Cisco 1721 router with a pix firewall config

We are installing a new T1.5 internet protocol HDLC (static). We have a Cisco 1721 router with a separate PIX firewall. What is the config process and NAT assignments to have these two devices working properly?

What I am not sure of is do we put in a default gateway on the Pix to point to the WAN IP of the 1721 or the WAN IP from carrier. I know it cannot be to the LAN IP of the 1721 because the Pix will not send a packet back on the same interface it’s received.

Thanks for your help,

Mike
ServicePointUSAAsked:
calvinetterCommented:
hi Mike,  you'll need to be a lot more specific in your requirements, so we can help you.  A simple ASCII net diagram will also help.
>I know it cannot be to the LAN IP of the 1721 because the Pix will not send a packet back on the same interface...
  So you're *not* going to have the following typical setup??:  Internet <-> 1721 <-> PIX <-> inside LAN(s)
  Are there more than 1 internal LANs present? Please clarify the physical layout.

Important info to provide:
- This is a "point-to-point" T1 using HDLC encapsulation? (ISP has a Cisco router on the other end of this circuit?) And I assume the T1 connection will be plugged directly into a T1 card already installed in the router?
- Is the PIX's outside interface going to be directly connected to the LAN interface of the 1721?
- Is the LAN interface of the 1721 &/or the PIX outside interface going to have a public IP directly configured on it?
- Do you have any public servers that need to be accessible from the outside? ie, web, email, etc servers? If so, what are the LAN IPs of these servers going to be? And if they're going to be accessed by different IPs, post the IPs masked like so: x.x.x.81
- If a public email server is present, is it Exchange? If so, will you be using OWA? If OWA, will it be normal http or secure https?
- Please post "sanitized" public IPs that will be used in this config, but with correct subnet masks.  Example:
  ISP gateway: x.x.x.81
  WAN IP of router: x.x.x.82 with subnet mask 255.255.255.252
  LAN IP of router: x.x.x.202 with subnet mask 255.255.255.248
(But *don't* mask out private LAN IPs in these ranges: 10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
- What model of PIX?
- Is the PIX going to be giving out DHCP, or do you have an internal server for this already?
- Please post current "show run" output from both router & PIX (any public IPs "sanitized" as above), & indicate which interface on the 1721 will be the LAN interface.
- Please provide any other important info you can think of.

cheers
ServicePointUSAAuthor Commented:
Yes, it's point to point. T1 card in router CSU/DSU. PIX will be connected to router LAN. 1721 will have a public IP. Yes, public servers need to be accessed. No email server. Model of PIX is a 501. PIX will not be giving out DHCP. Cannot provide show run because we don't have it installed yet. No public IP available either. Can we substitute IPs for x.x.x.x?
Can you lead us in the right direction with this info?

Thanks Mike.
calvinetterCommented:
>1721 will have a public ip
  Public IP only on outside interface? No public IP on LAN interface & no public IP on PIX outside interface? ie, No 2nd public subnet for use by PIX, router LAN interface & public servers, & NAT going to be done on the router?  Not a recommended setup.  Believe me, it's much better & easier to have public IPs for: router LAN IP, PIX outside IP; & public IPs for each server.
   Just be aware, if you have more than one server of the same type - ie, 2 web servers to be accessed by the same public IP & both via tcp port 80 - this can't be done with a single public IP, not with the router or the PIX.

>Yes public servers need to be accessed.
   Ok, this is still very vague, but I could provide an example, & some URLs as guides.
>Can we substituite ip's for x.x.x.x
   Yes, but it's much easier to follow if we know the last number of the IP. And you don't lose any privacy/security this way.

Are you familiar with accessing the CLI interface on either the router or the PIX??

cheers
ServicePointUSAAuthor Commented:
The LAN side for the 1721 and Pix were going to be 192.168.6.x and then we'll have a public IP on the serial interface of the 1721. On the Pix there will also be a public IP on the WAN interface. We will have a block of 6 public IPs, so most clients will go out on the public IP of the Pix, but in the future there will be a handful of servers that will be NAT'd through the Pix, so 192.168.6.7 will translate to a public IP. Then inbound we might have an FTP server that will have restricted access by IP. We will not be doing port forwarding, so if we have another server that will host a different FTP site then it will go strictly by the IP address. We are vaguely familiar with the CLI. The main question here is the routing. If we have a client PC, its GW should be set to that of the 1721, so say it looks like this.

Client Internal IP - 192.168.6.10
GW - 192.168.6.2 - 1721
DNS - Will use ones assigned from provider

Client requests access to HTTP port 80 --> Cisco 1721 now on the 1721 do we have a route point to internal IP of pix 192.168.6.4 --> Pix 501 inspects traffic and then on the Pix do we have a static route to providers GW interface and then the client will be known on the Internet through the Public IP of the Pix 501?

Then on inbound what we want is this.

Remote client requests FTP to x.x.x.x (this being one of our public IPs that has a NAT translation in the Pix to 192.168.6.7). That hits the 1721 on the WAN interface, passes through to the Pix on the WAN side, is inspected and finds a match for the rule allowing FTP from that client to the FTP server in question, and is then passed to the server.
calvinetterCommented:
>The LAN side for the 1721 and Pix were going to be 192.168.6.x and then we'll have a public IP on
> the serial interface of the 1721. On the Pix there will also be a public IP on the WAN interface.
If you were intending something like this:
  router LAN IP: 192.168.6.x
  PIX WAN IP: <some public IP>
  PIX LAN IP: 192.168.6.y
...then this isn't possible.  The IP ranges on the _LAN_ side of both devices (inside subnets) *must* be different.

Since you said you'll have a block of 6 public IPs, below is a general example of how you'll want to set this up.  Since the info provided above is still pretty vague, I'll be making the following assumptions for the purpose of the example:
  Router WAN IP: 2.2.2.2 subnet mask: 255.255.255.252
  Router default gateway at ISP: 2.2.2.1
  Router WAN interface: Serial0
  Public block of 6 IPs: 1.1.1.0 subnet mask: 255.255.255.248 (usable IPs: 1.1.1.1-1.1.1.6)
  Router LAN (inside) IP: 1.1.1.1
  Router LAN interface: FastEthernet0
  PIX WAN IP: 1.1.1.2
  LAN behind PIX: 192.168.6.x
  PIX LAN IP: 192.168.6.1
  default gateway for PCs behind PIX: 192.168.6.1
  web server behind PIX: 192.168.6.18 (accessible from Internet via public IP: 1.1.1.3)
  web server behind PIX: 192.168.6.7 (accessible from Internet via public IP: 1.1.1.4)

  On 1721:
----------
interface FastEthernet0
ip address 1.1.1.1 255.255.255.248
no shut
exit

interface Serial0
ip address 2.2.2.2 255.255.255.252
no shut
exit

ip route 0.0.0.0 0.0.0.0 2.2.2.1
copy run start   <- saves config to the router

  On PIX:
---------
access-list inbound permit icmp any any echo-reply   <- allow replies for outbound pings
access-list inbound permit tcp any host 1.1.1.3 eq 80  <- allow access to web server
access-list inbound permit tcp any host 1.1.1.4 eq 21  <- allow access to FTP server
access-group inbound in interface outside
ip address outside 1.1.1.2 255.255.255.248
ip address inside 192.168.6.1 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 1.1.1.1
clear xlate
static (inside,outside) 1.1.1.3 192.168.6.18
static (inside,outside) 1.1.1.4 192.168.6.7
write mem     <- saves config to the PIX

Once again, the above is a basic general example only, based on the info provided. You'll of course need to substitute IPs & actual interface names as necessary to match what you'll have.  You'll need to connect the router LAN interface (FastEthernet0) to the PIX outside interface with a crossover Ethernet cable, not a regular Ethernet cable.

  Some other general references:
http://www.experts-exchange.com/Security/Firewalls/Q_21630922.html
http://www.experts-exchange.com/Security/Firewalls/Q_21573481.html
  PIX config guide - PIX software version 6.3:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/index.htm
  PIX config guide - PIX version 7.x (PIX models 515 or above only):
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/index.htm

cheers
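As an added example (not part of this thread or either vendor's tooling), the script below encodes the addressing and routing rules from the answer above as checks over a plan dict: the ISP gateway must sit on the router's WAN /30, the router LAN IP and PIX outside IP must be usable hosts in the same public /29, the router LAN and PIX inside subnets must differ, the PIX default route must point at the router's LAN IP (reached via the PIX outside interface, not the carrier's WAN IP), and each static's public IP must be a free usable address in the block. The PLAN values are constructed to match the example in the answer.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed addressing plan mirroring the example above (assumed values;
# substitute your own public block, interface IPs and statics).
PLAN = {
    "router_wan": "2.2.2.2/30",
    "isp_gateway": "2.2.2.1",
    "public_block": "1.1.1.0/29",
    "router_lan": "1.1.1.1/29",
    "pix_outside": "1.1.1.2/29",
    "pix_inside": "192.168.6.1/24",
    "pix_default_gw": "1.1.1.1",
    "statics": {"1.1.1.3": "192.168.6.18", "1.1.1.4": "192.168.6.7"},
}


def check_plan(plan):
    """Return a list of problems with the addressing plan (empty list = OK)."""
    problems = []
    router_wan = ip_interface(plan["router_wan"])
    router_lan = ip_interface(plan["router_lan"])
    pix_out = ip_interface(plan["pix_outside"])
    pix_in = ip_interface(plan["pix_inside"])
    block = ip_network(plan["public_block"])
    gw = ip_address(plan["pix_default_gw"])

    # The ISP gateway must be on the router's point-to-point WAN subnet.
    if ip_address(plan["isp_gateway"]) not in router_wan.network:
        problems.append("ISP gateway is not on the router WAN subnet")
    # Router LAN and PIX outside must both be usable hosts in the public block.
    for name, iface in (("router LAN", router_lan), ("PIX outside", pix_out)):
        if iface.network != block or iface.ip not in block.hosts():
            problems.append(f"{name} IP is not a usable host in {block}")
    # The inside subnets of the router and the PIX must not overlap.
    if router_lan.network.overlaps(pix_in.network):
        problems.append("router LAN subnet and PIX inside subnet must differ")
    # The PIX default route must point at the router LAN IP, via the outside interface.
    if gw != router_lan.ip:
        problems.append("PIX default gateway must be the router LAN IP")
    if gw not in pix_out.network:
        problems.append("PIX default gateway is not reachable via the outside interface")
    # Statics: public IP free and inside the block, private IP behind the PIX.
    used = {router_lan.ip, pix_out.ip}
    for pub, priv in plan["statics"].items():
        pub_ip, priv_ip = ip_address(pub), ip_address(priv)
        if pub_ip not in block.hosts() or pub_ip in used:
            problems.append(f"static {pub} is not a free usable IP in {block}")
        if priv_ip not in pix_in.network:
            problems.append(f"static target {priv} is not behind the PIX")
        used.add(pub_ip)
    return problems
```

Feeding it the asker's original idea (PIX default gateway set to the carrier's WAN IP, or a 192.168.6.x address on the router LAN side) reports the specific rule that breaks.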

ServicePointUSAAuthor Commented:
Thanks for the clarification. Now one last question on physical cabling of this setup. The T1 connection will go into the serial interface of the 1721, now should I put a switch where the fastethernet can connect to and then on the Pix plug the WAN interface into the same switch? Then I have a core switch where my users are on that I assume the LAN side of the Pix can connect into?
calvinetterCommented:
You don't need a switch between the PIX & 1721... I wouldn't, unless you have a specific reason to do so.  Adding a switch is adding another potential point of failure.  Just connect a Cat5 crossover cable between the 1721 & the PIX.

cheers
ServicePointUSAAuthor Commented:
That's what I first envisioned, and that's what we will now do. Thank you for all of your suggestions!