
CISCO PIX 501 - Static Routes and Dynamic Internet IP address

I have created static routes on a PIX 501 with a static Internet connection, but never when the Internet connection is dynamic DSL.  I would like to be able to create static routes so that I can access various machines from outside of the LAN.  I use TZO, which provides me with an FQDN that points to my dynamic IP address.  The TZO application checks my IP address for changes every 2 minutes.

Below is my current network setup.

Internet
    |
DSL Modem         -  Outside Address - Dynamic
    |                      -  Inside Address  - 192.168.254.254
    |
Unmanaged Switch
    |
Terminal Server  -  Inside Address - 192.168.254.50  Port 3389

I would like to install a PIX 501 between the DSL Modem and Unmanaged Switch.  Do I simply

1)  Allow my DSL modem to act as a bridge and forward all requests to the PIX 501?

2)  Set the inside IP address of the PIX 501 to 192.168.254.2

3)  Create the static route for my Terminal Server as follows:
access-list InBound permit tcp any host 192.168.254.254 eq 3389
static (inside,outside) tcp 192.168.254.254 3389 192.168.254.50 3389 netmask 255.255.255.255 0 0

Thanks for the help.

Asked: robertjwilsoncpa

4 Solutions
0xSaPx0 commented:
If your DSL modem is a router it will provide the PIX with an internal address (192.x.x.x), which becomes the PIX's WAN interface IP address; then you just set up your NAT/routes accordingly.

So in a convoluted way exactly what you said above =)

- SaP -

neoponder commented:
1)  Allow my DSL modem to act as a bridge and forward all requests to the PIX 501?
Or a router, if you choose a new address range for the inside.

2)  Set the inside IP address of the PIX 501 to 192.168.254.2
You could change the inside address to another network.  That might be less confusing to the PIX.
For instance:
DSL inside int: 192.168.254.254
PIX outside int: 192.168.254.(whatever, 1 thru 253)
PIX inside: (make up something new, e.g. 192.168.253.254)
Switch
Workstations: 192.168.253.2, 3, 4, etc. and DG = 192.168.253.254

3)  Create the static route for my Terminal Server as follows:
access-list InBound permit tcp any host 192.168.254.254 eq 3389
static (inside,outside) tcp 192.168.254.254 3389 192.168.254.50 3389 netmask 255.255.255.255 0 0
That is assuming your DSL modem can NAT for you.
jyothers commented:
Yes, a minor problem is that you're translating your IP address on the DSL router via NAT already. You do not need the PIX. Just set up the DSL router to port forward port 3389 to your internal address and you're done.

If you want to actually use the 501, you will need to stop NAT on the DSL router and request from your ISP an additional IP address. This means a static IP address range will be given, and you need at least 2 usable:
1 for the DSL modem
1 for the external NIC on the PIX
The DSL modem then becomes a "perimeter" router.
Then you just use PAT/NAT on the PIX for internal traffic going out.
Then you can use your access-list and static statement with an external address going to your internal address, making WAY more sense to you.

Otherwise you are looking at a NATed NAT statement, your ARP requests are going to be going nuts, and you will have to reboot the DSL router and the PIX once a week.
Joesmail commented:
Hi Rob,

You have got your assumptions correct as indicated above.

1) If you don't bridge your modem you have to create a subnet in between your DSL modem and the PIX.  This can cause you problems in the future, e.g. forwarding ESP and IPsec traffic (for future remote access VPN), and is just ugly and messy.  Bridging the modem is fairly simple to do, and using the 501 to set up the PPPoE/PPPoA connection to your provider is fairly simple.   I have included a guide by Cisco to configure PPPoE.
http://www.cisco.com/warp/public/110/pppoe-for-pix501.html#diag

2) Yes give it an address on the internal LAN.

3) Your rule would be fine if you were NOT bridging.  I will assume you are going to bridge (preferred method, as indicated above).

So your rule will look like:
access-list InBound permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 192.168.254.50 3389 netmask 255.255.255.255 0 0

Other info:
From a security standpoint this is NOT a very secure method of connecting to your Terminal Server remotely.  I would not personally advise using this method as it is very open, e.g. anyone on the Internet can connect to your TS server (big security hole).  Without going into detail about why, I would recommend you spend a few more minutes and configure a "Remote Access VPN".
This link will show you plenty of examples of how to accomplish this.  It will also provide you with logging if you use a RADIUS server for verification.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008009484e.shtml#diag
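Joesmail's point that the `static` above leaves the Terminal Server reachable by anyone on the Internet is something the PIX's own syslog can make visible. The Python script below is an added example, not posted by anyone in this thread: it parses the PIX connection-built message (%PIX-6-302013) from a few constructed sample lines and counts inbound connections to 192.168.254.50:3389 per non-RFC 1918 source address, so an administrator who keeps the forward in place can at least see who is reaching the server. The sample lines, the mapped outside address 198.51.100.200 and the source addresses are constructed; the parser assumes the standard layout of that message.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines, modelled on the PIX "Built ... TCP connection"
# message (%PIX-6-302013). None of these come from the original thread; the
# public addresses are documentation ranges, the LAN is the one from the question,
# and 198.51.100.200 stands in for the PIX's dynamic outside address.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:192.168.254.50/3389 (198.51.100.200/3389)
%PIX-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.20/40001 (198.51.100.20/40001) to inside:192.168.254.50/3389 (198.51.100.200/3389)
%PIX-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.80/80 (203.0.113.80/80) to inside:192.168.254.10/49152 (198.51.100.200/49152)
%PIX-6-302013: Built inbound TCP connection 1004 for outside:203.0.113.7/51240 (203.0.113.7/51240) to inside:192.168.254.50/3389 (198.51.100.200/3389)
%PIX-6-302013: Built inbound TCP connection 1005 for outside:192.168.254.254/3300 (192.168.254.254/3300) to inside:192.168.254.50/3389 (198.51.100.200/3389)
%PIX-4-106023: Deny tcp src outside:203.0.113.9/1234 dst inside:192.168.254.50/445 by access-group "InBound"
"""

# Fields of the connection-built message: the unbracketed address/port pairs are
# the real ones, the parenthesised pairs are the NAT-mapped ones.
BUILT_RE = re.compile(
    r"%PIX-\d-302013: Built (?P<direction>inbound|outbound) TCP connection "
    r"(?P<conn_id>\d+) for (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<src_map_ip>[\d.]+)/(?P<src_map_port>\d+)\) "
    r"to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_map_ip>[\d.]+)/(?P<dst_map_port>\d+)\)"
)

# RFC 1918 ranges, listed explicitly: ipaddress.is_private also covers the
# documentation ranges used in the sample, which would hide the public sources.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip_text):
    """True if the dotted-quad address falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in RFC1918)


def parse_built(line):
    """Return the fields of a 302013 connection-built line, or None for any other message."""
    m = BUILT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("conn_id", "src_port", "src_map_port", "dst_port", "dst_map_port"):
        fields[key] = int(fields[key])
    return fields


def exposed_service_sources(log_text, server_ip="192.168.254.50", port=3389):
    """Count inbound connections to server_ip:port per source address outside RFC 1918.

    In the double-NAT layout discussed in the thread the DSL modem itself can show up
    as a source on the outside interface; those connections are not Internet-originated
    and are skipped.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_built(line)
        if rec is None or rec["direction"] != "inbound":
            continue
        if rec["dst_ip"] != server_ip or rec["dst_port"] != port:
            continue
        if is_rfc1918(rec["src_ip"]):
            continue
        hits[rec["src_ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in sorted(exposed_service_sources(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n} inbound connection(s) to 192.168.254.50:3389")
```

Point the PIX at a syslog host (`logging host inside <collector>` with informational level) and feed the collected file to `exposed_service_sources`; any non-empty result is a reminder that the `static` publishes the service to the whole Internet, which is the reason Joesmail recommends a remote access VPN instead.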
