ericmiller74
asked on
Cisco PIX 501 setup question
Hello All.
Let me first describe what I am trying to accomplish. I have a Cisco 675 attached to my DSL line and a Cisco PIX 501. We have a block of static IP addresses from 207.*.15.89 - 207.*.174.15.94. Our public ip address is 207.*.15.89 and all of our dns points to that address. I need to use the 10.0.0.0 private ip space for the internal network ( Our servers are setup that way and can't be changed). I have a web/mail server at 10.0.0.100 and an AFP server at 10.0.0.149. I would like to have the PIX setup to allow the web/mail traffic inside. I have successfully set up the PIX for outbound connections.
Here are some of my questions to make sure the router is set up correctly first.
1. Does the 675 NEED a eth0 ip address? OR
2. Can the 675 be configured with just a wan0-0 ipcp address?
Ive posted the running config
cbos#sh run
Warning: traffic may pause while NVRAM is being accessed
[[ CBOS = Section Start ]]
NSOS MD5 Root Password = 2E55000059520000983E00009C
NSOS MD5 Commander Password = D501270E48E53864751400453E
NSOS MD5 Enable Password = 047700008C6500003E3600002F
[[ PPP Device Driver = Section Start ]]
PPP Port Option = 00, IPCP,IP Address,3,Auto,Negotiation
cbos#
__________________________
PIX SH RUN
Result of firewall command: "sh run"
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
**************************
access-list 101 permit tcp any host 207.*.15.89 eq www
**************************
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 207.*.15.91 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.0.0.100 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
**************************
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 207.*.15.89 10.0.0.100 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 207.*.15.89 1
**************************
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.2-10.0.0.30 inside
dhcpd dns 204.144.142.1 204.144.142.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:4fedd8b26d1
: end
Ive gone throught the steps outlined in my previous post of the same name, but it is still not working for me. I suspect that I am just missing a fundamental piece of the puzzle. Your help is appreciated.
-Eric Miller
Let me first describe what I am trying to accomplish. I have a Cisco 675 attached to my DSL line and a Cisco PIX 501. We have a block of static IP addresses from 207.*.15.89 - 207.*.174.15.94. Our public ip address is 207.*.15.89 and all of our dns points to that address. I need to use the 10.0.0.0 private ip space for the internal network ( Our servers are setup that way and can't be changed). I have a web/mail server at 10.0.0.100 and an AFP server at 10.0.0.149. I would like to have the PIX setup to allow the web/mail traffic inside. I have successfully set up the PIX for outbound connections.
Here are some of my questions to make sure the router is set up correctly first.
1. Does the 675 NEED a eth0 ip address? OR
2. Can the 675 be configured with just a wan0-0 ipcp address?
Ive posted the running config
cbos#sh run
Warning: traffic may pause while NVRAM is being accessed
[[ CBOS = Section Start ]]
NSOS MD5 Root Password = 2E55000059520000983E00009C
NSOS MD5 Commander Password = D501270E48E53864751400453E
NSOS MD5 Enable Password = 047700008C6500003E3600002F
[[ PPP Device Driver = Section Start ]]
PPP Port Option = 00, IPCP,IP Address,3,Auto,Negotiation
cbos#
__________________________
PIX SH RUN
Result of firewall command: "sh run"
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
**************************
access-list 101 permit tcp any host 207.*.15.89 eq www
**************************
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 207.*.15.91 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.0.0.100 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
**************************
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 207.*.15.89 10.0.0.100 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 207.*.15.89 1
**************************
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.2-10.0.0.30 inside
dhcpd dns 204.144.142.1 204.144.142.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:4fedd8b26d1
: end
Ive gone throught the steps outlined in my previous post of the same name, but it is still not working for me. I suspect that I am just missing a fundamental piece of the puzzle. Your help is appreciated.
-Eric Miller
ASKER
Matthew, thanks very much for responding.
