Configure Cisco Pix 515E as an internet gateway

Posted on 2006-05-08
Last Modified: 2008-01-09
Hi Experts, I have a Cisco Pix 515E which I want to set up as an internet gateway for all PCs. I currently have a Netgear 834g for the ADSL connection, but I will set the Pix as a DMZ and it will act as the firewall. The LAN users are on a 10.0.0.x address and the LAN side of the Pix is 10.0.0.1. The WAN side of the Pix is 10.0.1.1; the Netgear is on a 10.0.1.2 address. I can't seem to get the config right, so I have done a show run for you to have a look at and hopefully advise me.

Thanks

cisco# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ********.******* encrypted
passwd ********.******* encrypted
hostname cisco
domain-name test.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 10.0.1.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.255.255.255 inside
pdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.0.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.1 255.255.255.255 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.0 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:35cced8d55320f4ae101c57b0ae1ac23
: end
cisco#
Question by:andrewforbes
15 Comments
 
LVL 3

Expert Comment

by:Skyccord
ID: 16628573
The best bet might be to set the netgear modem in bridge mode and allow the pix to take over all your firewall functions for both the internal lan and dmz.  If you want to do this I will provide you with the full config.

Stanley Louissaint
LVL 79

Expert Comment

by:lrmoore
ID: 16629628
You have to enable NAT/global
 
  global (outside) 10 interface
  nat (inside) 10 0 0

You should also set the IP of the PIX outside as the "DMZ Host" on the Netgear. I think that is what you were referring to?

For testing you might want to allow ICMP which is all blocked by default.

  access-list testicmp permit icmp any any
  access-group testicmp in interface outside


LVL 1

Author Comment

by:andrewforbes
ID: 16632249
lrmoore

I have enabled the ICMP as above and set one of the PCs' gateway to the LAN IP of the Pix, but I still can't ping the WAN side of the Pix. Also, looking at my config, what are the exact NAT rules I need to apply?

Does the Pix LAN interface automatically route to the WAN side for traffic with a WAN destination?
LVL 79

Expert Comment

by:lrmoore
ID: 16632427
>but I still can't ping the WAN side of the Pix.
Never will be able to. It's a design "feature" that you cannot ping the actual outside interface from inside.

>Does the Pix Lan interface automatically route to the Wan side for traffic with a wan destination ?
That's what your default gateway setting is for. Yes, if the destination is not the local lan then it will pass it on to the next hop as specified in the default route statement
     >route outside 0.0.0.0 0.0.0.0 10.0.1.1 1  

HOWEVER, you need to make the next hop the Netgear, which is on the 10.0.1.2 address. I missed this little detail first time through.

  no route outside 0.0.0.0 0.0.0.0 10.0.1.1  <== not pointing to yourself
  route outside 0.0.0.0 0.0.0.0 10.0.1.2  <== point to the netgear for next hop

LVL 1

Author Comment

by:andrewforbes
ID: 16632674
Thanks, but what are the rules for the NAT?

Thanks
LVL 79

Expert Comment

by:lrmoore
ID: 16632887
Just as I posted above:

  global (outside) 10 interface  <== use my outside interface to nat everything going out
  nat (inside) 10 0 0  <== nat everything from inside going out

The router will only see the 10.0.1.1 IP address and will be happy because it is local to it and no other route statements are needed.


LVL 3

Expert Comment

by:Skyccord
ID: 16632912
This is why lrmoore runs this category.

Stanley Louissaint
LVL 1

Author Comment

by:andrewforbes
ID: 16633432
lrmoore

Thanks for being so patient and helping me. One last question: I've tried adding an access rule which basically allows all HTTP traffic from the outside interface to be sent to 10.0.0.50. How would I do this?

I tried "access-list http permit http any 10.0.0.50" ?
LVL 3

Expert Comment

by:Skyccord
ID: 16634110
static (inside, outside) tcp interface 80 10.0.0.50 80 netmask 255.255.255.255 0 0
access-list 100 permit tcp any interface eq 80
access-group 100 in interface outside

Stanley Louissaint
LVL 79

Accepted Solution

by:
lrmoore earned 1600 total points
ID: 16634467
Stanley's got you covered with that (almost), but I want to add that you'll lose ping/ICMP capability unless you include ICMP rules in the access-list:

access-list 100 permit tcp any interface outside eq 80  <== notice "interface outside" vs "interface"
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded

access-group 100 in interface outside

Note that the above examples use the keyword "interface" which is *not* a placeholder for the ip address. It is used exactly as shown for both the access-list and the static.
LVL 1

Author Comment

by:andrewforbes
ID: 16636893
OK, thanks all. I have applied a few access rules, but it appears that no traffic is getting to the LAN PC on 192.168.0.1. I have changed IP addresses, but this will not change anything. The WAN side of the Netgear is now 192.168.1.10. On the Netgear I have set the Pix (192.168.1.1) as a DMZ. All PCs can see the internet fine, but the translation rules don't appear to be working. Almost there, THANKS EVERYONE SO FAR :0)

Here's my new config:

cisco# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password tyutyutyutyutyutyu
passwd tuytyutyutyutyutyu
hostname cisco
domain-name test.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list icmp permit icmp any any
access-list 100 permit tcp any interface outside eq www
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit tcp any interface outside eq smtp
access-list 100 permit tcp any interface outside eq pop3
access-list 100 permit tcp any interface outside eq https
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 192.168.0.15 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.255.255 inside
pdm location 192.168.0.1 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.0.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.0.1 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.0.1 https netmask 255.255.255.255 0 0
access-group icmp in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.15 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:e53c7e62125d7e93d3a844b687dc60ce
: end
cisco#
LVL 79

Expert Comment

by:lrmoore
ID: 16637997
Your PIX config looks fine.
On the Netgear, do you have those same ports forwarded to the PIX outside, or have the PIX IP as the DMZ host where all ports are forwarded to it?
LVL 1

Author Comment

by:andrewforbes
ID: 16639899
I have the Pix WAN port set to a DMZ on the Netgear, so the Pix should get everything.
LVL 3

Assisted Solution

by:Skyccord
Skyccord earned 400 total points
ID: 16640425
Here's your issue.  

access-group icmp in interface outside

run these two commands

no access-group icmp in interface outside
access-group 100 in interface outside

You're not specifying the actual access-list that you created, therefore the PIX doesn't know what it is.  ;)

Stanley Louissaint
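Both fixes in this thread (lrmoore's: point the default route at the Netgear rather than at the PIX's own outside address; Skyccord's: bind ACL 100, the list that actually permits the forwarded ports, to the outside interface instead of the catch-all "icmp" list) are the kind of slip a quick lint of the `show run` catches before anyone starts pinging. The script below is an added example and not part of the original thread or a Cisco tool: the function names, the finding codes and the sample config are mine. The sample is constructed, trimmed from the second config posted above, with the first config's self-pointing default route put back and a pop3 static whose matching permit is deliberately left out of ACL 100, so that the "after fix" run still has something to report. It also flags the `snmp-server community public` and `telnet` lines from the posted config, which nobody in the thread touched but which you would want gone before this box sits behind a DMZ host forward.

```python
"""Lint a PIX 6.3 'show run' for the mistakes that surfaced in this thread.

Added example (hypothetical helper names, not a Cisco tool). Finding codes:
  route-to-self    default route whose next hop is one of the PIX's own addresses
  acl-missing      access-group binding an ACL that has no entries
  acl-unused       ACL defined but never bound with access-group
  static-blocked   tcp/udp static whose port the ACL bound on that interface never permits
  snmp-default-community / telnet-enabled   management hygiene
"""
import re
from collections import defaultdict

# PIX prints well-known ports by name in 'show run'; fold numbers to those names.
PORT_NAMES = {"80": "www", "443": "https", "25": "smtp", "110": "pop3", "22": "ssh"}

# Constructed sample: trimmed from the second posted config, plus the first
# config's self-pointing route, plus a pop3 static with no permit in ACL 100.
SAMPLE_CONFIG = """\
PIX Version 6.3(5)
access-list icmp permit icmp any any
access-list 100 permit tcp any interface outside eq www
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any interface outside eq smtp
access-list 100 permit tcp any interface outside eq https
ip address outside 192.168.1.1 255.255.255.0
ip address inside 192.168.0.15 255.255.255.0
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.0.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.0.1 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.0.1 https netmask 255.255.255.255 0 0
access-group icmp in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
snmp-server community public
telnet 192.168.0.0 255.255.255.255 inside
"""

# The same config after the two corrections given in the thread.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("access-group icmp in", "access-group 100 in")
                .replace("route outside 0.0.0.0 0.0.0.0 192.168.1.1 1",
                         "route outside 0.0.0.0 0.0.0.0 192.168.1.10 1"))


def parse(config):
    """Pull out only the statements the checks need, keyed by interface or ACL name."""
    cfg = {"iface_ip": {}, "acl": defaultdict(list), "bound": {},
           "static": [], "route": [], "snmp": [], "telnet": []}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 4 and t[:2] == ["ip", "address"]:          # ip address IF ADDR MASK
            cfg["iface_ip"][t[2]] = t[3]
        elif len(t) >= 3 and t[0] == "access-list":             # access-list NAME entry...
            cfg["acl"][t[1]].append(t[2:])
        elif len(t) >= 5 and t[0] == "access-group":            # access-group NAME in interface IF
            cfg["bound"][t[4]] = t[1]
        elif len(t) >= 5 and t[0] == "static":                  # static (in,out) tcp interface PORT ...
            m = re.match(r"\((\w+),(\w+)\)$", t[1])
            if m and t[2] in ("tcp", "udp"):
                cfg["static"].append((t[2], m.group(2), PORT_NAMES.get(t[4], t[4])))
        elif len(t) >= 5 and t[0] == "route":                   # route IF DST MASK NEXTHOP
            cfg["route"].append((t[1], t[2], t[3], t[4]))
        elif len(t) >= 3 and t[:2] == ["snmp-server", "community"]:
            cfg["snmp"].append(t[2])
        elif len(t) >= 2 and t[0] == "telnet" and t[1] != "timeout":
            cfg["telnet"].append(" ".join(t[1:]))
    return cfg


def acl_permits(entries, proto, port):
    """True if an entry permits proto/port; an entry without 'eq' permits the whole protocol."""
    for e in entries:
        if e[0] != "permit" or e[1] not in (proto, "ip"):
            continue
        if "eq" not in e or PORT_NAMES.get(e[e.index("eq") + 1], e[e.index("eq") + 1]) == port:
            return True
    return False


def lint(config):
    """Return (code, detail) findings in a fixed order so two runs are comparable."""
    cfg, out = parse(config), []
    own = set(cfg["iface_ip"].values())
    for iface, dst, mask, nh in cfg["route"]:
        if nh in own:
            out.append(("route-to-self", f"route {iface} {dst} {mask} {nh}"))
    for iface, name in cfg["bound"].items():
        if name not in cfg["acl"]:
            out.append(("acl-missing", f"{name} bound on {iface}"))
    for name in cfg["acl"]:
        if name not in cfg["bound"].values():
            out.append(("acl-unused", name))
    for proto, iface, port in cfg["static"]:
        bound = cfg["bound"].get(iface)
        if bound is None or not acl_permits(cfg["acl"].get(bound, []), proto, port):
            out.append(("static-blocked", f"{proto}/{port} on {iface} (acl {bound})"))
    if "public" in cfg["snmp"]:
        out.append(("snmp-default-community", "public"))
    for t in cfg["telnet"]:
        out.append(("telnet-enabled", t))
    return out


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(f"--- {label}")
        for code, detail in lint(text):
            print(f"{code:24s} {detail}")
```

Run as-is and the "as posted" pass reports the self-pointing route, ACL 100 as unused and all four statics as blocked (the bound list only permits ICMP); the "after fix" pass is down to the missing pop3 permit, the now-orphaned "icmp" list, and the SNMP/telnet hygiene items. The check only models tcp/udp statics against the list bound on the same interface; it says nothing about ICMP return traffic or the inside-can't-ping-the-outside-interface behaviour lrmoore describes.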
LVL 1

Author Comment

by:andrewforbes
ID: 16641077
Thanks fellas, All working great now :)
