Cisco PIX 515 Intersite Routing

I have a PIX 515 in my network, which is connected to three different servers which are on different subnets

Server A --->192.168.168.0/24
Server B --->191.168.168.0/24
Server C --->190.168.168.0/24

Right now Server A is not accessible to Server C & B, and in the same way no server can access any of the others.

How can I make it possible for Server A to transfer some files to Server C?

Thanks
inteqAsked:

lrmooreCommented:
Can you explain where these servers/subnets are in relation to the PIX?
Is each subnet connected to a separate interface on the PIX?
What version PIX OS are you running?
What is your skill level? This will help us in knowing how much detailed assistance you need, or just gentle guidance..
0
cmonteithCommented:
Might be helpful if you post your current config, could better advise then.

I am assuming you have each network on its own interface of the PIX, otherwise you would need a router behind your PIX and the PIX at that point would not likely be the cause of your problems.

If you have one "management" server that needs to be able to connect to the other two servers, but you don't need the other two to be able to initiate a connection back to server A, you can easily use the security levels feature to allow one server to make connections to the others.

In this example let's say server A is on Eth1, Server B is on Eth2 and Server 3 is on Eth 4.

If you do the following:

nameif ethernet1 inside security100
nameif ethernet2 DMZ-1 security50
nameif ethernet3 DMZ-2 security50

By default (in a standard configuration) a higher security zone will have access to a lower security zone.  If server A is in a zone with a security level of 100, it would have access to grab files or other resources on hosts sitting in the other two interfaces with a value of 50.

Now this will only be the solution if you are doing all access of servers B and C from server A.  If you need all servers to have access to all other servers then some access will need to be granted, either in the form of Access Lists or perhaps Conduit statements (if you have a pretty old config on your PIX.)

Also, the security statements affect everything on the interface. If you want all interfaces to have full access to each other then put them all at the same value. Keep in mind this also allows EVERYTHING connected to those interfaces to have full access to everything else (it more or less disables the "firewalling" between the interfaces). To accomplish this it would look something like:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ-1 security100
nameif ethernet3 DMZ-2 security100

I'll be honest, I've never tried to do this, but it *should* be an easy solution if all networks are truly trusted. Notice I also listed Eth0 in that one with a security level of 0. For obvious reasons you wouldn't want to allow this interface to be on the same security level as your internal network interfaces.
0
lrmooreCommented:
You cannot assign the same security level to any PIX interface prior to version 7.x, hence my question regarding what version you're using.
There are several different ways to accomplish this, but they are very different for PIX OS 6.x and 7.x
0

inteqAuthor Commented:
Hi
The PIX version is 6.3

All the servers are connected to different PIX interfaces (internal) and are mapped to three different public IP addresses using statics.

Now I want to transfer some files from one server to another. How can I make it possible?

Thanks
0
lrmooreCommented:
If you will post your complete config we can customize a perfect solution for you.
0
inteqAuthor Commented:
Hi Experts

Below is the current config, as you requested, so you can give a solution:



PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz2 security50
nameif ethernet3 dmz1 security50
nameif ethernet4 dmz3 security50
nameif ethernet5 intf5 security10
enable password Jy7EX5L7IaBR3eYJ encrypted
passwd Jy7EX5L7IaBR3eYJ encrypted
hostname NVPIX
domain-name abc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 203.204.224.0 singtel
name 203.208.235.0 Singtel1
object-group network sing
  network-object 223.228.224.0 255.255.255.0
  network-object Singtel1 255.255.255.0
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 223.228.226.71 eq smtp
access-list outside_access_in permit tcp any host 223.228.226.70 eq www
access-list outside_access_in permit tcp any host 223.228.226.69 eq www
access-list outside_access_in permit tcp any host 223.228.226.69 eq ftp
access-list outside_access_in permit icmp 223.228.224.0 255.255.255.0 host 223.228.226.69 echo
access-list outside_access_in permit icmp 223.228.224.0 255.255.255.0 host 223.228.226.70 echo
access-list outside_access_in permit icmp 223.228.224.0 255.255.255.0 host 223.228.226.71 echo
access-list outside_access_in permit icmp Singtel1 255.255.255.0 host 223.228.226.71 echo
access-list outside_access_in permit icmp Singtel1 255.255.255.0 host 223.228.226.70 echo
access-list outside_access_in permit icmp Singtel1 255.255.255.0 host 223.228.226.69 echo
access-list outside_access_in permit tcp any host 223.228.226.70 eq ftp
access-list outside_access_in permit tcp any host 223.228.226.70 eq ftp-data
access-list outside_access_in permit tcp any host 223.228.226.70 eq smtp
access-list inside_nat0_outbound permit ip any 192.168.8.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.6.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.7.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.8.0 255.255.255.224
access-list dmz1_nat0_outbound permit ip any 192.168.5.0 255.255.255.224
access-list dmz2_nat0_outbound permit ip any 192.168.6.0 255.255.255.224
access-list dmz3_nat0_outbound permit ip any 192.168.7.0 255.255.255.224
access-list vpn4_splitTunnelAcl permit ip 10.1.200.0 255.255.255.0 any
access-list vpn3_splitTunnelAcl permit ip 192.168.3.0 255.255.255.0 any
access-list vpn1_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list vpn2_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging on
logging timestamp
logging monitor informational
logging trap informational
logging host dmz1 192.168.1.10
mtu outside 1500
mtu inside 1500
mtu dmz2 1500
mtu dmz1 1500
mtu dmz3 1500
mtu intf5 1500
ip address outside 223.228.226.68 255.255.255.240
ip address inside 10.1.200.113 255.255.255.0
ip address dmz2 192.168.2.9 255.255.255.0
ip address dmz1 192.168.1.9 255.255.255.0
ip address dmz3 192.168.3.9 255.255.255.0
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn1 192.168.5.1-192.168.5.20
ip local pool vpn2 192.168.6.1-192.168.6.20
ip local pool vpn3 192.168.7.1-192.168.7.20
ip local pool vpn4 192.168.8.1-192.168.8.20
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz2
no failover ip address dmz1
no failover ip address dmz3
no failover ip address intf5
pdm location 10.1.200.2 255.255.255.255 inside
pdm location 10.1.200.0 255.255.255.240 outside
pdm location 192.168.1.10 255.255.255.255 dmz1
pdm location 192.168.3.10 255.255.255.255 dmz3
pdm location 192.168.2.10 255.255.255.255 dmz2
pdm location singtel 255.255.255.0 outside
pdm location 223.228.224.0 255.255.255.0 outside
pdm location Singtel1 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 223.228.226.77-223.228.226.78 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz2) 0 access-list dmz2_nat0_outbound
nat (dmz1) 0 access-list dmz1_nat0_outbound
nat (dmz3) 0 access-list dmz3_nat0_outbound
static (dmz3,outside) 223.228.226.71 192.168.3.10 netmask 255.255.255.255 0 0
static (dmz2,outside) 223.228.226.70 192.168.2.10 netmask 255.255.255.255 0 0
static (dmz1,outside) 223.228.226.69 192.168.1.10 netmask 255.255.255.255 0 0
static (dmz1,outside) 223.228.226.72 192.168.1.11 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 223.228.226.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.200.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server dmzmed 192.168.1.10 TFTP-Root
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn1 address-pool vpn1
vpngroup vpn1 dns-server 223.228.224.91 223.228.224.92
vpngroup vpn1 default-domain xyz.com
vpngroup vpn1 split-tunnel vpn1_splitTunnelAcl
vpngroup vpn1 idle-time 1800
vpngroup vpn1 password ********
vpngroup vpn2 address-pool vpn2
vpngroup vpn2 dns-server 223.228.224.91 223.228.224.92
vpngroup vpn2 default-domain xyz.com
vpngroup vpn2 split-tunnel vpn2_splitTunnelAcl
vpngroup vpn2 idle-time 1800
vpngroup vpn2 password ********
vpngroup vpn3 address-pool vpn3
vpngroup vpn3 dns-server 192.168.3.10 203.208.224.92
vpngroup vpn3 default-domain xyz.com
vpngroup vpn3 split-tunnel vpn3_splitTunnelAcl
vpngroup vpn3 idle-time 43200
vpngroup vpn3 password ********
vpngroup vpn4 address-pool vpn4
vpngroup vpn4 dns-server 223.228.224.91 223.228.224.92
vpngroup vpn4 default-domain xyz.com
vpngroup vpn4 split-tunnel vpn4_splitTunnelAcl
vpngroup vpn4 idle-time 1800
vpngroup vpn4 password ********
telnet 192.168.3.10 255.255.255.255 dmz3
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:eb1ac0834de011c6f474cec42bc44d6d
: end
0
stressedout2004Commented:
Please provide the exact address of the two servers in question so we can provide you with the exact command you need. Which is server A and which is server C?
0
inteqAuthor Commented:
The Server with IP address 192.168.1.10 wants to transfer some files through FTP to Server with IP address 192.168.2.10
0
lrmooreCommented:
static (dmz1,dmz2) 192.168.1.10 192.168.1.10 netmask 255.255.255.255

with dmz1 and dmz2 same security level, that may be all you need.
0
stressedout2004Commented:
Unfortunately with PIX version 6.3, when two interfaces have the same security level, they will not be able to communicate with each other. This is one of the enhancements of PIX version 7.X. With 7.x there is a feature called same-security-traffic for inter-interfaces which allows interfaces with the same security level to communicate freely without having to add any NAT or access-rules, by enabling the command "same-security-traffic permit inter-interface".

Upgrading to PIX 7.x would seem a very drastic solution for such a simple file transfer unless you wanted to have some of the features of the new 7.x (and I mean very coooool features!)

So here are the commands that you need in order to meet your requirement:

nameif ethernet3 dmz1 security60
static (dmz1,dmz2) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
clear xlate

Please take note that these commands will allow 192.168.1.10 to transfer files to 192.168.2.10 but not vice versa.
If you want 192.168.2.10 to be able to transfer files to 192.168.1.10 then you need to add an access-rule as shown below:

access-list dmz2_rules permit tcp host 192.168.2.10 host 192.168.1.10 eq ftp
access-list dmz2_rules permit tcp host 192.168.2.10 host 192.168.1.10 eq ftp-data
access-list dmz2_rules deny ip any host 192.168.1.10
access-list dmz2_rules permit ip any any
access-group dmz2_rules in interface dmz2

Good luck.



0
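The two answers above (cmonteith's explanation of security levels and stressedout2004's final fix) describe a small set of rules that a PIX 6.3 applies between its interfaces. The following toy model, added here as an example and not code from Cisco or from anyone in this thread, encodes those rules so the effect of each command in the fix can be checked before touching a live box. Every name in it (Pix, nameif, static, access_list, allows, thread_pix) is invented for the example; it only models identity statics and host/any access-list entries, not nat/global pools or object groups.

```python
# Toy model of PIX 6.x inter-interface policy (added example, not Cisco code).
# Rules modelled, as described in the thread:
#  - equal security levels: no traffic at all on 6.3; 7.x needs
#    "same-security-traffic permit inter-interface"
#  - high -> low: the initiating host needs a translation (here: an identity static),
#    then any access-list applied inbound on its interface must permit the flow
#  - low -> high: the destination needs a static AND an inbound access-list on the
#    low interface must explicitly permit the flow (implicit deny otherwise)
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Pix:
    major_version: int = 6
    same_security_inter: bool = False            # 7.x same-security-traffic permit inter-interface
    levels: dict = field(default_factory=dict)   # nameif: interface -> security level
    statics: set = field(default_factory=set)    # static (high,low) host host: (high_if, low_if, host)
    acls: dict = field(default_factory=dict)     # access-group ... in interface: ifname -> entries

    def nameif(self, ifname: str, level: int) -> None:
        self.levels[ifname] = level

    def static(self, high_if: str, low_if: str, host: str) -> None:
        # "static (high,low) HOST HOST netmask 255.255.255.255" (identity translation)
        self.statics.add((high_if, low_if, host))

    def access_list(self, ifname: str, action: str, src: str, dst: str,
                    port: Optional[int] = None) -> None:
        # one "access-list NAME permit|deny ... " line, applied inbound on IFNAME;
        # src/dst are a host address or "any", port None means any port
        self.acls.setdefault(ifname, []).append((action, src, dst, port))

    def _acl_decision(self, ifname: str, src: str, dst: str, port: int,
                      default: bool) -> bool:
        entries = self.acls.get(ifname)
        if entries is None:
            return default            # no access-group on this interface
        for action, e_src, e_dst, e_port in entries:   # first match wins
            if e_src in ("any", src) and e_dst in ("any", dst) and e_port in (None, port):
                return action == "permit"
        return False                  # implicit deny at the end of every access-list

    def allows(self, src_if: str, src: str, dst_if: str, dst: str, port: int) -> bool:
        """Can SRC on SRC_IF initiate a TCP connection to DST:PORT on DST_IF?"""
        ls, ld = self.levels[src_if], self.levels[dst_if]
        if ls == ld:
            return self.major_version >= 7 and self.same_security_inter
        if ls > ld:
            translated = (src_if, dst_if, src) in self.statics
            return translated and self._acl_decision(src_if, src, dst, port, default=True)
        translated = (dst_if, src_if, dst) in self.statics
        return translated and self._acl_decision(src_if, src, dst, port, default=False)


SERVER_A, SERVER_C = "192.168.1.10", "192.168.2.10"   # dmz1 and dmz2 hosts from the thread


def thread_pix(apply_fix: bool, reverse_acl: bool = False) -> Pix:
    """Build the thread's dmz1/dmz2 setup, optionally with the posted fix applied."""
    pix = Pix()
    pix.nameif("inside", 100)
    pix.nameif("dmz2", 50)
    pix.nameif("dmz1", 60 if apply_fix else 50)     # nameif ethernet3 dmz1 security60
    if apply_fix:
        pix.static("dmz1", "dmz2", SERVER_A)        # static (dmz1,dmz2) 192.168.1.10 192.168.1.10
    if reverse_acl:                                 # the dmz2_rules access-list from the answer
        pix.access_list("dmz2", "permit", SERVER_C, SERVER_A, 21)
        pix.access_list("dmz2", "permit", SERVER_C, SERVER_A, 20)
        pix.access_list("dmz2", "deny", "any", SERVER_A)
        pix.access_list("dmz2", "permit", "any", "any")
    return pix


if __name__ == "__main__":
    print("before fix, A -> C ftp:", thread_pix(False).allows("dmz1", SERVER_A, "dmz2", SERVER_C, 21))
    print("after fix,  A -> C ftp:", thread_pix(True).allows("dmz1", SERVER_A, "dmz2", SERVER_C, 21))
    print("after fix,  C -> A ftp:", thread_pix(True).allows("dmz2", SERVER_C, "dmz1", SERVER_A, 21))
    print("with acl,   C -> A ftp:", thread_pix(True, True).allows("dmz2", SERVER_C, "dmz1", SERVER_A, 21))
```

Running it shows why the one-line `static` from lrmoore was not enough on its own (both interfaces still sat at security 50), why the `nameif ... security60` plus the static opens only the dmz1-to-dmz2 direction, and why the reverse direction needs both the static and an explicit permit in an access-list applied on dmz2; the `deny ip any host 192.168.1.10` line in that list keeps every other dmz2 host away from server A while `permit ip any any` preserves dmz2's existing outbound access.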

inteqAuthor Commented:
Thanx a lot

The thing finally worked
0