
PIX 501 configuration

I am using a PIX 501 firewall with IOS version 6.3. Behind my firewall, I have a Linksys router with three workstations connected to it and a VOIP phone.

I have enabled NAT and configured the interfaces with the following commands:

global (outside) 1 interface
nat (inside) 1 192.168.15.0 255.255.2
ip address outside dhcp setroute
ip address inside 192.168.15.100 255.255.255.0

The only thing I would like to allow inbound at this time is SSH access, which I will work on later on. With this configuration my internal workstations cannot go out to the internet. My PIX is getting an internet IP from Comcast successfully. It seems to me like the Linksys router and the firewall are not communicating.

What am I missing?

Thanks in advance.

Prathap
1 Solution
 
rsivanandan commented:
Prathap,

We might need to see the full configuration of the PIX, and are you sure the traffic is getting to the PIX?

Also, is this how the topology looks?

Internet-----------PIX--------Linksys ROUTER-----------Internal LAN


So you will be having a different network between the PIX and the Linksys router, which is different from the internal LAN, so what is that network range?

Try to make it nat (inside) 1 0.0.0.0 0.0.0.0 and see.

Need more information...

Cheers,
Rajesh

prathap2 (Author) commented:
Rajesh,

Thanks for the quick reply. The topology looks like

Internet ->Cable Modem -> PIX -> Linksys Router -> internal LAN

My PIX is getting an IP from my ISP and it's able to ping external IPs. The inside interface of the PIX is connected to the Linksys router. However, my PIX cannot ping that interface on the Linksys router, even though it is directly connected.

The inside interface on the PIX is configured with 192.168.15.100.
The Internet interface of the Linksys is configured with 192.168.15.1. These two interfaces are directly connected, but they cannot ping each other. My internal LAN is on the 192.168.15.0 network as well.

As I have stated before, the only configuration I have on the PIX is what I have pasted above, with the interface configuration with IP addresses. I am not home right now. Once I get home I will paste the PIX configuration, if this information isn't enough. I am thinking how the nat rule you have recommended above will help. The only network I have behind the PIX is 192.168.15.0.

Thanks again.

Prathap

prathap2 (Author) commented:
I have pasted my current configuration below.

: Written by enable_15 at 20:06:53.437 UTC Sat Mar 25 2006
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password YwVLfQv14TD3AEtx encrypted
passwd YwVLfQv14TD3AEtx encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.14.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.15.0 255.255.255.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ed97dbc4b1018dcaa6e529097dbfe519
 
rsivanandan commented:
I haven't looked at your PIX configuration because your first response says it all wrong. You have a wrong network configuration, or I'm overlooking something here.

See, the network between the PIX and the Linksys router has gotta be different from your internal LAN. I'm wondering how come you were able to configure the same network on both interfaces of the Linksys router? It wouldn't allow you to do so! Well, Cisco routers are my experience area, but as far as theory goes you cannot have the same network on 2 interfaces of a ROUTER.

Are we overlooking something here? It's gotta be different, and I believe one of the reasons why you cannot ping the Linksys router from the PIX is this...

Check this thing out and let me know.

Internet ->Cable Modem(NETWORK1, PUBLIC) -> PIX ->(NETWORK2) Linksys Router ->(NETWORK3) internal LAN

See the diagram above; that is how it should be. My recommendation would be to change the network between the PIX and the Linksys, because it would involve only 2 interfaces. You could have them something like 10.0.0.1 and 10.0.0.2 with a mask of 255.255.255.0 or something.

Cheers,
Rajesh
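The addressing rule Rajesh lays out above (a distinct network on each of the Linksys router's two ports, one shared network on the wire between the PIX and the Linksys) and the nat statement from the question, turned into an added Python sanity check. This is not code from the thread: the interface labels are made up, and the Linksys WAN address in the corrected layout is an assumption.

```python
import ipaddress
import re

# Constructed from the addresses given in the thread. The interface labels are
# hypothetical; the Linksys WAN address in FIXED (192.168.14.2) is an assumption.
BROKEN = {"pix_inside": "192.168.15.100/24",   # original attempt
          "linksys_wan": "192.168.15.1/24",
          "linksys_lan": "192.168.15.0/24"}
FIXED = {"pix_inside": "192.168.14.1/24",      # working layout from the thread
         "linksys_wan": "192.168.14.2/24",     # assumed: leased by the PIX DHCP
         "linksys_lan": "192.168.15.1/24"}

ROUTER_PORTS = [("linksys_wan", "linksys_lan")]  # same router: networks must differ
LINKS = [("pix_inside", "linksys_wan")]          # same wire: networks must match


def network_of(cidr):
    return ipaddress.ip_interface(cidr).network


def check_topology(ifaces):
    """Return a list of addressing problems; an empty list means it is sane."""
    problems = []
    for a, b in ROUTER_PORTS:
        na, nb = network_of(ifaces[a]), network_of(ifaces[b])
        if na.overlaps(nb):
            problems.append(f"{a} and {b} both sit in {na}; "
                            "a router needs a distinct network on each interface")
    for a, b in LINKS:
        na, nb = network_of(ifaces[a]), network_of(ifaces[b])
        if na != nb:
            problems.append(f"{a} ({na}) and {b} ({nb}) share a wire "
                            "but are in different networks")
    return problems


NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")


def nat_covers(nat_line, lan_cidr):
    """True when a PIX 6.3 'nat (if) id net mask' rule contains the LAN network."""
    m = NAT_RE.match(nat_line.strip())
    if not m:
        raise ValueError("not a nat statement: " + nat_line)
    # ip_network accepts dotted netmasks, so the PIX 'net mask' form parses as-is
    nat_net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
    return network_of(lan_cidr).subnet_of(nat_net)


if __name__ == "__main__":
    for name, ifaces in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_topology(ifaces) or "ok")
    print(nat_covers("nat (inside) 1 192.168.15.0 255.255.255.0 0 0", FIXED["linksys_lan"]))
```

The broken layout reports the Linksys WAN and LAN ports sharing 192.168.15.0/24, which is the mismatch the thread settles on; the fixed layout reports nothing.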

rsivanandan commented:
Or, since you have mentioned that the only network internally is 192.168.15.0, I would simply take the Linksys router out of the picture and configure the PIX with an inside interface address of 192.168.15.1.

:-) It would take a max of 10 minutes and your network would be up.... (With the existing PIX config)..

Internet ->Cable Modem -> PIX -> internal LAN

Cheers,
Rajesh

prathap2 (Author) commented:
Thanks Rajesh. In the meantime I got it working with the Linksys router in between. The reason I need the Linksys router is because I use a VOIP phone.

rsivanandan commented:
That's okay, but I don't understand how you made this work with this configuration? There is no way it would work with the current network setup, unless you wanna tell me what you did :-) It would be a learning for me.

Cheers,
Rajesh

prathap2 (Author) commented:
I have the nat and global commands as I had mentioned before. I didn't realize I had configured the inside interface of the PIX with an IP belonging to my internal subnet until you pointed it out in your above entry. The whole time I was thinking I had put a 192.168.14.100 IP on it. Thanks for pointing it out. I changed the inside interface of the PIX to 192.168.14.1 and configured DHCP to lease the 192.168.14.0 subnet. My internal LAN is on a 192.168.15.0 subnet. I also manually put in DNS addresses on the PIX. Actually, come to think of it, it is configured the same way as you have described in your third entry from last. As I said before, I need the Linksys router for VOIP phones.

Thanks a lot for all your help.

Prathap

rsivanandan commented:
That's good. So I assume I helped you? :-)

By the way, for VoIP phones why the Linksys router? I mean, you have PoE from the router?

Cheers,
Rajesh

prathap2 (Author) commented:
True, I could use PoE. This was a free Linksys router I got from Vonage and I have been using it since then. Yes, you did help me.

Thanks again

Prathap

rsivanandan commented:
Okay, then accept the most useful answer. Have a good time.

Cheers,
Rajesh

Keith Alabaster commented:
I think the thrust of Rajesh's point is 'Can you accept his answer please'.

Regards
keith

rsivanandan commented:
Morning Keith :)

Cheers,
Rajesh

prathap2 (Author) commented:
Thanks Rajesh and Keith. This is my first time on this site and didn't realize that there was this "ACCEPT" link to accept the answer. Sorry guys.

Thanks again,

Prathap

Keith Alabaster commented:
Morning Rajesh :)

rsivanandan commented:
NP. Keith kinda helps me out in most of the questions where I am stuck with a problem or something like this :-)

Cheers,
Rajesh

Keith Alabaster commented:
lol, you don't need any help

rsivanandan commented:
:-) Experienced eyes Keith, I don't have 'em...

Cheers,
Rajesh

Keith Alabaster commented:
http://www.experts-exchange.com/Security/Firewalls/Q_21792758.html
Rajesh, cast your eyes over that one for me then please.
thanks
keith