Solved

Pix configuration change

Posted on 2004-08-11
Last Modified: 2010-04-09
Group,
Wanted to ask a quick question about the configuration of an IP change to my Pix. We currently use the DHCP Setroute to obtain IP address information provided by our ISP, however we are bringing a DMZ online and have made the switch to 2 static IP addresses. I presume all I need to do is program the IP address into the outside and dmz interfaces, our ISP is currently binding our MAC address from both interfaces to both IP addresses. Is there anything I need to be careful of? Any commands to execute after reconfiguring the IP address? We intend to put an Exchange relay, ftp and www server in the dmz. Thanks in advance for all of the advice!!
Question by:Blackmoon91

4 Comments

Expert Comment

by:grblades
Hi Blackmoon91,
I assume you have at least a PIX 515 with 3 interfaces?

You need to fix the external IP address and then add a static NAT mapping for the second IP address through to the IP address of the server in the DMZ. You then need to add/modify the access-list assigned to the external interface.

If you want to post your configuration I will tell you what you need to change.
Author Comment

by:Blackmoon91
GRBlades,
Thanks for the post, have kind of an urgent situation that could use some help on. Some time ago my suddenly dropped off the net, and I have as of yet not been able to restore it. I have gone over the ip address setups and configurations, as well as nat and route statements and have not been able to get out. What I have found is the outside interface can ping the default gateway, and users on the intranet can ping the gateway out, somewhere it is losing the translation or hasn't been cleared correctly. I will post ip information also as well as route and global statements. The user who can tell me what I missed, and continue our question from before will have some points to add by day's end. But really guys thanks for all the help, everyone knows how it feels to fall off the net (I hope).

PIX Version 6.2(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 2KFQnbNIdI.2KYOU encrypted
passwd YHP/GpHoiUQdMATS encrypted
hostname MeccaNetPix
domain-name domain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol sip udp 5060
names
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
no pager
logging trap notifications
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 24.96.66.41 255.255.255.0   (not actual IP, however last digits are correct (.41), gateway at (.1), 255.255.255.0 subnet)
ip address inside 192.168.0.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.1-192.168.2.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
pdm logging informational 100
no pdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup meccanet address-pool ippool
vpngroup meccanet dns-server 192.168.0.2
vpngroup meccanet wins-server 192.168.0.4
vpngroup meccanet default-domain domain.com
vpngroup meccanet idle-time 1800
vpngroup meccanet password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:78b45eb2d074913d98e0551a6b9c07bd
: end
MeccaNetPix#
Expert Comment

by:grblades
You are missing the default route to your gateway. Add the following to the configuration:

route outside 0.0.0.0 0.0.0.0 24.96.66.1 1
Accepted Solution

by:grblades (earned 275 total points)
Here is the config to add to get the DMZ working. I assume you only have one machine in the DMZ?
If you have more than one then let me know what services each will be running.

! define correct IP for DMZ
ip address intf2 192.168.3.1 255.255.255.0
! allow incoming connections to DMZ on desired ports
access-list outside_in permit tcp any host 24.96.66.41 eq smtp
access-list outside_in permit tcp any host 24.96.66.41 eq ftp
access-list outside_in permit tcp any host 24.96.66.41 eq www
access-list outside_in permit tcp any host 24.96.66.41 eq https
access-group outside_in in interface outside
! setup 1 to 1 mapping between DMZ IP and outside
static (intf2,outside) 24.96.66.41 192.168.3.2 netmask 255.255.255.255 0 0
! don't do NAT from inside to DMZ
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
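The pieces grblades walks through across the two answers (a default route on the outside interface, an access-list actually bound to that interface by name, a static for the DMZ host and a permit for the address it maps) are the kind of thing worth checking mechanically against a saved config before a change window, and the asker's own dump shows one more thing to look for: ethernet2 (intf2) is still "auto shutdown". The script below is an added example written for this page, not code from the thread, from Experts Exchange or from Cisco. It parses a constructed PIX 6.x style config modelled on the one posted above, with the default route missing, the DMZ interface shut down and the access-group typo as originally posted in the accepted answer, reports what is wrong, and then shows the same config passing once those three things are fixed. The parser only understands the handful of commands the thread uses.

```python
"""Lint a PIX 6.x style configuration for the problems discussed in this thread.

Added example for this page (not code from the thread or from Cisco). The
parser only understands the handful of commands the thread uses.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the asker's posted config plus the accepted
# answer, deliberately keeping three problems: no default route, ethernet2
# (intf2) still shut down, and an access-group naming a misspelled access-list.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
ip address outside 24.96.66.41 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip address intf2 192.168.3.1 255.255.255.0
access-list outside_in permit tcp any host 24.96.66.41 eq smtp
access-list outside_in permit tcp any host 24.96.66.41 eq www
access-group ourside_in in interface outside
static (intf2,outside) 24.96.66.41 192.168.3.2 netmask 255.255.255.255 0 0
"""

# The same config with the three fixes applied.
FIXED_CONFIG = (
    SAMPLE_CONFIG.replace("interface ethernet2 auto shutdown", "interface ethernet2 auto")
    .replace("access-group ourside_in", "access-group outside_in")
    + "route outside 0.0.0.0 0.0.0.0 24.96.66.1 1\n"
)


@dataclass
class PixConfig:
    nameifs: dict = field(default_factory=dict)         # hardware name -> logical name
    shutdown: set = field(default_factory=set)          # logical names of shut interfaces
    acls: dict = field(default_factory=dict)            # acl name -> list of entry lines
    access_groups: list = field(default_factory=list)   # (acl, interface)
    statics: list = field(default_factory=list)         # (inside_if, outside_if, global, local)
    routes: list = field(default_factory=list)          # (interface, network, mask, gateway)


def parse_pix(text):
    """Pull the route, NAT and filtering statements out of a config dump."""
    cfg = PixConfig()
    shut_hw = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue
        parts = line.split()
        cmd = parts[0]
        if cmd == "nameif" and len(parts) >= 3:
            cfg.nameifs[parts[1]] = parts[2]
        elif cmd == "interface" and "shutdown" in parts[2:]:
            shut_hw.add(parts[1])
        elif cmd == "access-list" and len(parts) >= 3:
            cfg.acls.setdefault(parts[1], []).append(line)
        elif cmd == "access-group" and len(parts) >= 5:
            cfg.access_groups.append((parts[1], parts[4]))
        elif cmd == "static":
            m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line)
            if m:
                cfg.statics.append(m.groups())
        elif cmd == "route" and len(parts) >= 5:
            cfg.routes.append(tuple(parts[1:5]))
    # "interface ethernet2 ... shutdown" names the hardware port; map it to its nameif.
    cfg.shutdown = {cfg.nameifs.get(hw, hw) for hw in shut_hw}
    return cfg


def lint(cfg):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    if not any(r[0] == "outside" and r[1] == "0.0.0.0" and r[2] == "0.0.0.0" for r in cfg.routes):
        findings.append("no default route on outside (route outside 0.0.0.0 0.0.0.0 <gateway> 1)")
    for acl, iface in cfg.access_groups:
        if acl not in cfg.acls:
            findings.append(f"access-group on {iface} names undefined access-list '{acl}'")
    for inside_if, outside_if, glob, local in cfg.statics:
        if inside_if in cfg.shutdown:
            findings.append(f"static for {local} uses interface {inside_if}, which is shut down")
        bound = [acl for acl, iface in cfg.access_groups if iface == outside_if]
        if not bound:
            findings.append(f"no access-list bound to {outside_if}; nothing can reach {glob}")
        elif all(acl in cfg.acls for acl in bound) and not any(
            f"host {glob}" in entry for acl in bound for entry in cfg.acls[acl]
        ):
            findings.append(f"no permit for host {glob} in the access-list bound to {outside_if}")
    return findings


if __name__ == "__main__":
    for name, text in (("as posted", SAMPLE_CONFIG), ("with fixes", FIXED_CONFIG)):
        print(f"{name}: {lint(parse_pix(text)) or 'no findings'}")
```

Run it directly and it prints the three findings for the sample and "no findings" for the fixed copy. The checks are deliberately narrow: they match the exact statement forms used in this thread (a `route outside` default, one `access-group ... in interface`, a one-to-one `static`), so a real config with conduits, multiple statics or object groups would need the parser extended before the results mean anything.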