PIX 515e for WAN

I have a PIX 515e-DMZ-R with the following networks:

Public IP of PIX:   83.23.42.90
Private IP of PIX: 192.168.85.12


VPN Managed tunnels by Qwest:

Private IP of each remote site

10.1.101.0 /24
10.1.104.0 /24
10.1.110.0 /24

My network layout is a hub-and-spoke design, meaning all my remote sites come to my PIX for internet access. How do I configure it so all my sites get internet access? Commands please.

Pentrix2 asked.

lrmoore commented:
OK, let's back up for just a bit and take it one step at a time.

MINIMUM requirements:
 global (outside) 1 interface  <== "interface" means to use the IP address assigned to the outside interface for PAT
 nat (inside) 1 0 0 0  <== this means nat "anybody" on the inside
 route outside 0.0.0.0 0.0.0.0 182.38.44.10  <== DG, natch
 route inside 10.1.0.0 255.255.0.0 192.168.85.1  <== gateway to your other networks

That is all you NEED to do. What "I" usually do is to segregate each subnet to its own global PAT address. Assuming that you have multiple public IP's that you can use as global PAT/NAT addresses.
global (outside) # <public ip>
Where "#" is the same number as your nat (inside) #, and always a public IP. The "global" is what your subnet that is identified by the "nat" rule will use for all outbound NAT/PAT.
IF you have extra public IP's and IF you want to segregate your internal subnets to use a different public IP, then you would do it like this. Once again, these are only *optional* choices; spacing is added for emphasis to align the numbers to make more sense.

global (outside) 2  182.38.44.9
nat     (inside)   2  10.1.104.0 255.255.255.0

global (outside) 3  182.38.44.8
nat     (inside)   3  10.1.110.0 255.255.255.0

In this example, subnet 10.1.104.0 will be translated to 182.38.44.9, and subnet 10.1.110.0 will be translated to 182.38.44.8. This gives you many flexible options to add some fancy route-maps to the external router based on the source subnet originating inside the PIX. It also gives you a way to monitor public use. You can get usage statistics based on your internal subnets, whereas with the global where everybody uses the same public IP, you don't have that flexibility. There is no right or wrong way here, just your personal preferences.

Hope that helps clear it up a bit.
Pentrix2 (author) commented:
Let me try to clarify my goals from the start. Please correct me if I'm wrong. Let's say I have a brand new clear config residing on a PIX 515e-DMZ-R and I want to do the initial configuration so my LAN site can have internet access and then my WAN sites can have internet access. Again, please correct me if I'm wrong.


I enabled and gave valid IP addresses to my e0 and e1. Then I created these commands:

Public IP of PIX:   83.23.42.90
Private IP of PIX: 192.168.85.12


VPN Managed tunnels by Qwest:

Private IP of each remote site

10.1.101.0 /24
10.1.104.0 /24
10.1.110.0 /24

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 182.38.44.10 1

To my understanding this will enable internet access for everything, including the remote sites too? If not, which command will allow me to give my remote sites internet access? If yes, is this the recommended way?

Pentrix2 (author) commented:
To my understanding, on the Check Point firewall each site has a policy that allows them internet access. Does the PIX work the same way but in an ACL?
tonyteri commented:
I agree with the above poster, give him/her the points.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 182.38.44.10 1

/TT
lrmoore commented:
You are correct in that you can create a general "just go ahead and nat for anybody" rule as you have. Generally, I create a separate nat rule for each subnet, i.e.

nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0

The numbers 1, 2, 3 above correlate to the global IP's. I like to give each remote subnet its own global IP. It makes troubleshooting a bit easier, but again, you can get by with all of them using the same global:
global (outside) 1 interface
global (outside) 2 182.38.44.9
global (outside) 3 182.38.44.8

You also need route statements so that the PIX knows where the other subnets live:
 route inside 10.1.0.0 255.255.0.0 192.168.85.X  <= where "X" is the internal router that links all your WAN sites..

Pentrix2 (author) commented:
So this statement would give each remote subnet its own global IP?

nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0

global (outside) 1 interface
global (outside) 2 182.38.44.9
global (outside) 3 182.38.44.8

route inside 10.1.0.0 255.255.0.0 192.168.85.X <=  Would this be my WAN router that links all my remote sites? And would this be the public or private IP address, because I notice you used the private IP of the WAN router.

Pentrix2 (author) commented:
Let me put everything in order of commands just like how I would put it in my PIX command line. To my understanding this is all I need to allow internet traffic to my corporate site (where the PIX is located, 192.168.85.0) and then my remote sites (having 10.1.x.x)???? Please correct my statements. Very sorry to keep on bugging you like this lrmoore, but I do appreciate your assistance. I can create additional questions so you can get awarded more points for your time.

WAN Router:
Public IP:  34.21.29.1
Private IP: 192.168.85.1

Public IP of PIX:   83.23.42.90
Private IP of PIX: 192.168.85.12


VPN Managed tunnels by Qwest:

Private IP of each remote site

10.1.101.0 /24
10.1.104.0 /24
10.1.110.0 /24

Private IP of Corporate site

192.168.85.0 /24


--------------------------------------------------------------------------------------------------------
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 182.38.44.10 1

nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0
nat (inside) 4 192.168.85.0 255.255.255.0

global (outside) 1 interface          <=--  How come it doesn't have an IP address?  Should it be 10.1.101.0 and what does this statement mean?
global (outside) 2 182.38.44.9     <=--  Where did you get this IP address from?  I thought it would be a Private IP of 10.1.104.1
global (outside) 3 182.38.44.8     <=--  Where did you get this IP address from?  I thought it would be a Private IP of 10.1.110.1

route inside 10.1.0.0 255.255.0.0 192.168.85.1
Pentrix2 (author) commented:
WAN Router at Corporate:
Public IP:  34.21.29.1
Private IP: 192.168.85.1

Public IP of PIX:   83.23.42.90
Private IP of PIX: 192.168.85.12


VPN Managed tunnels by Qwest:

Private IP of each remote site

10.1.101.0 /24   -  182.38.44.9
10.1.104.0 /24   -  182.38.44.10
10.1.110.0 /24   -  182.38.44.11

Private Subnet IP at Corporate site

192.168.85.0 /24
-------------------------------------------------------- Alright, how does this look?

global (outside) 1 interface
 nat (inside) 1 0 0 0
 route outside 0.0.0.0 0.0.0.0 182.38.44.10   <=---  I'm assuming this default gateway is my S0/0 on my Internet Gateway Router?
 route inside 10.1.0.0 255.255.0.0 192.168.85.1

nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0

global (outside) 1 interface
global (outside) 2 182.38.44.9
global (outside) 3 182.38.44.10
global (outside) 4 182.38.44.11


Do I also need a nat and global for my 192.168.85.0 (where the PIX resides)?
nat (inside) 4 192.168.85.0 255.255.255.0
global (outside) 4 34.21.29.1
lrmoore commented:
My apologies if I have confused you, but we need to set some basic rules regarding gateways.
Any gateway *must* be on the same local subnet.

The route outside should point to the next hop router. Assuming that is a T1 router with a public IP address, the PIX would route outside to that router. Typically 1-off from the PIX outside IP.
Given:
>Public IP of PIX:   83.23.42.90

PIX:
 ip address outside 83.23.42.90 255.255.255.xxx
 route outside 0.0.0.0 0.0.0.0 83.23.42.89 <== whatever is the next hop on the same subnet as the outside

Regarding NAT and the inside network, these two lines take care of that already
> global (outside) 1 interface
> nat (inside) 1 0 0 0

*if* you want to specify the local LAN the same as you did for the other subnets:
 nat (inside) 1 192.168.85.0 255.255.255.0

The global (outside) "1" interface = the global PAT for the inside local subnet

>global (outside) 4 34.21.29.1
The global *CANNOT* be on any other IP subnet than the outside IP of the PIX, 83.23.42.xx

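As an added example (not code from the thread or from Cisco), a small Python check for the rules lrmoore lays out above: every nat id needs a global with the same id, any explicit global address must sit on the PIX's outside subnet, and a route's gateway must be on the subnet of the interface it is reached through. The sample config and its /29 outside mask are constructed (the thread only shows 255.255.255.xxx), and only single-address globals are handled.

```python
import ipaddress

# Constructed sample modelled on the thread's last proposal; it keeps two of the
# mistakes lrmoore flagged (globals and a route-outside gateway off the outside
# subnet). The /29 mask is an assumption: the thread only shows 255.255.255.xxx.
SAMPLE_CONFIG = """
ip address outside 83.23.42.90 255.255.255.248
ip address inside 192.168.85.12 255.255.255.0
route outside 0.0.0.0 0.0.0.0 182.38.44.10
route inside 10.1.0.0 255.255.0.0 192.168.85.1
global (outside) 1 interface
nat (inside) 1 0 0 0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0
nat (inside) 4 192.168.85.0 255.255.255.0
global (outside) 2 83.23.42.91
global (outside) 3 182.38.44.8
global (outside) 4 34.21.29.1
"""

def parse_pix(config):
    """Pull interface addresses, routes, nat and global rules out of PIX 6.x text."""
    ifaces, routes, nats, globs = {}, [], {}, {}
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["ip", "address"]:       # ip address <if> <ip> <mask>
            ifaces[p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[:1] == ["route"]:            # route <if> <net> <mask> <gw> [metric]
            routes.append((p[1], p[4]))
        elif p[:1] == ["nat"]:              # nat (<if>) <id> <net> <mask> ...
            nats.setdefault(int(p[2]), []).append(" ".join(p[3:5]))
        elif p[:1] == ["global"]:           # global (<if>) <id> <ip>|interface
            globs[int(p[2])] = p[3]
    return ifaces, routes, nats, globs

def lint_pix(config):
    """Return findings as strings; an empty list means ids pair up and addresses sit on the right subnets."""
    ifaces, routes, nats, globs = parse_pix(config)
    out, findings = ifaces.get("outside"), []
    for nat_id in nats:
        if nat_id not in globs:
            findings.append(f"nat id {nat_id} has no matching global (outside) {nat_id}")
    for gid, addr in globs.items():
        if gid not in nats:
            findings.append(f"global id {gid} has no matching nat (inside) {gid}")
        # "interface" is PAT on the outside address itself; an explicit global must be on the outside subnet
        if addr != "interface" and out is not None and ipaddress.ip_address(addr) not in out.network:
            findings.append(f"global (outside) {gid} {addr} is not on outside subnet {out.network}")
    for iface, gw in routes:   # a gateway must be on the subnet of the interface it is reached through
        if iface in ifaces and ipaddress.ip_address(gw) not in ifaces[iface].network:
            findings.append(f"route {iface} gateway {gw} is not on {iface} subnet {ifaces[iface].network}")
    return findings
```

Running `lint_pix(SAMPLE_CONFIG)` reports the two off-subnet globals and the off-subnet default gateway; once those are moved onto 83.23.42.88/29 the list is empty.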
Pentrix2 (author) commented:
Internet -> s0/0 83.23.42.88 [Internet Gateway Router] e0/0 65.126.83.10 -> e0/0 83.23.42.90 [PIX] e0/1 192.168.12 -> 192.168.85.x

The above is how my layout looks; it then branches out to my remote sites, like a hub-and-spoke design.


PIX:
 ip address outside 83.23.42.90 255.255.255.xxx
 route outside 0.0.0.0 0.0.0.0 83.23.42.89 <== what will be my next hop, would it be just another available public IP?

Pentrix2 (author) commented:
Hopefully I got the config right this time. I'm looking for a config that I can copy and paste into my PIX so I can deploy this.

WAN Router at Corporate:
Public IP:  34.21.29.1
Private IP: 192.168.85.1

Public IP of PIX:   83.23.42.90
Private IP of PIX: 192.168.85.12


VPN Managed tunnels by Qwest:

Private IP of each remote site

10.1.101.0 /24   -  182.38.44.9
10.1.104.0 /24   -  182.38.44.10
10.1.110.0 /24   -  182.38.44.11

Private Subnet IP at Corporate site

192.168.85.0 /24
-------------------------------------------------------- Alright, how does this look?

global (outside) 1 interface
 nat (inside) 1 0 0 0
 route outside 0.0.0.0 0.0.0.0 182.38.44.10
 route inside 10.1.0.0 255.255.0.0 192.168.85.1

nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0
nat (inside) 4 192.168.85.0 255.255.255.0

global (outside) 1 interface
global (outside) 2 182.38.44.9
global (outside) 3 182.38.44.10
global (outside) 4 83.23.42.90

Question has a verified solution.