  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 380

Inbound access through PIX

How can I allow inbound traffic through a PIX? I want to allow a full class C address range through the outside interface to my internal interface, which hosts several class C subnets that fall in the 10.232.0.0 range.


           Internet
               |
               |              
       Main Router
       (Main Site)- 10.200.4.0 255.255.255.0
               |
               |
    Branch Site Router
               |
               |
              PIX
       (Branch Site)- 10.232.0.0 255.255.0.0



I am trying to allow traffic from the 10.200.4.0 network to several subnet ranges in the 10.232.0.0 network that resides on the inside interface of the pix.

I have no issues with the internal subnets talking out to the 10.200.4.0 network or to the internet.
Asked by: ddsvi

1 Solution
rsivanandanCommented:
You would have to build some kind of tunnel so that the private addresses can talk to each other. So considering security, I would suggest you go for a VPN connection between these 2 sites, and once you build the site-to-site VPN, it is both possible and secured.

Try out some of the links below to get an idea of how this can be done:

 http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/sit2site.htm#xtocid1

Do you have a PIX at the Main location? If not, then you could build a VPN tunnel between the router at the main location and the PIX or router at the branch location. Let us know what kind of routers you have in there.

Cheers,
Rajesh
ddsviAuthor Commented:
2600 routers on each end (2621 I believe). I thought about doing a VPN from the main firewall, but that's not what they want to do.

I am thinking about just doing a static NAT to one address on the inside of the PIX and just use remote desktop and telnet to connect to the rest of the network from there.

Didn't realize you could build a VPN tunnel between a PIX and a router.
rsivanandanCommented:
Static NAT for the whole network? Doesn't seem to be appropriate. You should really be going for the VPN, and you will be all good.

VPN ??

1. Router to Router
2. PIX to PIX
3. PIX to Router
4. PIX to Windows
5. Router to Windows

:-) Almost everything.

Cheers,
Rajesh
zyclonixCommented:
Doing a static NAT as opposed to a VPN is a very bad idea, you will be sending this company's data unencrypted over the internet. Depending on what the company does this may be against the law! It certainly is bad practice.

VPNs are not that hard to set up, probably easier than doing one-to-one NAT anyway.
ddsviAuthor Commented:
It is a point-to-point T1 connection. There is a firewall between the internet and the main site. They are wanting to add a second firewall at the branch site in case the main site firewall is compromised.
ddsviAuthor Commented:
Also, the 10.200.4.0 is just one private subnet for tech support at the main site. Everything else will be blocked by the firewall at the branch site. The branch site gets its internet through the main site.
rsivanandanCommented:
Oh. Ok. If it is a PtP connection, then there is nothing to worry about; just plug them in and make sure you have proper routes in all the networking devices involved.

Thanks for the points.

Cheers,
Rajesh
ddsviAuthor Commented:
Is there another way to allow that subnet in through the outside interface of that PIX, besides doing a static NAT?
rsivanandanCommented:
Yeah. I mean, if it is a point-to-point connection then you would be using private addresses, right? Is there anything that is stopping you from doing that?

I'm not sure about the topology here. Since it is a PtP network, can you print their IP addresses too? I am wondering, are you having the traffic go through the PIX?

Cheers,
Rajesh
ddsviAuthor Commented:
From inside the firewall I can ping out to the main site, but the main site cannot ping back in unless I do a static NAT right now.

I am trying to get the one subnet at the main site to come in through the outside interface of the PIX and access the inside network.

On the inside of the PIX at the branch site, there is another router that feeds 3 other sites (not including the subnet at the branch site), all of which are on separate subnets.


My problem is that the tech support subnet from the main site cannot connect in any way through that outside interface of the PIX.
rsivanandanCommented:
Oh. I see it now.

DDSvi,

Unfortunately, if you want to have the traffic go through the PIX, you'll not be able to do it without NAT. The reason being, traffic from a low security interface cannot pass onto a high security interface by default and without statics. It is designed to be like that.

The only way around is, as I said first, you'll have to build a VPN tunnel between the main site router and the branch site PIX.

Cheers,
Rajesh
ddsviAuthor Commented:
Ok, that's what I was thinking.

Thanks for all your help Rajesh.
rsivanandanCommented:
NP.

Sorry that I couldn't be of much help here.

Cheers,
Rajesh
ddsviAuthor Commented:
Just an update: this actually works:

static (inside,outside) 10.232.1.0 10.232.1.0 netmask 255.255.255.0
static (inside,outside) 10.232.2.0 10.232.2.0 netmask 255.255.255.0

access-list outside permit ip 10.200.4.0 255.255.255.0 10.232.1.0 255.255.255.0
access-list outside permit ip 10.200.4.0 255.255.255.0 10.232.2.0 255.255.255.0

route inside 10.232.1.0 255.255.255.0 <ip_address_next_hop>
route inside 10.232.2.0 255.255.255.0 <ip_address_next_hop>

But we decided to go ahead and upgrade the firewall. We upgraded the PIX to an ASA. Then I just put the ASA in Layer 2 transparent mode and added my access-lists. Took all of about 5 minutes to configure.
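The update above shows the three pieces a PIX needs before a low-security (outside) interface can reach a high-security (inside) one, which is the point Rajesh made earlier about statics: a static translation covering the inside subnet, an access-list entry permitting the source, and an inside route for the destination. The Python script below is an added example, not code from this thread or from Cisco. It parses those config lines and reports which of the three pieces is missing for a given source/destination pair. It assumes an access-group line binding the ACL inbound on the outside interface (the posted snippet does not show one, and a PIX access-list has no effect until it is bound), a constructed next hop of 10.232.0.2 in place of the thread's <ip_address_next_hop> placeholder, and a constructed third subnet, 10.232.3.0/24, that has a static but no ACL entry or route, so the failure case is visible.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the identity statics, ACL and routes posted in the thread,
# plus an access-group binding (assumed; not shown in the thread) and a third
# inside subnet, 10.232.3.0/24, that has a static but no ACL entry or route.
# The next hop 10.232.0.2 replaces the thread's <ip_address_next_hop> placeholder.
SAMPLE_CONFIG = """
static (inside,outside) 10.232.1.0 10.232.1.0 netmask 255.255.255.0
static (inside,outside) 10.232.2.0 10.232.2.0 netmask 255.255.255.0
static (inside,outside) 10.232.3.0 10.232.3.0 netmask 255.255.255.0
access-list outside permit ip 10.200.4.0 255.255.255.0 10.232.1.0 255.255.255.0
access-list outside permit ip 10.200.4.0 255.255.255.0 10.232.2.0 255.255.255.0
access-group outside in interface outside
route inside 10.232.1.0 255.255.255.0 10.232.0.2
route inside 10.232.2.0 255.255.255.0 10.232.0.2
"""


@dataclass
class PixConfig:
    statics: list = field(default_factory=list)   # (real_ifc, mapped_ifc, real_net, mapped_net)
    acls: dict = field(default_factory=dict)      # acl name -> [(action, src_net, dst_net)]
    bindings: dict = field(default_factory=dict)  # interface -> acl name bound inbound
    routes: dict = field(default_factory=dict)    # interface -> [network]


def _net(addr, mask):
    """Build a network from the PIX 'address mask' pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(text):
    """Parse the static, access-list, access-group and route lines of a PIX 6.x config."""
    cfg = PixConfig()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static" and len(t) >= 6 and t[4] == "netmask":
            # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            cfg.statics.append((real_ifc, mapped_ifc, _net(t[3], t[5]), _net(t[2], t[5])))
        elif t[0] == "access-list" and len(t) >= 8 and t[3] == "ip":
            # access-list name permit|deny ip src smask dst dmask
            cfg.acls.setdefault(t[1], []).append((t[2], _net(t[4], t[5]), _net(t[6], t[7])))
        elif t[0] == "access-group" and len(t) >= 5 and t[2:4] == ["in", "interface"]:
            # access-group name in interface ifc
            cfg.bindings[t[4]] = t[1]
        elif t[0] == "route" and len(t) >= 5:
            # route ifc network mask next_hop
            cfg.routes.setdefault(t[1], []).append(_net(t[2], t[3]))
    return cfg


def inbound_check(cfg, src_ip, dst_ip, outside="outside", inside="inside"):
    """Return the reasons a packet from src_ip arriving on the low-security
    interface would not reach dst_ip on the high-security interface.
    An empty list means all three pieces are in place."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    problems = []

    # 1. Low-to-high traffic needs a static whose mapped range covers the destination;
    #    translate to the real inside address (identity statics map to themselves).
    real_dst = None
    for real_ifc, mapped_ifc, real_net, mapped_net in cfg.statics:
        if real_ifc == inside and mapped_ifc == outside and dst in mapped_net:
            offset = int(dst) - int(mapped_net.network_address)
            real_dst = ipaddress.ip_address(int(real_net.network_address) + offset)
            break
    if real_dst is None:
        problems.append(f"no static ({inside},{outside}) covers {dst}")

    # 2. The ACL bound inbound on the outside interface must permit src -> dst
    #    (first matching entry decides, as on the PIX; no match means deny).
    acl_name = cfg.bindings.get(outside)
    if acl_name is None:
        problems.append(f"no access-group binds an ACL to interface {outside}")
    else:
        entries = cfg.acls.get(acl_name, [])
        first = next((act for act, s, d in entries if src in s and dst in d), None)
        if first != "permit":
            problems.append(f"access-list {acl_name} does not permit {src} -> {dst}")

    # 3. The PIX needs an inside route for the (translated) destination.
    target = real_dst if real_dst is not None else dst
    if not any(target in n for n in cfg.routes.get(inside, [])):
        problems.append(f"no route {inside} covers {target}")
    return problems


if __name__ == "__main__":
    cfg = parse_pix(SAMPLE_CONFIG)
    for dst in ("10.232.1.5", "10.232.3.5"):
        print(dst, inbound_check(cfg, "10.200.4.10", dst) or "allowed")
```

Running it shows 10.232.1.5 reachable from the tech support subnet and lists the missing ACL entry and route for 10.232.3.5; removing the access-group line from the sample reports that nothing binds the ACL, which is the easiest of the three pieces to forget when copying the snippet from the thread.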
rsivanandanCommented:
Exactly, you can't do it without a NAT, which is what you gain by the 'static' feature. Since it is a point-to-point link, it is much easier now :-)

Cheers,
Rajesh