harrymill
asked on
Router-firewall-switch
Guys,
my current scenario is firewall-linksys[dhcp]- switch
Now i've got
Router 2500- firewall - switch
i cannot use NAT for 30 pc's on firewall as this blocks my VPN (secure computing vpn)
can I use cisco2500 for NATing. I got only 16IPs.
Please give me the configuration for the cisco 2500 series and how I would cahnge the below firewall settings
my current config for firewall is
Written by harry at 22:34:16.637 UTC Tue Oct 17 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname mypix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit esp host x.x.x.x any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 55.22.22.243 255.255.255.0
ip address inside 192.168.30.1 255.255.255.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.15.105 255.255.255.255 inside
pdm history enable
arp timeout 14400
static (inside,outside) 55.22.22.244 192.168.30.2 netmask 255.255.255.255 0 0 [192.168.30.2 is my linksys switch which NATs my rest of PC's]
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 55.22.22.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http x.x.x.x 255.255.255.255 outside
http 192.168.30.2 255.255.255.255 inside
http 192.0.0.0 255.0.0.0 inside
http 192.168.15.105 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
telnet 192.168.30.0 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.255 outside
ssh 192.168.30.2 255.255.255.255 inside
ssh timeout 5
console timeout 0
my current scenario is firewall-linksys[dhcp]- switch
Now i've got
Router 2500- firewall - switch
i cannot use NAT for 30 pc's on firewall as this blocks my VPN (secure computing vpn)
can I use cisco2500 for NATing. I got only 16IPs.
Please give me the configuration for the cisco 2500 series and how I would cahnge the below firewall settings
my current config for firewall is
Written by harry at 22:34:16.637 UTC Tue Oct 17 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname mypix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit esp host x.x.x.x any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 55.22.22.243 255.255.255.0
ip address inside 192.168.30.1 255.255.255.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.15.105 255.255.255.255 inside
pdm history enable
arp timeout 14400
static (inside,outside) 55.22.22.244 192.168.30.2 netmask 255.255.255.255 0 0 [192.168.30.2 is my linksys switch which NATs my rest of PC's]
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 55.22.22.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http x.x.x.x 255.255.255.255 outside
http 192.168.30.2 255.255.255.255 inside
http 192.0.0.0 255.0.0.0 inside
http 192.168.15.105 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
telnet 192.168.30.0 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.255 outside
ssh 192.168.30.2 255.255.255.255 inside
ssh timeout 5
console timeout 0
not understanding what you are getting at, but one thing I noticed is where is your global and nat commands
global (outside) 10 interface
nat (inside) 10 0 0
that will make it so the 515 with NAT for all internal hosts to its outside interface IP. Am I wrong in assuming that is what you were getting at?
global (outside) 10 interface
nat (inside) 10 0 0
that will make it so the 515 with NAT for all internal hosts to its outside interface IP. Am I wrong in assuming that is what you were getting at?
ASKER
I think I've to be more specific
My small network started as
switch----Linkys Voip Router----DSL MOdem----Internet
My Linksys did the NATing for all my 15 PC's.
we've been using third party vpn client(secure computing) to access http of our remote office.
A new PIX was bought which now changed my config as
switch----Linkys Voip Router----PIX 506E----DSL MOdem----Internet
There was problem in NATing with PIX as NAT traversal was not happening for my VPN. the problem was posted in experts exchange but was unsolved.
The only feasible solution was 1-1 NATing if I needed to do NAT on PIX. but I had only 2 public IP's.So still my Linksys did the NATing for all
my 15 PC's
like.....
static (inside,outside) 55.22.22.244 192.168.30.2 netmask 255.255.255.255 0 0
where 192.168.30.2 is my linksys router.It gave 192.168.15.0 network to my 15 PCs.
I've learned that it is not good practice having PIX to end in internet
we are going for leased line internet,
we have 16 IPs now and
30 PCs
we have pix 515.
the new scenario expected is
switch----PIX 515----Cisco 2500----Internet [i need to take out my low end linksys router]
How will I configure cisco 2500 series router if I am going to do the following.
I have 16 IP's now. so i'll do 1-1 NATing for 15 PC's so that they can connect vpn simultaneously.
1 IP should be used for 1-many NATing for rest of the pc's.(let them connect to internet atleast!!)
Considering my workgroup as 192.168.30.0
My configuration on PIX for 1-1 NATing or more specefically static routing would be
static (inside,outside) 10.0.1.2 192.168.30.2 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.3 192.168.30.3 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.4 192.168.30.4 netmask 255.255.255.255 0 0
.
.
static (inside,outside) 10.0.1.16 192.168.30.16 netmask 255.255.255.255 0 0
????
