Link to home
Create AccountLog in
Avatar of ddsvi
ddsviFlag for United States of America

asked on

Inbound access thru pix

How can I allow inbound traffic thru a pix.  I want to allow a full class C address range thru the outside interface to my internal interface which hosts several class C subnets which fall in the 10.232.0.0 range.


           Internet
               |
               |              
       Main Router
       (Main Site)- 10.200.4.0 255.255.255.0
               |
               |
    Branch Site Router
               |
               |
              PIX
       (Branch Site)- 10.232.0.0 255.255.0.0



I am trying to allow traffic from the 10.200.4.0 network to several subnet ranges in the 10.232.0.0 network that resides on the inside interface of the pix.

I have no issues with the internal subnets talking out to the 10.200.4.0 network or to the internet.
ASKER CERTIFIED SOLUTION
Avatar of rsivanandan
rsivanandan
Flag of India image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of ddsvi

ASKER

2600 routers on each end (2621 I believe), I thought about doing a vpn from the main firewall, but thats not what they want to do.

I am thinking about just doing a static nat to one address on the inside of the pix and just use remote desktop and telnet to connect to the rest of the network from there.

Didnt relize you could build a vpn tunnel between a pix and a router.
Static NAT for the whole Network ? Doesnt seem to be appropriate. You should really be going for the VPN and you will be all good.

VPN ??

1. Router to Router
2. PIX to PIX
3. PIX to Router
4. PIX to Windows
5. Router to Windows

:-) Almost everything.

Cheers,
Rajesh
Avatar of zyclonix
zyclonix

Doing a static NAT as opposed to a VPN is a very bad idea, you will be sending this company's data unencrypted over the internet. Depending on what the company does this may be against the law! It certainly is bad practice.

VPNs are not that hard to set up, probably easier than doing one-to-one NAT anyway.
Avatar of ddsvi

ASKER

it is a point to point T1 connection. There is a firewall between the internet and the main site. They are wanting to add a second firewall at the branch site incase the main site firewall was compromised.


Avatar of ddsvi

ASKER

also the 10.200.4.0 is just 1 private subnet for Tech support at the main site. Everything else will be blocked by the firewall at the branch site. The branch site gets its internet from thru the Main site.
Oh. Ok. If it is a ptp connection, then there is nothing to worry about, just plug them in and make sure you got proper routes in all the networking devices involved.

thnx for the points.

Cheers,
Rajesh
Avatar of ddsvi

ASKER

is there another way to allow that subnet in threw the outside interface of that pix, besides doing a static nat?
Yeah. I mean if it is a point to point connection then you would be using private addresses right ? Is there anything that is stopping you from doing that ?

I'm not sure about the topology here. Since it is a ptp network, can you print their ip addresses too. I am wondering, are you having the traffic go through the PIX ?

Cheers,
Rajesh
Avatar of ddsvi

ASKER

from inside the firewall I can ping out to the main site, but the main site can not ping back in unless I do a static nat right now.

I am trying to get the one subnet at the main site to come in thru the outside interface of the PIX and access the inside network.

On the inside of the PIX on the branch site, there is another router that feeds 3 other sites(not including the subnet at the branch site), all of which are on seperate subnets.


My problem is that the tech support subnet from the main site can not connect in any way thru that outside interface of the PIX.
Oh. I see it now.

DDSvi,

  Unfortunately, if you want to have the traffic go through PIX, you'll not be able to do it without NAT. The reason being, traffic from low security interface cannot pass onto high security interface by default and without statics. It is designed to be like that.

  The only way around is as I said first, you'll have to build a VPN tunnel between the mainsite router to branch site PIX.

Cheers,
Rajesh
Avatar of ddsvi

ASKER

Ok, thats what I was thinking.

Thanks for all your help Rajesh.
NP.

Sorry that I couldn't of much help here.

Cheers,
Rajesh
Avatar of ddsvi

ASKER

Just an update, this actually works

static (inside,outside) 10.232.1.0 10.232.1.0 netmask 255.255.255.0
static (inside,outside) 10.232.2.0 10.232.2.0 netmask 255.255.255.0

access-list outside permit ip 10.200.4.0 255.255.255.0 10.232.1.0 255.255.255.0
access-list outside permit ip 10.200.4.0 255.255.255.0 10.232.2.0 255.255.255.0

route inside 10.232.1.0 255.255.255.0 <ip_address_next_hop>
route inside 10.232.2.0 255.255.255.0 <ip_address_next_hop>

But we decided to go ahead and upgrade firewall. We upgraded the pix to an ASA. Then I just put the ASA in layer 2 transparent mode and added my access-lists. Took all of about 5 minutes to configure.
Exactly, you can't do it without a NAT which is what you gain by the 'static' feature, since it is a Point to Point link, it is much easier now :-)

Cheers,
Rajesh