Small ISP network Configuration

Posted on 2006-04-04
Last Modified: 2010-03-19
Hi All,

I need your help to resolve this network setup for a client.

Here is the current configuration:

1). Windows 2000 & Windows 2003 Servers in a server farm of 18 machines.
2). Dedicated T1 connectivity with a class "C" address space.
3). 2 domain controllers running Windows 2000 with Active Directory integrated DNS with 7 member servers, and 2 domain controllers running Windows 2003 with Active Directory integrated DNS with 7 member servers.
4). Domain controllers with integrated Active Directory based DNS act as the primary and secondary name servers for the hosted domains.
5). Member servers are running IIS, SQL and mail. Each member server is multihomed with a dedicated IP address for each domain hosted under the network.
6). They have some partnered companies that access their servers to update application-specific data, so they need remote desktop access to these servers from time to time.

I have been asked to take care of this network and implement a firewall solution for it ASAP, since they are experiencing network issues from time to time. Past management people purchased a PIX 506E firewall, but they were never able to implement it.

Here are my questions:
1). If I were to move the existing network behind the PIX inside interface, then all addresses will be changed to private addresses and I can set up the PIX to provide the NAT translation.
Thus, a public class 'C' address will be translated to a private one. If I do this, all the member server and domain controller IP addresses will be changed to private addresses; since it's Active Directory integrated, that would change the DNS zones to point to private addresses, and people on the Internet will not be able to access them? Can you apply DNS doctoring to this? If so, how would you set that up on the PIX 506E? I am asking this based on what I read on this site.

2). What is the best recommended network design model for a similar network?

3). Is a PIX 506E enough for this?

4). Implementing a VPN solution for partner access?

5). What is the best way to migrate this to the new network model with no down time?

Since I am new to Cisco PIX products, it would be helpful if you can provide as much information as possible on the possible network designs and configurations!
If you have any questions, please kindly ask me, and I will clarify with as much information as I can.

Question by: tssiva

    Expert Comment

    Hi there,

    I would suggest the following scenario to you.

    1. How many public IP addresses do you have? Specify.
    2. How many different companies are at that specific location?

    These servers you are mentioning, do they all belong to the same subnet ("company")? Are all the hosted companies allowed to browse the whole network ("security" issues)? Do you want to share a DNS server with all hosted companies inside?

    If the internal companies are not allowed to browse inside the domain, do people need to access these servers remotely as you described?

    I think in some way we need to make a network diagram of what your goals and objectives are.


    Author Comment

    Hi Cooledit,

    Here are answers to your questions:

    1). 255 public addresses (entire class C address space)
    2). There are two different companies, so each company uses 2 domain controllers and 7 member servers.

    Yes, they all belong to the same subnet. Hosted clients don't have remote desktop access, only partnered companies; according to them there are two companies that manage the content of the web sites. The DNS server will be shared for the hosted companies. Hosted sites will only have access to www, email and the SQL database.

    Here is a sample diagram

     T1 connection ----> Switch ---> Server Farm A
                                 ---> Server Farm B

    Server Farm A
    ----------------- Domain: ABC.COM
    1). Primary Active Directory controller      ip:
    2). Secondary Active Directory controller    ip:
    3,4,5,6,7). Web servers, multihomed, each domain with a unique IP
            ex: ---->
    * Some of these web servers are running SQL Server.
    8). Mail server -

    All DNS for the sites hosted on servers 3 to 8 is hosted on 1 and 2.

    Server Farm B
    ----------------- Domain: XYZ.COM
    1). Primary Active Directory controller with Active Directory integrated DNS    ip:
    2). Secondary Active Directory controller with Active Directory integrated DNS  ip:
    3,4,5,6). Web servers, multihomed, each domain with a unique IP
       ex: -->
    7,8). Mail servers ip:,

    All DNS for the sites hosted on servers 3 to 6 is hosted on 1 and 2.

    Now, extending or changing this network based on recommendations, with a PIX firewall?

    So it will be something like this?
           201.20.20.x                   10.20.20.x
    T1 ---> PIX ---> switch ---> Server Farm A
                             ---> Server Farm B

    How would this affect the integrated Active Directory DNS? Can we do DNS doctoring on the PIX to make it work? I am a bit confused about this, and need a good solution that can be easily upgraded with minimum down time. I hope this helps!

    Accepted Solution

    This is a complicated migration, but handled step by step it is not difficult. The issues are not network layout but IP addressing, access rules, and DNS.
    1. Yes, you would create static translations for the outside address to the inside address. Let's assume it hosts web services and RDP; the config for this particular machine would be similar to this:
    static (inside,outside) netmask 0 0
    access-list outside_access_in permit tcp any host eq www
    access-list outside_access_in permit tcp host x.x.x.x eq 3389
    where x.x.x.x could be the IP address of a partner

    2. Again, your network model or layout would not really change.

    3. Yes, the PIX 506E is enough, but it cannot handle failover, so stepping up to two 516E's would be more appropriate.

    4. As far as down time, there would be down time, but it could be minimal with the proper planning and pre-configuration, i.e. internal address changes and config of the PIX box.

    5. As far as DNS, you could consolidate all public DNS records to one machine and create an access rule through the PIX to push out just those records for your public DNS.

    Hope this helps
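    The DNS doctoring the question asks about, shown as a simulation of what the firewall's DNS rewrite does to an A record on its way out. This is an added example for this thread, not code from the page or from Cisco: an inside DNS server answers an outside client with the server's private address, and the firewall rewrites that address to the public address of the matching static translation. The addresses are constructed (RFC 1918 inside, RFC 5737 outside) and STATICS is an assumed translation table; on PIX 6.3 this rewrite is performed by the DNS fixup for static translations, while on 7.x it has to be enabled per translation with the dns keyword on the static command.

```python
"""Simulate DNS doctoring: rewrite inside (private) addresses in the answer
section of a DNS reply to the outside (public) address of the matching
static translation.  Only the inside->outside direction is modelled."""
import socket
import struct

# Assumed static translations: inside (private) -> outside (public), the same
# pairs a `static (inside,outside) <outside> <inside>` line would carry.
STATICS = {
    "10.20.20.10": "203.0.113.10",
    "10.20.20.11": "203.0.113.11",
}


def build_response(qname, answers, txid=0x1234):
    """Constructed test input: a minimal DNS reply with one question and one
    A record per address, no name compression."""
    name = b"".join(bytes([len(label)]) + label.encode()
                    for label in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = name + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    rrs = b"".join(name + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                   for ip in answers)
    return header + question + rrs


def _skip_name(buf, off):
    """Offset just past a wire-format name; a compression pointer ends it."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def _answers(buf):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each answer-section RR."""
    qdcount, ancount = struct.unpack_from("!HH", buf, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4           # skip QTYPE/QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def answer_ips(buf):
    """Addresses carried by the A records in the answer section."""
    return [socket.inet_ntoa(buf[o:o + 4])
            for o, t, c, n in _answers(buf) if (t, c, n) == (1, 1, 4)]


def doctor(buf, statics=STATICS):
    """Rewrite inside addresses to their outside counterparts in place.
    Returns (rewritten_packet, [(inside, outside), ...]).  Records for hosts
    without a static are left untouched, which is exactly how a private
    address leaks to the Internet when the public zone is not consolidated."""
    out = bytearray(buf)
    rewrites = []
    for o, t, c, n in _answers(buf):
        if (t, c, n) != (1, 1, 4):
            continue
        inside = socket.inet_ntoa(buf[o:o + 4])
        if inside in statics:
            out[o:o + 4] = socket.inet_aton(statics[inside])
            rewrites.append((inside, statics[inside]))
    return bytes(out), rewrites


if __name__ == "__main__":
    reply = build_response("www.abc.com", ["10.20.20.10", "10.20.20.99"])
    fixed, changed = doctor(reply)
    print("before:", answer_ips(reply))
    print("after: ", answer_ips(fixed), "rewrites:", changed)
```

    The second address in the sample reply has no static, so it comes back to the outside client unchanged. That is the practical argument for the expert's point 5: either every host that appears in a public zone has a static, or the public records live on one server that only carries public addresses.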

    Author Comment

    Dawilliams, thanks for the info. How would you configure the PIX 506E?
    Would you use the web interface or the console approach?

    Since I am new to this, I would really appreciate a detailed step approach to doing setup 1?


    Expert Comment

    Telnet or SSH; the PDM usually breaks more than it fixes.

    I could help you configure the PIX. You mentioned the PIX was not implemented; is it online at all?
    The first step would be to configure the PIX offline.

    If it's online, send along what is configured already and we'll look at it.
    From the command line type "sh ru"
    then "sh ver"
    and paste the results.
    If it's not online, set it up and use the terminal cable from the host PC (use HyperTerminal) or telnet into it, then do the commands above and paste the results.
    You don't have to plug an Ethernet cable into it, just the terminal cable for now.

    Author Comment


    I have added the PIX on one of the free IPs and set it up through the PDM. Since I am learning, I want to see how it works.

    Here is the output;
    pixfirewall# sh ver

    Cisco PIX Firewall Version 6.3(4)
    Cisco PIX Device Manager Version 3.0(2)

    Compiled on Fri 02-Jul-04 00:07 by morlee

    pixfirewall up 3 mins 8 secs

    Hardware:   PIX-506E, 32 MB RAM, CPU Pentium II 433 MHz
    Flash E28F640J3 @ 0x300, 8MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB

    0: ethernet0: address is 0014.6a66.e26d, irq 10
    1: ethernet1: address is 0014.6a66.e26e, irq 11
    Licensed Features:
    Failover:                    Disabled
    VPN-DES:                     Enabled
    VPN-3DES-AES:                Enabled
    Maximum Physical Interfaces: 2
    Maximum Interfaces:          2
    Cut-through Proxy:           Enabled
    Guards:                      Enabled
    URL-filtering:               Enabled
    Inside Hosts:                Unlimited
    Throughput:                  Unlimited
    IKE peers:                   Unlimited

    This PIX has a Restricted (R) license.

    Serial Number: 809222482 (0x303bc152)
    Running Activation Key: 0xc1d5856a 0x74d099b0 0x59d93f14 0x61a3086e
    Configuration has not been modified since last system restart.
    pixfirewall# sh ip
    System IP Addresses:
            ip address outside
            ip address inside
    Current IP Addresses:
            ip address outside
            ip address inside
    pixfirewall# sh ur
    Ambiguous command. Please enter more characters.
    pixfirewall# sh ru
    : Saved
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixfirewall
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    pager lines 24
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0 0
    route outside 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address inside
    dhcpd dns
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    : end
    I haven't added any access rules or anything. I just put an external address and assigned an internal subnet, and I was able to access the Internet, that's all. If you can help with a config that would allow the above requirement, that would be nice. Also, if you can provide me a step by step approach, I can try to learn each configuration setting.

    Thanks for your help.

    Author Comment

    One more question: I do have a Cisco support package service contract for this. I believe it's the basic one. Should I upgrade the OS on the PIX to 7.1? If so, how would I do that?


    Expert Comment

    To be honest, I'm not sure what differences there are, but updating is a matter of downloading a file and running the proper command. If you plan on updating to 7.1, I suggest you do that first before we configure it; then we'll work on the access rules.

    Author Comment

    Ok, but I don't think I am going to do that, since it requires me to upgrade the memory to at least 64MB. Let's get this working, then I can ask them to fund a new PIX 515E.

    Author Comment

    Ok, thanks for the info. I talked to the management, but they said they can't afford to get a PIX 515E right away, so I have to use this for a while. Can you please provide me the setup to configure this device?


    Expert Comment

    Let's start with this.
    Do you have a DHCP server set up to handle the new 10.x.x.x addresses? Also, you mentioned the servers have outside IPs; is this correct?

    This is what you could do to get the outside mapped to the inside if you're sticking with the 10.20.20.x scheme:
    static (inside,outside) netmask 0 0

    This would allow web access:
    access-list outside_access_in permit tcp any host eq www

    This would allow RDP to the specific PC:
    access-list outside_access_in permit tcp host x.x.x.x eq 3389
    where x.x.x.x could be the WAN IP address of a partner
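    The static and access-list lines in the two expert comments above, worked through for a whole farm rather than one machine. This is an added example for this thread, not code from the page or from Cisco: it generates the one-to-one statics and the outside ACL from a small inventory and then lints the result for the mistakes that matter here (RDP opened to any, an ACL that is never bound with access-group, the default SNMP community that the posted sh run still carries). INVENTORY, PARTNERS and the 203.0.113.0/24 public block are constructed, and the PIX 6.3 syntax (static ... netmask 255.255.255.255 0 0, access-list ..., access-group ... in interface outside) is reproduced as I understand it from the 6.3 command reference, so check it against the version you run.

```python
"""Generate PIX 6.3 statics plus an outside ACL from an inventory, and lint
any PIX config lines for the usual inbound-access mistakes."""
import ipaddress

# Constructed inventory: public IP -> (inside IP, services exposed to the world).
INVENTORY = {
    "203.0.113.10": ("10.20.20.10", {"www", "smtp"}),
    "203.0.113.11": ("10.20.20.11", {"www"}),
    "203.0.113.53": ("10.20.20.53", {"domain"}),    # the consolidated public DNS host
}
# Constructed partner WAN addresses allowed to reach RDP on a specific server.
PARTNERS = {"203.0.113.11": ["198.51.100.7"]}
# Service name -> (protocol, PIX port keyword).
SERVICE = {"www": ("tcp", "www"), "smtp": ("tcp", "smtp"), "domain": ("udp", "domain")}


def generate(inventory=INVENTORY, partners=PARTNERS, acl="outside_access_in"):
    """Emit statics first, then one permit per exposed service, then RDP
    restricted to named partner hosts, then the access-group that makes
    the ACL take effect.  Nothing here opens 3389 to `any`."""
    lines = []
    for public, (inside, _) in inventory.items():
        ipaddress.ip_address(public), ipaddress.ip_address(inside)   # fail early on typos
        lines.append(f"static (inside,outside) {public} {inside} netmask 255.255.255.255 0 0")
    for public, (_, services) in inventory.items():
        for svc in sorted(services):
            proto, port = SERVICE[svc]
            lines.append(f"access-list {acl} permit {proto} any host {public} eq {port}")
        for src in partners.get(public, []):
            lines.append(f"access-list {acl} permit tcp host {src} host {public} eq 3389")
    lines.append(f"access-group {acl} in interface outside")
    return lines


def _acl_parts(tokens):
    """(proto, src, dst, port) from an `access-list NAME permit ...` line, else None."""
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] != "permit":
        return None

    def take(rest):
        # Source/destination spec: `any`, `host A.B.C.D`, or `NET MASK`.
        if not rest:
            return None, rest
        if rest[0] == "any":
            return "any", rest[1:]
        if rest[0] == "host" and len(rest) > 1:
            return rest[1], rest[2:]
        if len(rest) > 1:
            return rest[0] + "/" + rest[1], rest[2:]
        return None, rest

    src, rest = take(tokens[4:])
    dst, rest = take(rest)
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return tokens[3], src, dst, port


def lint(lines):
    """Findings for the mistakes that bite on this kind of setup."""
    findings = []
    if not any(l.startswith("access-group") and "in interface outside" in l for l in lines):
        findings.append("no access-group on outside: the ACL is inert and nothing inbound reaches the statics")
    for line in lines:
        parts = _acl_parts(line.split())
        if parts and parts[1] == "any" and parts[3] in ("3389", "telnet", "23"):
            findings.append(f"remote admin open to any: {line}")
        if line.startswith("snmp-server community") and line.split()[-1] == "public":
            findings.append("default SNMP community string 'public'")
    return findings


if __name__ == "__main__":
    cfg = generate()
    print("\n".join(cfg))
    print("findings:", lint(cfg))
```

    Run lint() over the pasted sh run as well as over the generated lines: the posted configuration has no access-group and still has snmp-server community public, and both show up before anything is typed into the box.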