How will I NAT 1-many for my rest of 15 PCs ?(do i do this on PIX or 2500???)
I am newbie to cisco i dunno whether this is correct.
Now I want my configuration on 2500 series router for NATing this 15 IPs 10.0.1.2-16 with my public 15 IPs.
One public IP I need to do 1- many NATing
Do I confuse again ?
My small network started as
switch----Linkys Voip Router----DSL MOdem----Internet
My Linksys did the NATing for all my 15 PC's.
we've been using third party vpn client(secure computing) to access http of our remote office.
A new PIX was bought which now changed my config as
switch----Linkys Voip Router----PIX 506E----DSL MOdem----Internet
There was problem in NATing with PIX as NAT traversal was not happening for my VPN. the problem was posted in experts exchange but was unsolved.
The only feasible solution was 1-1 NATing if I needed to do NAT on PIX. but I had only 2 public IP's.So still my Linksys did the NATing for all
my 15 PC's
like.....
static (inside,outside) 55.22.22.244 192.168.30.2 netmask 255.255.255.255 0 0
where 192.168.30.2 is my linksys router.It gave 192.168.15.0 network to my 15 PCs.
I've learned that it is not good practice having PIX to end in internet
we are going for leased line internet,
we have 16 IPs now and
30 PCs
we have pix 515.
the new scenario expected is
switch----PIX 515----Cisco 2500----Internet [i need to take out my low end linksys router]
How will I configure cisco 2500 series router if I am going to do the following.
I have 16 IP's now. so i'll do 1-1 NATing for 15 PC's so that they can connect vpn simultaneously.
1 IP should be used for 1-many NATing for rest of the pc's.(let them connect to internet atleast!!)
Considering my workgroup as 192.168.30.0
My configuration on PIX for 1-1 NATing or more specefically static routing would be
static (inside,outside) 10.0.1.2 192.168.30.2 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.3 192.168.30.3 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.4 192.168.30.4 netmask 255.255.255.255 0 0
.
.
static (inside,outside) 10.0.1.16 192.168.30.16 netmask 255.255.255.255 0 0
????
How will I NAT 1-many for my rest of 15 PCs ?(do i do this on PIX or 2500???)
I am newbie to cisco i dunno whether this is correct.
Now I want my configuration on 2500 series router for NATing this 15 IPs 10.0.1.2-16 with my public 15 IPs.
One public IP I need to do 1- many NATing
Do I confuse again ?
I'm still confused why you think you need the 2500 router. Just plug the line from the CSU/DSU into the pix outside interface.
>>I've learned that it is not good practice having PIX to end in internet
where did you learn that?
It is far, far easier to do NAT on the pix than the router and then nonat on the pix (just my opinion anyway)
as for the vpn, I think I know what you are talking about but just want to make sure.
your internal users want to connect to a vpn server outside of your network. This worked with the Linksys? If so I don't see why its not possible with the pix.
try
isakmp nat-traversal 10
Assuming you are using ESP ipsec anyway, if you are using AH ipsec, then 1-to-1 is only way. PPTP is also questionable
as for the natting issue, you can use what I already posted
even though the ranges overlap, static entries are always processed by the pix for NATing before the global/nat entries and thus won't cause a problem.
>>I've learned that it is not good practice having PIX to end in internet
where did you learn that?
It is far, far easier to do NAT on the pix than the router and then nonat on the pix (just my opinion anyway)
as for the vpn, I think I know what you are talking about but just want to make sure.
your internal users want to connect to a vpn server outside of your network. This worked with the Linksys? If so I don't see why its not possible with the pix.
try
isakmp nat-traversal 10
Assuming you are using ESP ipsec anyway, if you are using AH ipsec, then 1-to-1 is only way. PPTP is also questionable
as for the natting issue, you can use what I already posted
even though the ranges overlap, static entries are always processed by the pix for NATing before the global/nat entries and thus won't cause a problem.
Agree with Cyclops that you don't need this router. The PIX 515 is a much better Internet termination than a router. You only need the router if you are connecting to the ISP by way of T1 or other serial type connection that is not supported by the PIX.
>static (inside,outside) 55.22.22.244 192.168.30.2 netmask 255.255.255.255 0 0 [192.168.30.2 is my linksys switch which NATs my rest of PC's]
This is part of the problem. Take the Linksys out of the mix. It is not doing you any good and is actually a big part of the problem. You can use the PIX as the DHCP server if that is all it's doing. The reason that you can't get more than one VPN client out at a time is a limitation of this Linksys and Not the PIX.
>I wanted to set this up so that at least 15 VPN's could work simultaneosly.
Unless you want to be specific as to which 15 users can work at the same time, then you can use a global pool so that the first 15 of the day will get a 1-1 nat automatically, and all others will use PAT.
