ruberu

asked on

Pix Firewall configuration

Hi,

I am trying to configure a Cisco PIX 500 firewall to work on a LAN. I configured it the best way I could according to the information I have found. I have 2 public IP addresses available, which are xx.xx.xx.162 & xx.xx.xx.163, and I would like to use PAT since there is only 1 public IP available.
xx.xx.xx.161 is the gateway and it is a DSL router with a built-in firewall... I disabled the firewall so that it will not interfere. My LAN is on a 192.168.0.0/24 network behind the PIX.

nameif ethernet0 outside security0
nameif ethernet1 inside security100

ip address outside xx.xx.xx.162 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 xx.xx.xx.163
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.161 1

I cannot understand why the LAN cannot access the internet. Is there something more I have to configure as far as the NAT/PAT goes? Access list perhaps? Not sure. Thank you in advance.
LionBSD

How is the DSL router connected to the PIX?
The DSL router needs to know how to get to x.x.x.162. What kind of a router is it? Is it capable of having more than 1 external IP?
Can the PIX ping x.x.x.161?

You need to first check if the PIX can "talk" with the DSL router.
I don't think that you can use
> global (outside) 1 xx.xx.xx.163
I think you should use
global (outside) 1 xx.xx.xx.162

That's because (I assume that the DSL modem is configured OK - try pinging the world from the PIX itself) packets destined for xx.xx.xx.163 are not sent to your PIX.
In the global() statement you can use either the IP of the outside interface or an IP which is routed to your PIX. xx.xx.xx.163 is on the same subnet as xx.xx.xx.162, and I'm sure it's not routed to your PIX.
nodisco
Hi ruberu

Your PAT configuration is fine and no, you don't need to configure an access-list for traffic going out - it's allowed by default on the PIX. As per LionBSD - verify your connection from the PIX to the router -
#
ping outside x.x.x.161
#


Is the internal LAN workstations' default gateway IP address set to 192.168.0.1 (inside IP of the PIX)?
Can PCs ping this address?
A possible problem would be double NATting - where the DSL router is also NATting the traffic out - the PIX is performing address translation already, so make sure the DSL router isn't trying to do it too.

hope this helps
ruberu (ASKER)

Thanks for your responses,

The PIX can ping the DSL router on xx.xx.xx.161. The LAN is able to ping the inside interface (192.168.0.1) of the PIX and the gateway IP address of the LAN PCs is set to 192.168.0.1. I have turned off NATting on the DSL router as it has the capability. The DSL router is also capable of having more than one IP address as you can specify a pool of IP addresses. The IPs that I am using, xx.xx.xx.161-163, are not part of that pool. I can ping the gateway xx.xx.xx.161 and any of the LAN PCs from the PIX. I cannot think of anything else wrong with the PIX config. I have a feeling that it might be a problem with the routing table in the DSL router. It has an entry to route any xx.xx.xx.160 traffic to xx.xx.xx.161 which is the gateway. I am just wondering if there has to be another route statement specific to the PIX configured in the routing table. The router I am using is a Zoom Telephonics X5v.
Well, haven't you read my previous answer? If x.x.x.163 is not bound to any device, then the DSL router does not know where to send packets to the x.x.x.163 destination.
Think this way: the DSL router on its Ethernet side sends an ARP packet with who-has x.x.x.163 - nobody replies - so no forwarding is done.
Maybe I'm wrong, but why don't you give it a shot with
global (outside) 1 xx.xx.xx.162
instead of 163?
ruberu (ASKER)

ravenpl,

I tried what you said and used the interface IP xx.xx.xx.162 on the global, and I got this error message.

pix(config)# global (outside) 1 xx.xx.xx.162
Start and end addresses overlap with outside interface address

I also tried

pix(config)# global (outside) 1 interface
Invalid IP address
usage: global [(if)] <global_id> <ip[-ip]> [netmask <global_mask>]

I don't know what else could be wrong. Thanks
That's strange. According to the documentation:
> To specify PAT using the IP address of an interface, specify the interface keyword in the global [(int_name)] nat_id address | interface command.
> The following example enables PAT using the IP address at the outside interface in global configuration mode:
> ip address outside 192.150.49.1
> nat (inside) 1 0 0
> global (outside) 1 interface

Maybe try first removing all global entries, do clear xlate, put in the above global statement, and clear xlate again. (Note that clear xlate will reset all connections.)
SOLUTION
Les Moore
ruberu (ASKER)

I got the ping to my gateway and the world to work and I am also able to get to websites by pasting the IP address of the website in the URL field of the browser, e.g. 64.233.161.147 (google.com). I am not able to use the domain names, so it must be some DNS issue now. I think the version of IOS on the PIX is old so commands such as access-list will not work; I think conduit is a substitute... not too sure. I do not have access to a new image, unfortunately. Here is the config.

PIX Version 4.4(4)
hostname PIX
fixup protocol ftp 21
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol http 80
names
pager lines 24
no logging timestamp
no logging console
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.162 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 x.x.x.163
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit ip any any
conduit permit tcp any any
conduit permit icmp any any
conduit permit udp any any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 x.x.x.161 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute          
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet 192.168.0.0 255.255.255.0
telnet timeout 10
terminal width 80

I thank you guys for all your help so far....
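The config pasted above carries several settings a reviewer would flag beyond the PAT question the thread is about: four `conduit permit ... any any` rules that open the outside interface to all inbound traffic, the default `public` SNMP community, cleartext Telnet management from the whole inside subnet, and a `global` address that is not the outside interface address (the point LionBSD and ravenpl raised about the upstream router not knowing where to send xx.xx.xx.163). As an added example that is not part of the thread, this small linter runs those checks over a constructed excerpt of the posted config, with the masked public addresses replaced by documentation-range placeholders (198.51.100.x).

```python
"""Lint a PIX 4.x style config for exposure issues (added example, not from the thread)."""
import ipaddress
import re

# Constructed excerpt of the config posted above; the masked xx.xx.xx.*
# public addresses are replaced with RFC 5737 documentation placeholders.
PIX_CONFIG = """\
PIX Version 4.4(4)
ip address outside 198.51.100.162 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 198.51.100.163
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit ip any any
conduit permit tcp any any
conduit permit icmp any any
conduit permit udp any any
snmp-server community public
telnet 192.168.0.0 255.255.255.0
"""


def lint_pix_config(text):
    """Return a list of (category, message) findings for one config."""
    findings = []
    # First pass: learn each interface's address so the global check can compare.
    interfaces = {}
    for line in text.splitlines():
        m = re.match(r"ip address (\S+) (\S+) (\S+)$", line)
        if m:
            interfaces[m.group(1)] = m.group(2)
    for line in text.splitlines():
        # Inbound permits from any source to any destination on the outside.
        m = re.match(r"conduit permit (\S+) any any$", line)
        if m:
            findings.append(("conduit", f"inbound {m.group(1)} from any to any is permitted"))
        # Well-known default communities let anyone read device state.
        m = re.match(r"snmp-server community (\S+)$", line)
        if m and m.group(1) in ("public", "private"):
            findings.append(("snmp", f"default SNMP community '{m.group(1)}'"))
        # Telnet management allowed from a whole network, not a single host.
        m = re.match(r"telnet (\d+\.\d+\.\d+\.\d+) (\S+)$", line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if net.num_addresses > 1:
                findings.append(("telnet", f"cleartext Telnet management allowed from {net}"))
        # A PAT address other than the interface address needs the upstream
        # router to route or ARP for it; the 'interface' keyword avoids that.
        m = re.match(r"global \((\S+)\) \d+ (\S+)$", line)
        if m and m.group(2) != "interface" and m.group(2) != interfaces.get(m.group(1)):
            findings.append(("global", f"PAT address {m.group(2)} is not the {m.group(1)} "
                                       f"interface address {interfaces.get(m.group(1))}"))
    return findings
```

Replacing the global line with `global (outside) 1 interface` (or with the .162 interface address) clears the `global` finding while the conduit, SNMP and Telnet findings remain.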
ASKER CERTIFIED SOLUTION
ruberu (ASKER)

It seems to me that the packets are making their way back into the PIX interface because as I mentioned earlier, I can view web pages in the browser by putting in the ip address of a web site. I am just wondering how to get the DNS issue resolved so that DNS requests can get out of the firewall. There is a port protocol problem here.
ruberu (ASKER)

I resolved the issue and everything is working fine. I had to make sure the DNS server settings on the LAN PCs were set to the gateway and not the inside interface of the PIX, 192.168.0.1. Silly me... Thank you all so much for your help... really appreciate it :)