Second PIX 515E 7.0 Question

First, I don't know what's going on: I purchased the Premium Services and it still says I only have 60 points available.  I will increase this baby to 500 when my account is updated.

Below is how I am tentatively going to configure my PIX515E with 7.0 and three interfaces (outside, inside, dmz).  I want to run this by some people to make sure I am on the right track.  Here are some specific questions that I have.

My first question is, when I set up my NAT statements like nat (teacher) 5 172.27.5.0 255.255.255.0 <> global (outside) 5 162.xxx.xxx.81-162.xxx.xxx.130 netmask 255.255.255.0, will the addresses be used up one after another until the last one of 162.xxx.xxx.129 is used and then 162.xxx.xxx.130 will be used for PAT, or will each address be used for PAT?

My second question is based on the answer to number one. If I have static statements like static (teacher,outside) 162.xxx.xxx.81 172.27.5.1 netmask 255.255.255.255 and static (teacher,outside) 162.xxx.xxx.82 172.27.5.2 netmask 255.255.255.255, will NAT just skip these addresses and start with 162.xxx.xxx.83?  Do I even need these static statements, or when I assign static addresses on the computers themselves will the PIX recognize this and map them correctly to the addresses they need, as long as I make sure I don't assign too many static addresses and go over the pool allotment?

Do I need to put static statements for each address I am going to use, or just an overall NAT statement?  On my 2003 server I will have scopes for each VLAN.  If I set DHCP scopes to start at, say, 172.27.x.100 for each subnet, I want addresses in each subnet to take a chunk of real IPs and, when those are used up, start using PAT for the rest.  I have listed how I want them broken up below next to the configuration.

Third, when I enable the DHCP relay on the PIX, I will still need to define the VLANs on my router, correct?  Syntax for the PIX is dhcprelay server 172.27.2.1 admin

In summary, I want to divvy up my real IP addresses among 6 VLANs.  I want the computers in each specific VLAN to use up the allotted real IP addresses and, when those are used up, use the remaining one for PAT.  For example, on VLAN 2 below I will have servers starting with 172.27.2.1 mapped to 162.xxx.xxx.1 and 172.27.2.2 mapped to 162.xxx.xxx.2 and so on.  I only want to give that VLAN real IP addresses of 162.xxx.xxx.1-162.xxx.xxx.60.  The servers in there will be assigned static addresses and I will only use around 20 static addresses.  I would, just for an example, like DHCP to start handing out addresses at 172.27.2.21 being mapped to 162.xxx.xxx.21, and then use 172.27.2.22 and so on until it gets to 172.27.2.59 mapped to 162.xxx.xxx.59.  Anything else that requires an address would then use 172.27.2.60 mapped to 162.xxx.xxx.60 (xxxxx) PAT'ing.  Now I know not to do this on my server VLAN, but this would be used on my LAN and wireless VLANs.  Thanks a ton.


hostname(config)# interface Fastethernet0/1.1
hostname(config-subif)# vlan 2
hostname(config-subif)# nameif admin                        (servers, switches, printers, WAP’s)
hostname(config-subif)# security-level 20
hostname(config-subif)# ip address 172.27.2.254 255.255.255.0
hostname(config-subif)# no shutdown

hostname(config)# interface Fastethernet0/1.2
hostname(config-subif)# vlan 3
hostname(config-subif)# nameif office                        (administration computers)
hostname(config-subif)# security-level 80
hostname(config-subif)# ip address 172.27.3.254 255.255.255.0
hostname(config-subif)# no shutdown

hostname(config)# interface Fastethernet0/1.3
hostname(config-subif)# vlan 4
hostname(config-subif)# nameif voice                        (ip phones)
hostname(config-subif)# security-level 70
hostname(config-subif)# ip address 172.27.4.254 255.255.255.0
hostname(config-subif)# no shutdown

hostname(config)# interface Fastethernet0/1.4
hostname(config-subif)# vlan 5
hostname(config-subif)# nameif teacher                        (teacher workstations)
hostname(config-subif)# security-level 60
hostname(config-subif)# ip address 172.27.5.254 255.255.255.0
hostname(config-subif)# no shutdown


hostname(config)# interface Fastethernet0/1.5
hostname(config-subif)# vlan 6
hostname(config-subif)# nameif lan                              (lab computers)
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 172.27.6.254 255.255.255.0
hostname(config-subif)# no shutdown

hostname(config)# interface Fastethernet0/1.6
hostname(config-subif)# vlan 7
hostname(config-subif)# nameif wireless                        (mobile lab, wireless devices)
hostname(config-subif)# security-level 40
hostname(config-subif)# ip address 172.27.7.254 255.255.255.0
hostname(config-subif)# no shutdown

-----------------------------------------------------------------------------------------------

Servers 162.xxx.xxx.1-20 (admin)
Switches 162.xxx.xxx.21-30 (admin)
Printers 162.xxx.xxx.31-50 (admin)
WAP’s 162.xxx.xxx.51-60 (admin)

nat (admin) 2 172.27.2.0 255.255.255.0
global (outside) 2 162.xxx.xxx.1-162.xxx.xxx.60 netmask 255.255.255.0

static (admin,outside) 162.xxx.xxx.1 172.27.2.1 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.2 172.27.2.2 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.3 172.27.2.3 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.4 172.27.2.4 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.5 172.27.2.5 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.6 172.27.2.6 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.7 172.27.2.7 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.8 172.27.2.8 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.9 172.27.2.9 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.10 172.27.2.10 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.11 172.27.2.11 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.12 172.27.2.12 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.13 172.27.2.13 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.14 172.27.2.14 netmask 255.255.255.255

static (admin,outside) 162.xxx.xxx.21 172.27.2.21 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.22 172.27.2.22 netmask 255.255.255.255

static (admin,outside) 162.xxx.xxx.31 172.27.2.31 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.32 172.27.2.32 netmask 255.255.255.255

static (admin,outside) 162.xxx.xxx.51 172.27.2.51 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.52 172.27.2.52 netmask 255.255.255.255

-----------------------------------------------------------------------------------------------

Office Workstations 162.xxx.xxx.61-70 (office)

nat (office) 3 172.27.3.0 255.255.255.0
global (outside) 3 162.xxx.xxx.71-162.xxx.xxx.80 netmask 255.255.255.0

static (office,outside) 162.xxx.xxx.41 172.27.3.1 netmask 255.255.255.255
static (office,outside) 162.xxx.xxx.42 172.27.3.2 netmask 255.255.255.255

-----------------------------------------------------------------------------------------------


IP Phones 162.xxx.xxx.71-80 (voice)

nat (voice) 4 172.27.4.0 255.255.255.0
global (outside) 4 162.xxx.xxx.71-162.xxx.xxx.80 netmask 255.255.255.0

-----------------------------------------------------------------------------------------------

Teacher Workstations 162.xxx.xxx.81-130 (teacher)

nat (teacher) 5 172.27.5.0 255.255.255.0
global (outside) 5 162.xxx.xxx.81-162.xxx.xxx.130 netmask 255.255.255.0

static (teacher,outside) 162.xxx.xxx.81 172.27.5.1 netmask 255.255.255.255
static (teacher,outside) 162.xxx.xxx.82 172.27.5.2 netmask 255.255.255.255

-----------------------------------------------------------------------------------------------

Lab Computers 162.xxx.xxx.131-210 (lan)

nat (lan) 6 172.27.6.0 255.255.255.0
global (outside) 6 162.xxx.xxx.131-162.xxx.xxx.210 netmask 255.255.255.0

-----------------------------------------------------------------------------------------------

Wireless Computers 162.xxx.xxx.211-250 (wireless)

nat (wireless) 7 172.27.7.0 255.255.255.0
global (outside) 7 162.xxx.xxx.211-162.xxx.xxx.250 netmask 255.255.255.0

-----------------------------------------------------------------------------------------------

darkcometice asked:

lrmoore commented:
>global (outside) 5 162.xxx.xxx.81-162.xxx.xxx.130 netmask 255.255.255.0 will the address be used up one after another until the last one of 162.xxx.xxx.129 is used and then 162.xxx.xxx.130 will be used for PAT or will each address be used for PAT?

No. You have to setup another PAT ip to be used. i.e.
global (outside) 5 162.x.x.81-162.x.x.129 netmask 255.255.255.0
global (outside) 5 162.x.x.130

We need to clear up some issues with NAT/Statics.

You cannot have a static that is also in a pool. You must start the pool with an ip that is outside the statics.
You don't necessarily need statics unless you want a permanent 1-1 address allocation for these particular hosts..
NO:
global (outside) 2 162.xxx.xxx.1-162.xxx.xxx.60 netmask 255.255.255.0
static (admin,outside) 162.xxx.xxx.1 172.27.2.1 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.2 172.27.2.2 netmask 255.255.255.255
static (admin,outside) 162.xxx.xxx.3 172.27.2.3 netmask 255.255.255.255

YES (.41 and .42 are outside the pool of .71-.80):
global (outside) 3 162.xxx.xxx.71-162.xxx.xxx.80 netmask 255.255.255.0
static (office,outside) 162.xxx.xxx.41 172.27.3.1 netmask 255.255.255.255
static (office,outside) 162.xxx.xxx.42 172.27.3.2 netmask 255.255.255.255
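As an added illustration of the two points in the answer above (a separate single-address global for PAT, and statics kept outside the dynamic pool), here is a small Python model that is not PIX code and not from either poster: it parses lines in the shape of the ones in this thread, flags a static whose global address falls inside a pool, and walks a VLAN's hosts through the pool until it is exhausted and PAT takes over. The 162.0.0.x prefix stands in for the redacted public addresses and the sample config is constructed.

```python
import ipaddress
import re

# Constructed sample config in the shape of the thread's own lines; "162.0.0" stands in
# for the poster's redacted public prefix (assumption). The static's global .81 sits
# inside the dynamic pool, which is exactly the overlap the answer says is not allowed.
CONFIG = """
nat (teacher) 5 172.27.5.0 255.255.255.0
global (outside) 5 162.0.0.81-162.0.0.129 netmask 255.255.255.0
global (outside) 5 162.0.0.130
static (teacher,outside) 162.0.0.81 172.27.5.1 netmask 255.255.255.255
"""

def parse(config):
    """Collect dynamic pools and PAT addresses by NAT id, and (global, local) static pairs."""
    pools, pat, statics = {}, {}, []
    for line in config.strip().splitlines():
        g = re.match(r"global \(\w+\) (\d+) (\S+)(?: netmask \S+)?$", line)
        if g:
            nat_id, addrs = int(g.group(1)), g.group(2)
            if "-" in addrs:                      # a range is a dynamic NAT pool
                lo, hi = (ipaddress.ip_address(a) for a in addrs.split("-"))
                pools.setdefault(nat_id, []).extend(lo + i for i in range(int(hi) - int(lo) + 1))
            else:                                 # a single address is the PAT fallback
                pat[nat_id] = ipaddress.ip_address(addrs)
        s = re.match(r"static \(\w+,\w+\) (\S+) (\S+) netmask \S+$", line)
        if s:
            statics.append((ipaddress.ip_address(s.group(1)), ipaddress.ip_address(s.group(2))))
    return pools, pat, statics

def static_pool_conflicts(pools, statics):
    """Return static global addresses that also sit inside a dynamic pool (not allowed)."""
    return [str(g) for g, _ in statics if any(g in p for p in pools.values())]

def translate(hosts, pool, pat_addr):
    """Model dynamic NAT for one VLAN: each new host takes a free pool address 1:1,
    and once the pool is exhausted every further host shares the PAT address.
    Real PIX allocation order and idle timeouts are not modelled (simplification)."""
    free = list(pool)
    return {h: str(free.pop(0)) if free else f"{pat_addr} (PAT)" for h in hosts}

if __name__ == "__main__":
    pools, pat, statics = parse(CONFIG)
    print("static/pool conflicts:", static_pool_conflicts(pools, statics))
    hosts = [f"172.27.5.{i}" for i in range(1, 52)]  # 51 hosts, only 49 pool addresses
    for h, g in translate(hosts, pools[5], pat[5]).items():
        print(h, "->", g)
```

Whether a host's inside address came from DHCP or was set statically makes no difference to this model, which matches the follow-up question below: the nat statement matches on the 172.27.5.0/24 network, not on how the address was assigned.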

darkcometice (Author) commented:
Thanks lrmoore, that helps clear things up a lot.
darkcometice (Author) commented:
So based on what you said, let's take my teacher VLAN for example.  Now I can set up a statement like

nat (teacher) 5 172.27.5.0 255.255.255.0
global (outside) 5 162.xxx.xxx.81-162.xxx.xxx.129 netmask 255.255.255.0
global (outside) 5 162.xxx.xxx.130

which will start using addresses .81, .82, and so on until it reaches .129.  From then on any other client will use the .130 for PAT, correct? Or would it also use another NAT address if one opens up?

So on my 2003 server I will have a DHCP scope of 172.27.5.100-253 set up.  If I am only using that, then the server would hand out an address of 172.27.5.100 to a client, and if the client wants to get outside then it would be mapped to the first open address such as 162.xxx.xxx.81, correct?  Now I think this is where I am getting confused (static server addresses compared to static PIX statements).  If I let DHCP handle everything then no problem, but what if I have some clients with static addresses of 172.27.5.1-20?  They do not need static addresses on the outside, just internal.  How does the PIX handle this?  Does it see the 172.27.1.1-20 addresses and use either the NAT (162.xxx.xxx.81-129) and/or PAT (162.xxx.xxx.130) to translate?  Or do I need static statements for every static address I have for clients?  I don't believe I need the static statements because they are just used as a 1:1 mapping mainly for servers, correct?

So if the example above is true, I could have the following.

172.27.5.1 --> 162.xxx.xxx.81 -- (static address on client mapped to nat pool)
172.27.5.2 --> 162.xxx.xxx.82 -- (static address on client mapped to nat pool)
172.27.5.101 --> 162.xxx.xxx.83 -- (dhcp assigned address to client mapped to nat pool)

Let's say that all NAT addresses are in use by other DHCP-assigned clients.

172.27.5.3 --> 162.xxx.xxx.130 (port number) -- (static address on client to PAT)
172.27.5.203 --> 162.xxx.xxx.130 (port number) -- (dhcp assigned address to client mapped to PAT)

I would then only need static statements if I were to add a server in that VLAN that needed to be accessed, but if I did that then I would have to start my NAT pool at, say, 162.xxx.xxx.91-129 instead of 162.xxx.xxx.81, correct?  That way the static mappings would not be in a DHCP pool.  Hope this makes sense.