I made some changes. I've added an eth0 address on the 675 (.90) and changed the outside int on the PIX to .91 for consistancy. I am still not able to resolve our web site/mail server. Here are the new outputs. Per your suggestion i've removed the password hashes, and changed the pass =)
cbos#sh run
Warning: traffic may pause while NVRAM is being accessed
[[ CBOS = Section Start ]]
NSOS MD5 Root Password = 2E55000059520000983E00009C
NSOS MD5 Commander Password =
NSOS MD5 Enable Password =
[[ PPP Device Driver = Section Start ]]
PPP Port Option = 00, IPCP,IP Address,3,Auto,Negotiation
[[ IP Routing = Section Start ]]
IP Port Address = 00, 207.*.15.90
cbos#
PIX SH RUN
Result of firewall command: "sh run"
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host 207.*.15.92 eq www
access-list 101 permit tcp any host 207.*.15.92 eq smtp
access-list 101 permit tcp any host 207.*.15.92 eq pop3
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 207.*.15.91 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.0.0.100 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 207.*.15.92 www 10.0.0.100 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 207.*.15.92 smtp 10.0.0.100 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 207.*.15.92 pop3 10.0.0.100 pop3 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 207.*.15.90 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.2-10.0.0.30 inside
dhcpd dns 204.144.142.1 204.144.142.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:3f3085d2602
: end
I made some changes. I've added an eth0 address on the 675 (.90) and changed the outside int on the PIX to .91 for consistancy. I am still not able to resolve our web site/mail server. Here are the new outputs. Per your suggestion i've removed the password hashes, and changed the pass =)
cbos#sh run
Warning: traffic may pause while NVRAM is being accessed
[[ CBOS = Section Start ]]
NSOS MD5 Root Password = 2E55000059520000983E00009C
NSOS MD5 Commander Password =
NSOS MD5 Enable Password =
[[ PPP Device Driver = Section Start ]]
PPP Port Option = 00, IPCP,IP Address,3,Auto,Negotiation
[[ IP Routing = Section Start ]]
IP Port Address = 00, 207.*.15.90
cbos#
PIX SH RUN
Result of firewall command: "sh run"
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host 207.*.15.92 eq www
access-list 101 permit tcp any host 207.*.15.92 eq smtp
access-list 101 permit tcp any host 207.*.15.92 eq pop3
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 207.*.15.91 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.0.0.100 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 207.*.15.92 www 10.0.0.100 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 207.*.15.92 smtp 10.0.0.100 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 207.*.15.92 pop3 10.0.0.100 pop3 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 207.*.15.90 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.2-10.0.0.30 inside
dhcpd dns 204.144.142.1 204.144.142.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:3f3085d2602
: end
Eric, just to verify, you can still access external websites, etc. Right?
Which ISP is providing your DSL account? Have you checked with them regarding the proper 675 configuration for a static-mapped zone?
Can you ping your pix from an external site? (You may need to add an access-list for that - I use "access-list 101 permit icmp any any".)
MM
Which ISP is providing your DSL account? Have you checked with them regarding the proper 675 configuration for a static-mapped zone?
Can you ping your pix from an external site? (You may need to add an access-list for that - I use "access-list 101 permit icmp any any".)
MM
ASKER
OK, sorry for the delay, I have alot going on right now.
I spoke with my ISP and they gave me instructions for setting up the 675. Here is the running config.
cbos#sh run
Warning: traffic may pause while NVRAM is being accessed
[[ CBOS = Section Start ]]
NSOS MD5 Enable Password =
NSOS MD5 Root Password =
NSOS MD5 Commander Password =
NSOS Remote Restart = enabled
[[ PPP Device Driver = Section Start ]]
PPP Port Option = 00, IPCP,IP Address,3,Auto,Negotiation
PPP Port Option = 00, IPCP,Primary DNS Server,129,Auto,Negotiatio
PPP Port Option = 00, IPCP,Secondary DNS Server,131,Auto,Negotiatio
cbos#
Maybe it would be best to describe what I am trying to do again.
