Small ISP network Configuration

Hi All,

I need your help to resolve this network setup for a client.

Here is the current configuration:

1). Windows 2000 & Windows 2003 Servers in a server farm of 18 machines.
2). Dedicated T1 connectivity with a class "C" address space.
3). 2 domain controllers running windows 2000 with active directory integrated DNS with 7 member servers, and 2 domain controllers running windows 2003 with active directory integratged DNS with 7 members servers.
4). Domain controllers with integrated active directory based DNS act as the primary and secondary name servers for the hosted domains.
5). Member servers are running IIS,SQL and Mail. Each member server is multihomed with dedicated ip address for each domain hosted under the network.
6). They have some partnered companies that access their servers to updated application specific data, so they need remote desktop access to these servers time to time.

I have been asked to take care of this network and implement a firewall solution for it asap since they are experiencing network issues time to time. Past management people purchased a pix firewall 506E, but they never able to implement it.

Here are my questions;
1). If i were to move the existing network inside the Pix interface then, all address will be changed to private address and i can setup the pix to provide the NAT translation.
Thus,  a public class 'c' address as will translated to If i do this, all the members server and domain controllers ip address will be changed to private address, since it's active directory integrated, that would change the DNS zones to point to private address and people in the internet will not be able to access it ? Can you apply DNS doctoring on this ? If so how would you setup that in the pix 506E. I am asking this based on what i read on this site.

2). What is the best recommended network design model for a similar network ?

3). Is PIX 506E is enough for this ?

4). Implementing VPN solution for partner access ?

5). What is the based way to migrate this to new network model with no down time ?

Since i am new to Cisco Pix products, it would be helpfull if you can provide more information as possible on the possible network designs and configurations !
If you have any questions, please kindly ask me, and i will clear up with much information as i can.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hi, there

I would suggest the following scenario to you.

1. How many public IP addresses do you have ? Specify
2. How many different companies is at that specific location.

These servers you are mentioning are they all belonging to the same Subnet "company". Are all the hosted companies allowed to browse the whoile network "Security" issues. do you want to share a DNS server to all hosted companies inside.

If the internal companie's is not allowed to browse inside the doamin do people need to access these servers remote as you described.

I think in some way we need to make a network diagram of what your goals are and the objectivies.

tssivaAuthor Commented:
Hi Cooledit,

Here are answers to your questions;

1). 255 public address ( entire class c address space )
2). There are two different companies, so each company used 2 domain cotrollers and 7 member servers.

Yes they all belong to the same subnet. Hosted clients don't have remote desktop access, only with partnered companies, according to them there two companies that managed the content of the web site. DNS server will shared for the hosted companies. Hosted site will have only access to www, email and sql database.

Here is a sample diagram

 T1 connection ----> Swtich ---> Server Farm A
                                         ---> Server Farm B

Server Farm A
----------------- Domain: ABC.COM
1). Primary Active Directory Controller     ip:
2)  Secondary Active Direcotry Contoller  ip:
3,4,5,6,7). Webserver - multihomed with each domain with unique ip
        ex: ---->
* some of these web server running sql server.
8). Mail server -

All DNS for the sites hosted in the server 3 to 8 are hosted in 1,2.

Server Farm B
----------------- Domain: XYZ.COM
1). Primary Active Directory controller with active directory integraded DNS    ip:
2). Secondary Active Directory controller with active direcotry integrated DNS ip:
3,4,5,6) Web servers multihomed with  each domain with unique ip
   ex: --> -->
7,8). Mail Servers ip:,

All DNS for these sites are hosted in servers 3 to 6 are hosted in 1,2.

Now, extendting or changing this network based on recommandations with a Pix Firewall ?

