PIX config question - routes and multiple external IPs

OK, sorry about this, but I am in no way a Cisco guru, much less PIX. However, that's what I have to work with.

So here is what I am trying to do. I have two domains, I want them on separate subnets, but I want to set up trusts between the domains. I also want to host two SSL servers and need people to get to them from the outside.

The two subnets are 172.16.32.0 and 172.16.100.0

One SSL server in each subnet.

I am going to post the config below... any help would be highly appreciated.

: Saved
: Written by enable_15 at 00:54:13.734 UTC Sat May 13 2006
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname pixfirewall
domain-name domain.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.32.20 Mustang
name 172.16.32.90 Hargrove
name 172.16.32.30 Charger
name 172.16.32.11 Corvette
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in remark HTTP to Mustang firewall hole
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in remark HTTPS to Mustang
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in remark Terminal Services to Hargrove
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in remark CVS Firewall hole for Charger
access-list outside_access_in permit tcp any host x.x.x.194 eq 2401
access-list outside_access_in remark CVS Locking firewall hole for Charger
access-list outside_access_in permit tcp any host x.x.x.194 eq 2402
access-list outside_access_in remark FTP Firewall hole for Charger
access-list outside_access_in permit tcp any host x.x.x.194 eq ftp
access-list outside_access_in remark Deny all other traffic
access-list outside_access_in deny tcp any any
access-list inside_outbound_nat0_acl permit ip any 10.99.99.0 255.255.255.128
access-list inside_outbound_nat0_acl permit ip any 10.99.35.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.99.99.0 255.255.255.128
access-list outside_cryptomap_dyn_20 permit ip any 10.99.35.0 255.255.255.224
access-list HargroveVPN_splitTunnelAcl permit ip 172.16.32.0 255.255.255.0 any
access-list DTVPN_splitTunnelAcl permit ip 172.16.32.0 255.255.255.0 any
access-list inside_access_in permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.194 255.255.255.240
ip address inside 172.16.32.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool HargroveVPNPool 10.99.99.1-10.99.99.100
ip local pool DTVPNPool 10.99.35.1-10.99.35.30
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 10.99.35.0 255.255.255.224 inside
pdm location Mustang 255.255.255.255 inside
pdm location Hargrove 255.255.255.255 inside
pdm location Charger 255.255.255.255 inside
pdm location Corvette 255.255.255.255 inside
pdm location 172.16.100.0 255.255.255.255 inside
pdm location 172.16.100.200 255.255.255.255 inside
pdm location 172.16.100.0 255.255.255.0 inside
pdm location 172.16.0.0 255.255.0.0 inside
pdm location 176.16.32.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www Mustang www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Mustang https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 Hargrove 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.194 2401 Charger 2401 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.194 2402 Charger 2402 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.194 ftp Charger ftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
route inside 172.16.100.0 255.255.255.0 172.16.32.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.32.0 255.255.255.0 inside
http 10.99.35.0 255.255.255.224 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside Corvette /pix
floodguard enable
sysopt connection permit-ipsec
telnet Corvette 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80

I removed a bunch of ISAKMP and vpngroup info to make this a little shorter.

Thanks
Asked by rafordhargrove

Cyclops3590 commented:
First, do

no access-list inside_access_in permit ip any any

By default there is an implicit rule that already does this.

Second, if you have a /28 range, personally I wouldn't use the IP assigned to the outside interface for anything but WAN traffic and the connection IP for VPN.

Third, I only see Mustang on the 172.16.32.0/24 LAN accepting traffic. You already have the route to the 172.16.100.0/24 LAN, which is good, but what you should do is full NATs instead of PATs. Just curious, but is there a reason that you are doing NATs instead of PATs?

All I need to know is what public IP is assigned to the 172.16.32.X SSL server and which to the 172.16.100.Y SSL server and I can help you. Also, do you want it to be a PAT entry (TCP port specified) or a NAT entry (IP-to-IP transfer, indiscriminate of TCP port)?
rafordhargrove (Author) commented:
I don't know what the difference between full NATs and PATs really is... that's the only reason that it's done that way. The public IP addresses aren't determined as of yet, and I can't make that decision; the guy that just left to go to bed has to do that, but let's just call the public IP of 172.16.32.x 555.555.555.555 and the 172.16.100.y 777.777.777.777...

I think that should work. If I can get the commands to do this I will wake him up, otherwise he wouldn't like to be bothered.

Thanks
Cyclops3590 commented:
OK, first the NAT version:

access-list outside_access_in permit tcp any host 555.555.555.555 eq 443
access-list outside_access_in permit tcp any host 777.777.777.777 eq 443
access-group outside_access_in in interface outside

static (inside,outside) 555.555.555.555 172.16.32.x netmask 255.255.255.255
static (inside,outside) 777.777.777.777 172.16.100.y netmask 255.255.255.255

The PAT version:
access-list outside_access_in permit tcp any host 555.555.555.555 eq 443
access-list outside_access_in permit tcp any host 777.777.777.777 eq 443
access-group outside_access_in in interface outside

static (inside,outside) tcp 555.555.555.555 443 172.16.32.x 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp 777.777.777.777 443 172.16.100.y 443 netmask 255.255.255.255 0 0

The only difference between NAT and PAT is that NAT is 1-to-1 on the IP level, whereas PAT is 1-to-1 on the port level; thus, if you have fewer public IPs than servers you want publicly available, you can take advantage of PAT and get the result you want.
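Two practical points about the thread above, illustrated with an added example that is not code from the thread or from either poster. First, ordering: the posted outside_access_in ends with `deny tcp any any`, and a PIX appends a newly typed `access-list` entry at the end of the list, so the two `permit ... eq 443` lines from the answer would land after that deny and never match (the hit counters in `show access-list outside_access_in` would stay at 0). PIX 6.3 accepts `access-list NAME line N ...` to insert an entry at a given position; the line numbers used below count only real entries, so check the real numbering on the box before using them. Second, NAT versus PAT: a 1-to-1 static translates every port, so the ACL is the only thing that limits what is reachable, while a static PAT translates one port only, so an inbound connection to any other port is dropped even if the ACL permits it. The model below treats the outside ACL as first-match on the global (untranslated) address, which is how PIX 6.x evaluates it, and requires a matching static as well. The addresses are assumed RFC 5737 stand-ins: 203.0.113.194 for x.x.x.194 and 203.0.113.195/.196 for the thread's 555.555.555.555/777.777.777.777 placeholders; the inside hosts 172.16.32.50 and 172.16.100.50 are likewise made up for the example.

```python
# Added example (not from the thread): model of how a PIX 6.3 decides an
# inbound TCP connection on 'outside'.  The outside ACL is evaluated on the
# global (untranslated) address, first match wins, and a static xlate must
# also exist.  Assumed stand-ins: 203.0.113.194 for x.x.x.194, 203.0.113.195
# and .196 for the thread's 555.555.555.555 / 777.777.777.777 placeholders.
import ipaddress
from collections import namedtuple

OUTSIDE_IF = "203.0.113.194"
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21}
Ace = namedtuple("Ace", "action proto dst dport")                # dport None = any port
Static = namedtuple("Static", "global_ip local_ip gport lport")  # gport None = 1-to-1 NAT

def port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def parse_dst(t, i):
    """Destination field: 'any' | 'host A.B.C.D' | 'interface outside'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    host = t[i + 1] if t[i] == "host" else OUTSIDE_IF      # 'interface outside'
    return ipaddress.ip_network(host + "/32"), i + 2

def build_acl(commands):
    """Replay 'access-list NAME [line N] ...' commands in the order typed: each
    entry is appended unless 'line N' says where to insert; remarks are skipped."""
    acl = []
    for cmd in commands:
        t = cmd.split()
        if t[2] == "remark":
            continue
        pos = len(acl)
        if t[2] == "line":
            pos, t = int(t[3]) - 1, t[:2] + t[4:]
        dst, i = parse_dst(t, 5)                           # t[4] is the source ('any' here)
        dport = port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        acl.insert(pos, Ace(t[2], t[3], dst, dport))
    return acl

def parse_static(cmd):
    """'static (inside,outside) [tcp] GLOBAL [GPORT] LOCAL [LPORT] netmask ...'"""
    t = [OUTSIDE_IF if x == "interface" else x for x in cmd.split()]
    if t[2] == "tcp":                                      # static PAT: one port only
        return Static(t[3], t[5], port(t[4]), port(t[6]))
    return Static(t[2], t[3], None, None)                  # 1-to-1 static NAT

def inbound_tcp(acl, statics, dst_ip, dport):
    """Verdict for an inbound TCP SYN to global dst_ip:dport."""
    addr = ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(acl, 1):
        if ace.proto not in ("tcp", "ip") or addr not in ace.dst:
            continue
        if ace.dport not in (None, dport):
            continue
        if ace.action == "deny":
            return f"deny (ACL line {n})"
        for s in statics:
            if s.global_ip == dst_ip and s.gport in (None, dport):
                return f"permit (ACL line {n}) -> {s.local_ip}:{s.lport or dport}"
        return f"drop (ACL line {n} permits, but no static for {dst_ip}:{dport})"
    return "deny (implicit deny at end of ACL)"

def shadowed(acl):
    """1-based ACL lines that can never match because an earlier entry already
    decides the same protocol, destination and port."""
    return [i + 1 for i, ace in enumerate(acl)
            if any(p.proto in (ace.proto, "ip") and ace.dst.subnet_of(p.dst)
                   and p.dport in (None, ace.dport) for p in acl[:i])]

# Constructed sample: the thread's outside_access_in in posted order, then the
# answer's two permits as they land if simply typed in (appended after the deny).
POSTED = ["access-list outside_access_in " + e for e in [
    "permit icmp any any echo-reply",
    "permit tcp any interface outside eq www",
    "permit tcp any interface outside eq https",
    "permit tcp any interface outside eq 3389",
    "permit tcp any host 203.0.113.194 eq 2401",
    "permit tcp any host 203.0.113.194 eq 2402",
    "permit tcp any host 203.0.113.194 eq ftp",
    "deny tcp any any"]]
APPENDED = ["access-list outside_access_in permit tcp any host 203.0.113.195 eq 443",
            "access-list outside_access_in permit tcp any host 203.0.113.196 eq 443"]
INSERTED = ["access-list outside_access_in line 8 permit tcp any host 203.0.113.195 eq 443",
            "access-list outside_access_in line 9 permit tcp any host 203.0.113.196 eq 443"]
STATICS = [parse_static(c) for c in [
    "static (inside,outside) tcp interface https 172.16.32.20 https netmask 255.255.255.255 0 0",
    "static (inside,outside) 203.0.113.195 172.16.32.50 netmask 255.255.255.255 0 0",
    "static (inside,outside) tcp 203.0.113.196 443 172.16.100.50 443 netmask 255.255.255.255 0 0"]]

def demo():
    wrong, right = build_acl(POSTED + APPENDED), build_acl(POSTED + INSERTED)
    loose = build_acl(["access-list t permit tcp any host 203.0.113.195 eq 80",
                       "access-list t permit tcp any host 203.0.113.196 eq 80"])
    return {
        "appended_shadowed": shadowed(wrong),                                # [9, 10]
        "appended_443": inbound_tcp(wrong, STATICS, "203.0.113.195", 443),   # deny (ACL line 8)
        "inserted_shadowed": shadowed(right),                                # []
        "inserted_443_nat": inbound_tcp(right, STATICS, "203.0.113.195", 443),
        "inserted_443_pat": inbound_tcp(right, STATICS, "203.0.113.196", 443),
        "nat_port_80": inbound_tcp(loose, STATICS, "203.0.113.195", 80),     # NAT covers any port
        "pat_port_80": inbound_tcp(loose, STATICS, "203.0.113.196", 80),     # PAT: no xlate for 80
    }
```

Run `demo()` to see the two orderings side by side: with the permits appended, `shadowed()` flags them as lines 9 and 10 and the connection to port 443 dies on the deny at line 8; with them inserted ahead of the deny, both SSL servers are reachable. Two things the model does not cover but matter on the real box: after adding or changing a `static`, run `clear xlate` so stale translations do not mask the new entry, and the posted `route inside 172.16.100.0 255.255.255.0 172.16.32.1 1` names the PIX's own inside address (`ip address inside 172.16.32.1`) as the next hop, which cannot work; the gateway must be the router that sits between the 172.16.32.0/24 and 172.16.100.0/24 segments, or the static for 172.16.100.y will never deliver packets to that server.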