inteq asked:

Cisco PIX 515 Intersite Routing

I have a PIX 515 in my network, which is connected to three different servers that are on different subnets:

Server A --->192.168.168.0/24
Server B --->191.168.168.0/24
Server C --->190.168.168.0/24

Right now Server A is not accessible to Servers B and C, and in the same way no server can access any other.

How can I make it possible for Server A to transfer some files to Server C?

Thanks
Les Moore

Can you explain where these servers/subnets are in relation to the PIX?
Is each subnet connected to a separate interface on the PIX?
What version PIX OS are you running?
What is your skill level? This will help us in knowing how much detailed assistance you need, or whether just gentle guidance will do.
cmonteith

Might be helpful if you post your current config, could better advise then.

I am assuming you have each network on its own interface of the PIX; otherwise you would need a router behind your PIX, and the PIX at that point would not likely be the cause of your problems.

If you have one "management" server that needs to be able to connect to the other two servers, but you don't need the other two to be able to initiate a connection back to server A, you can easily use the security levels feature to allow one server to make connections to the others.

In this example let's say server A is on Eth1, Server B is on Eth2 and Server C is on Eth 4.

If you do the following:

nameif ethernet1 inside security100
nameif ethernet2 DMZ-1 security50
nameif ethernet3 DMZ-2 security50

By default (in a standard configuration) a higher security zone will have access to a lower security zone. If server A is in a zone with a security level of 100, it would have access to grab files or other resources on hosts sitting on the other two interfaces with a value of 50.

Now this will only be the solution if you are doing all access of servers B and C from server A. If you need all servers to have access to all other servers then some access will need to be granted, either in the form of access lists or perhaps conduit statements (if you have a pretty old config on your PIX).

Also, the security statements affect everything on the interface. If you want all interfaces to have full access to each other then put them all at the same value. Keep in mind this also allows EVERYTHING connected to those interfaces to have full access to everything else (it more or less disables the "firewalling" between the interfaces). To accomplish this it would look something like:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ-1 security100
nameif ethernet3 DMZ-2 security100

I'll be honest, I've never tried to do this, but it *should* be an easy solution if all networks are truly trusted. Notice I also listed Eth0 in that one with a security level of 0. For obvious reasons you wouldn't want to allow this interface to be on the same security level as your internal network interfaces.
You cannot assign the same security level to any PIX interface prior to version 7.x, hence my question regarding what version you're using.
There are several different ways to accomplish this, but they are very different for PIX OS 6.x and 7.x.
inteq (ASKER)
Hi
The PIX version is 6.3

All the servers are connected to different PIX interfaces (internal) and are mapped to three different public IP addresses using statics.

Now I want to transfer some files from one server to another. How can I make this possible?

Thanks
If you will post your complete config we can customize a perfect solution for you.
inteq (ASKER)
HI Experts

Below is the current script, as you requested, so you can give a solution.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz2 security50
nameif ethernet3 dmz1 security50
nameif ethernet4 dmz3 security50
nameif ethernet5 intf5 security10
enable password Jy7EX5L7IaBR3eYJ encrypted
passwd Jy7EX5L7IaBR3eYJ encrypted
hostname NVPIX
domain-name abc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 203.204.224.0 singtel
name 203.208.235.0 Singtel1
object-group network sing
  network-object 223.228.224.0 255.255.255.0
  network-object Singtel1 255.255.255.0
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 223.228.226.71 eq smtp
access-list outside_access_in permit tcp any host 223.228.226.70 eq www
access-list outside_access_in permit tcp any host 223.228.226.69 eq www
access-list outside_access_in permit tcp any host 223.228.226.69 eq ftp
access-list outside_access_in permit icmp 223.228.224.0 255.255.255.0 host 223.228.226.69 echo
access-list outside_access_in permit icmp 223.228.224.0 255.255.255.0 host 223.228.226.70 echo
access-list outside_access_in permit icmp 223.228.224.0 255.255.255.0 host 223.228.226.71 echo
access-list outside_access_in permit icmp Singtel1 255.255.255.0 host 223.228.226.71 echo
access-list outside_access_in permit icmp Singtel1 255.255.255.0 host 223.228.226.70 echo
access-list outside_access_in permit icmp Singtel1 255.255.255.0 host 223.228.226.69 echo
access-list outside_access_in permit tcp any host 223.228.226.70 eq ftp
access-list outside_access_in permit tcp any host 223.228.226.70 eq ftp-data
access-list outside_access_in permit tcp any host 223.228.226.70 eq smtp
access-list inside_nat0_outbound permit ip any 192.168.8.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.6.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.7.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.8.0 255.255.255.224
access-list dmz1_nat0_outbound permit ip any 192.168.5.0 255.255.255.224
access-list dmz2_nat0_outbound permit ip any 192.168.6.0 255.255.255.224
access-list dmz3_nat0_outbound permit ip any 192.168.7.0 255.255.255.224
access-list vpn4_splitTunnelAcl permit ip 10.1.200.0 255.255.255.0 any
access-list vpn3_splitTunnelAcl permit ip 192.168.3.0 255.255.255.0 any
access-list vpn1_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list vpn2_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging on
logging timestamp
logging monitor informational
logging trap informational
logging host dmz1 192.168.1.10
mtu outside 1500
mtu inside 1500
mtu dmz2 1500
mtu dmz1 1500
mtu dmz3 1500
mtu intf5 1500
ip address outside 223.228.226.68 255.255.255.240
ip address inside 10.1.200.113 255.255.255.0
ip address dmz2 192.168.2.9 255.255.255.0
ip address dmz1 192.168.1.9 255.255.255.0
ip address dmz3 192.168.3.9 255.255.255.0
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn1 192.168.5.1-192.168.5.20
ip local pool vpn2 192.168.6.1-192.168.6.20
ip local pool vpn3 192.168.7.1-192.168.7.20
ip local pool vpn4 192.168.8.1-192.168.8.20
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz2
no failover ip address dmz1
no failover ip address dmz3
no failover ip address intf5
pdm location 10.1.200.2 255.255.255.255 inside
pdm location 10.1.200.0 255.255.255.240 outside
pdm location 192.168.1.10 255.255.255.255 dmz1
pdm location 192.168.3.10 255.255.255.255 dmz3
pdm location 192.168.2.10 255.255.255.255 dmz2
pdm location singtel 255.255.255.0 outside
pdm location 223.228.224.0 255.255.255.0 outside
pdm location Singtel1 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 223.228.226.77-223.228.226.78 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz2) 0 access-list dmz2_nat0_outbound
nat (dmz1) 0 access-list dmz1_nat0_outbound
nat (dmz3) 0 access-list dmz3_nat0_outbound
static (dmz3,outside) 223.228.226.71 192.168.3.10 netmask 255.255.255.255 0 0
static (dmz2,outside) 223.228.226.70 192.168.2.10 netmask 255.255.255.255 0 0
static (dmz1,outside) 223.228.226.69 192.168.1.10 netmask 255.255.255.255 0 0
static (dmz1,outside) 223.228.226.72 192.168.1.11 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 223.228.226.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.200.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server dmzmed 192.168.1.10 TFTP-Root
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn1 address-pool vpn1
vpngroup vpn1 dns-server 223.228.224.91 223.228.224.92
vpngroup vpn1 default-domain xyz.com
vpngroup vpn1 split-tunnel vpn1_splitTunnelAcl
vpngroup vpn1 idle-time 1800
vpngroup vpn1 password ********
vpngroup vpn2 address-pool vpn2
vpngroup vpn2 dns-server 223.228.224.91 223.228.224.92
vpngroup vpn2 default-domain xyz.com
vpngroup vpn2 split-tunnel vpn2_splitTunnelAcl
vpngroup vpn2 idle-time 1800
vpngroup vpn2 password ********
vpngroup vpn3 address-pool vpn3
vpngroup vpn3 dns-server 192.168.3.10 203.208.224.92
vpngroup vpn3 default-domain xyz.com
vpngroup vpn3 split-tunnel vpn3_splitTunnelAcl
vpngroup vpn3 idle-time 43200
vpngroup vpn3 password ********
vpngroup vpn4 address-pool vpn4
vpngroup vpn4 dns-server 223.228.224.91 223.228.224.92
vpngroup vpn4 default-domain xyz.com
vpngroup vpn4 split-tunnel vpn4_splitTunnelAcl
vpngroup vpn4 idle-time 1800
vpngroup vpn4 password ********
telnet 192.168.3.10 255.255.255.255 dmz3
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:eb1ac0834de011c6f474cec42bc44d6d
: end
Please provide the exact address of the two servers in question so we can provide you with the exact command you need. Which is server A and which is server C?
inteq (ASKER)

The server with IP address 192.168.1.10 wants to transfer some files through FTP to the server with IP address 192.168.2.10.

static (dmz1,dmz2) 192.168.1.10 192.168.1.10 netmask 255.255.255.255

With dmz1 and dmz2 at the same security level, that may be all you need.
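Added example, not posted by anyone in this thread: what the complete change looks like on the posted PIX 6.3(3) config if 192.168.1.10 on dmz1 is to FTP to 192.168.2.10 on dmz2. Addresses, interface names and the existing ACL/nat names are taken from the config above; the new level security40, the ACL name dmz1_access_in and the choice to lower dmz2 rather than raise dmz1 are assumptions made for the example. Lines starting with ": " are comments, the same convention the posted config uses for ": end".

```cisco
: Added example (not from the thread). Goal: 192.168.1.10 (dmz1) -> FTP -> 192.168.2.10 (dmz2)
: on PIX 6.3(3). "security40" and "dmz1_access_in" are assumed names/values.
:
: 1. PIX 6.x passes no traffic between interfaces of EQUAL security level (the
:    same-security-traffic command only appeared in 7.0), so dmz2 is moved below
:    dmz1. dmz1 stays at 50. Re-check "show static", "show nat" and
:    "show access-group" after this command to confirm nothing referencing dmz2
:    was dropped when its level changed.
nameif ethernet2 dmz2 security40
:
: 2. 6.x needs a translation for every flow, and the dmz1 host currently has no
:    xlate toward dmz2 (its only nat rule is the nat 0 exemption to the VPN pool).
:    An identity static lets it appear on dmz2 with its real address.
:    Argument order is: static (real_ifc,mapped_ifc) mapped_ip real_ip
static (dmz1,dmz2) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 0 0
:
: With dmz1 (50) now higher than dmz2 (40), dmz1 -> dmz2 is allowed by default and
: the existing "fixup protocol ftp 21" opens the FTP data channel in either mode.
:
: 3. Optional: limit dmz1 to exactly this flow. Binding an ACL to dmz1 turns on an
:    implicit deny for everything else leaving dmz1, so the flow the config already
:    exempts from NAT (dmz1_nat0_outbound, to the vpn1 pool 192.168.5.0/27) is
:    permitted explicitly to keep it working.
access-list dmz1_access_in permit tcp host 192.168.1.10 host 192.168.2.10 eq ftp
access-list dmz1_access_in permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.224
access-group dmz1_access_in in interface dmz1
:
: 4. A new static is not applied to translations that already exist; clear them,
:    start the FTP session from 192.168.1.10, then confirm the xlate and the
:    connection are built before saving.
clear xlate
show static
show xlate
show conn
write memory
```

If Server B later needs to initiate connections to Server A as well, the mirror of step 2 is required (static (dmz2,dmz1) 192.168.2.10 192.168.2.10 netmask 255.255.255.255 0 0) plus a permit entry in an access-list bound inbound on dmz2, because dmz2 is now the lower-security side and lower-to-higher traffic is denied unless an ACL allows it. The identity statics are separate from, and do not disturb, the existing (dmz1,outside) and (dmz2,outside) statics that publish the servers on 223.228.226.69 and .70.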
ASKER CERTIFIED SOLUTION
stressedout2004
inteq (ASKER)

Thanks a lot.

The thing finally worked