Cisco PIX 501 setup question

Hello All.
Let me first describe what I am trying to accomplish. I have a Cisco 675 attached to my DSL line and a Cisco PIX 501. We have a block of static IP addresses from 207.*.15.89 - 207.*.174.15.94. Our public IP address is 207.*.15.89 and all of our DNS points to that address. I need to use the 10.0.0.0 private IP space for the internal network (our servers are set up that way and can't be changed). I have a web/mail server at 10.0.0.100 and an AFP server at 10.0.0.149. I would like to have the PIX set up to allow the web/mail traffic inside. I have successfully set up the PIX for outbound connections.

Here are some of my questions to make sure the router is set up correctly first.
1. Does the 675 NEED an eth0 IP address? OR
2. Can the 675 be configured with just a wan0-0 IPCP address?

I've posted the running config.

cbos#sh run
Warning: traffic may pause while NVRAM is being accessed
[[ CBOS = Section Start ]]
NSOS MD5 Root Password = 2E55000059520000983E00009C770000BE64DCAB13CFD8D427F9BE82D0952A1D
NSOS MD5 Commander Password = D501270E48E53864751400453E424DFC
NSOS MD5 Enable Password = 047700008C6500003E3600002F290000BD47780B7FD1F135FB93B4B044F0D00E
[[ PPP Device Driver = Section Start ]]
PPP Port Option = 00, IPCP,IP Address,3,Auto,Negotiation Not Required,Negotiable,IP,207.*.15.89

cbos#

_________________________________________________________________
PIX SH RUN

Result of firewall command: "sh run"
 
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
******************************************************************************
access-list 101 permit tcp any host 207.*.15.89 eq www
******************************************************************************
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 207.*.15.91 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.0.0.100 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
******************************************************************************
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 207.*.15.89 10.0.0.100 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 207.*.15.89 1
******************************************************************************
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.2-10.0.0.30 inside
dhcpd dns 204.144.142.1 204.144.142.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:4fedd8b26d1d2268014ca123e7aa2d36
: end

I've gone through the steps outlined in my previous post of the same name, but it is still not working for me. I suspect that I am just missing a fundamental piece of the puzzle. Your help is appreciated.

-Eric Miller
1 Solution
 
itgb Commented:
Eric,

Whether your 675 needs an IP address is probably dependent on how your ISP is set up. My ISP (Qwest) requires an IP address on the 675 for routing when it's configured with a range (my range uses a 29-bit subnet mask just like yours). In our case, the 675 is configured with a single IP, at the top of the range. That's the address the PIX uses as its external route.

Your situation looks similar: your PIX is configured, outside interface, with an address on the interface from your range and the 675's address (also from your range) as its route outside.

So you can configure a static map using _another_ ip address (maybe .90 or .92) OR use a static map on the pix's outside interface that maps specific ports only.  From your config, it looks like you've static mapped the external address you route to (.89), which won't work.

Assuming the 675 config is working (it sounds like it is, if outgoing traffic works), then here's what I would do on your pix:

* Remove the static map you currently have defined.
* Create a new static map on a second IP address (I'll use .90 for example):
  static (inside, outside) tcp 207.*.15.90 www 10.0.0.100 www netm 255.255.255.255
  static (inside, outside) tcp 207.*.15.90 smtp 10.0.0.100 smtp netm 255.255.255.255
  static (inside, outside) tcp 207.*.15.90 pop 10.0.0.100 pop netm 255.255.255.255
* Change access-list 101 to reflect that you're using a different external IP address
* Add pop and smtp traffic to your access-list 101
* Reapply the access-group to the external interface
  no access-group 101 int outside
  access-group 101 int outside

If that doesn't work, post what happens and we'll troubleshoot further.  I've also set up something like this using a single external address, so we could try that, too (though it's more work as we'd have to NAT through the 675).

NOTE:  it's not a good idea to post the encrypted passwords from your pix config.  Also, the 675 is vulnerable to certain attacks and won't ever be upgradable.  You may want to consider a 678 for that reason.  Basically the same device, without the problems.

Good luck,
Matthew
 
ericmiller74 (Author) Commented:
Matthew, thanks very much for responding.

I made some changes. I've added an eth0 address on the 675 (.90) and changed the outside int on the PIX to .91 for consistency. I am still not able to resolve our web site/mail server. Here are the new outputs. Per your suggestion I've removed the password hashes, and changed the pass =)

cbos#sh run
Warning: traffic may pause while NVRAM is being accessed
[[ CBOS = Section Start ]]
NSOS MD5 Root Password = 2E55000059520000983E00009C770000BE64DCAB13CFD8D427F9BE82D0952A1D
NSOS MD5 Commander Password =
NSOS MD5 Enable Password =
[[ PPP Device Driver = Section Start ]]
PPP Port Option = 00, IPCP,IP Address,3,Auto,Negotiation Not Required,Negotiable,IP,207.*.15.89
[[ IP Routing = Section Start ]]
IP Port Address = 00, 207.*.15.90
cbos#

PIX SH RUN

Result of firewall command: "sh run"
 
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host 207.*.15.92 eq www
access-list 101 permit tcp any host 207.*.15.92 eq smtp
access-list 101 permit tcp any host 207.*.15.92 eq pop3
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 207.*.15.91 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.0.0.100 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 207.*.15.92 www 10.0.0.100 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 207.*.15.92 smtp 10.0.0.100 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 207.*.15.92 pop3 10.0.0.100 pop3 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 207.*.15.90 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.2-10.0.0.30 inside
dhcpd dns 204.144.142.1 204.144.142.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:3f3085d2602816e09307ebf604c82ef8
: end
 
itgb Commented:
Eric, just to verify, you can still access external websites, etc., right?

Which ISP is providing your DSL account?  Have you checked with them regarding the proper 675 configuration for a static-mapped zone?

Can you ping your pix from an external site?  (You may need to add an access-list for that - I use "access-list 101 permit icmp any any".)

MM
 
ericmiller74 (Author) Commented:
OK, sorry for the delay, I have a lot going on right now.

I spoke with my ISP and they gave me instructions for setting up the 675. Here is the running config.

cbos#sh run
Warning: traffic may pause while NVRAM is being accessed
[[ CBOS = Section Start ]]
NSOS MD5 Enable Password =
NSOS MD5 Root Password =
NSOS MD5 Commander Password =
NSOS Remote Restart = enabled
[[ PPP Device Driver = Section Start ]]
PPP Port Option = 00, IPCP,IP Address,3,Auto,Negotiation Not Required,Negotiable,IP,207.*.15.89
PPP Port Option = 00, IPCP,Primary DNS Server,129,Auto,Negotiation Not Required,Negotiable,IP,0.0.0.0
PPP Port Option = 00, IPCP,Secondary DNS Server,131,Auto,Negotiation Not Required,Negotiable,IP,0.0.0.0
cbos#

Maybe it would be best to describe what I am trying to do again.

1. We have a block of static IPs assigned to us. 207.*.15.89-94 or /29
2. All of our DNS records point to the .89 address for the public address. ( I would like to keep it this way )
3. We need to use a 10.0.0.0 private scheme
4. I need to allow traffic in to our web/mail server at 10.0.0.100
5. Everyone on the inside needs access to the outside

That's it.

I need help understanding the exact config for this to work. Thanks in advance.
-Eric
 
itgb Commented:
OK Eric. Since you'd prefer to use .89 for the public address exclusively and it appears that address is assigned to the 675, you could NAT the mail and web traffic through the 675 before handing it off to the PIX. In order to do that, I believe you'll need to put a private network IP zone between the 675 and the PIX. [Note: it may also be that .89 is the address of the router on the other side of the 675, and you'll need to assign an address within your zone to the 675 and reset the DNS entries to use that. If your ISP is using .89 as your gateway address, you probably won't be able to use it. However, I'll assume that's not the case for this message.]

To configure the 675:
(Note: you can substitute '?' for the end of any command on a 675 to get help on that command.)

set interface eth0 address 172.16.0.1
set interface eth0 netmask 255.255.255.0
set nat enabled
set nat entry add 172.16.0.2 80 207.*.15.89 80
write
reboot

Then configure the pix (commands assume config mode):
ip address outside 172.16.0.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.16.0.1
static (inside,outside) tcp interface 80 10.0.0.100 80 netmask 255.255.255.255
(remove other static maps if they still exist)
no access-list 101
access-list 101 permit tcp any host 172.16.0.2 eq 80
access-list 101 permit icmp any any
management inside
write mem
reload

Then test the connection. If it still doesn't work, check the following:
* Can you get out to the internet from inside?
* Can you ping 205.*.15.89 from inside? from the pix? from the 678?
* Can you ping 205.*.15.89 from outside your network?
* Can you ping the pix from the 678?  (172.16.0.2)  vice-versa, too?
* What does a manual telnet connection from outside to the web server address on port 80 get you?  (telnet 205.*.15.89 80)  You should see at least a banner announcing you're connected to <serverName>.

Would also be happy to talk directly if you'd like.  I know these can be very frustrating!

Matthew
2083440050
 
ericmiller74 (Author) Commented:
WOOOHOOO...
Got it Dude.

The only thing you forgot in your most kick-ass answer is the access-group command that applies the access-list to the outside interface.

Here is what I did:
access-group 101 in interface outside

Thanks a lot Matthew. Your help deserves 500 pts.
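Reading the thread as a defender, the three mistakes it works through are all things a config lint can catch before a reload: a static that claims the address the PIX routes to (Matthew's first answer), an access-list whose destination host no longer matches any static after the external address is moved, and an access-list that is defined but never bound with access-group (Eric's final fix). The script below is an added example, not code from the thread or from Cisco. It parses only the PIX 6.3 command forms that appear in the posts (`ip address outside`, `route outside`, `static`, `access-list`, `access-group`), and the three sample configs are fragments reconstructed from the posts, with the masked `207.*` addresses kept as literal strings. It cannot see what DNS points at, so the second posted config (statics on .92 while DNS names .89) passes its checks; that blind spot is exactly why the thread moves to the double-NAT layout.

```python
"""
Consistency lint for the PIX 6.3 inbound-NAT pattern discussed in this thread.
Added example (not the poster's or Cisco's code). Findings are returned as a
list of strings so the checks can be asserted on, not just printed.
"""
import re

# PIX port keywords used in the thread, mapped to numbers so "www" and "80" compare equal.
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "pop3": 110}


def port_num(tok):
    """Return an int for a numeric port; a known keyword's number; else the raw token."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok, tok)


def parse_pix(text):
    """Extract only the commands the checks need; everything else is ignored."""
    cfg = {"outside_ip": None, "gateway": None, "statics": [], "acl_entries": [], "applied": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):      # ': Saved' / ': end' dump markers
            continue
        tok = line.split()
        if line.startswith("ip address outside "):
            cfg["outside_ip"] = tok[3]
        elif line.startswith("route outside "):
            cfg["gateway"] = tok[4]               # next hop of the default route
        elif line.startswith("static "):
            # Drop "(inside,outside)" (with or without a space) and read the rest positionally.
            body = re.sub(r"\([^)]*\)", "", line[len("static "):]).split()
            if body[0] in ("tcp", "udp"):        # port-level static: proto gip gport lip lport
                cfg["statics"].append((body[1], port_num(body[2]), body[3]))
            else:                                # one-to-one static: gip lip
                cfg["statics"].append((body[0], None, body[1]))
        elif line.startswith("access-list "):
            host = tok[tok.index("host") + 1] if "host" in tok else None
            port = port_num(tok[tok.index("eq") + 1]) if "eq" in tok else None
            cfg["acl_entries"].append((tok[1], host, port))
        elif line.startswith("access-group "):
            cfg["applied"].add(tok[1])
    return cfg


def check(text):
    """Run the three thread-derived checks and return human-readable findings."""
    cfg = parse_pix(text)
    findings = []

    def resolve(ip):                              # 'interface' means the outside address
        return cfg["outside_ip"] if ip == "interface" else ip

    statics = [(resolve(g), p, l) for g, p, l in cfg["statics"]]
    for g, p, l in statics:
        if g == cfg["gateway"]:
            findings.append(f"static for {l} uses {g}, which is also the route-outside gateway")
    for name, host, port in cfg["acl_entries"]:
        if host is None:                          # e.g. 'permit icmp any any'
            continue
        matches = [s for s in statics if s[0] == host]
        if not matches:
            findings.append(f"access-list {name} permits to {host} but no static translates it")
        elif port is not None and not any(p is None or p == port for _, p, _ in matches):
            findings.append(f"access-list {name} opens port {port} on {host} but no static forwards it")
    for name in {e[0] for e in cfg["acl_entries"]}:
        if name not in cfg["applied"]:
            findings.append(f"access-list {name} is defined but never applied with access-group")
    return findings


# Constructed fragments reconstructed from the thread's posted configs.
ORIGINAL_PIX = """
ip address outside 207.*.15.91 255.255.255.248
access-list 101 permit tcp any host 207.*.15.89 eq www
static (inside,outside) 207.*.15.89 10.0.0.100 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 207.*.15.89 1
"""
# Matthew's first suggestion applied, but with the access-list left pointing at .89.
MOVED_STATIC_OLD_ACL = """
ip address outside 207.*.15.91 255.255.255.248
access-list 101 permit tcp any host 207.*.15.89 eq www
static (inside, outside) tcp 207.*.15.90 www 10.0.0.100 www netm 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 207.*.15.89 1
"""
# The double-NAT layout from the final answer, before and after the access-group line.
FINAL_NO_GROUP = """
ip address outside 172.16.0.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.16.0.1
static (inside,outside) tcp interface 80 10.0.0.100 80 netmask 255.255.255.255
access-list 101 permit tcp any host 172.16.0.2 eq 80
access-list 101 permit icmp any any
"""
FINAL_FIXED = FINAL_NO_GROUP + "access-group 101 in interface outside\n"

if __name__ == "__main__":
    for label, cfg_text in [("original", ORIGINAL_PIX), ("moved static, old acl", MOVED_STATIC_OLD_ACL),
                            ("final without access-group", FINAL_NO_GROUP), ("final", FINAL_FIXED)]:
        print(f"{label}: {check(cfg_text) or ['ok']}")
```

The lint is deliberately positional rather than a full PIX grammar; it accepts both the `(inside,outside) ... netmask` form from the dumps and the `(inside, outside) ... netm` shorthand from the suggestion. Extending it to the 675 side would mean parsing `set nat entry add` lines and confirming the 675's NAT target matches the PIX outside address and port, which is the other half of the chain the final answer sets up.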