chigs20
Configure Pix 501

So, we just bought a Cisco Pix 501. We want to set it up in the following manner:
NOTE: We have 3 servers at a colo; they use a Cisco router (don't know the specs).

This is what I want to do and I would like to know if it's possible:
Internet --> Pix 501 --> 24 port switch --> (3) servers

Server 1, 2, 3 have outside IPs xxx.xxx.xxx.135, xxx.xxx.xxx.137, xxx.xxx.xxx.139, respectively.
Pix 501 has internal IP of 192.168.1.1

Thanks for your help
ASKER CERTIFIED SOLUTION
Les Moore
Whoops, I forgot the inside interface config:

ip address inside 192.168.1.1 255.255.255.0

Are you really sure that you want to use 192.168.1.x on the inside? If you have a broadband router at home and decide to use the VPN capability of the PIX, then you may end up with the same subnet on both sides. Not good.

Highly suggest you use something more unusual, like 192.168.250.x on the LAN behind the PIX.
Are you still working on this? Do you need more information?
chigs20

ASKER

OK, so here's what we have so far...

ip address inside 192.168.250.1 255.255.255.0
ip address outside 192.168.0.250 255.255.255.248
route outside 0.0.0.0 0.0.0.0 192.168.0.250

global (outside) 1 interface
nat (inside) 1 192.168.250.0 255.255.255.0
static (inside,outside) 192.168.0.135 192.168.250.135 netmask 255.255.255.255
static (inside,outside) 192.168.0.137 192.168.250.137 netmask 255.255.255.255
static (inside,outside) 192.168.0.139 192.168.250.139 netmask 255.255.255.255

access-list outside_in permit tcp any host 192.168.0.135 eq http
access-list outside_in permit tcp any host 192.168.0.137 eq http
access-list outside_in permit tcp any host 192.168.0.135 eq https
access-list outside_in permit tcp any host 192.168.0.137 eq https
access-list outside_in permit tcp any host 192.168.0.135 eq ssh
access-list outside_in permit tcp any host 192.168.0.137 eq ssh
access-group outside_in in interface outside

we even added

access-list in_outside permit ip any any
access-group in_outside in interface inside

but we still don't have any 'from the inside out' traffic...

Sorry for the confusing ip schema, we are attempting to test the firewall config internally before implementing it... could this be our problem?
> are attempting to test the firewall config internally before implementing it... could this be our problem?
Yes. You cannot get to the "outside" natted ip address from the inside.

With the configuration you have, if you had a web server on the 192.168.0.0 "outside" network (not an "inside" 192.168.250.x server that is natted to an outside address), then I have no doubt that you will have success.

If you want to try from an inside host, to an inside server, using the outside IP, then you need to enable Alias and DNS doctoring.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
chigs20

ASKER

From a server on the 192.168.250.0 subnet (inside the firewall) we are trying to ping 216.239.57.99 (google.com) but we get no replies... We are able to access the servers from the outside in (via ssh or http or whatever), but we can't access anything from the inside out.
>we are trying to ping 216.239.57.99
You can't ping anything unless you permit the icmp in the acl:

add this:
access-list outside_in permit icmp any any echo-reply

Then re-apply the acl
  access-group outside_in in interface outside

>route outside 0.0.0.0 0.0.0.0 192.168.0.250
This is the correct gateway to get outside? Is it blocking anything from coming back in?

chigs20

ASKER

OK, so we have it all up and running except for one thing. I am able to access the "outside" IP address from within the same subnet as the pix "outside" IP addy. However, I'm unable to access the "outside" IP addresses from anywhere else.

access-list outside_in permit tcp any host 192.168.250.137 eq http
access-list outside_in permit tcp any host 192.168.250.135 eq https

This is what I thought should be allowing anyone access to our http service from anywhere...
As long as the access-list has actual public IPs and not private 192.168.x.x addresses, and you have applied the acl to the interface, then it should work.
Since you can access these outside IPs from the same outside subnet, but nobody else further out of that subnet can get to you, then you have a routing issue. Do you control the router that is in front of the PIX?
>ip address outside 192.168.0.250 255.255.255.248
Assuming that this is correct, and that you are using a private IP address on the outside IP, you cannot get traffic back into the private IP on your PIX from anywhere else outside of that subnet, unless you have another nat router or something upstream.
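Added here as an illustration, not part of the thread and not a Cisco tool: a small Python lint that reads a PIX 6.x style config and flags the mistakes worked through above (a default route whose next hop is the PIX's own outside address, an outside ACL that names the inside pre-NAT address instead of the static's outside address, no inbound echo-reply permit, and a private outside address). The sample config is constructed from the lines posted in this thread; the lint function name is my own.

```python
import ipaddress
import re

# Constructed sample: the asker's PIX 501 config from this thread, trimmed.
PIX_CONFIG = """
ip address inside 192.168.250.1 255.255.255.0
ip address outside 192.168.0.250 255.255.255.248
route outside 0.0.0.0 0.0.0.0 192.168.0.250
global (outside) 1 interface
nat (inside) 1 192.168.250.0 255.255.255.0
static (inside,outside) 192.168.0.135 192.168.250.135 netmask 255.255.255.255
static (inside,outside) 192.168.0.137 192.168.250.137 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.168.250.137 eq http
access-list outside_in permit tcp any host 192.168.0.135 eq https
access-group outside_in in interface outside
"""

def lint_pix(config):
    """Return findings for the mistakes discussed in this thread."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    iface_ip, static_local, outside_acl, findings = {}, set(), None, []
    # Pass 1: interface addresses, real (inside) addresses behind statics,
    # and the name of the ACL bound inbound on the outside interface.
    for line in lines:
        if m := re.match(r"ip address (\S+) (\S+) ", line):
            iface_ip[m.group(1)] = m.group(2)
        elif m := re.match(r"static \(\S+,\S+\) \S+ (\S+) ", line):
            static_local.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface outside", line):
            outside_acl = m.group(1)
    # Pass 2: the routing and ACL mistakes raised in the thread.
    for line in lines:
        m = re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)
        if m and iface_ip.get(m.group(1)) == m.group(2):
            findings.append(f"default route next hop {m.group(2)} is the PIX's own "
                            f"{m.group(1)} address; use the upstream router instead")
        m = re.match(r"access-list (\S+) permit \S+ any host (\S+)", line)
        if m and m.group(1) == outside_acl and m.group(2) in static_local:
            findings.append(f"acl {m.group(1)} names inside address {m.group(2)}; "
                            "an outside ACL must use the static's outside address")
    if outside_acl and not any(re.match(
            rf"access-list {re.escape(outside_acl)} permit icmp .*echo-reply", l)
            for l in lines):
        findings.append(f"acl {outside_acl} permits no icmp echo-reply, so pings "
                        "from inside hosts get no replies")
    out_ip = iface_ip.get("outside")
    if out_ip and ipaddress.ip_address(out_ip).is_private:
        findings.append(f"outside address {out_ip} is private; hosts beyond that "
                        "subnet cannot reach it without an upstream NAT")
    return findings
```

Running it on the posted config reports all four findings; the same checks on a config with a proper next hop, outside addresses in the ACL and an echo-reply permit leave only the private-outside-address note.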
chigs20

ASKER

Thanks for the help! Everything is up and running and working great... Thanks again for all the help!