Solved

Router-firewall-switch

Posted on 2006-11-09
Last Modified: 2010-04-17
Guys,

my current scenario is firewall - Linksys [DHCP] - switch

Now I've got
Router 2500 - firewall - switch

I cannot use NAT for 30 PCs on the firewall as this blocks my VPN (Secure Computing VPN).
Can I use the Cisco 2500 for NATing? I've got only 16 IPs.

Please give me the configuration for the Cisco 2500 series and how I would change the firewall settings below.

my current config for firewall is
 Written by harry at 22:34:16.637 UTC Tue Oct 17 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname mypix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit esp host x.x.x.x any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 55.22.22.243 255.255.255.0
ip address inside 192.168.30.1 255.255.255.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.15.105 255.255.255.255 inside
pdm history enable
arp timeout 14400
static (inside,outside) 55.22.22.244 192.168.30.2 netmask 255.255.255.255 0 0  [192.168.30.2 is my linksys switch which NATs my rest of PC's]
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 55.22.22.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http x.x.x.x 255.255.255.255 outside
http 192.168.30.2 255.255.255.255 inside
http 192.0.0.0 255.0.0.0 inside
http 192.168.15.105 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
telnet 192.168.30.0 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.255 outside
ssh 192.168.30.2 255.255.255.255 inside
ssh timeout 5
console timeout 0
Question by:harrymill
19 Comments
 

Author Comment

by:harrymill
ID: 17907965
The Linksys router I used till now is my VoIP router RT31P2.
It just provides DHCP to all my machines.

My firewall is a PIX 515.

When I used NATing on the PIX, no two VPNs would work on the same IP. Till now I had only 2 IPs; now I've got 16 IPs.
I wanted to set this up so that at least 15 VPNs could work simultaneously,
and all 30 PCs get internet.

Please Help Moore !!!
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17910967
Not understanding what you are getting at, but one thing I noticed is: where are your global and nat commands?
global (outside) 10 interface
nat (inside) 10 0 0

That will make it so the 515 does NAT for all internal hosts to its outside interface IP.  Am I wrong in assuming that is what you were getting at?
 

Author Comment

by:harrymill
ID: 17911849
I think I have to be more specific.


My small network started as

switch----Linksys VoIP Router----DSL Modem----Internet
My Linksys did the NATing for all my 15 PCs.

We've been using a third party VPN client (Secure Computing) to access HTTP at our remote office.

A new PIX was bought, which changed my config to
switch----Linksys VoIP Router----PIX 506E----DSL Modem----Internet

There was a problem in NATing with the PIX as NAT traversal was not happening for my VPN. The problem was posted on Experts Exchange but was unsolved.
The only feasible solution was 1-1 NATing if I needed to do NAT on the PIX, but I had only 2 public IPs. So still my Linksys did the NATing for all
my 15 PCs,

like.....
static (inside,outside) 55.22.22.244 192.168.30.2 netmask 255.255.255.255 0 0
where 192.168.30.2 is my Linksys router. It gave the 192.168.15.0 network to my 15 PCs.

I've learned that it is not good practice to have the PIX terminate the internet link.
We are going for leased line internet,
we have 16 IPs now and
30 PCs,
we have a PIX 515.

The new scenario expected is
switch----PIX 515----Cisco 2500----Internet [I need to take out my low end Linksys router]


How will I configure the Cisco 2500 series router if I am going to do the following?

I have 16 IPs now, so I'll do 1-1 NATing for 15 PCs so that they can connect VPN simultaneously.
1 IP should be used for 1-many NATing for the rest of the PCs (let them connect to the internet at least!!).


Considering my workgroup as 192.168.30.0,
my configuration on the PIX for 1-1 NATing, or more specifically static translation, would be

static (inside,outside) 10.0.1.2 192.168.30.2 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.3 192.168.30.3 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.4 192.168.30.4 netmask 255.255.255.255 0 0
 .
 .
static (inside,outside) 10.0.1.16 192.168.30.16 netmask 255.255.255.255 0 0

????
How will I NAT 1-many for the rest of my 15 PCs? (Do I do this on the PIX or the 2500???)

I am a newbie to Cisco; I dunno whether this is correct.

Now I want my configuration on the 2500 series router for NATing these 15 IPs 10.0.1.2-16 to my 15 public IPs.
With one public IP I need to do 1-many NATing.

Do I confuse again?
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17913726
I'm still confused why you think you need the 2500 router.  Just plug the line from the CSU/DSU into the pix outside interface.
>>I've learned that it is not good practice having PIX to end in internet
where did you learn that?
It is far, far easier to do NAT on the pix than the router and then nonat on the pix (just my opinion anyway)

as for the vpn, I think I know what you are talking about but just want to make sure.
your internal users want to connect to a vpn server outside of your network.  This worked with the Linksys?  If so I don't see why it's not possible with the pix.
try
isakmp nat-traversal 10
Assuming you are using ESP ipsec anyway, if you are using AH ipsec, then 1-to-1 is only way.  PPTP is also questionable

as for the natting issue, you can use what I already posted
even though the ranges overlap, static entries are always processed by the pix for NATing before the global/nat entries and thus won't cause a problem.
 
LVL 79

Expert Comment

by:lrmoore
ID: 17914438
Agree with Cyclops that you don't need this router. The PIX 515 is a much better Internet termination than a router. You only need the router if you are connecting to the ISP by way of T1 or other serial type connection that is not supported by the PIX.

>static (inside,outside) 55.22.22.244 192.168.30.2 netmask 255.255.255.255 0 0  [192.168.30.2 is my linksys switch which NATs my rest of PC's]
This is part of the problem. Take the Linksys out of the mix. It is not doing you any good and is actually a big part of the problem. You can use the PIX as the DHCP server if that is all it's doing. The reason that you can't get more than one VPN client out at a time is a limitation of this Linksys and Not the PIX.

>I wanted to set this up so that at least 15 VPN's could work simultaneosly.
Unless you want to be specific as to which 15 users can work at the same time, then you can use a global pool so that the first 15 of the day will get a 1-1 nat automatically, and all others will use PAT.
Just set up a global pool:

global (outside) 1 55.22.22.242-55.22.22.254 netmask 255.255.255.240
global (outside) 1 interface   <== all others use this for PAT
nat (inside) 1 192.168.30.0 255.255.255.0


 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17914527
btw, I just want to clarify something in case there was confusion.

in my commands I gave
global (outside) 10 interface
nat (inside) 10 0 0

compared to the ones lrmoore gave
global (outside) 1 55.22.22.242-55.22.22.254 netmask 255.255.255.240
global (outside) 1 interface   <== all others use this for PAT
nat (inside) 1 192.168.30.0 255.255.255.0

The number after the (<interface>), for me 10, for lrmoore 1, is the priority number in which the nat commands are processed.  Most people use 1 I believe as 0 is reserved for no nat entries.  The reason I chose 10 is in case you come up with a more complicated config later that requires a higher priority processing than general NAT.  For me I needed policy NAT configs on my pix.

So it doesn't matter what number you use there so long as it's not 0, just as long as you give them a number representing the order in which you want them to be evaluated. And like I said before, static entries are always processed first.
 

Author Comment

by:harrymill
ID: 17915936
I'm sorry again!!

The new connection that I'm having now is a T1 1:1, I just confirmed with the ISP.
We'll be dropping the DSL now. So the internet will terminate only on the router.

Even I need to get rid of the Linksys router, but the hard fact is that my age-old VPN client is not connecting to my host office Sidewinder.
 
LVL 79

Accepted Solution

by: lrmoore earned 500 total points
ID: 17916057
OK, so you have a new T1 coming into your 2500 router.
And you've configured NAT on this 2500 router instead of letting the PIX handle it?

T1 router --> PIX -->LAN switch --> VPN client

The T1 router simply passes packets between T1 and Ethernet
PIX does all the NAT

T1 router:
 interface Serial 0/0
  ip address 12.34.56.2 255.255.255.252
 interface Ethernet0
  ip address 34.56.7.1 255.255.255.240
 
ip route 0.0.0.0 0.0.0.0 12.34.56.1

PIX:
ip address outside 34.56.7.2 255.255.255.240
ip address inside 192.168.30.1 255.255.255.0
global (outside) 10 34.56.7.3-34.56.7.14 netmask 255.255.255.240
nat (inside) 10 0 0
route outside 0.0.0.0 0.0.0.0 34.56.7.1

VPN Client:
 IP address 192.168.30.30 255.255.255.0
 Default gateway 192.168.30.1

Done. No linksys, no DSL modem, nothing else in the way.


 

Author Comment

by:harrymill
ID: 17916392
This sounds great and finally I got something I was expecting :)))
Sorry for the poor communication and troubles caused by this.

But I've got to try this out at the office once I reach there!!

Still thinking why the NAT configured on the router did not allow my VPN to work;
I had just used Internet----Router----switch----workgroup.

Not a prob! I'll try it out on my PIX.
All on PIX!!
 
LVL 79

Expert Comment

by:lrmoore
ID: 17916506
Add one more command on the PIX. I forgot to add it above..

global (outside) 10 interface

This will let all other PC's use PAT many-one
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17916608
I don't know, personally I'm still not convinced you even need the one-to-one NAT global command for 15 IPs for the vpn to work, but again, I'm not entirely clear about your vpn setup.

Personally, I'd say try without the
global (outside) 10 34.56.7.3-34.56.7.14 netmask 255.255.255.240

and add it in if the vpn doesn't work as expected.
 

Author Comment

by:harrymill
ID: 17922564
Am at my new office.

switch----PIX 515----Cisco 2500----Internet

Well, I did without
global (outside) 10 34.56.7.3-34.56.7.14 netmask 255.255.255.240
I get internet shared but only one VPN client works (connects to my remote office).

I use global (outside) 10 34.56.7.3-34.56.7.12 netmask 255.255.255.240
I get 10 VPN clients connecting to the remote m/c.

I do switch----Linksys----PIX 515----Cisco 2500
REMOVED NAT FROM PIX. Did NAT on the Linksys.
I get all my VPN clients connecting under ONE SINGLE IP.


How do you all experts justify this???
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17922773
did you enter this command?
isakmp nat-traversal 10

also, can you give more specifics on the VPN you are doing:  Ipsec (AH or ESP), PPTP, L2TP
if Ipsec.  does it allow for tcp or udp tunneling or is it unencapsulated ipsec protocol 50.
 

Author Comment

by:harrymill
ID: 17922809
>did you enter this command?
>isakmp nat-traversal 10
Yes I did.

IPSec ESP.
I need to add
access-list 101 permit esp host *.*.*.* any
otherwise HTTP pages won't display.


>does it allow for tcp or udp tunneling or is it unencapsulated ipsec protocol 50.
Let me check with them, I dunno at the moment.
 

Author Comment

by:harrymill
ID: 17922817
ESP protocol 50
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17922855
ok, i need to read up on this as my superior....lol....understanding of vpn technology is fading a little.

I'm pretty sure that's why though.  Protocol 50, like protocol 47 (GRE for PPTP), doesn't have the built-in capability to allow for tracking multiple proto 50 tunnels.  If you tunnel this through udp/tcp then you can divide the tunnels up by source ports and NAT them.

Is everyone VPN'ing to the same place (in other words is a site-to-site VPN a more logical choice) or is it possible to switch the VPN to tunneling thru udp/tcp.

Why you could do it on the linksys and not the pix I'm unsure.  I know lrmoore is far more intelligable on PIX technology than I am, but I'll see if I can find something out as I'm now curious.
 

Author Comment

by:harrymill
ID: 17923039
I need to be faithful to my question.
I got all that I required.

Latest update or solution is expected

i know site to site vpn is the ideal suit.
so here is the new thread
http://www.experts-exchange.com/Networking/Q_22057371.html
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17923288
From what I can tell, I am right.  ESP Ipsec doesn't support level 4 information thus isn't supported thru NAT/PAT devices.  This is why Cisco applied for the NAT-T standardization.

How the Linksys did it, I have no clue.  I know it supports ipsec passthrough but wouldn't think it'd support multiple ipsec tunnels.
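The two mechanisms argued over in this thread, the PIX translation order (static xlates before the global/nat pool, the pool before PAT on the interface address) and the reason plain ESP cannot share one PAT address while NAT-T can, are easy to lose in the back-and-forth. The following is a constructed Python model added here; it is not PIX code and was not posted by any participant. The 34.56.7.x and 192.168.30.x addresses come from lrmoore's accepted solution; the peer address 203.0.113.1, the sixteen inside hosts, and the behaviour of a second port-less flow behind PAT (dropped, because there is no port to rewrite) are assumptions of the model. UDP/4500 as the NAT-T encapsulation port is from RFC 3948.

```python
"""Toy model of PIX 6.3 translation order and ESP-vs-NAT-T behind PAT.

Constructed example, not PIX code. It models:
  (a) static (inside,outside) entries winning over the dynamic pool,
  (b) "global (outside) N a-b" handing out dynamic 1-1 xlates until exhausted,
  (c) "global (outside) N interface" as the PAT fallback, and
  (d) why ESP (IP protocol 50, no L4 ports) cannot be multiplexed by PAT
      while NAT-T (ESP inside UDP/4500) can.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ESP = 50            # IP protocol number for ESP; the header carries no ports
UDP = 17
NAT_T_PORT = 4500   # UDP port used by IPsec NAT traversal (RFC 3948)


@dataclass(frozen=True)
class Flow:
    src: str                      # inside host
    dst: str                      # remote VPN peer
    proto: int
    sport: Optional[int] = None   # None for ESP: nothing for PAT to rewrite


@dataclass
class PixNat:
    statics: Dict[str, str]            # inside -> global, 1-1, consulted first
    pool: List[str]                    # dynamic 1-1 addresses (global a-b)
    interface_ip: Optional[str]        # PAT address (global ... interface), or None
    xlate: Dict[str, str] = field(default_factory=dict)   # dynamic inside -> global
    pat_ports: Dict[Tuple[str, int], Set[int]] = field(default_factory=dict)
    pat_portless: Dict[Tuple[str, str, int], str] = field(default_factory=dict)

    def translate(self, f: Flow) -> Optional[Tuple[str, Optional[int]]]:
        """Return (global_ip, global_port) for the flow, or None if it cannot be built."""
        # 1. Static entries win, even when their global address overlaps the pool.
        if f.src in self.statics:
            return (self.statics[f.src], f.sport)
        # 2. A dynamic 1-1 xlate already exists for this host.
        if f.src in self.xlate:
            return (self.xlate[f.src], f.sport)
        # 3. Allocate from the pool, skipping addresses owned by statics or other hosts.
        reserved = set(self.statics.values()) | set(self.xlate.values())
        for addr in self.pool:
            if addr not in reserved:
                self.xlate[f.src] = addr
                return (addr, f.sport)
        # 4. PAT on the interface address.
        if self.interface_ip is None:
            return None
        if f.sport is None:
            # Port-less protocol: return traffic can only be matched on (global, peer, proto),
            # so the model lets one inside host own that tuple and drops any second one.
            key = (self.interface_ip, f.dst, f.proto)
            owner = self.pat_portless.setdefault(key, f.src)
            return (self.interface_ip, None) if owner == f.src else None
        # UDP/TCP: a fresh source port per flow keeps every host distinguishable.
        used = self.pat_ports.setdefault((self.interface_ip, f.proto), set())
        port = next(p for p in range(1024, 65536) if p not in used)
        used.add(port)
        return (self.interface_ip, port)


PEER = "203.0.113.1"                                   # constructed VPN concentrator
HOSTS = [f"192.168.30.{i}" for i in range(2, 18)]      # 16 constructed inside PCs


def count_tunnels(pix: PixNat, proto: int, sport: Optional[int]) -> int:
    """How many of the 16 hosts can bring up a tunnel to PEER through this PIX."""
    return sum(1 for h in HOSTS if pix.translate(Flow(h, PEER, proto, sport)) is not None)


def pat_only_esp() -> int:
    """Only 'global (outside) 10 interface': one ESP tunnel per peer gets through."""
    return count_tunnels(PixNat({}, [], "34.56.7.2"), ESP, None)


def pool_plus_pat_esp() -> int:
    """Accepted solution: pool .3-.14 (12 addresses) plus interface PAT."""
    pool = [f"34.56.7.{i}" for i in range(3, 15)]
    return count_tunnels(PixNat({}, pool, "34.56.7.2"), ESP, None)


def pat_only_nat_t() -> int:
    """Same PAT-only box, but the client encapsulates ESP in UDP/4500 (NAT-T)."""
    return count_tunnels(PixNat({}, [], "34.56.7.2"), UDP, NAT_T_PORT)


def static_beats_pool() -> Tuple[str, str]:
    """A static overlapping the pool is honoured, and the pool skips that global."""
    pix = PixNat({"192.168.30.2": "34.56.7.3"}, ["34.56.7.3", "34.56.7.4"], None)
    first = pix.translate(Flow("192.168.30.2", PEER, ESP))[0]
    second = pix.translate(Flow("192.168.30.9", PEER, ESP))[0]
    return first, second


if __name__ == "__main__":
    print("PAT only, ESP:        ", pat_only_esp())
    print("pool + PAT, ESP:      ", pool_plus_pat_esp())
    print("PAT only, NAT-T:      ", pat_only_nat_t())
    print("static vs pool:       ", static_beats_pool())
```

The model reproduces the pattern harrymill reports: with the interface-only config exactly one ESP client works, each address in the global pool buys one more simultaneous tunnel, and the 16 clients all fit behind a single PAT address only once the tunnel is carried in UDP/4500, where the source port gives the translator something to key on. It also shows Cyclops3590's ordering point: a static for 192.168.30.2 pointing at 34.56.7.3 is used even though .3 sits inside the pool, and the next dynamic host receives .4 rather than colliding.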