Just set up a global pool:
global (outside) 1 55.22.22.242-55.22.22.254 netmask 255.255.255.240
global (outside) 1 interface <== all others use this for PAT
nat (inside) 1 192.168.30.0 255.255.255.0
>static (inside,outside) 55.22.22.244 192.168.30.2 netmask 255.255.255.255 0 0 [192.168.30.2 is my linksys switch which NATs my rest of PC's]
This is part of the problem. Take the Linksys out of the mix. It is not doing you any good and is actually a big part of the problem. You can use the PIX as the DHCP server if that is all it's doing. The reason that you can't get more than one VPN client out at a time is a limitation of this Linksys and Not the PIX.
>I wanted to set this up so that at least 15 VPN's could work simultaneosly.
Unless you want to be specific as to which 15 users can work at the same time, then you can use a global pool so that the first 15 of the day will get a 1-1 nat automatically, and all others will use PAT.
Just set up a global pool:
global (outside) 1 55.22.22.242-55.22.22.254 netmask 255.255.255.240
global (outside) 1 interface <== all others use this for PAT
nat (inside) 1 192.168.30.0 255.255.255.0
btw, i just want to clarify something incase there was confusion.
in my commands I gave
global (outside) 10 interface
nat (inside) 10 0 0
compared to the ones lrmoore gave
global (outside) 1 55.22.22.242-55.22.22.254 netmask 255.255.255.240
global (outside) 1 interface <== all others use this for PAT
nat (inside) 1 192.168.30.0 255.255.255.0
The number after the (<interface>), for me 10, for lrmoore 1, is the priority number in which the nat commands are processed. Most people use 1 I believe as 0 is reserved for no nat entries. The reason I chose 10 is in case you come up with a more complicated config later that requires a higher priority processing than general NAT. For me I needed policy NAT configs on my pix.
So it doesn't matter what number you use there so long as its not 0, just as long as you give them a number representing the order in which you want them to be evaluated. And like I said before static entries are always processed first.
in my commands I gave
global (outside) 10 interface
nat (inside) 10 0 0
compared to the ones lrmoore gave
global (outside) 1 55.22.22.242-55.22.22.254 netmask 255.255.255.240
global (outside) 1 interface <== all others use this for PAT
nat (inside) 1 192.168.30.0 255.255.255.0
The number after the (<interface>), for me 10, for lrmoore 1, is the priority number in which the nat commands are processed. Most people use 1 I believe as 0 is reserved for no nat entries. The reason I chose 10 is in case you come up with a more complicated config later that requires a higher priority processing than general NAT. For me I needed policy NAT configs on my pix.
So it doesn't matter what number you use there so long as its not 0, just as long as you give them a number representing the order in which you want them to be evaluated. And like I said before static entries are always processed first.
ASKER
im sorry again!!
the new connection that im having now is T1 1:1 I just confirmed with ISP.
we'll be dropping the DSL now. So the internet will end only in Router.
Even I need to get rid of the Linksys router but the hard fact is that my ageold VPN client is not connecting to my Host office Sidewinder.
the new connection that im having now is T1 1:1 I just confirmed with ISP.
we'll be dropping the DSL now. So the internet will end only in Router.
Even I need to get rid of the Linksys router but the hard fact is that my ageold VPN client is not connecting to my Host office Sidewinder.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
This sounds Great and finally I got something I was expecting :)))
sorry for the poor communcation and troubles caused by this
But I got to try this out at Office once I reach there !!
still thinking y the nat confgured on router did not allow my vpn to work
i'hd just used Internet----Router----swit
Not a prob ! i'll try out in my pix.
All on PIX!!
sorry for the poor communcation and troubles caused by this
But I got to try this out at Office once I reach there !!
still thinking y the nat confgured on router did not allow my vpn to work
i'hd just used Internet----Router----swit
Not a prob ! i'll try out in my pix.
All on PIX!!
Add one more command on the PIX. I forgot to add it above..
global (outside) 10 interface
This will let all other PC's use PAT many-one
global (outside) 10 interface
This will let all other PC's use PAT many-one
i don't know personally I'm still not convince you even need the one to one NAT global command for 15 IPs for vpn to work, but again, I'm not entirely clear about your vpn setup.
personally, i'd say try without the
global (outside) 10 34.56.7.3-34.56.7.14 netmask 255.255.255.240
and add it in if you the vpn doesn't work as expected.
personally, i'd say try without the
global (outside) 10 34.56.7.3-34.56.7.14 netmask 255.255.255.240
and add it in if you the vpn doesn't work as expected.
