Configure Pix 501

Posted on 2004-09-16
Last Modified: 2013-11-16
So, we just bought a Cisco Pix 501. We want to set it up in the following manner:
NOTE: We have 3 servers at a colo; they use a Cisco router (don't know the specs).

This is what I want to do, and I would like to know if it's possible:
Internet --> Pix 501 --> 24 port switch --> (3) servers

Server 1, 2, 3 have outside IPs xxx.xxx.xxx.135, xxx.xxx.xxx.137, xxx.xxx.xxx.139, respectively.
Pix 501 has internal IP of 192.168.1.1

Thanks for your help
Question by:chigs20
Accepted Solution

by:
lrmoore earned 500 total points
ID: 12078755
No problem. Assuming these are web servers for the following example:

ip address outside 1.2.3.4 255.255.255.248
route outside 0.0.0.0 0.0.0.0 1.2.3.5

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) xx.xx.xx.135 192.168.1.135 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.137 192.168.1.137 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.139 192.168.1.139 netmask 255.255.255.255

access-list outside_in permit tcp any host xx.xx.xx.135 eq www
access-list outside_in permit tcp any host xx.xx.xx.137 eq www
access-list outside_in permit tcp any host xx.xx.xx.139 eq www | smtp | whatever
access-group outside_in in interface outside

That's about all there is to it.

Use a crossover cable between the router and the PIX outside interface (unless you have a hub/switch in between).
Use a crossover cable from the inside port to the switch (unless the switch has an auto x-over port, in which case you can use a straight patch cable).

Expert Comment

by:lrmoore
ID: 12078769
Whoops, I forgot the inside interface config:

ip address inside 192.168.1.1 255.255.255.0

Expert Comment

by:lrmoore
ID: 12078785
Are you really sure that you want to use 192.168.1.x on the inside? If you have a broadband router at home and decide to use the VPN capability of the PIX, then you may end up with the same subnet on both sides. Not good.

Highly suggest you use something more unusual, like 192.168.250.x on the LAN behind the PIX.
Expert Comment

by:lrmoore
ID: 12105725
Are you still working on this? Do you need more information?
Author Comment

by:chigs20
ID: 12107266
OK, so here's what we have so far...

ip address inside 192.168.250.1 255.255.255.0
ip address outside 192.168.0.250 255.255.255.248
route outside 0.0.0.0 0.0.0.0 192.168.0.250

global (outside) 1 interface
nat (inside) 1 192.168.250.0 255.255.255.0
static (inside,outside) 192.168.0.135 192.168.250.135 netmask 255.255.255.255
static (inside,outside) 192.168.0.137 192.168.250.137 netmask 255.255.255.255
static (inside,outside) 192.168.0.139 192.168.250.139 netmask 255.255.255.255

access-list outside_in permit tcp any host 192.168.0.135 eq http
access-list outside_in permit tcp any host 192.168.0.137 eq http
access-list outside_in permit tcp any host 192.168.0.135 eq https
access-list outside_in permit tcp any host 192.168.0.137 eq https
access-list outside_in permit tcp any host 192.168.0.135 eq ssh
access-list outside_in permit tcp any host 192.168.0.137 eq ssh
access-group outside_in in interface outside

we even added

access-list in_outside permit ip any any
access-group in_outside in interface inside

but we still don't have any 'from the inside out' traffic...

Sorry for the confusing ip schema, we are attempting to test the firewall config internally before implementing it... could this be our problem?
Expert Comment

by:lrmoore
ID: 12107403
> are attempting to test the firewall config internally before implementing it... could this be our problem?
Yes. You cannot get to the "outside" natted ip address from the inside.

With the configuration you have, if you had a web server on the 192.168.0.0 "outside" network (not an "inside" 192.168.250.x server that is natted to an outside address), then I have no doubt that you will have success.

If you want to try from an inside host to an inside server using the outside IP, then you need to enable Alias and DNS doctoring.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
Author Comment

by:chigs20
ID: 12107421
From a server on the 192.168.250.0 subnet (inside the firewall) we are trying to ping 216.239.57.99 (google.com), but we get no replies... We are able to access the servers from the outside in (via ssh or http or whatever), but we can't access anything from the inside out.
Expert Comment

by:lrmoore
ID: 12107554
>we are trying to ping 216.239.57.99
You can't ping anything unless you permit ICMP in the ACL:

add this:
access-list outside_in permit icmp any any echo-reply

Then re-apply the acl
  access-group outside_in in interface outside

>route outside 0.0.0.0 0.0.0.0 192.168.0.250
This is the correct gateway to get outside? Is it blocking anything from coming back in?

 
Author Comment

by:chigs20
ID: 12153298
OK, so we have it all up and running except for one thing. I am able to access the "outside" ip address from within the same subnet as the pix "outside" ip addy. However, I'm unable to access the "outside" ip addresses from anywhere else.

access-list outside_in permit tcp any host 192.168.250.137 eq http
access-list outside_in permit tcp any host 192.168.250.135 eq https

This is what I thought should be allowing anyone access to our http service from anywhere...
Expert Comment

by:lrmoore
ID: 12154352
As long as the access-list has actual public IPs and not private 192.168.x.x addresses, and you have applied the acl to the interface, then it should work.
Since you can access these outside IPs from the same outside subnet, but nobody else further out of that subnet can get to you, then you have a routing issue. Do you control the router that is in front of the PIX?
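A small config lint, added here as an example and not code from the thread, that checks the NAT/ACL points the accepted solution and this last exchange turn on: an ACL applied to the outside interface must name the static's outside (global) address rather than the inside address, every access-list should be applied with access-group, and pings from inside need an icmp echo-reply permit. The sample config, its addresses and ACL names are constructed for the example.

```python
import re

# Constructed sample, not the thread's exact config: static translations as in the
# accepted solution, plus ACL lines modelled on the later post (one names an inside address).
SAMPLE_CONFIG = """
static (inside,outside) 1.2.3.135 192.168.250.135 netmask 255.255.255.255
static (inside,outside) 1.2.3.137 192.168.250.137 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.168.250.137 eq http
access-list outside_in permit tcp any host 1.2.3.135 eq https
access-list outside_in permit tcp any host 1.2.3.139 eq www
access-group outside_in in interface outside
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) any (?:host (\S+)|any)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def lint_pix_config(text):
    """Return findings for the mistakes this thread turns on: an outside ACL
    that names an inside (pre-NAT) address, an ACL that is defined but never
    applied, and no icmp echo-reply permit when inside hosts expect ping replies."""
    statics = {}   # outside (global) address -> inside (local) address
    acls = {}      # ACL name -> list of (protocol, destination host or None)
    applied = {}   # ACL name -> interface it is bound to
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := GROUP_RE.match(line):
            applied[m.group(1)] = m.group(2)

    findings = []
    for name, entries in acls.items():
        if name not in applied:
            findings.append(f"{name}: defined but never applied with access-group")
        for _proto, host in entries:
            if host is not None and host in statics.values():
                findings.append(f"{name}: host {host} is an inside address; the "
                                f"outside ACL must name the static's global address")
            elif host is not None and host not in statics:
                findings.append(f"{name}: host {host} has no matching static")
        if applied.get(name) == "outside" and not any(
                p == "icmp" and h is None for p, h in entries):
            findings.append(f"{name}: no 'permit icmp any any echo-reply', so "
                            f"pings from inside hosts get no replies back")
    return findings
```

Running `lint_pix_config(SAMPLE_CONFIG)` reports the inside-address ACL entry, the entry with no static, and the missing echo-reply permit; a config with the global addresses and the icmp line produces no findings.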
Expert Comment

by:lrmoore
ID: 12154362
>ip address outside 192.168.0.250 255.255.255.248
Assuming that this is correct, and that you are using a private IP address on the outside IP, you cannot get traffic back into the private IP on your PIX from anywhere else outside of that subnet, unless you have another nat router or something upstream.
Author Comment

by:chigs20
ID: 12162459
Thanks for the help! Everything is up and running and working great... thanks again for all the help!