Pix configuration change

Posted on 2004-08-11
Last Modified: 2010-04-09
Wanted to ask a quick question about the configuration of an IP change to my Pix. We currently use the DHCP Setroute to obtain IP address information provided by our ISP; however, we are bringing a DMZ online and have made the switch to 2 static IP addresses. I presume all I need to do is program the IP addresses into the outside and dmz interfaces; our ISP is currently binding our MAC addresses from both interfaces to both IP addresses. Is there anything I need to be careful of? Any commands to execute after reconfiguring the IP addresses? We intend to put an Exchange relay, ftp and www server in the dmz. Thanks in advance for all of the advice!!
Question by:Blackmoon91
LVL 36

Expert Comment

ID: 11776155
Hi Blackmoon91,
I assume you have at least a PIX 515 with 3 interfaces?

You need to fix the external IP address and then add a static NAT mapping for the second IP address through to the IP address of the server in the DMZ. You then need to add/modify the access-list assigned to the external interface.

If you want to post your configuration I will tell you what you need to change.

Author Comment

ID: 11779245
Thanks for the post, I have kind of an urgent situation that I could use some help on. Some time ago my suddenly dropped off the net, and I have as of yet not been able to restore it. I have gone over the ip address setups and configurations, as well as nat and route statements, and have not been able to get out. What I have found is the outside interface can ping the default gateway, and users on the intranet can ping the gateway out; somewhere it is losing the translation or it hasn't been cleared correctly. I will also post ip information as well as route and global statements. The user who can tell me what I missed, and continue our question from before, will have some points to add by day's end. But really guys thanks for all the help, everyone knows how it feels to fall off the net (I hope).

PIX Version 6.2(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 2KFQnbNIdI.2KYOU encrypted
passwd YHP/GpHoiUQdMATS encrypted
hostname MeccaNetPix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol sip udp 5060
access-list 101 permit ip
access-list 102 permit ip
no pager
logging trap notifications
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside           (not actual IP, however last digits are correct (.41), gateway at (.1))  subnet
ip address inside
ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
failover ip address intf2
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0 0

conduit permit icmp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup meccanet address-pool ippool
vpngroup meccanet dns-server
vpngroup meccanet wins-server
vpngroup meccanet default-domain
vpngroup meccanet idle-time 1800
vpngroup meccanet password ********
telnet inside
telnet timeout 5
ssh timeout 5
terminal width 80
: end
LVL 36

Expert Comment

ID: 11781249
You are missing the default route to your gateway. Add the following to the configuration:

route outside 1
LVL 36

Accepted Solution

grblades earned 275 total points
ID: 11781297
Here is the config to add to get the DMZ working. I assume you only have one machine in the DMZ?
If you have more than one then let me know what services each will be running.

! define correct IP for dmz
ip address intf2
! allow incoming connections to dmz on desired ports
access-list outside_in permit tcp any host eq smtp
access-list outside_in permit tcp any host eq ftp
access-list outside_in permit tcp any host eq www
access-list outside_in permit tcp any host eq https
access-group outside_in in interface outside
! set up 1 to 1 mapping between DMZ IP and outside
static (intf2,outside) netmask 0 0
! don't do NAT from inside to DMZ
access-list 101 permit ip
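As an added check, not part of the thread: a small Python linter for the three mistakes that surface above in a PIX 6.x config (no default route, an access-group naming an access-list that was never defined, and a named interface left shut down, as ethernet2/intf2 is in the posted config). It runs against a constructed sample config with placeholder RFC 5737 addresses, not the poster's real ones.

```python
import re

# Constructed sample config in the shape of the one posted in the thread,
# with placeholder (RFC 5737) addresses instead of the poster's real ones.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
ip address outside 203.0.113.41 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 192.168.2.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
static (intf2,outside) 203.0.113.42 192.168.2.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.42 eq smtp
access-group ourside_in in interface outside
"""


def lint_pix(config: str) -> list:
    """Return findings for the three mistakes discussed in the thread."""
    lines = [s for s in (l.strip() for l in config.splitlines())
             if s and not s.startswith("!")]
    findings = []
    # 1. A default route (PIX accepts 0.0.0.0 0.0.0.0 or the shorthand 0 0).
    if not any(re.match(r"route \S+ (0\.0\.0\.0|0) (0\.0\.0\.0|0) \S+", s) for s in lines):
        findings.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 <gateway> 1'")
    # 2. Every access-group must name an access-list that is actually defined;
    #    a typo here leaves the interface with no inbound policy applied.
    acls = {m.group(1) for s in lines if (m := re.match(r"access-list (\S+) ", s))}
    for s in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)", s)
        if m and m.group(1) not in acls:
            findings.append(f"access-group '{m.group(1)}' on {m.group(2)} "
                            f"references an undefined access-list")
    # 3. A named (nameif) interface that is still administratively shut down.
    names = {m.group(1): m.group(2) for s in lines
             if (m := re.match(r"nameif (\S+) (\S+) security\d+", s))}
    for s in lines:
        m = re.match(r"interface (\S+) \S+ shutdown", s)
        if m and m.group(1) in names:
            findings.append(f"interface {m.group(1)} ({names[m.group(1)]}) is shutdown")
    return findings


if __name__ == "__main__":
    for finding in lint_pix(SAMPLE_CONFIG):
        print("FINDING:", finding)
```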
