PIX 501 - Complete setup - please help

ITLINE asked on
Topics: Software Firewalls, Cisco
3 Comments, 1 Solution, 205 Views
I am new to the PIX family and want to set up a PIX 501. I would like the PIX 501 to do the following:


            Internet
               |
            Internet Router
               |- ISP: 80.166.164.4/30
               |- ISP: 83.90.197.124/29
               |
               |- IP: 80.166.164.6 / 255.255.255.252
               |- Gateway: 80.166.164.5
               |- DNS: 194.239.134.83 and 193.162.153.164
            PIX 501
               |- IP: 10.150.1.1/16
               |
      Subnet A
      10.150.0.0/16
               |- IP: 10.150.1.5/16       (Web Server)
               |- IP: 10.150.1.6/16       (Mail Server)
               |- IP: 10.150.1.7/16       (Game Server)
               |- IP: 10.150.10.1/16      (1 PC A)
               |- IP: DHCP                (2 PCs B)
               |
               |- IP: 10.150.1.2/16       (ISA Server)
            MS ISA Server
               |- IP: 10.151.1.1/16
               |
      Subnet B
      10.151.0.0/16
               |- IP: 3 DHCP (PCs)
               |- IP: Printers and some other things.


Internet Router:
----------------------------------
I can use the following IPs from my ISP:
  80.166.164.6 / 255.255.255.252 (main IP)
  and
  83.90.197.225-230 / 255.255.255.248

Subnet A:
----------
In this subnet (DMZ) I have some servers that Internet users should connect to and some PCs that should connect to the Internet.

The PIX 501 should give IP info to the 2 PCs B, with DNS pointing to 10.150.1.2.

I would like to use Cisco VPN to connect to my home network.


Allow these rules:


WEB SERVER:
On the web server I have 4 websites, where each site has its own .dk and .com domain name.

  web srv -> pix501 -> Internet: allow out http, https, dns, ntp, smtp
  any ips -> Internet -> 83.90.197.225 -> pix501 -> subnet A -> 10.150.1.5: allow in http, https, ftp, ssh


MAIL SERVER:
At my ISP I will set up an MX record pointing to 83.90.197.226 so my mail server can serve some .dk and .com domains.

  mail srv -> pix501 -> Internet: allow out http, https, dns, ntp, smtp
  any ips -> Internet -> 83.90.197.226 -> pix501 -> subnet A -> 10.150.1.6: allow in dns, ntp, http, https, smtp, owa


GAME SERVER:
  game srv -> pix501 -> Internet: allow out http, https, dns, ntp, dns, tcp 6003, tcp 7002, tcp 5273, udp 8767
  host ips -> Internet -> 83.90.197.227 -> pix501 -> subnet A -> 10.150.1.7 -> teamspeak: allow in udp 8767
  any ips -> Internet -> 83.90.197.227 -> pix501 -> subnet A -> 10.150.1.7 -> counter-strike: allow in udp 27012, tcp 27040, udp 27015-27016


ISA SERVER:
  MS ISA -> pix501 -> Internet: allow out http, https, smtp, dns, msn, rdp, ms vpn pptp, cisco vpn
  any host -> Internet -> 80.166.164.6 -> Pix501 -> subnet A -> 10.150.1.2: allow in smtp, pop3, www, owa, radius, msn, ntp


PC-A:
  pcA -> pix501 -> Internet: allow out http, https, pop3, dns, smtp, msn, 8767, rdp

PC-B:
  pcB -> pix501 -> Internet: allow out http, https, pop3, dns, smtp, msn, 8767
  2 host IPs -> Internet -> pix501 -> subnet A -> 10.150.10.1: allow in tcp 24321

Cisco VPN:
Now I use Microsoft PPTP, but I would like to use Cisco VPN to connect to my network at home through the PIX 501 and use the RADIUS server on 10.150.1.2. Cisco VPN should have access to all subnets.

  Cisco VPN -> Internet -> 80.166.197.230 -> Pix501 -> subnet A -> 10.150.1.2: allow radius


Subnet B
----------------------------------
All is OK here.


Now I have chosen to use local IPs for my game, mail and web servers on subnet A, but could I use the public IPs to point directly to the servers behind the PIX 501, so I don't have to use NAT?

Or does the PIX 501 not support that?


So if someone will help me set up the PIX 501, I would be very happy.
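The static NAT, inbound/outbound filtering and DHCP parts of the request above, written as a PIX OS 6.x configuration fragment. This is an added example and not part of the original post or its answers. It reuses the addresses and ports from the post; the OS version, the access-list names outside_in and inside_out, the DHCP pool range, the assumption that the interfaces already carry the 501 factory names outside/inside, and the TeamSpeak client placeholder are assumptions.

```cisco
! --- Addressing and default route (values from the post) ---
ip address outside 80.166.164.6 255.255.255.252
ip address inside 10.150.1.1 255.255.0.0
route outside 0.0.0.0 0.0.0.0 80.166.164.5 1

! --- Outbound PAT for everything on subnet A that has no static mapping ---
global (outside) 1 interface
nat (inside) 1 10.150.0.0 255.255.0.0 0 0

! --- One-to-one static NAT for the public servers (ISP /29 block) ---
static (inside,outside) 83.90.197.225 10.150.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 83.90.197.226 10.150.1.6 netmask 255.255.255.255 0 0
static (inside,outside) 83.90.197.227 10.150.1.7 netmask 255.255.255.255 0 0
! The ISA server is reached on the outside interface address itself,
! so use port redirection rather than a full one-to-one static
static (inside,outside) tcp interface smtp 10.150.1.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.150.1.2 pop3 netmask 255.255.255.255 0 0

! --- Inbound policy: only the listed services reach each server ---
! Anything not matched is dropped by the implicit deny at the end of the list
access-list outside_in permit tcp any host 83.90.197.225 eq www
access-list outside_in permit tcp any host 83.90.197.225 eq https
access-list outside_in permit tcp any host 83.90.197.225 eq ftp
access-list outside_in permit tcp any host 83.90.197.225 eq ssh
access-list outside_in permit tcp any host 83.90.197.226 eq smtp
access-list outside_in permit tcp any host 83.90.197.226 eq www
access-list outside_in permit tcp any host 83.90.197.226 eq https
! TeamSpeak: the post restricts this to specific hosts; <TEAMSPEAK_CLIENT_IP> is a placeholder
access-list outside_in permit udp host <TEAMSPEAK_CLIENT_IP> host 83.90.197.227 eq 8767
! Counter-Strike ports as listed in the post
access-list outside_in permit udp any host 83.90.197.227 eq 27012
access-list outside_in permit tcp any host 83.90.197.227 eq 27040
access-list outside_in permit udp any host 83.90.197.227 range 27015 27016
! ISA server services on the outside interface address
access-list outside_in permit tcp any host 80.166.164.6 eq smtp
access-list outside_in permit tcp any host 80.166.164.6 eq pop3
access-group outside_in in interface outside

! --- Outbound policy: servers get only the services the post lists ---
! First-match list: per-server permits, then a deny for that server,
! then a blanket permit so the PCs keep working (tighten per host the same way)
access-list inside_out permit tcp host 10.150.1.5 any eq www
access-list inside_out permit tcp host 10.150.1.5 any eq https
access-list inside_out permit tcp host 10.150.1.5 any eq smtp
access-list inside_out permit udp host 10.150.1.5 any eq domain
access-list inside_out permit udp host 10.150.1.5 any eq ntp
access-list inside_out deny ip host 10.150.1.5 any
access-list inside_out permit tcp host 10.150.1.6 any eq www
access-list inside_out permit tcp host 10.150.1.6 any eq https
access-list inside_out permit tcp host 10.150.1.6 any eq smtp
access-list inside_out permit udp host 10.150.1.6 any eq domain
access-list inside_out permit udp host 10.150.1.6 any eq ntp
access-list inside_out deny ip host 10.150.1.6 any
access-list inside_out permit ip 10.150.0.0 255.255.0.0 any
access-group inside_out in interface inside

! --- DHCP for the two PCs B, DNS pointed at the ISA server (pool range assumed) ---
dhcpd address 10.150.1.100-10.150.1.101 inside
dhcpd dns 10.150.1.2
dhcpd enable inside
```

Two points to check before relying on this. The 83.90.197.224/29 addresses are not on the outside interface's /30, so the static entries only receive traffic if the ISP routes that block to 80.166.164.6, which the post implies but does not state; without that route the mappings are silently unreachable. The outbound list deliberately ends each server's section with an explicit deny so that a compromised server cannot use the blanket permit meant for the PCs; the game server and ISA server would get the same per-host treatment with the ports the post lists for them. `show xlate` and `show access-list` on the PIX show whether the translations and hit counts behave as expected.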