Pentrix2 asked:
PIX 515e for WAN

I have a PIX 515e-DMZ-R with the following networks:

Public IP of PIX:   83.23.42.90
Private IP of PIX: 192.168.85.12


VPN Managed tunnels by Qwest:

Private IP of each remote site

10.1.101.0 /24
10.1.104.0 /24
10.1.110.0 /24

My network layout is a hub and spoke design.  Meaning all my remote sites will come to my PIX for internet access.  How do I configure so all my sites get internet access.  Commands please.

Pentrix2 (ASKER):

Let me try to clarify my goals from the start.  Please correct me if I'm wrong.  Let's say I have a brand new clear config residing on a PIX 515e-DMZ-R and I want to do the initial configuration so my LAN site can have internet then my WAN site to have internet access.  Again, please correct me if I'm wrong.


I enabled and gave valid ip addresses to my e0 and e1.    Then I created this command:

Public IP of PIX:   83.23.42.90
Private IP of PIX: 192.168.85.12


VPN Managed tunnels by Qwest:

Private IP of each remote site

10.1.101.0 /24
10.1.104.0 /24
10.1.110.0 /24

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 182.38.44.10 1

To my understanding this will enable internet just to everything, including the remote sites too?  If not, which command will allow me to give my remote sites internet access.  If yes, is this the recommended way?

To my understanding on the Checkpoint firewall, each site has a policy that allows them internet access.  Does the PIX work the same way but in an ACL?
I agree with the above poster, give him/her the points

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 182.38.44.10 1

/TT
Les Moore:
You are correct in that you can create a general "just go ahead and nat for anybody" rule as you have. Generally, I create a separate nat rule for each subnet, i.e.

nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0

The numbers 1,2,3 above correlate to the global IPs. I like to give each remote subnet their own global IP. Makes troubleshooting a bit easier.. but again, you can get by with all of them using the same global..
global (outside) 1 interface
global (outside) 2 182.38.44.9
global (outside) 3 182.38.44.8

You also need route statements so that the PIX knows where the other subnets live:
 route inside 10.1.0.0 255.255.0.0 192.168.85.X  <= where "X" is the internal router that links all your WAN sites..

So this statement would give each remote subnet their own global IP?

nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0

global (outside) 1 interface
global (outside) 2 182.38.44.9
global (outside) 3 182.38.44.8

route inside 10.1.0.0 255.255.0.0 192.168.85.X <=  Would this be my WAN router that links all my remote sites?  And would this be the public or private IP address, because I notice you got the private IP of the WAN router.

Let me put everything in order of commands just like how I would put it in my PIX Command Line.  To my understanding this is all I need to allow traffic internet traffic to my corporate (where the PIX is located at 192.168.85.0) then my remote sites (having 10.1.x.x)????  Please correct my statements.  Very sorry to keep on bugging you like this Irmoore but I do appreciate your assistances.  I can create additional questions so you can get award more points for your time.

WAN Router:
Public IP:  34.21.29.1
Private IP: 192.168.85.1

Public IP of PIX:   83.23.42.90
Private IP of PIX: 192.168.85.12


VPN Managed tunnels by Qwest:

Private IP of each remote site

10.1.101.0 /24
10.1.104.0 /24
10.1.110.0 /24

Private IP of Corporate site

192.168.85.0 /24


--------------------------------------------------------------------------------------------------------
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 182.38.44.10 1

nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0
nat (inside) 4 192.168.85.0 255.255.255.0

global (outside) 1 interface          <=--  How come it doesn't have an IP address?  Should it be 10.1.101.0 and what does this statement mean?
global (outside) 2 182.38.44.9     <=--  Where did you get this IP address from?  I thought it would be a Private IP of 10.1.104.1
global (outside) 3 182.38.44.8     <=--  Where did you get this IP address from?  I thought it would be a Private IP of 10.1.110.1

route inside 10.1.0.0 255.255.0.0 192.168.85.1
ASKER CERTIFIED SOLUTION
Les Moore

This solution is only available to members.
WAN Router at Corporate:
Public IP:  34.21.29.1
Private IP: 192.168.85.1

Public IP of PIX:   83.23.42.90
Private IP of PIX: 192.168.85.12


VPN Managed tunnels by Qwest:

Private IP of each remote site

10.1.101.0 /24   -  182.38.44.9
10.1.104.0 /24   -  182.38.44.10
10.1.110.0 /24   -  182.38.44.11

Private Subnet IP at Corporate site

192.168.85.0 /24
-------------------------------------------------------- Alright, how does this look?

global (outside) 1 interface
 nat (inside) 1 0 0 0
 route outside 0.0.0.0 0.0.0.0 182.38.44.10   <=---  I'm assuming this default gateway is my S0/0 on my Internet Gateway Router?   ************
 route inside 10.1.0.0 255.255.0.0 192.168.85.1

nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0

global (outside) 1 interface
global (outside) 2 182.38.44.9
global (outside) 3 182.38.44.10
global (outside) 4 182.38.44.11


Do I also need a nat and global for my 192.168.85.0 (where the pix resides)?  
nat (inside) 4 192.168.85.0 255.255.255.0
global (outside) 4 34.21.29.1
My apologies if I have confused you, but we need to set some basic rules regarding gateways.
Any gateway *must* be on the same local subnet..

The route outside should point to the next hop router. Assuming that is a T1 router with a public IP address, the PIX would route outside to that router. Typically 1-off from the PIX outside IP.
Given:
>Public IP of PIX:   83.23.42.90

PIX:
 ip address outside 83.23.42.90 255.255.255.xxx
 route outside 0.0.0.0 0.0.0.0 83.23.42.89 <== whatever is the next hop on the same subnet as the outside

Regarding NAT and the inside network, these two lines take care of that already
> global (outside) 1 interface
> nat (inside) 1 0 0 0

*if* you want to specify  for the local lan same as you did for the other subnets:
 nat (inside) 1 192.168.85.0 255.255.255.0

The global (outside) "1" interface = the global PAT for the inside local subnet

>global (outside) 4 34.21.29.1
the global *CANNOT* be any other IP subnet other than the outside IP of the PIX, 83.23.42.xx
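The two rules stated above (the default gateway and every global address must sit on the PIX outside subnet, and each nat id needs a matching global id) can be checked mechanically before pasting a config into the PIX. This is an added example, not code from the thread; the sample snippet and the /29 outside mask are constructed assumptions.

```python
import ipaddress

# Constructed sample (not a config posted in the thread): the /29 outside mask is an assumption.
SAMPLE_CONFIG = """
ip address outside 83.23.42.90 255.255.255.248
route outside 0.0.0.0 0.0.0.0 182.38.44.10
route inside 10.1.0.0 255.255.0.0 192.168.85.1
nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 182.38.44.9
global (outside) 4 34.21.29.1
"""


def check_pix_nat(config: str) -> list:
    """Return a list of findings for a PIX 6.x style nat/global/route snippet (empty = passes)."""
    outside_net = None
    default_gw = None
    nat_ids, global_ids = set(), {}
    for line in config.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[:3] == ["ip", "address", "outside"]:
            # "address netmask" form -> derive the outside subnet
            outside_net = ipaddress.ip_interface(f"{parts[3]}/{parts[4]}").network
        elif parts[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"]:
            default_gw = ipaddress.ip_address(parts[4])
        elif parts[0] == "nat":
            nat_ids.add(int(parts[2]))          # nat (inside) <id> ...
        elif parts[0] == "global":
            global_ids[int(parts[2])] = parts[3]  # global (outside) <id> <ip|interface>
    if outside_net is None:
        return ["no 'ip address outside' line; cannot check gateway or globals"]
    findings = []
    # Rule 1: the next hop must be on the outside interface's own subnet.
    if default_gw is not None and default_gw not in outside_net:
        findings.append(f"default gateway {default_gw} is not on outside subnet {outside_net}")
    # Rule 2: a global pool address must also be on the outside subnet.
    for gid, addr in global_ids.items():
        if addr != "interface" and ipaddress.ip_address(addr) not in outside_net:
            findings.append(f"global id {gid} address {addr} is not on outside subnet {outside_net}")
    # Rule 3: nat and global ids pair up; an unmatched id never translates anything.
    for nid in sorted(nat_ids - global_ids.keys()):
        findings.append(f"nat id {nid} has no matching global (outside) {nid}")
    for gid in sorted(global_ids.keys() - nat_ids):
        findings.append(f"global id {gid} has no matching nat (inside) {gid}")
    return findings
```

Running `check_pix_nat(SAMPLE_CONFIG)` reports the off-subnet gateway and globals plus the unpaired ids 3 and 4.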

Internet -> s0/0 83.23.42.88 [Internet Gateway Router] e0/0 65.126.83.10 -> e0/0 83.23.42.90 [PIX] e0/1 192.168.12 -> 192.168.85.x

The above is how my layout looks, and it then branches out to my remote sites, like a hub and spoke design


PIX:
 ip address outside 83.23.42.90 255.255.255.xxx
 route outside 0.0.0.0 0.0.0.0 83.23.42.89 <== what will be my next hop, would it be just another available public ip?

Hopefully I got the config right this time.  I'm looking for a config that I can copy and paste into my PIX so I can deploy this.

WAN Router at Corporate:
Public IP:  34.21.29.1
Private IP: 192.168.85.1

Public IP of PIX:   83.23.42.90
Private IP of PIX: 192.168.85.12


VPN Managed tunnels by Qwest:

Private IP of each remote site

10.1.101.0 /24   -  182.38.44.9
10.1.104.0 /24   -  182.38.44.10
10.1.110.0 /24   -  182.38.44.11

Private Subnet IP at Corporate site

192.168.85.0 /24
-------------------------------------------------------- Alright, how does this look?

global (outside) 1 interface
 nat (inside) 1 0 0 0
 route outside 0.0.0.0 0.0.0.0 182.38.44.10
 route inside 10.1.0.0 255.255.0.0 192.168.85.1

nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0
nat (inside) 4 192.168.85.0 255.255.255.0

global (outside) 1 interface
global (outside) 2 182.38.44.9
global (outside) 3 182.38.44.10
global (outside) 4 83.23.42.90