foobar_666uk
Cisco Pix 515E Policy based NAT for H323 Traffic - Help needed!

I need some help on configuring my CISCO PIX 515E Firewall.

I have 3 interfaces;

interface Ethernet0
 description BT ADSL Connection (*external address) Static IP address assigned by DHCP from X-Modem
interface Ethernet1
 description Internal 10.x network (10.0.0.1)
interface Ethernet2
 description Interface connected to Easynet Router (*external address) Statically Assigned

I have two ISPs, BT and Easynet, and I am trying to route types of traffic to each.

- I would like all my data and everyday traffic to go via the BT connection (i.e. Emails, FTP, WWW, etc etc)

- I ONLY want H323 Videoconferencing traffic to go via the Easynet connection, nothing else (but both the TCP & UDP parts of the H323 traffic)

I am trying to use something similar to this;

access-list policy-vc extended permit tcp any eq h323 any eq h323
nat (inside) 1 access-list policy-vc
nat (inside) 2 0.0.0.0 0.0.0.0
global (outside_bt) 2 interface
global (outside_easynet) 1 *external address

I'm not sure if this will entirely work, as it will only work with the 'TCP part' of the H323 traffic. The 'UDP part' of the H323 traffic (the majority of it, i.e. Video & Audio) will still go out via the BT connection.

Am I correct?

Any help is very much appreciated!

Thanks!
Dave
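To make the concern above concrete, here is an added example (not from this thread, and not Cisco code) that evaluates a PIX-style extended ACE against two constructed H.323 flows. The far-end address 192.0.2.10, the ephemeral and media port numbers, and the two alternative policy-vc lines are my assumptions, not anything the thread proposes; the example only shows what the ACL matches, and says nothing about the routing limitation raised later in the thread.

```python
import ipaddress

PORT_NAMES = {"h323": 1720, "www": 80}  # PIX port keywords this example needs

def parse_ace(line):
    """Parse 'access-list NAME extended permit PROTO SRC [eq P] DST [eq P]' (a subset)."""
    tok = line.split()
    rest = tok[5:]  # everything after the protocol keyword

    def addr():  # any | host A | A MASK
        kw = rest.pop(0)
        if kw == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        if kw == "host":
            return ipaddress.ip_network(rest.pop(0) + "/32")
        return ipaddress.ip_network(kw + "/" + rest.pop(0), strict=False)

    def ports():  # 'eq P' (name or number), or nothing, which means every port
        if rest[:1] == ["eq"]:
            _, p = rest.pop(0), rest.pop(0)
            p = int(p) if p.isdigit() else PORT_NAMES[p]
            return (p, p)
        return (0, 65535)

    src, sport = addr(), ports()
    dst, dport = addr(), ports()
    return {"proto": tok[4], "src": src, "sport": sport, "dst": dst, "dport": dport}

def matches(ace, proto, src, sport, dst, dport):
    """Would the first packet of this flow hit the ACE (and so select NAT pool 1)?"""
    return (ace["proto"] in ("ip", proto)
            and ipaddress.ip_address(src) in ace["src"]
            and ace["sport"][0] <= sport <= ace["sport"][1]
            and ipaddress.ip_address(dst) in ace["dst"]
            and ace["dport"][0] <= dport <= ace["dport"][1])

# Constructed flows: TMS endpoint 10.0.0.13 (from the posted config) to a placeholder far
# end 192.0.2.10. H.225 setup leaves from an ephemeral port and RTP ports are negotiated
# per call, so these port numbers are made up.
FLOWS = {
    "h225_setup": ("tcp", "10.0.0.13", 49152, "192.0.2.10", 1720),
    "rtp_media": ("udp", "10.0.0.13", 2328, "192.0.2.10", 2330),
}
ORIGINAL = "access-list policy-vc extended permit tcp any eq h323 any eq h323"
DEST_ONLY = "access-list policy-vc extended permit tcp any any eq h323"  # hypothetical
HOST_BASED = "access-list policy-vc extended permit ip host 10.0.0.13 any"  # hypothetical

def report(ace_line):
    """Map each constructed flow to whether the given ACE would match it."""
    ace = parse_ace(ace_line)
    return {name: matches(ace, *flow) for name, flow in FLOWS.items()}
```

The posted line matches neither flow, because it requires source port 1720 as well as destination port 1720 while call setup leaves from an ephemeral port; the destination-only variant catches the TCP setup but still misses the UDP media, which is the gap the question describes.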
ASKER CERTIFIED SOLUTION
Les Moore
foobar_666uk

ASKER

It is running the latest version (version 7) and I have been told it should be able to do what I'm trying to do.

I have setup the BT to be DHCP setroute and Easynet I have defined as normal with a default route.

Can anyone help please?

Thanks.
SOLUTION
I haven't yet implemented anything, but here is my current running-config:


asdm image flash:/asdm-521.bin
no asdm history enable
: Saved
:
PIX Version 7.2(1)
!
hostname PIX
domain-name *
enable password *
names
name 10.0.0.10 server01
name 10.0.0.11 fileserver
name 10.0.0.200 supportpc01
name 10.0.0.13 tmsserver
name 217.*.*.* tmsserver-external
name 81.*.*.* BTexternalAddress
name 62.*.*.* MGC
!
interface Ethernet0
 description BT ADSL Connection Static IP address assigned by DHCP from X-Modem
 nameif outside_bt
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 description Internal 10.x network
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
 description Interface connected to Easynet Router
 nameif outside_easynet
 security-level 0
 ip address 217.*.*.* 255.255.255.240
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name firstconnection
access-list outside_bt_cryptomap extended permit ip any 10.0.0.128 255.255.255.128
access-list outside_bt_access_in remark Port 80 access to Server01 for Outlook access and Remote Access etc
access-list outside_bt_access_in extended permit tcp any host BTexternalAddress eq www
access-list outside_bt_access_in remark ICMP / Ping, Telnet etc from any on BT interface to Any
access-list outside_bt_access_in extended permit icmp any any
access-list outside_bt_access_in remark Secure web access to Server01 for Remote Outlook access
access-list outside_bt_access_in extended permit tcp any host BTexternalAddress eq https
access-list outside_bt_access_in remark Used for RemoteAdmin on Server01
access-list outside_bt_access_in extended permit tcp any host BTexternalAddress eq 4125
access-list outside_bt_access_in remark PPTP used for VPN pass through to Server01 for Windows VPN users
access-list outside_bt_access_in extended permit tcp any host BTexternalAddress eq pptp
access-list outside_bt_access_in remark GRE is the protocol used for VPN connection
access-list outside_bt_access_in extended permit gre any host BTexternalAddress
access-list outside_bt_access_in remark Port 8080 to Server01
access-list outside_bt_access_in extended permit tcp any host BTexternalAddress eq 8080
access-list outside_bt_access_in remark Rule to allow incoming access to the fileserver for Extranet access (see Dave)
access-list outside_bt_access_in extended permit tcp any host BTexternalAddress eq 8081
access-list outside_easynet_access_in remark Allows www web access from Easynet SDSL to TMS Server
access-list outside_easynet_access_in extended permit tcp any eq www host tmsserver-external eq www
access-list outside_easynet_access_in remark Allows Secure Web access (https) to TMS Server
access-list outside_easynet_access_in extended permit tcp any eq https host tmsserver-external eq https
access-list outside_easynet_access_in remark Allows telnet access from Easynet SDSL to TMS Server
access-list outside_easynet_access_in extended permit tcp any eq telnet host tmsserver-external eq telnet
access-list outside_easynet_access_in remark Allows port 57 from Easynet SDSL to TMS
access-list outside_easynet_access_in extended permit tcp any eq 57 host tmsserver-external eq 57
access-list outside_easynet_access_in remark Allows port 161 from Easynet SDSL to TMS Server
access-list outside_easynet_access_in extended permit tcp any eq 161 host tmsserver-external eq 161
access-list outside_easynet_access_in remark Allows FTP from Easynet SDSL to TMS Server
access-list outside_easynet_access_in extended permit tcp any eq ftp host tmsserver-external eq ftp
access-list outside_easynet_access_in remark Allows FTP-data from Easynet SDSL to TMS Server
access-list outside_easynet_access_in extended permit tcp any eq ftp-data host tmsserver-external eq ftp-data
access-list policy-vc remark Policy based NAT/Route. If packets = h323 then use NAT Pool ID 1 (Easynet)
access-list policy-vc extended permit tcp any eq h323 any eq h323
access-list mgc-con extended permit tcp any host MGCReading
!
tcp-map mss-mgc-map
  exceed-mss allow
!
pager lines 24
logging enable
logging asdm-buffer-size 200
logging asdm informational
logging from-address pix515e@*.co.uk
logging recipient-address *.co.uk level errors
logging host inside supportpc01
mtu outside_bt 1500
mtu inside 1500
mtu outside_easynet 1500
ip local pool fcvpnpool 10.0.0.185-10.0.0.199 mask 255.255.255.0
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
global (outside_bt) 2 interface
global (outside_easynet) 1 217.*.*.*
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list policy-vc
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside_bt) tcp interface www server01 www netmask 255.255.255.255
static (inside,outside_bt) tcp interface https server01 https netmask 255.255.255.255
static (inside,outside_bt) tcp interface 4125 server01 4125 netmask 255.255.255.255
static (inside,outside_bt) tcp interface pptp server01 pptp netmask 255.255.255.255
static (inside,outside_bt) tcp interface 8080 server01 8080 netmask 255.255.255.255
static (inside,outside_bt) tcp interface 8081 fileserver 8081 netmask 255.255.255.255
static (inside,outside_easynet) tmsserver-external tmsserver netmask 255.255.255.255
access-group outside_bt_access_in in interface outside_bt
access-group outside_easynet_access_in in interface outside_easynet
route outside_easynet 0.0.0.0 0.0.0.0 217.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy fcvpnusers internal
group-policy fcvpnusers attributes
 dns-server value 10.0.0.10
 vpn-tunnel-protocol IPSec
 default-domain value ******
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map mgc-con1
 description Policy to allow connection to MGC from MGC Manager Application
 match access-list mgc-con
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
 class mgc-con1
  set connection advanced-options mss-mgc-map
!
service-policy global_policy global
ntp server server01 source inside prefer
tftp-server inside supportpc01 \
smtp-server 10.0.0.10
prompt hostname context
: end
Oops, you wouldn't be able to go with two default routes in the PIX; irmoore was correct.
Route the traffic to a gateway router and place access-lists on the router.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008008cd23.html#1025051

this may help you.

renill
What router would you recommend for this scenario then?

I have a BT ADSL line, and I would like to use Policy Based Routing. Will the CISCO 850 Router support PBR?

Thanks in advance.
To make things a little bit clearer;

WAN 1: BT ADSL presented as an RJ-11 connection
WAN 2: Easynet SDSL with Managed router, presented from Managed Router as RJ45
LAN: RJ45 Ethernet

I need the router to do Policy Based Routing so that I can route ONLY H323 traffic (both TCP and UDP ports) to Easynet SDSL and anything else via the BT ADSL connection!

I hope that's enough information - I just need to know what Router to get?

Thanks!
Other info...

Our BT ADSL uses "PPPoA" I believe, so the Router will need to support this?

Please help! :)
No-one able to help??
Since you're getting 1 RJ11 and 1 RJ45 Ethernet and you still have Ethernet to the firewall, you will need a router with 2 FastEthernet ports and a WIC slot for an ADSL WIC.
Suggest Cisco 1800 series, particularly the modular 1841 with the appropriate WIC-1ADSL
http://www.cisco.com/en/US/products/ps5853/products_data_sheet0900aecd8016a59b.html