we can assign IP addres to the outside interface of the firewall then what's the problem in using it as transparent ????????

waiting

0
 

Author Comment

by:ahsan9211110200
ID: 11195778
hello all
i can't find the satisfied answer of my question, so i have now changed my firewall behaviour. Now i have placed my firewall behind transit router. now i m getting a problem. traffice from my external interface to internal interface is Ok according to the access list, and inside to outside is also fine, but when i tried to pass the traffic throug hmain router ,  it is not working fine, plz tel me know , wat to do now ??????

thanx
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11196077
PIX is a firewall, not a router ?

What do you mean by transparent - do you mean like a layer 2 switch is ?

0
 

Author Comment

by:ahsan9211110200
ID: 11197022

yes
now i want just monitoring. i m placing it inside my network. i have applied accesslist to allow http, ftp , SMTP and pop request from outside to my inside interface, but when i request from outside for http or request for http from inside, it's not working, i m pasting the running config, here

PIX#
: Saved
:
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name asia.pix
clock timezone PKT 5
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host x.y.z.a eq telnet
access-list 101 permit tcp any host x.y.z.a eq domain
access-list 101 permit tcp any host x.y.z.a eq ssh
access-list 101 permit tcp any host x.y.z.a eq www
access-list 101 permit udp any any eq domain
access-list 101 permit icmp any host x.y.z.a
access-list 101 permit tcp any any
access-list 101 permit icmp any any
access-list acl_in permit tcp any host x.y.z.a eq ssh
pager lines 20
logging on
logging trap notifications
logging device-id ipaddress inside
logging host inside x.y.z.a
icmp permit any outside
icmp permit any inside
icmp deny any intf2
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside x.y.z.a   x.y.z.a
ip address inside x.y.z.a   x.y.z.a
no ip address intf2
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm location x.y.z.a x.y.z.a  inside
pdm history enable
arp timeout 14400
static (inside,outside) 200.1.2.3  200.1.2.3 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 200.45.144.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http x.y.z.a 255.255.255.255 inside
snmp-server host inside x.y.z.a
no snmp-server location
snmp-server contact waseem
snmp-server community Pix@Asia
no snmp-server enable traps
tftp-server inside x.y.z.a /source
floodguard enable
sysopt connection permit-pptp
telnet a.b.c.d 255.255.255.255 inside
telnet timeout 30
ssh a.b.c.d 255.255.255.255 inside
ssh timeout 50
management-access inside
console timeout 60
terminal width 80
banner motd Speed
Cryptochecksum:edc79bf355dab7bb4021b06d383de2e5
: end


i have removed unrelated lines

thanx
waiting for the answerr

ahsan9211






0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11197899
To go from outside in, you need static NAT, plus the access lists.
I can see static NAT for 200.1.2.3 - if this is x.y.z.a then you're on the right track.
BUT, as you've only two interfaces, you can't do identity NAT (200.1.2.3 to 200.1.2.3)
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:ahsan9211110200
ID: 11199863
hello

but both of the ourside and inside network have different net ID's. and i m using NAT x x just for that i don't wannt to do natting, ie on the inside i have the machines with live IP's and i don't want NAT on the PIX so i just do NAT X X ,
i can't understand where my trafic is lagging , i m also using syslog, but no success

thanx
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11280206
Config guide here:

http://cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_book09186a0080172852.html

I understand what you need now - and yes, it is possible if there are different net IDs on either side.
0
 

Author Comment

by:ahsan9211110200
ID: 11298537
hello
thanx but i have alreay gone through these articles but my problem is still not solved.
my configuration is given above and i think that everything is fine but still its creating problem. plz read the above config and advise me that what may be the problem .
me
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11301388
You need static NAT in order to get from the outside to the inside.
If you want more details, then you will need to post up more points..  ;)
0
 

Author Comment

by:ahsan9211110200
ID: 11426146
i think this is very basic question and not needed any more points.
just a global statement and a static statement needed, but ok if u want this ,
i m adding 50 more points, now waiting for the answer

than  in advance
0
 

Author Comment

by:ahsan9211110200
ID: 11979369
still no response,
i'll wait for last1week then i'll close the question
bye
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 200 total points
ID: 11979612
Try setting up two access lists, so keep 101 for outside > in -

access-list 101 permit tcp any host x.y.z.a eq telnet
access-list 101 permit tcp any host x.y.z.a eq domain
access-list 101 permit tcp any host x.y.z.a eq ssh
access-list 101 permit tcp any host x.y.z.a eq www
access-list 101 permit udp any any eq domain
access-list 101 permit icmp any host x.y.z.a
access-list 101 permit tcp any any
access-list 101 permit icmp any any

...but have a separate one for inside > out

access-list 102 permit ip any any

..then apply as follows:

access-group 101 in interface outside
access-group 102 in interface inside

And remove the NAT:

no static (inside,outside) 200.1.2.3  200.1.2.3 netmask 255.255.255.255 0 0

This way, as long as addresses are fully routable on either side.

This way, the PIX will just firewall the IP addresses, rather than NATting.


0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now