1. We have a block of static IPs assigned to us. 207.*.15.89-94 or /29
2. All of our DNS records point to the .89 address for the public address. ( I would like to keep it this way )
3. We need to use a 10.0.0.0 private scheme
4. I need to allow traffic in to our web/mail server at 10.0.0.100
5. Everyone on the inside needs access to the outside
Thats it.
I need help understanding the exact config for this to work. Thanks in advance
-Eric
I spoke with my ISP and they gave me instructions for setting up the 675. Here is the running config.
cbos#sh run
Warning: traffic may pause while NVRAM is being accessed
[[ CBOS = Section Start ]]
NSOS MD5 Enable Password =
NSOS MD5 Root Password =
NSOS MD5 Commander Password =
NSOS Remote Restart = enabled
[[ PPP Device Driver = Section Start ]]
PPP Port Option = 00, IPCP,IP Address,3,Auto,Negotiation
PPP Port Option = 00, IPCP,Primary DNS Server,129,Auto,Negotiatio
PPP Port Option = 00, IPCP,Secondary DNS Server,131,Auto,Negotiatio
cbos#
Maybe it would be best to describe what I am trying to do again.
1. We have a block of static IPs assigned to us. 207.*.15.89-94 or /29
2. All of our DNS records point to the .89 address for the public address. ( I would like to keep it this way )
3. We need to use a 10.0.0.0 private scheme
4. I need to allow traffic in to our web/mail server at 10.0.0.100
5. Everyone on the inside needs access to the outside
Thats it.
I need help understanding the exact config for this to work. Thanks in advance
-Eric
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
WOOOHOOO...
Got it Dude.
The only thing you forgot in your most kick ass answer is to apply the access-group commands to apply the access-list to the outside interface.
Here is what I did
access-group 101 in interface outside.
Thanks alot Matthew. Your help deserves 500 pts
Got it Dude.
The only thing you forgot in your most kick ass answer is to apply the access-group commands to apply the access-list to the outside interface.
Here is what I did
access-group 101 in interface outside.
Thanks alot Matthew. Your help deserves 500 pts
Whether your 675 needs an IP address is probably dependant on how your ISP is set up. My ISP (Qwest) requires an IP address on the 675 for routing when it's configured with a range (my range uses a 29 bit subnet mask just like yours). In our case, the 675 is configured with a single IP, at the top of the range. That's the address the pix uses as it's external route.
Your situation looks similar: your pix is configured, outside interface, with an address on the interface from your range and the 675's address (also from your range) as it's route outside.
So you can configure a static map using _another_ ip address (maybe .90 or .92) OR use a static map on the pix's outside interface that maps specific ports only. From your config, it looks like you've static mapped the external address you route to (.89), which won't work.
Assuming the 675 config is working (it sounds like it is, if outgoing traffic works), then here's what I would do on your pix:
* Remove the static map you have currently define.
* Create a new static map on a second IP address (i'll use .90 for example):
static (inside, outside) tcp 207.*.15.90 www 10.0.0.100 www netm 255.255.255.255
static (inside, outside) tcp 207.*.15.90 smtp 10.0.0.100 smtp netm 255.255.255.255
static (inside, outside) tcp 207.*.15.90 pop 10.0.0.100 pop netm 255.255.255.255
* Change access-list 101 to reflect that you're using a different external IP address
* Add pop and smtp traffic to your access-list 101
* Reapply the access-group to the external interface
no access-group 101 int outside
access-group 101 int outside
If that doesn't work, post what happens and we'll troubleshoot further. I've also set up something like this using a single external address, so we could try that, too (though it's more work as we'd have to NAT through the 675).
NOTE: it's not a good idea to post the encrypted passwords from your pix config. Also, the 675 is vulnerable to certain attacks and won't ever be upgradable. You may want to consider a 678 for that reason. Basically the same device, without the problems.
Good luck,
Matthew