Solved

Cisco Pix 515E Policy based NAT for H323 Traffic - Help needed!

Posted on 2006-06-12
Last Modified: 2013-11-16
I need some help on configuring my CISCO PIX 515E Firewall.

I have 3 interfaces;

interface Ethernet0
 description BT ADSL Connection (*external address) Static IP address assigned by DHCP from X-Modem
interface Ethernet1
 description Internal 10.x network (10.0.0.1)
interface Ethernet2
 description Interface connected to Easynet Router (*external address) Statically Assigned

I have two ISP's BT and Easynet, and I am trying to route types of traffic to each.

- I would like all my data and everyday traffic to go via the BT connection (i.e. Emails, FTP, WWW, etc etc)

- I ONLY want H323 Videoconferencing traffic to go via the Easynet connection, nothing else (but both the TCP & UDP parts of the H323 traffic)

I am trying to use something similar to this;

access-list policy-vc extended permit tcp any eq h323 any eq h323
nat (inside) 1 access-list policy-vc
nat (inside) 2 0.0.0.0 0.0.0.0
global (outside_bt) 2 interface
global (outside_easynet) 1 *external address

I'm not sure if this will entirely work, as it will only work with the 'TCP part' of the H323 traffic. The 'UDP part' of the H323 traffic (the majority of it, i.e. Video & Audio) will still go out via the BT connection.

Am I correct?

Any help is very much appreciated!

Thanks!
Dave
Question by:foobar_666uk
12 Comments
 
Accepted Solution by lrmoore (earned 250 total points), ID: 16886425
The primary problem is that your PIX does not support more than one default gateway and cannot perform the type of policy-based routing that you're looking for. It also does not support advanced policy-based routing like an IOS router will.
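As an added illustration (not part of the thread, and not anyone's posted configuration), here is a small Python model of how the nat / access-list / route lines under discussion classify an outbound flow: the policy-vc ACL only matches TCP when both the source and destination port are 1720, and the egress interface comes from the routing table, which holds a single default route. The sample flows and the 217.0.0.0/28 stand-in for the masked Easynet subnet are constructed, and the model assumes the static default route is the one the PIX installs.

```python
# Added example: models the PIX 7.x policy NAT and route decisions from
# the thread. Sample flows and the 217.0.0.0/28 subnet are constructed.
import ipaddress
from dataclasses import dataclass

H323_PORT = 1720  # the PIX "h323" port keyword is TCP/1720 (H.225 call signalling)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def policy_vc_matches(f: Flow) -> bool:
    """ACL policy-vc: 'permit tcp any eq h323 any eq h323'.
    Protocol must be TCP and BOTH ports must be 1720, so a call set-up
    from an ephemeral source port, and all UDP media, fall through."""
    return f.proto == "tcp" and f.sport == H323_PORT and f.dport == H323_PORT


def nat_id_for(f: Flow) -> int:
    """Policy NAT (nat 1, ACL based) is checked before the catch-all nat 2."""
    return 1 if policy_vc_matches(f) else 2


# Routing table as posted: two connected subnets plus ONE default route.
# Assumption: the static 'route outside_easynet 0.0.0.0 0.0.0.0 ...' wins.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/24"), "inside"),
    (ipaddress.ip_network("217.0.0.0/28"), "outside_easynet"),  # stand-in for 217.*.*.*/28
    (ipaddress.ip_network("0.0.0.0/0"), "outside_easynet"),
]


def egress_interface(dst: str) -> str:
    """Longest-prefix match; the NAT id plays no part in this decision."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n, _ in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return next(iface for n, iface in ROUTES if n == best)


def classify(f: Flow) -> tuple:
    """Return (nat id, egress interface) for a flow from the inside network."""
    return nat_id_for(f), egress_interface(f.dst)


if __name__ == "__main__":
    for f in [Flow("tcp", "10.0.0.13", 1720, "198.51.100.7", 1720),   # only case the ACL hits
              Flow("tcp", "10.0.0.13", 40123, "198.51.100.7", 1720),  # typical H.225 set-up
              Flow("udp", "10.0.0.13", 50000, "198.51.100.7", 50002), # RTP audio/video
              Flow("tcp", "10.0.0.10", 51000, "203.0.113.9", 443)]:   # everyday HTTPS
        print(f, "->", classify(f))
```

Whatever NAT id a flow lands in, every non-connected destination leaves by the same interface, which is the point the accepted answer makes.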
 
Author Comment by foobar_666uk, ID: 16892076
It is running the latest version (version 7) and I have been told it should be able to do what I'm trying to do.

I have set up the BT to be DHCP setroute and Easynet I have defined as normal with a default route.

Can anyone help please?

Thanks.
 
Assisted Solution by renill (earned 250 total points), ID: 16910372
Can you post the PIX config?
<<<sanitize required ips>>>
 
Author Comment by foobar_666uk, ID: 16910416
I haven't yet implemented anything, but here is my current running-config;


asdm image flash:/asdm-521.bin
no asdm history enable
: Saved
:
PIX Version 7.2(1)
!
hostname PIX
domain-name *
enable password *
names
name 10.0.0.10 server01
name 10.0.0.11 fileserver
name 10.0.0.200 supportpc01
name 10.0.0.13 tmsserver
name 217.*.*.* tmsserver-external
name 81.*.*.* BTexternalAddress
name 62.*.*.* MGC
!
interface Ethernet0
 description BT ADSL Connection Static IP address assigned by DHCP from X-Modem
 nameif outside_bt
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 description Internal 10.x network
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
 description Interface connected to Easynet Router
 nameif outside_easynet
 security-level 0
 ip address 217.*.*.* 255.255.255.240
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name firstconnection
access-list outside_bt_cryptomap extended permit ip any 10.0.0.128 255.255.255.128
access-list outside_bt_access_in remark Port 80 access to Server01 for Outlook access and Remote Access etc
access-list outside_bt_access_in extended permit tcp any host BTexternalAddress eq www
access-list outside_bt_access_in remark ICMP / Ping, Telnet etc from any on BT interface to Any
access-list outside_bt_access_in extended permit icmp any any
access-list outside_bt_access_in remark Secure web access to Server01 for Remote Outlook access
access-list outside_bt_access_in extended permit tcp any host BTexternalAddress eq https
access-list outside_bt_access_in remark Used for RemoteAdmin on Server01
access-list outside_bt_access_in extended permit tcp any host BTexternalAddress eq 4125
access-list outside_bt_access_in remark PPTP used for VPN pass through to Server01 for Windows VPN users
access-list outside_bt_access_in extended permit tcp any host BTexternalAddress eq pptp
access-list outside_bt_access_in remark GRE is the protocol used for VPN connection
access-list outside_bt_access_in extended permit gre any host BTexternalAddress
access-list outside_bt_access_in remark Port 8080 to Server01
access-list outside_bt_access_in extended permit tcp any host BTexternalAddress eq 8080
access-list outside_bt_access_in remark Rule to allow incoming access to the fileserver for Extranet access (see Dave)
access-list outside_bt_access_in extended permit tcp any host BTexternalAddress eq 8081
access-list outside_easynet_access_in remark Allows www web access from Easynet SDSL to TMS Server
access-list outside_easynet_access_in extended permit tcp any eq www host tmsserver-external eq www
access-list outside_easynet_access_in remark Allows Secure Web access (https) to TMS Server
access-list outside_easynet_access_in extended permit tcp any eq https host tmsserver-external eq https
access-list outside_easynet_access_in remark Allows telnet access from Easynet SDSL to TMS Server
access-list outside_easynet_access_in extended permit tcp any eq telnet host tmsserver-external eq telnet
access-list outside_easynet_access_in remark Allows port 57 from Easynet SDSL to TMS
access-list outside_easynet_access_in extended permit tcp any eq 57 host tmsserver-external eq 57
access-list outside_easynet_access_in remark Allows port 161 from Easynet SDSL to TMS Server
access-list outside_easynet_access_in extended permit tcp any eq 161 host tmsserver-external eq 161
access-list outside_easynet_access_in remark Allows FTP from Easynet SDSL to TMS Server
access-list outside_easynet_access_in extended permit tcp any eq ftp host tmsserver-external eq ftp
access-list outside_easynet_access_in remark Allows FTP-data from Easynet SDSL to TMS Server
access-list outside_easynet_access_in extended permit tcp any eq ftp-data host tmsserver-external eq ftp-data
access-list policy-vc remark Policy based NAT/Route. If packets = h323 then use NAT Pool ID 1 (Easynet)
access-list policy-vc extended permit tcp any eq h323 any eq h323
access-list mgc-con extended permit tcp any host MGCReading
!
tcp-map mss-mgc-map
  exceed-mss allow
!
pager lines 24
logging enable
logging asdm-buffer-size 200
logging asdm informational
logging from-address pix515e@*.co.uk
logging recipient-address *.co.uk level errors
logging host inside supportpc01
mtu outside_bt 1500
mtu inside 1500
mtu outside_easynet 1500
ip local pool fcvpnpool 10.0.0.185-10.0.0.199 mask 255.255.255.0
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
global (outside_bt) 2 interface
global (outside_easynet) 1 217.*.*.*
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list policy-vc
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside_bt) tcp interface www server01 www netmask 255.255.255.255
static (inside,outside_bt) tcp interface https server01 https netmask 255.255.255.255
static (inside,outside_bt) tcp interface 4125 server01 4125 netmask 255.255.255.255
static (inside,outside_bt) tcp interface pptp server01 pptp netmask 255.255.255.255
static (inside,outside_bt) tcp interface 8080 server01 8080 netmask 255.255.255.255
static (inside,outside_bt) tcp interface 8081 fileserver 8081 netmask 255.255.255.255
static (inside,outside_easynet) tmsserver-external tmsserver netmask 255.255.255.255
access-group outside_bt_access_in in interface outside_bt
access-group outside_easynet_access_in in interface outside_easynet
route outside_easynet 0.0.0.0 0.0.0.0 217.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy fcvpnusers internal
group-policy fcvpnusers attributes
 dns-server value 10.0.0.10
 vpn-tunnel-protocol IPSec
 default-domain value ******
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map mgc-con1
 description Policy to allow connection to MGC from MGC Manager Application
 match access-list mgc-con
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
 class mgc-con1
  set connection advanced-options mss-mgc-map
!
service-policy global_policy global
ntp server server01 source inside prefer
tftp-server inside supportpc01 \
smtp-server 10.0.0.10
prompt hostname context
: end
 
Expert Comment by renill, ID: 16910553
Oops, you wouldn't be able to go with two default routes in PIX; lrmoore was correct.
Route the traffic to a gateway router and place an access-list on the router.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008008cd23.html#1025051

this may help you.

renill
 
Author Comment by foobar_666uk, ID: 16969589
What router would you recommend for this scenario then?

I have a BT ADSL line, and I would like to use Policy Based Routing. Will the CISCO 850 Router support PBR?

Thanks in advance.
 
Author Comment by foobar_666uk, ID: 16969706
To make things a little bit clearer;

WAN 1: BT ADSL presented as an RJ-11 connection
WAN 2: Easynet SDSL with Managed router, presented from Managed Router as Rj45
LAN: RJ45 Ethernet

I need the router to do Policy Based Routing so that I can route ONLY H323 traffic (both TCP and UDP ports) to Easynet SDSL and anything else via the BT ADSL connection!

I hope that's enough information - I just need to know what router to get?

Thanks!
 
Author Comment by foobar_666uk, ID: 16969766
Other info...

Our BT ADSL uses "PPPoA" I believe, so the router will need to support this?

Please help! :)
 
Author Comment by foobar_666uk, ID: 17089568
No-one able to help??
 
Expert Comment by lrmoore, ID: 17089630
Since you're getting 1 RJ-11 and 1 RJ-45 Ethernet and you still have Ethernet to the firewall, you will need a router with 2 FastEthernet ports and a WIC slot for an ADSL WIC.
I suggest the Cisco 1800 series, particularly the modular 1841 with the appropriate WIC-1ADSL:
http://www.cisco.com/en/US/products/ps5853/products_data_sheet0900aecd8016a59b.html