So it will be some thing like this ?
       201.20.20.x                   10.20.20.x
T1 ---> Pix ---> switch --- > Server Farm A
                                  --- > Server Farm B

How would this effect the integrateded active directory DNS ? Can we do DNS doctoring on the pix to make it work ? I am bit confused about this, and need a good solution that can be easily upgraded with minimum down time ? I hope this helps !
This is a complicated migration but handled step by step is not difficult the issues are not network layout but ip addressing, access rules, and dns
1. yes, you would create static translations for the outside address to the inside address and lets assume it host web services and rdp the config for this particular machine would be similar to this
static (inside,outside) netmask 0 0
access-list outside_access_in permit tcp any host eq www
access-list outside_access_in permit tcp host x.x.x.x eq 3389
where x.x.x.x could be the ip address of a partner

2. Again your network model or layout would not really change

3. Yes the pix 506e is enough but can not handle failover so stepping up to two 516e's would be more appropriate

4.As far as down time there would be down time but could be minimal with the proper planning and pre configuration. ie internal address ch anges and config of pix box

5. as far has dns you could consildate all public dns records to one machine and create an access rule through the pix to push out just those records for your public dns

Hope this helps

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

tssivaAuthor Commented:
Dawilliams, Thanks for the info. How would you congfigure the PIX 506E ?
Would you use the web interface or the console approach ?

Since i am new to this i would really appricate a detailed step approch to doing setup 1 ?

telnet or ssh , the pdm usually breaks more than it fixes

I could help you configure the pix you mentioned the pix was not implemented is it online at all?
first step would be to configure the pix off line

if its online send along what is configured already and we'll look at it
from the command line type  " sh ru"
then  "sh ver"
paste the results
if its not online set it up and use the terminal cable from the host pc use hyperterminal or telnet into it and then do the commands above and paste the results
you dont have to plug ant ethernet cable to it just the terminal cable for now.
tssivaAuthor Commented:

I have added the pix into one of the free ip and set it up through the PDM. Since i am learning i want to see how it works.

Here is the output;
pixfirewall# sh ver

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)

Compiled on Fri 02-Jul-04 00:07 by morlee

pixfirewall up 3 mins 8 secs

Hardware:   PIX-506E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0014.6a66.e26d, irq 10
1: ethernet1: address is 0014.6a66.e26e, irq 11
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 809222482 (0x303bc152)
Running Activation Key: 0xc1d5856a 0x74d099b0 0x59d93f14 0x61a3086e
Configuration has not been modified since last system restart.
pixfirewall# sh ip
System IP Addresses:
        ip address outside
        ip address inside
Current IP Addresses:
        ip address outside
        ip address inside
pixfirewall# sh ur
Ambiguous command. Please enter more characters.
pixfirewall# sh ru
: Saved
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end
I haven't added any access rules or anything. Just put a external address and assigned a internal subnet, i was able to access the internet, that's all. If you can help with a config that would allow the above requirement would be nice. Also if you can provide me a step by step approach, i can try lean each configuration settings.

Thanks for you help.
tssivaAuthor Commented:
One more question, i do have a cisco support package service contract for this. I believe it's the basic one. Should need to upgrade the OS on the pix to 7.1 ? If so how would i do that ?

To be honest I'm not sure What differences there are but updateting is a matter of downloading a file and running the proper command , if you plan on updating to the 7.1 I suggest you do that first before we configure it then we'll work on the access rules.
tssivaAuthor Commented:
Ok, But i don't think i am going to do that. Since it requires me to upgrade the memory to atleast 64MB. Let's get this working then i can ask them to fund for new Pix 515E.

tssivaAuthor Commented:
Ok, thanks for the info. I talk to the managment, but said can't afford to get a Pix 515E rightaway, so i have to use this for a while. Can you please provide me the setup to configure this device ?

Lets start with this
Do you  have a dhcp server set up to handle the new 10.x.x.x. addresses and also you mentioned the servers have outside ips is this correct

this is what you could do do get the outside mapped to the inside if your sticking with the 10.20.20.x scheme
static (inside,outside) netmask 0 0

this would allow web access
access-list outside_access_in permit tcp any host eq www

this would alow rdp to the specific pc
access-list outside_access_in permit tcp host x.x.x.x eq 3389
where x.x.x.x could be the wan ip address of a partner
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.