Blackmoon91
asked on
Pix configuration change
Group,
Wanted to ask a quick question about the configuration of an IP change to my Pix. We currently use the DHCP Setroute to obtain IP address information provided by our ISP, however we are bringing a DMZ online and have made the switch to 2 static IP addresses. I presume all I need to do is program the IP address into the outside and dmz interfaces, our ISP is currently binding our MAC address from both interfaces to both IP addresses. Is there anything I need to be careful of? Any commands to execute after reconfiguring the IP address? We intended to put an Exchange relay, ftp and www server in the dmz. Thanks in advance for all of the advice!!
ASKER
GRBlades,
Thanks for the post, have kind of an urgent situation that could use some help on. Some time ago my suddenly dropped off the net, and I have as of yet not been able to restore it. I have gone over the ip address setups and configurations, as well as nat and route statements and have not been able to get out. What I have found is the outside interface can ping the default gateway, and users on the intranet can ping the gateway out, somewhere it is losing the translation or hasn't been cleared correctly. I will post ip information also as well as route and global statements. The user who can tell me what I missed, and continue our question from before will have some points to add by day's end. But really guys thanks for all the help, everyone knows how it feels to fall off the net (I hope)
PIX Version 6.2(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 2KFQnbNIdI.2KYOU encrypted
passwd YHP/GpHoiUQdMATS encrypted
hostname MeccaNetPix
domain-name domain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol sip udp 5060
names
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
no pager
logging trap notifications
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 24.96.66.41 255.255.255.0   (not actual IP, however last digits are correct (.41), gateway at (.1), 255.255.255.0 subnet)
ip address inside 192.168.0.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.1-192.168.2.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup meccanet address-pool ippool
vpngroup meccanet dns-server 192.168.0.2
vpngroup meccanet wins-server 192.168.0.4
vpngroup meccanet default-domain domain.com
vpngroup meccanet idle-time 1800
vpngroup meccanet password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:78b45eb2d074913d98e0551a6b9c07bd
: end
MeccaNetPix#
You are missing the default route to your gateway. Add the following to the configuration:
route outside 0.0.0.0 0.0.0.0 24.96.66.1 1
ASKER CERTIFIED SOLUTION
I assume you have at least a PIX 515 with 3 interfaces?
You need to fix the external IP address and then add a static NAT mapping for the second IP address through to the IP address of the server in the DMZ. You then need to add/modify the access-list assigned to the external interface.
If you want to post your configuration I will tell you what you need to change.
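Putting the two answers together (the default route from the first, the static NAT plus outside access-list from the second) as one PIX 6.x configuration fragment; this is an added example, not GRBlades' or the asker's configuration. The .41 outside address and .1 gateway come from the posted config; the DMZ subnet 192.168.1.0/24, the server address 192.168.1.10, the second public address 24.96.66.42, the internal mail server 192.168.0.5 and the access-list names are assumptions, chosen to match the poster's note that the public addresses shown are not the real ones.

```cisco
! Bring ethernet2 up as the DMZ, between inside (100) and outside (0)
nameif ethernet2 dmz security50
interface ethernet2 auto
ip address dmz 192.168.1.1 255.255.255.0          ! assumed DMZ subnet

! The default route missing from the posted config (gateway .1, metric 1)
route outside 0.0.0.0 0.0.0.0 24.96.66.1 1

! One-to-one static NAT: assumed second public IP -> DMZ server
static (dmz,outside) 24.96.66.42 192.168.1.10 netmask 255.255.255.255 0 0

! Identity static so inside hosts reach the DMZ by its private address;
! without it inside->dmz has no global for NAT group 1 and is dropped
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

! Other DMZ hosts share the outside interface PAT already used by inside
nat (dmz) 1 192.168.1.0 255.255.255.0 0 0

! Outside -> DMZ: only the published services, only to the published host
access-list outside_in permit tcp any host 24.96.66.42 eq smtp
access-list outside_in permit tcp any host 24.96.66.42 eq www
access-list outside_in permit tcp any host 24.96.66.42 eq ftp
access-group outside_in in interface outside

! DMZ -> inside: relay may deliver to the assumed internal mail server only;
! everything else from the DMZ toward the inside subnet is denied
access-list dmz_out permit tcp host 192.168.1.10 host 192.168.0.5 eq smtp
access-list dmz_out deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list dmz_out permit ip 192.168.1.0 255.255.255.0 any
access-group dmz_out in interface dmz

! After changing nat/static/global entries, rebuild the translation table,
! then save:  clear xlate  /  write memory
```

With an access-group on the outside interface, the existing `conduit permit icmp any any` should be replaced by explicit access-list entries if ICMP is still wanted, and the `fixup protocol ftp 21` already present is what lets the FTP data channel through the static; test the Exchange relay with `fixup protocol smtp 25` (Mail Guard) enabled, since it limits the relay to the basic RFC 821 command set.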