Configure Pix 501

Posted on 2004-09-16
Last Modified: 2013-11-16
So, we just bought a Cisco Pix 501.  We want to set it up in the following manner:
NOTE: We have 3 servers at a colo; they use a Cisco router (don't know the specs).

This is what I want to do and I would like to know if it's possible:
Internet --> Pix 501 --> 24 port switch --> (3) servers

Server 1, 2, 3 have outside IPs xxx.xxx.xxx.135, xxx.xxx.xxx.137, xxx.xxx.xxx.139, respectively.
Pix 501 has internal IP of 192.168.1.1

Thanks for your help
Question by:chigs20
Accepted Solution

by: lrmoore (earned 500 total points)
ID: 12078755
No problem. Assuming these are web servers for the following example:

ip address outside 1.2.3.4 255.255.255.248
route outside 0.0.0.0 0.0.0.0 1.2.3.5

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) xx.xx.xx.135 192.168.1.135 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.137 192.168.1.137 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.139 192.168.1.139 netmask 255.255.255.255

access-list outside_in permit tcp any host xx.xx.xx.135 eq www
access-list outside_in permit tcp any host xx.xx.xx.137 eq www
access-list outside_in permit tcp any host xx.xx.xx.139 eq www | smtp | whatever
access-group outside_in in interface outside

That's about all there is to it.

Use a crossover cable between the router and the PIX outside interface (unless you have a hub/switch in between).
Use a crossover cable from the inside port to the switch (unless the switch has an auto x-over port, in which case you can use a straight patch cable).

Expert Comment

by:lrmoore
ID: 12078769
Whoops, I forgot the inside interface config:

ip address inside 192.168.1.1 255.255.255.0

Expert Comment

by:lrmoore
ID: 12078785
Are you really sure that you want to use 192.168.1.x on the inside? If you have a broadband router at home and decide to use the VPN capability of the PIX, then you may end up with the same subnet on both sides. Not good.

Highly suggest you use something more unusual, like 192.168.250.x on the LAN behind the PIX.
Expert Comment

by:lrmoore
ID: 12105725
Are you still working on this? Do you need more information?
Author Comment

by:chigs20
ID: 12107266
OK, so here's what we have so far...

ip address inside 192.168.250.1 255.255.255.0
ip address outside 192.168.0.250 255.255.255.248
route outside 0.0.0.0 0.0.0.0 192.168.0.250

global (outside) 1 interface
nat (inside) 1 192.168.250.0 255.255.255.0
static (inside,outside) 192.168.0.135 192.168.250.135 netmask 255.255.255.255
static (inside,outside) 192.168.0.137 192.168.250.137 netmask 255.255.255.255
static (inside,outside) 192.168.0.139 192.168.250.139 netmask 255.255.255.255

access-list outside_in permit tcp any host 192.168.0.135 eq http
access-list outside_in permit tcp any host 192.168.0.137 eq http
access-list outside_in permit tcp any host 192.168.0.135 eq https
access-list outside_in permit tcp any host 192.168.0.137 eq https
access-list outside_in permit tcp any host 192.168.0.135 eq ssh
access-list outside_in permit tcp any host 192.168.0.137 eq ssh
access-group outside_in in interface outside

we even added

access-list in_outside permit ip any any
access-group in_outside in interface inside

but we still don't have any 'from the inside out' traffic...

Sorry for the confusing ip schema, we are attempting to test the firewall config internally before implementing it... could this be our problem?
Expert Comment

by:lrmoore
ID: 12107403
> are attempting to test the firewall config internally before implementing it... could this be our problem?
Yes. You cannot get to the "outside" natted ip address from the inside.

With the configuration you have, if you had a web server on the 192.168.0.0 "outside" network (not an "inside" 192.168.250.x server that is natted to an outside address), then I have no doubt that you will have success.

If you want to try from an inside host, to an inside server, using the outside IP, then you need to enable Alias and DNS doctoring.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
Author Comment

by:chigs20
ID: 12107421
From a server on the 192.168.250.0 subnet (inside the firewall) we are trying to ping 216.239.57.99 (google.com) but we get no replies... We are able to access the servers from the outside in (via ssh or http or whatever), but we can't access anything from the inside out.
Expert Comment

by:lrmoore
ID: 12107554
>we are trying to ping 216.239.57.99
You can't ping anything unless you permit the icmp in the acl:

add this:
access-list outside_in permit icmp any any echo-reply

Then re-apply the acl
  access-group outside_in in interface outside

>route outside 0.0.0.0 0.0.0.0 192.168.0.250
This is the correct gateway to get outside? Is it blocking anything from coming back in?

 
Author Comment

by:chigs20
ID: 12153298
OK, so we have it all up and running except for one thing. I am able to access the "outside" ip address from within the same subnet of the pix "outside" ip addy. However, I'm unable to access the "outside" ip addresses from anywhere else.

access-list outside_in permit tcp any host 192.168.250.137 eq http
access-list outside_in permit tcp any host 192.168.250.135 eq https

This is what I thought should be allowing anyone access to our http service from anywhere...
Expert Comment

by:lrmoore
ID: 12154352
As long as the access-list has actual public IPs and not private 192.168.x.x addresses, and you have applied the acl to the interface, then it should work.
Since you can access these outside IPs from the same outside subnet, but nobody else further out of that subnet can get to you, then you have a routing issue. Do you control the router that is in front of the PIX?
Expert Comment

by:lrmoore
ID: 12154362
>ip address outside 192.168.0.250 255.255.255.248
Assuming that this is correct, and that you are using a private IP address on the outside IP, you cannot get traffic back into the private IP on your PIX from anywhere else outside of that subnet, unless you have another nat router or something upstream.
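The checks lrmoore walks through in the accepted solution and in the ID 12154352 / 12154362 replies (an outside ACL must name the mapped outside address rather than the real inside one, an access-list does nothing until access-group binds it, echo-reply must be permitted for pings from inside to get answers, and a private outside address is reachable only from its own subnet without upstream NAT) can be run mechanically over a saved config. The following Python linter is an added example, not code from the thread or from Cisco; the sample config is constructed, and the regexes are an assumption that covers only the command forms used in this thread, not the full PIX syntax.

```python
import ipaddress
import re
# Constructed sample (not pasted from the thread); it reproduces the problems discussed above:
# an outside ACL naming an inside address, a private outside address, no echo-reply permit.
SAMPLE_CONFIG = """
ip address outside 192.168.0.250 255.255.255.248
ip address inside 192.168.250.1 255.255.255.0
static (inside,outside) 192.168.0.135 192.168.250.135 netmask 255.255.255.255
static (inside,outside) 192.168.0.137 192.168.250.137 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.168.250.137 eq http
access-list outside_in permit tcp any host 192.168.0.135 eq https
access-list dmz_in permit tcp any host 192.168.0.135 eq www
access-group outside_in in interface outside
"""
OUTSIDE_RE = re.compile(r"ip address outside (\S+) ")
STATIC_RE = re.compile(r"static \(inside,outside\) (\S+) (\S+) netmask")
ACL_HOST_RE = re.compile(r"access-list (\S+) permit \S+ any host (\S+)")
ACL_ICMP_RE = re.compile(r"access-list (\S+) permit icmp any any echo-reply")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")

def lint_pix_config(config):
    # Returns a list of findings about how statics, ACLs and their bindings fit together.
    statics, acl_hosts, applied, echo_reply = {}, {}, {}, set()
    outside_addr = None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := OUTSIDE_RE.match(line):
            outside_addr = m.group(1)
        elif m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)        # mapped (outside) -> real (inside)
        elif m := ACL_HOST_RE.match(line):
            acl_hosts.setdefault(m.group(1), []).append((m.group(2), line))
        elif m := ACL_ICMP_RE.match(line):
            echo_reply.add(m.group(1))
        elif m := GROUP_RE.match(line):
            applied[m.group(1)] = m.group(2)
    findings = []
    for name, entries in acl_hosts.items():
        if name not in applied:                     # an ACL does nothing until access-group binds it
            findings.append(f"{name}: defined but never bound with access-group")
            continue
        for host, line in entries:
            if host in statics.values():            # outside ACLs must name the mapped address
                mapped = next(o for o, r in statics.items() if r == host)
                findings.append(f"{name}: '{line}' names inside address {host}; use {mapped}")
    for name, iface in applied.items():
        if iface == "outside" and name not in echo_reply:
            findings.append(f"{name}: no 'permit icmp any any echo-reply', so pings from inside get no replies")
    if outside_addr and ipaddress.ip_address(outside_addr).is_private:
        findings.append(f"outside address {outside_addr} is private; only its own subnet can reach it without upstream NAT")
    return findings
```

Replace SAMPLE_CONFIG with a saved running configuration to check your own box.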
Author Comment

by:chigs20
ID: 12162459
Thanks for the help! Everything is up and running and working great... thanks again for all the help!