PIX 515e for WAN

Posted on 2005-05-12
Last Modified: 2013-11-16
I have a PIX 515e-DMZ-R with the following networks:

Public IP of PIX:   83.23.42.90
Private IP of PIX: 192.168.85.12


VPN Managed tunnels by Qwest:

Private IP of each remote site

10.1.101.0 /24
10.1.104.0 /24
10.1.110.0 /24

My network layout is a hub-and-spoke design, meaning all my remote sites will come to my PIX for internet access. How do I configure it so all my sites get internet access? Commands please.

Question by:Pentrix2

Author Comment

by:Pentrix2
ID: 13986318
Let me try to clarify my goals from the start. Please correct me if I'm wrong. Let's say I have a brand new clear config residing on a PIX 515e-DMZ-R and I want to do the initial configuration so my LAN site can have internet, then my WAN sites can have internet access. Again, please correct me if I'm wrong.


I enabled and gave valid IP addresses to my e0 and e1. Then I created these commands:

Public IP of PIX:   83.23.42.90
Private IP of PIX: 192.168.85.12


VPN Managed tunnels by Qwest:

Private IP of each remote site

10.1.101.0 /24
10.1.104.0 /24
10.1.110.0 /24

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 182.38.44.10 1

To my understanding this will enable internet for everything, including the remote sites too? If not, which command will allow me to give my remote sites internet access? If yes, is this the recommended way?


Author Comment

by:Pentrix2
ID: 13986338
To my understanding, on the Check Point firewall each site has a policy that allows them internet access. Does the PIX work the same way, but in an ACL?

Expert Comment

by:tonyteri
ID: 13988101
I agree with the above poster; give him/her the points.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 182.38.44.10 1

/TT

Expert Comment

by:lrmoore
ID: 13989975
You are correct in that you can create a general "just go ahead and nat for anybody" rule as you have. Generally, I create a separate nat rule for each subnet, i.e.

nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0

The numbers 1, 2, 3 above correlate to the global IPs. I like to give each remote subnet its own global IP. Makes troubleshooting a bit easier, but again, you can get by with all of them using the same global:
global (outside) 1 interface
global (outside) 2 182.38.44.9
global (outside) 3 182.38.44.8

You also need route statements so that the PIX knows where the other subnets live:
 route inside 10.1.0.0 255.255.0.0 192.168.85.X  <= where "X" is the internal router that links all your WAN sites..


Author Comment

by:Pentrix2
ID: 13990273
So this statement would give each remote subnet their own global IP?

nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0

global (outside) 1 interface
global (outside) 2 182.38.44.9
global (outside) 3 182.38.44.8

route inside 10.1.0.0 255.255.0.0 192.168.85.X <= Would this be my WAN router that links all my remote sites? And would this be the public or private IP address? Because I notice you used the private IP of the WAN router.


Author Comment

by:Pentrix2
ID: 13995145
Let me put everything in order of commands, just like how I would put it in my PIX command line. To my understanding this is all I need to allow internet traffic for my corporate site (where the PIX is located, 192.168.85.0) and then my remote sites (having 10.1.x.x)???? Please correct my statements. Very sorry to keep on bugging you like this, lrmoore, but I do appreciate your assistance. I can create additional questions so you can get awarded more points for your time.

WAN Router:
Public IP:  34.21.29.1
Private IP: 192.168.85.1

Public IP of PIX:   83.23.42.90
Private IP of PIX: 192.168.85.12


VPN Managed tunnels by Qwest:

Private IP of each remote site

10.1.101.0 /24
10.1.104.0 /24
10.1.110.0 /24

Private IP of Corporate site

192.168.85.0 /24


--------------------------------------------------------------------------------------------------------
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 182.38.44.10 1

nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0
nat (inside) 4 192.168.85.0 255.255.255.0

global (outside) 1 interface          <=--  How come it doesn't have an IP address?  Should it be 10.1.101.0 and what does this statement mean?
global (outside) 2 182.38.44.9     <=--  Where did you get this IP address from?  I thought it would be a Private IP of 10.1.104.1
global (outside) 3 182.38.44.8     <=--  Where did you get this IP address from?  I thought it would be a Private IP of 10.1.110.1

route inside 10.1.0.0 255.255.0.0 192.168.85.1
Accepted Solution

by:lrmoore (earned 2000 total points)
ID: 13995931
OK, let's back up for just a bit and take it one step at a time.

MINIMUM requirements:
 global (outside) 1 interface  <== "interface" means to use the IP address assigned to the outside interface for PAT
 nat (inside) 1 0 0 0  <== this means nat "anybody" on the inside
 route outside 0.0.0.0 0.0.0.0 182.38.44.10  <== DG, natch
 route inside 10.1.0.0 255.255.0.0 192.168.85.1  <== gateway to your other networks

That is all you NEED to do. What "I" usually do is to segregate each subnet to its own global PAT address, assuming that you have multiple public IPs that you can use as global PAT/NAT addresses.
global (outside) # <public ip>
Where "#" is the same number as your nat (inside) #, and always a public IP. The "global" is what your subnet that is identified by the "nat" rule will use for all outbound NAT/PAT.
IF you have extra public IPs and IF you want to segregate your internal subnets to use a different public IP, then you would do it like this. Once again, these are only *optional* choices; spacing is added for emphasis to align the numbers to make more sense.

global (outside) 2  182.38.44.9
nat     (inside)   2  10.1.104.0 255.255.255.0

global (outside) 3  182.38.44.8
nat     (inside)   3  10.1.110.0 255.255.255.0

In this example, subnet 10.1.104.0 will be translated to 182.38.44.9, and subnet 10.1.110.0 will be translated to 182.38.44.8. This gives you many flexible options to add some fancy route-maps to the external router based on the source subnet originating inside the PIX. It also gives you a way to monitor public use. You can get usage statistics based on your internal subnets, whereas with the global where everybody uses the same public IP, you don't have that flexibility. There is no right or wrong way here, just your personal preferences.

Hope that helps clear it up a bit.

Author Comment

by:Pentrix2
ID: 13996116
WAN Router at Corporate:
Public IP:  34.21.29.1
Private IP: 192.168.85.1

Public IP of PIX:   83.23.42.90
Private IP of PIX: 192.168.85.12


VPN Managed tunnels by Qwest:

Private IP of each remote site

10.1.101.0 /24   -  182.38.44.9
10.1.104.0 /24   -  182.38.44.10
10.1.110.0 /24   -  182.38.44.11

Private Subnet IP at Corporate site

192.168.85.0 /24
-------------------------------------------------------- Alright, how does this look?

global (outside) 1 interface
 nat (inside) 1 0 0 0
 route outside 0.0.0.0 0.0.0.0 182.38.44.10   <=---  I'm assuming this default gateway is my S0/0 on my Internet Gateway Router?   ************
 route inside 10.1.0.0 255.255.0.0 192.168.85.1

nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0

global (outside) 1 interface
global (outside) 2 182.38.44.9
global (outside) 3 182.38.44.10
global (outside) 4 182.38.44.11


Do I also need a nat and global for my 192.168.85.0 (where the pix resides)?  
nat (inside) 4 192.168.85.0 255.255.255.0
global (outside) 4 34.21.29.1

Expert Comment

by:lrmoore
ID: 14000271
My apologies if I have confused you, but we need to set some basic rules regarding gateways.
Any gateway *must* be on the same local subnet.

The route outside should point to the next hop router. Assuming that is a T1 router with a public IP address, the PIX would route outside to that router. Typically 1-off from the PIX outside IP.
Given:
>Public IP of PIX:   83.23.42.90

PIX:
 ip address outside 83.23.42.90 255.255.255.xxx
 route outside 0.0.0.0 0.0.0.0 83.23.42.89 <== whatever is the next hop on the same subnet as the outside

Regarding NAT and the inside network, these two lines take care of that already
> global (outside) 1 interface
> nat (inside) 1 0 0 0

*if* you want to specify  for the local lan same as you did for the other subnets:
 nat (inside) 1 192.168.85.0 255.255.255.0

The global (outside) "1" interface = the global PAT for the inside local subnet

>global (outside) 4 34.21.29.1
the global *CANNOT* be any other IP subnet other than the outside IP of the PIX, 83.23.42.xx


Author Comment

by:Pentrix2
ID: 14000978
Internet -> s0/0 83.23.42.88 [Internet Gateway Router] e0/0 65.126.83.10 -> e0/0 83.23.42.90 [PIX] e0/1 192.168.12 -> 192.168.85.x

The above is how my layout looks; it then branches out to my remote sites, like a hub-and-spoke design.


PIX:
 ip address outside 83.23.42.90 255.255.255.xxx
 route outside 0.0.0.0 0.0.0.0 83.23.42.89 <== what will be my next hop? Would it be just another available public IP?


Author Comment

by:Pentrix2
ID: 14001005
Hopefully I got the config right this time.  I'm looking for a config that I can copy and paste into my PIX so I can deploy this.

WAN Router at Corporate:
Public IP:  34.21.29.1
Private IP: 192.168.85.1

Public IP of PIX:   83.23.42.90
Private IP of PIX: 192.168.85.12


VPN Managed tunnels by Qwest:

Private IP of each remote site

10.1.101.0 /24   -  182.38.44.9
10.1.104.0 /24   -  182.38.44.10
10.1.110.0 /24   -  182.38.44.11

Private Subnet IP at Corporate site

192.168.85.0 /24
-------------------------------------------------------- Alright, how does this look?

global (outside) 1 interface
 nat (inside) 1 0 0 0
 route outside 0.0.0.0 0.0.0.0 182.38.44.10
 route inside 10.1.0.0 255.255.0.0 192.168.85.1

nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0
nat (inside) 4 192.168.85.0 255.255.255.0

global (outside) 1 interface
global (outside) 2 182.38.44.9
global (outside) 3 182.38.44.10
global (outside) 4 83.23.42.90
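As an added example, not code from any post in this thread: a small Python checker that encodes the rules lrmoore states above (a route's gateway must be on the subnet of the interface it points out of; a global address must be on the outside interface's subnet; every nat id needs a matching global id; a NATed remote subnet that is not on the inside wire needs a "route inside" covering it) and runs them over the last config posted above and over lrmoore's minimum config. The outside mask 255.255.255.248, the next hop 83.23.42.89 and the spare address 83.23.42.91 are assumptions; the thread only shows 255.255.255.xxx.

```python
"""Consistency check for PIX 6.x nat/global/route lines.  Added example, not
code from the thread.  The outside mask (/29) is an assumption."""
import ipaddress


def _expand(tok):
    """PIX accepts a bare '0' for 0.0.0.0 in nat statements."""
    return "0.0.0.0" if tok == "0" else tok


def parse_pix(text):
    """Collect 'ip address', 'nat', 'global' and 'route' lines into one dict."""
    cfg = {"ip": {}, "nat": [], "global": [], "route": []}
    for raw in text.splitlines():
        line = raw.split("<=")[0].strip()   # drop the posters' inline notes
        if not line:
            continue
        # strip parens around interface names and stray trailing dots
        p = [t.strip("()").rstrip(".") for t in line.split()]
        if p[:2] == ["ip", "address"]:
            cfg["ip"][p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[0] == "nat":
            net = ipaddress.ip_network(f"{_expand(p[3])}/{_expand(p[4])}", strict=False)
            cfg["nat"].append((p[1], int(p[2]), net))
        elif p[0] == "global":
            cfg["global"].append((p[1], int(p[2]), p[3]))
        elif p[0] == "route":
            net = ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)
            cfg["route"].append((p[1], net, ipaddress.ip_address(p[4])))
    return cfg


def check(cfg):
    """Return a list of findings; an empty list means the thread's rules hold."""
    findings = []
    for iface, net, gw in cfg["route"]:          # gateway on the local subnet
        local = cfg["ip"].get(iface)
        if local is None or gw not in local.network:
            findings.append(f"route {iface} {net}: gateway {gw} is off the {iface} wire")
    for iface, gid, target in cfg["global"]:     # globals on the outside subnet
        if target == "interface":                # PAT on the interface address
            continue
        addr, local = ipaddress.ip_address(target), cfg["ip"].get(iface)
        if local is None or addr not in local.network:
            findings.append(f"global ({iface}) {gid} {target}: not on the {iface} subnet")
        elif addr == local.ip:
            findings.append(f"global ({iface}) {gid} {target}: this is the interface "
                            "address itself; use the 'interface' keyword")
    global_ids = {gid for _, gid, _ in cfg["global"]}
    for iface, nid, net in cfg["nat"]:           # nat id <-> global id pairing
        if nid == 0:                             # nat 0 = identity/exempt, no global
            continue
        if nid not in global_ids:
            findings.append(f"nat ({iface}) {nid} {net}: no global with id {nid}")
        local = cfg["ip"].get(iface)
        routed = any(r_if == iface and net.subnet_of(r_net)
                     for r_if, r_net, _ in cfg["route"])
        if local and net.prefixlen and not net.subnet_of(local.network) and not routed:
            findings.append(f"nat ({iface}) {nid} {net}: no route {iface} covers it")
    return findings


# Constructed from the last config posted in the thread, plus the two
# 'ip address' lines the checker needs (outside mask is an assumption).
POSTED = """\
ip address outside 83.23.42.90 255.255.255.248
ip address inside 192.168.85.12 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0 0
route outside 0.0.0.0 0.0.0.0 182.38.44.10
route inside 10.1.0.0 255.255.0.0 192.168.85.1
nat (inside) 1 10.1.101.0 255.255.255.0
nat (inside) 2 10.1.104.0 255.255.255.0
nat (inside) 3 10.1.110.0 255.255.255.0
nat (inside) 4 192.168.85.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 182.38.44.9
global (outside) 3 182.38.44.10
global (outside) 4 83.23.42.90
"""

# lrmoore's minimum with his assumed next hop 83.23.42.89, plus one optional
# per-subnet pair using 83.23.42.91 (assumed spare address on the outside subnet).
CORRECTED = """\
ip address outside 83.23.42.90 255.255.255.248
ip address inside 192.168.85.12 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0 0
route outside 0.0.0.0 0.0.0.0 83.23.42.89 1
route inside 10.1.0.0 255.255.0.0 192.168.85.1 1
global (outside) 2 83.23.42.91
nat (inside) 2 10.1.104.0 255.255.255.0
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("corrected", CORRECTED)):
        print(f"{name}:", check(parse_pix(text)) or ["OK"])
```

Run against the posted config it reports the four points lrmoore raised: the default gateway 182.38.44.10 is not on the outside wire, the two 182.38.44.x globals are not on the outside subnet, and global 4 reuses the PIX's own outside address instead of the "interface" keyword; the minimum config passes. One caveat on the global rule: a global off the outside subnet can work if the upstream router carries a static route for it to the PIX, but then the PIX cannot proxy-ARP for it, which is why keeping globals on the outside subnet is the simpler and more robust choice.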