Solved

Configure Pix 501

Posted on 2004-09-16
Last Modified: 2013-11-16
So, we just bought a Cisco Pix 501.  We want to set it up in the following manner:
NOTE: We have 3 servers at a colo; they use a Cisco router (don't know the specs).

This is what I want to do and I would like to know if its possible:
Internet --> Pix 501 --> 24 port switch --> (3) servers

Server 1, 2, 3 have outside IPs xxx.xxx.xxx.135, xxx.xxx.xxx.137, xxx.xxx.xxx.139, respectively.
Pix 501 has internal IP of 192.168.1.1

Thanks for your help
Question by:chigs20
12 Comments
LVL 79

Accepted Solution

by: lrmoore (earned 2000 total points)
ID: 12078755
No problem. Assuming these are web servers for the following example:

ip address outside 1.2.3.4 255.255.255.248
route outside 0.0.0.0 0.0.0.0 1.2.3.5

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) xx.xx.xx.135 192.168.1.135 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.137 192.168.1.137 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.139 192.168.1.139 netmask 255.255.255.255

access-list outside_in permit tcp any host xx.xx.xx.135 eq www
access-list outside_in permit tcp any host xx.xx.xx.137 eq www
access-list outside_in permit tcp any host xx.xx.xx.139 eq www
access-list outside_in permit tcp any host xx.xx.xx.139 eq smtp
access-group outside_in in interface outside

That's about all there is to it.

Use crossover cable between the router and the PIX outside interface (unless you have a hub/switch in between)
Use crossover cable from inside port to switch (unless the switch has an auto x-over port, then you can use a straight patch cable)

LVL 79

Expert Comment

by:lrmoore
ID: 12078769
Whoops, I forgot the inside interface config:

ip address inside 192.168.1.1 255.255.255.0

LVL 79

Expert Comment

by:lrmoore
ID: 12078785
Are you really sure that you want to use 192.168.1.x on the inside? If you have a broadband router at home and decide to use the VPN capability of the PIX, then you may end up with the same subnet on both sides. Not good.

Highly suggest you use something more unusual, like 192.168.250.x on the LAN behind the PIX.
LVL 79

Expert Comment

by:lrmoore
ID: 12105725
Are you still working on this? Do you need more information?
LVL 6

Author Comment

by:chigs20
ID: 12107266
OK, so here's what we have so far...

ip address inside 192.168.250.1 255.255.255.0
ip address outside 192.168.0.250 255.255.255.248
route outside 0.0.0.0 0.0.0.0 192.168.0.250

global (outside) 1 interface
nat (inside) 1 192.168.250.0 255.255.255.0
static (inside,outside) 192.168.0.135 192.168.250.135 netmask 255.255.255.255
static (inside,outside) 192.168.0.137 192.168.250.137 netmask 255.255.255.255
static (inside,outside) 192.168.0.139 192.168.250.139 netmask 255.255.255.255

access-list outside_in permit tcp any host 192.168.0.135 eq http
access-list outside_in permit tcp any host 192.168.0.137 eq http
access-list outside_in permit tcp any host 192.168.0.135 eq https
access-list outside_in permit tcp any host 192.168.0.137 eq https
access-list outside_in permit tcp any host 192.168.0.135 eq ssh
access-list outside_in permit tcp any host 192.168.0.137 eq ssh
access-group outside_in in interface outside

we even added

access-list in_outside permit ip any any
access-group in_outside in interface inside

but we still don't have any 'from the inside out' traffic...

Sorry for the confusing ip schema, we are attempting to test the firewall config internally before implementing it... could this be our problem?
LVL 79

Expert Comment

by:lrmoore
ID: 12107403
> are attempting to test the firewall config internally before implementing it... could this be our problem?
Yes. You cannot get to the "outside" natted ip address from the inside.

With the configuration you have, if you had a web server on the 192.168.0.0 "outside" network (not an "inside" 192.168.250.x server that is natted to an outside address), then I have no doubt that you will have success.

If you want to try from an inside host, to an inside server, using the outside IP, then you need to enable Alias and DNS doctoring.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
LVL 6

Author Comment

by:chigs20
ID: 12107421
From a server on the 192.168.250.0 subnet (inside the firewall) we are trying to ping 216.239.57.99 (google.com) but we get no replies... we are able to access the servers from the outside in (via ssh or http or whatever), but we can't access anything from the inside out.
LVL 79

Expert Comment

by:lrmoore
ID: 12107554
>we are trying to ping 216.239.57.99
You can't ping anything unless you permit the icmp in the acl:

add this:
access-list outside_in permit icmp any any echo-reply

Then re-apply the acl
  access-group outside_in in interface outside

>route outside 0.0.0.0 0.0.0.0 192.168.0.250
This is the correct gateway to get outside? Is it blocking anything from coming back in?

LVL 6

Author Comment

by:chigs20
ID: 12153298
OK, so we have it all up and running except for one thing. I am able to access the "outside" ip address from within the same subnet of the pix "outside" ip addy. However, I'm unable to access the "outside" ip addresses from anywhere else.

access-list outside_in permit tcp any host 192.168.250.137 eq http
access-list outside_in permit tcp any host 192.168.250.135 eq https

This is what I thought should be allowing anyone access to our http service from anywhere...
LVL 79

Expert Comment

by:lrmoore
ID: 12154352
As long as the access-list has actual public IPs and not private 192.168.x.x addresses, and you have applied the ACL to the interface, then it should work.
Since you can access these outside IP's from the same outside subnet, but nobody else further out of that subnet can get to you, then you have a routing issue. Do you control the router that is in front of the PIX?
LVL 79

Expert Comment

by:lrmoore
ID: 12154362
>ip address outside 192.168.0.250 255.255.255.248
Assuming that this is correct, and that you are using a private IP address on the outside IP, you cannot get traffic back into the private IP on your PIX from anywhere else outside of that subnet, unless you have another nat router or something upstream.
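As an added illustration that is not part of the thread, here is a small Python checker for the pitfalls lrmoore calls out above: a default route whose gateway is the PIX's own outside address, an access-list line with no protocol, an ACL entry naming the inside (real) address instead of the static's mapped outside address, and an RFC 1918 address on the outside interface. The sample config is constructed to resemble the one posted in the thread; it is hypothetical, not the asker's running configuration.

```python
from ipaddress import ip_address

# Constructed PIX 6.x snippet modelled on the config posted in the thread
# (a hypothetical sample, not the asker's running configuration).
SAMPLE_CONFIG = """
ip address inside 192.168.250.1 255.255.255.0
ip address outside 192.168.0.250 255.255.255.248
route outside 0.0.0.0 0.0.0.0 192.168.0.250
static (inside,outside) 192.168.0.135 192.168.250.135 netmask 255.255.255.255
static (inside,outside) 192.168.0.137 192.168.250.137 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.168.250.137 eq http
access-list outside_in permit tcp any host 192.168.0.135 eq https
access-list in_outside permit any any
access-group outside_in in interface outside
"""

def lint_pix(config):
    """Return (severity, message) findings for the pitfalls discussed in the thread."""
    findings, ifaces, statics, acl_hosts, applied = [], {}, {}, [], set()
    for line in filter(str.strip, config.splitlines()):
        t = line.split()
        if t[:2] == ["ip", "address"]:          # ip address <if> <addr> <mask>
            ifaces[t[2]] = ip_address(t[3])
        elif t[0] == "route" and t[2] == "0.0.0.0":
            gw = ip_address(t[4])
            if gw == ifaces.get(t[1]):           # gateway must be the next hop, not us
                findings.append(("error", f"default route via {gw} is the {t[1]} interface itself"))
        elif t[0] == "static":                   # static (in,out) <mapped> <real> ...
            statics[ip_address(t[2])] = ip_address(t[3])
        elif t[0] == "access-list":
            if t[2] not in ("permit", "deny") or t[3] in ("any", "host"):
                findings.append(("error", f"'{line.strip()}' lacks a protocol (ip/tcp/udp/icmp)"))
                continue
            if "host" in t:
                acl_hosts.append((t[1], ip_address(t[t.index("host") + 1])))
        elif t[0] == "access-group":
            applied.add(t[1])
    for name, host in acl_hosts:
        if host in statics.values():             # ACL must name the mapped (outside) address
            findings.append(("error", f"{name} permits to inside address {host}; use its mapped outside address"))
    for name in {n for n, _ in acl_hosts} - applied:
        findings.append(("error", f"{name} is never bound with access-group"))
    if "outside" in ifaces and ifaces["outside"].is_private:
        findings.append(("warning", "outside interface is RFC 1918; unreachable beyond its subnet without upstream NAT"))
    return findings

if __name__ == "__main__":
    for sev, msg in lint_pix(SAMPLE_CONFIG):
        print(f"{sev}: {msg}")
```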
LVL 6

Author Comment

by:chigs20
ID: 12162459
Thanks for the help! Everything is up and running and working great... thanks again for all the help!
Question has a verified solution.