Configure Pix 501

So, we just bought a Cisco PIX 501. We want to set it up in the following manner:
NOTE: We have 3 servers at a colo; they use a Cisco router (don't know the specs).

This is what I want to do and I would like to know if its possible:
Internet --> Pix 501 --> 24 port switch --> (3) servers

Servers 1, 2, 3 have outside IPs xxx.xxx.xxx.135, xxx.xxx.xxx.137, xxx.xxx.xxx.139, respectively.
Pix 501 has internal IP of 192.168.1.1

Thanks for your help
Asked by chigs20

1 Solution
lrmoore commented:
No problem. Assuming these are web servers for the following example:

ip address outside 1.2.3.4 255.255.255.248
route outside 0.0.0.0 0.0.0.0 1.2.3.5

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) xx.xx.xx.135 192.168.1.135 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.137 192.168.1.137 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.139 192.168.1.139 netmask 255.255.255.255

access-list outside_in permit tcp any host xx.xx.xx.135 eq www
access-list outside_in permit tcp any host xx.xx.xx.137 eq www
access-list outside_in permit tcp any host xx.xx.xx.139 eq www
access-list outside_in permit tcp any host xx.xx.xx.139 eq smtp
! one permit line per service the server exposes
access-group outside_in in interface outside

That's about all there is to it.

Use a crossover cable between the router and the PIX outside interface (unless you have a hub/switch in between).
Use a crossover cable from the inside port to the switch (unless the switch has an auto-crossover port, in which case you can use a straight patch cable).

lrmoore commented:
Woops, I forgot the inside interface config:

ip address inside 192.168.1.1 255.255.255.0

lrmoore commented:
Are you really sure that you want to use 192.168.1.x on the inside? If you have a broadband router at home and decide to use the VPN capability of the PIX, then you may end up with the same subnet on both sides. Not good.

Highly suggest you use something more unusual, like 192.168.250.x on the LAN behind the PIX.
lrmoore commented:
Are you still working on this? Do you need more information?
chigs20 (author) commented:
OK, so here's what we have so far...

ip address inside 192.168.250.1 255.255.255.0
ip address outside 192.168.0.250 255.255.255.248
route outside 0.0.0.0 0.0.0.0 192.168.0.250

global (outside) 1 interface
nat (inside) 1 192.168.250.0 255.255.255.0
static (inside,outside) 192.168.0.135 192.168.250.135 netmask 255.255.255.255
static (inside,outside) 192.168.0.137 192.168.250.137 netmask 255.255.255.255
static (inside,outside) 192.168.0.139 192.168.250.139 netmask 255.255.255.255

access-list outside_in permit tcp any host 192.168.0.135 eq http
access-list outside_in permit tcp any host 192.168.0.137 eq http
access-list outside_in permit tcp any host 192.168.0.135 eq https
access-list outside_in permit tcp any host 192.168.0.137 eq https
access-list outside_in permit tcp any host 192.168.0.135 eq ssh
access-list outside_in permit tcp any host 192.168.0.137 eq ssh
access-group outside_in in interface outside

we even added

access-list in_outside permit ip any any
access-group in_outside in interface inside

but we still don't have any 'from the inside out' traffic...

Sorry for the confusing ip schema, we are attempting to test the firewall config internally before implementing it... could this be our problem?
lrmoore commented:
> are attempting to test the firewall config internally before implementing it... could this be our problem?
Yes. You cannot get to the "outside" natted ip address from the inside.

With the configuration you have, if you had a web server on the 192.168.0.0 "outside" network (not an "inside" 192.168.250.x server that is natted to an outside address), then I have no doubt that you will have success.

If you want to try from an inside host, to an inside server, using the outside IP, then you need to enable alias and DNS doctoring.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
chigs20 (author) commented:
From a server on the 192.168.250.0 subnet (inside the firewall) we are trying to ping 216.239.57.99 (google.com) but we get no replies... We are able to access the servers from the outside in (via ssh or http or whatever), but we can't access anything from the inside out.
lrmoore commented:
>we are trying to ping 216.239.57.99
You can't ping anything unless you permit the ICMP replies in the ACL:

add this:
access-list outside_in permit icmp any any echo-reply

Then re-apply the acl
  access-group outside_in in interface outside

>route outside 0.0.0.0 0.0.0.0 192.168.0.250
This is the correct gateway to get outside? Is it blocking anything from coming back in?

chigs20 (author) commented:
OK, so we have it all up and running except for one thing. I am able to access the "outside" IP addresses from within the same subnet as the PIX "outside" IP address. However, I'm unable to access the "outside" IP addresses from anywhere else.

access-list outside_in permit tcp any host 192.168.250.137 eq http
access-list outside_in permit tcp any host 192.168.250.135 eq https

This is what I thought should be allowing anyone access to our http service from anywhere...
lrmoore commented:
As long as the access-list has actual public IPs and not private 192.168.x.x addresses,
and you have applied the ACL to the interface, then it should work.
Since you can access these outside IP's from the same outside subnet, but nobody else further out of that subnet can get to you, then you have a routing issue. Do you control the router that is in front of the PIX?
lrmoore commented:
>ip address outside 192.168.0.250 255.255.255.248
Assuming that this is correct, and that you are using a private IP address on the outside IP, you cannot get traffic back into the private IP on your PIX from anywhere else outside of that subnet, unless you have another nat router or something upstream.
chigs20 (author) commented:
Thanks for the help! Everything is up and running and working great... Thanks again for all the help!
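As an added example (not part of this thread and not a Cisco tool), the checks lrmoore walks through above can be run mechanically against a PIX 6-style config text: a default route whose gateway is one of the PIX's own addresses, an RFC 1918 address on the outside interface (reachable only from its own subnet), ACL entries applied on outside that permit a server's inside address instead of the address its `static` maps it to, and a missing `echo-reply` permit for pings from inside. The sample config is the author's posted test configuration, constructed here as a string; the finding codes such as `acl-inside-addr` are names chosen for this example.

```python
"""Lint a PIX 6.x-style config for the mistakes worked through in this thread."""
import ipaddress
import re

# Constructed sample input: the author's internal test configuration as posted
# above, including the two ACL entries that name inside 192.168.250.x addresses
# and the default route whose gateway is the PIX's own outside address.
SAMPLE_CONFIG = """\
ip address inside 192.168.250.1 255.255.255.0
ip address outside 192.168.0.250 255.255.255.248
route outside 0.0.0.0 0.0.0.0 192.168.0.250
global (outside) 1 interface
nat (inside) 1 192.168.250.0 255.255.255.0
static (inside,outside) 192.168.0.135 192.168.250.135 netmask 255.255.255.255
static (inside,outside) 192.168.0.137 192.168.250.137 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.168.0.135 eq http
access-list outside_in permit tcp any host 192.168.250.137 eq http
access-list outside_in permit tcp any host 192.168.250.135 eq https
access-group outside_in in interface outside
"""


def _addr_spec(tok, i):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull interfaces, routes, statics, ACL entries and access-groups out of the config."""
    cfg = {"interfaces": {}, "routes": [], "statics": [], "acls": {}, "groups": {}}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if t[:2] == ["ip", "address"]:
            cfg["interfaces"][t[2]] = ipaddress.IPv4Interface(f"{t[3]}/{t[4]}")
        elif t[0] == "route":                 # route IFACE NET MASK GATEWAY
            cfg["routes"].append((t[1], ipaddress.IPv4Address(t[4])))
        elif t[0] == "static":                # static (real,mapped) MAPPED REAL netmask ...
            real_if, mapped_if = re.match(r"\((\w+),(\w+)\)", t[1]).groups()
            cfg["statics"].append({"real_if": real_if, "mapped_if": mapped_if,
                                   "mapped": ipaddress.IPv4Address(t[2]),
                                   "real": ipaddress.IPv4Address(t[3])})
        elif t[0] == "access-list":           # access-list NAME permit|deny PROTO SRC DST [port...]
            src, i = _addr_spec(t, 4)
            dst, i = _addr_spec(t, i)
            cfg["acls"].setdefault(t[1], []).append(
                {"action": t[2], "proto": t[3], "src": src, "dst": dst,
                 "rest": t[i:], "line": line})
        elif t[0] == "access-group":          # access-group NAME in interface IFACE
            cfg["groups"][t[4]] = t[1]
    return cfg


def lint(cfg):
    """Return (code, message) findings for the problems diagnosed in the thread."""
    findings = []
    ifaces = cfg["interfaces"]
    own_ips = {i.ip for i in ifaces.values()}
    for iface, gw in cfg["routes"]:
        if gw in own_ips:
            findings.append(("route-self", f"route via {gw} points at the PIX's own {iface} address"))
        elif iface in ifaces and gw not in ifaces[iface].network:
            findings.append(("route-offnet", f"gateway {gw} is not on {iface} subnet {ifaces[iface].network}"))
    if "outside" in ifaces and ifaces["outside"].ip.is_private:
        findings.append(("outside-private",
                         f"outside address {ifaces['outside'].ip} is RFC 1918; only its own subnet can reach it"))
    real_to_mapped = {s["real"]: s["mapped"] for s in cfg["statics"]}
    mapped = set(real_to_mapped.values())
    acl_name = cfg["groups"].get("outside")
    entries = cfg["acls"].get(acl_name, [])
    if not entries:
        findings.append(("no-outside-acl", "no access-list is applied inbound on outside; nothing gets in"))
        return findings
    for e in entries:
        if e["action"] != "permit" or e["dst"] is None or e["dst"].prefixlen != 32:
            continue
        dst = e["dst"].network_address
        if dst in real_to_mapped:
            findings.append(("acl-inside-addr",
                             f"{e['line']!r} names inside address {dst}; the static maps it to "
                             f"{real_to_mapped[dst]}, permit that instead"))
        elif dst not in mapped and dst not in own_ips:
            findings.append(("acl-no-static", f"{e['line']!r} permits {dst}, but no static translates it"))
    if not any(e["proto"] == "icmp" and "echo-reply" in e["rest"] for e in entries):
        findings.append(("no-echo-reply",
                         f"{acl_name} has no 'permit icmp any any echo-reply'; pings from inside get no replies"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(parse_config(SAMPLE_CONFIG)):
        print(f"{code}: {msg}")
```

Run against the posted config it reports the self-pointing route, the private outside address, the two ACL lines that name 192.168.250.x, and the missing echo-reply permit; after applying lrmoore's corrections only the private-outside-address warning remains, which is exactly why the author's internal test could not be reached from beyond the adjacent subnet.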