ASKER
Am at my new office
swithc----PIX 515----cisco2500---Interne
Well I did without
global (outside) 10 34.56.7.3-34.56.7.14 netmask 255.255.255.240
i get internet shared but only one vpn client works( connects to my remote office)
i use global (outside) 10 34.56.7.3-34.56.7.12 netmask 255.255.255.240
i get 10 vpn clients connecting to remote m/c.
I do swithc---Linksys-------PIX
REMOVED NAT FROM PIX. did NAT on Linksys
i get all my VPN clients connecting under ONE SINGLE IP.
How do you all experts justify this???
swithc----PIX 515----cisco2500---Interne
Well I did without
global (outside) 10 34.56.7.3-34.56.7.14 netmask 255.255.255.240
i get internet shared but only one vpn client works( connects to my remote office)
i use global (outside) 10 34.56.7.3-34.56.7.12 netmask 255.255.255.240
i get 10 vpn clients connecting to remote m/c.
I do swithc---Linksys-------PIX
REMOVED NAT FROM PIX. did NAT on Linksys
i get all my VPN clients connecting under ONE SINGLE IP.
How do you all experts justify this???
did you enter this command?
isakmp nat-traversal 10
also, can you give more specifics on the VPN you are doing: Ipsec (AH or ESP), PPTP, L2TP
if Ipsec. does it allow for tcp or udp tunneling or is it unencapsulated ipsec protocol 50.
isakmp nat-traversal 10
also, can you give more specifics on the VPN you are doing: Ipsec (AH or ESP), PPTP, L2TP
if Ipsec. does it allow for tcp or udp tunneling or is it unencapsulated ipsec protocol 50.
ASKER
did you enter this command?
isakmp nat-traversal 10
yes i did
IPSec esp
i need to add
access-list 101 permit esp host *.*.*.* any
other wise http pages wont display
does it allow for tcp or udp tunneling or is it unencapsulated ipsec protocol 50.
let me check with--i dunno iat the moment
isakmp nat-traversal 10
yes i did
IPSec esp
i need to add
access-list 101 permit esp host *.*.*.* any
other wise http pages wont display
does it allow for tcp or udp tunneling or is it unencapsulated ipsec protocol 50.
let me check with--i dunno iat the moment
ASKER
esp protocol 50
ok, i need to read up on this as my superior....lol....underst
I'm pretty sure that's why though. protocol 50, like protocol 47 (GRE for PPTP) doesn't have the builtin capability to allow for tracking multiple prot50 tunnels. if you tunnel this through udp/tcp then you can divide the tunnels up by source ports and NAT them.
Is everyone VPN'ing to the same place (in other words is a site-to-site VPN a more logical choice) or is it possible to switch the VPN to tunneling thru udp/tcp.
Why you could do it on the linksys and not the pix I'm unsure. I know lrmoore is far more intelligable on PIX technology than I am, but I'll see if I can find something out as I'm now curious.
I'm pretty sure that's why though. protocol 50, like protocol 47 (GRE for PPTP) doesn't have the builtin capability to allow for tracking multiple prot50 tunnels. if you tunnel this through udp/tcp then you can divide the tunnels up by source ports and NAT them.
Is everyone VPN'ing to the same place (in other words is a site-to-site VPN a more logical choice) or is it possible to switch the VPN to tunneling thru udp/tcp.
Why you could do it on the linksys and not the pix I'm unsure. I know lrmoore is far more intelligable on PIX technology than I am, but I'll see if I can find something out as I'm now curious.
ASKER
I need to be faithful to my question.
I got all that I required.
Latest update or solution is expected
i know site to site vpn is the ideal suit.
so here is the new thread
https://www.experts-exchange.com/questions/22057371/Sidewinder-PIX-site-to-site-VPN.html
I got all that I required.
Latest update or solution is expected
i know site to site vpn is the ideal suit.
so here is the new thread
https://www.experts-exchange.com/questions/22057371/Sidewinder-PIX-site-to-site-VPN.html
From what I can tell, I am right. ESP Ipsec doesn't support level 4 information thus isn't supported thru NAT/PAT devices. This is why Cisco applied for the NAT-T standardization.
How the Linksys did it, I have no clue. I know it supports ipsec passthrough but wouldn't think it'd support multiple ipsec tunnels.
How the Linksys did it, I have no clue. I know it supports ipsec passthrough but wouldn't think it'd support multiple ipsec tunnels.
ASKER
it just provides dhcp to all my machines.
My firewall is PIX 515.
When I used NATing on PIX no two VPNs would work on same IP. till now i had only 2 IP's now I 've 16 IP's.
I wanted to set this up so that at least 15 VPN's could work simultaneosly.
And all 30 PC's gets internet
Please Help Moore !!!