PIX 501 Firewall Configuration

Posted on 2006-06-15
393 Views
Last Modified: 2013-11-16
Currently I have a 501 protecting our corporate LAN from the outside.  I also have another 501 that segments our corporate LAN from another subnet that is not connected to the Internet.

I would like to be able to gain access to that second PIX from the outside so that I can access the computers on that network.

Currently that 2nd PIX is set up with a VPN group that allows PCs from our corporate LAN to securely access data on the other LAN.  That PIX has an IP address assigned to it that is part of the subnet of our corporate LAN.  This works great.

Would it be possible to assign a public IP address to the internal IP address of the 2nd PIX on the first PIX?  I was thinking that if there was a public address pointing to the IP address of the 2nd PIX, I could then authenticate to the VPN group in the 2nd PIX.

First, is this at all possible?  I am getting told by the vendor that set up this 2nd firewall and network that it is, but they are not willing to assist.  Just wondering if there is an easier way or if I am just wasting my time.

Thanks,
Matthew
Question by:spectraflame

Expert Comment by stressedout2004 (LVL 9, ID: 16914316)
Is your setup something like this? (IP addressing is just for illustration.)

 ----------corporate LAN----------(192.168.1.1)-corporate PIX 501-(1.1.1.1)----------------internet---
                                           |
                                           | (192.168.1.2)
                                        2nd PIX
                                           |
                                           | (192.168.2.0/24)
                                        2nd PIX LAN


If you have the above setup, then yes it is possible. All you have to do is create a static NAT on the corporate PIX and add an access-rule and apply it on the outside interface of the Corporate PIX.

e.g.

static (inside, outside) 1.1.1.2 192.168.1.2 netmask 255.255.255.255
access-list acl_out permit esp any host 1.1.1.2
access-list acl_out permit udp any host 1.1.1.2 eq 500
access-list acl_out permit udp any host 1.1.1.2 eq 4500
access-group acl_out in interface outside

Expert Comment by renill (LVL 5, ID: 16919285)


-------------------  Pix1 ----------------------- Internet
                             |
                             |
                             |
                         Pix2
                            |
                            |
-----Corp Lan------------Internal LAN


Is this the configuration you are having?

Author Comment by spectraflame (ID: 16922896)
Our configuration is like this:

Internet ---------------------------------- Pix 1 (9.9.9.9 - Outside (Public) Address)) - 172.16.11.XXX (Internal Address)
                                                                     |
                                                                     |
                                                                     |
                                                        Corporate LAN (172.16.11.XXX)
                                                                     |
                                                                     |
                                                                     |
                                                         Pix 2 (Corporate address of 172.16.11.XXX) External
                                                                 (Internal address for the LAN of 172.16.12.XXX)
                                                                     |
                                                                     |
                                                                     |
                                                         Internal LAN (172.16.12.XXX)

I hope this is easy to understand.  Routing and firewalls are still new to me.

What I have so far I have been able to do using the PDM.  This is what I have so far.

static (inside,outside) EXTERNAL_PUBLIC_IP INTERNAL_ADDRESS_OF_2ND_PIX netmask 255.255.255.255 0 0

The way I read the statements from stressedout2004 is that I need to create a new access group to allow this to function properly.  My question is how can I do this with the PDM?  I am not very comfortable with the command line programming.

Thanks for your help thus far,
Matthew

Accepted Solution by prueconsulting (LVL 11, earned 63 total points, ID: 16929781)
No new access group required. Add the ACL entries to allow access from the outside to the inside to your existing outside access-list entries. Be sure to make sure that they don't get put in place after the deny statement.
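
An added check for the ordering point prueconsulting raises; it is not part of this thread or of any Cisco tool. It parses a constructed PIX 6.x access-list (the name acl_out and the 1.1.1.x addresses are illustrative, following stressedout2004's example above) and reports whether the ESP, IKE (udp/500) and NAT-T (udp/4500) permits for the static-NAT'd address exist and are not placed after a deny that would match them first.

```python
# Constructed PIX 6.x fragment (not from the thread): the IPsec permits were
# appended after an existing "deny ip any any", so they can never match.
SAMPLE_CONFIG = """\
access-list acl_out permit tcp any host 1.1.1.3 eq 25
access-list acl_out deny ip any any
access-list acl_out permit esp any host 1.1.1.2
access-list acl_out permit udp any host 1.1.1.2 eq 500
access-list acl_out permit udp any host 1.1.1.2 eq 4500
access-group acl_out in interface outside
"""
REQUIRED = [("esp", None), ("udp", "500"), ("udp", "4500")]  # ESP, IKE, NAT-T

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'; else None."""
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list":
        return None
    def addr(i):  # address forms: 'any' | 'host X' | 'NET MASK'
        if toks[i] == "any":
            return "any", i + 1
        if toks[i] == "host":
            return toks[i + 1], i + 2
        return toks[i] + "/" + toks[i + 1], i + 2
    src, i = addr(4)
    dst, i = addr(i)
    port = toks[i + 1] if i + 1 < len(toks) and toks[i] == "eq" else None
    return {"name": toks[1], "action": toks[2], "proto": toks[3],
            "src": src, "dst": dst, "port": port}

def shadows(deny, proto, host):
    """True if a deny entry matches PROTO traffic to HOST from any source."""
    return (deny["src"] == "any" and deny["dst"] in ("any", host)
            and deny["proto"] in ("ip", proto))

def check_vpn_passthrough(config, acl_name, public_ip):
    """Return problems; [] means each required permit exists and is not shadowed."""
    aces = [a for a in map(parse_ace, config.splitlines())
            if a and a["name"] == acl_name]
    problems = []
    for proto, port in REQUIRED:
        label = f"permit {proto}" + (f"/{port}" if port else "") + f" to {public_ip}"
        hit = next((i for i, a in enumerate(aces) if a["action"] == "permit"
                    and a["proto"] == proto and a["dst"] == public_ip
                    and a["port"] == port), None)
        if hit is None:
            problems.append(f"missing {label}")
        elif any(a["action"] == "deny" and shadows(a, proto, public_ip)
                 for a in aces[:hit]):
            problems.append(f"{label} is shadowed by an earlier deny")
    return problems
```

Run it against a `show access-list` capture after adding the three lines; an empty result means the VPN traffic to the 2nd PIX is actually permitted in order.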

Author Comment by spectraflame (ID: 16934667)
Should I add a 2nd access list if I currently have one already configured?  Should I just use its name in place of the acl_out?

Matthew

Expert Comment by stressedout2004 (LVL 9, ID: 16934704)
Yes.

Expert Comment by prueconsulting (LVL 11, ID: 16934733)
Yes, simply use its name in place of acl_out, because you cannot have 2 access lists applied to a single interface.

Author Comment by spectraflame (ID: 16935673)
So once these statements are applied, would I have to configure anything on the 2nd PIX?  I currently have a VPN group on that PIX, but it is set up specifically so that the outside interface is coming from our internal LAN.

Also, if there are no other changes necessary, would I be passing through the first PIX and authenticating to the 2nd with the VPN client?

Assisted Solution by stressedout2004 (LVL 9, earned 62 total points, ID: 16947126)
There are no changes that need to be done on the 2nd PIX. You can use the same vpngroup you have. The first PIX is pretty much just a pass-through; the clients will be connecting and authenticating with the 2nd PIX, not the first.