Solved

PIX501 bidirection nat outside to inside to internet

Posted on 2007-03-22
Last Modified: 2008-01-09
Hopefully we have some PIX gurus who are able to help me out here :-)


I have a PIX501 firewall with a wireless network attached to the outside interface and our local network attached to the inside interface.
I've set up access lists to permit the wireless clients attached to the outside interface to access services on our inside interfaces.
The wireless clients are on a totally separate /24 subnet.
Now everything seems to work fine with the nat statements for our local wired subnets, for example wirelessClients accessing the email server etc.; however the wireless clients cannot access the internet.

For the wireless clients to get out onto our internet connection they have to take the following path

wirelessLaptop - CiscoAccessPoint - OutsideIntPIX501 - InsideIntPIX501 - CiscoSwitch - InsideCorporatePIX515E - OutsideCorporatePIX515E - Internet

Below is a cut of some of the PIX501 config that the wireless clients are connected to.


name 10.1.1.2 accessPoint
name 10.1.1.0 WirelessLan
name 100.100.100.1 pix515fw

 
object-group network WirelessLan
  network-object WirelessLan 255.255.255.0

object-group network WebAccessNetwork
  network-object pix515fw 255.255.255.255

object-group network InternalAccessNetwork
  network-object ..All our local servers here...


object-group service WebAccessUDP udp
  port-object eq domain
object-group service WebAccessTCP tcp
  port-object eq www
  port-object eq ftp-data
  port-object eq domain
  port-object eq ftp


object-group service InternalAccessUDP udp
port-object eq all our local server ports

object-group service InternalAccessTCP tcp
port-object eq all our local server ports

access-list outside_access_in permit udp object-group WirelessLan object-group InternalAccessNetwork object-group InternalAccessUDP
access-list outside_access_in permit tcp object-group WirelessLan object-group InternalAccessNetwork object-group InternalAccessTCP
access-list outside_access_in permit udp object-group WirelessLan object-group WebAccessNetwork object-group WebAccessUDP
access-list outside_access_in permit tcp object-group WirelessLan object-group WebAccessNetwork object-group WebAccessTCP

ip address outside 10.1.1.1 255.255.255.0
ip address inside 100.100.100.2 255.255.255.0

nat (outside) 0 WirelessLan 255.255.255.0 outside 0 0
static (outside,inside) accessPoint accessPoint netmask 255.255.255.255 0 0
static (inside,outside) InternalSubnet1 InternalSubnet1 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
route inside 0.0.0.0 0.0.0.0 pix515fw 1
route inside InternalSubnet1 255.255.255.0 OurLocalRouter 1




So my question is how should I go about giving the WirelessClients access to open web pages on the internet? For that to happen
the traffic has to pass through the outside interface on the 501 firewall, out of the inside interface onto the local switch, and then back out of our
main PIX515E to reach the destination.


I'm fairly sure I'd need to modify the WebAccessNetwork access-list to permit WirelessLan to any against the port listings, so that's not a problem, I can change that;
however, I'm not entirely sure how to go about it with the NAT statements.


Any suggestions appreciated. :-)
Question by:georgecooldude
3 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 18775388
This is what I would do...
Don't nat between wireless and inside.
 static (inside,outside) 100.100.100.0 100.100.100.0 netmask 255.255.255.0

Create the acls to allow local ports, then deny all other ports, then allow traffic to any
object-group network InternalServers
  <use actual 100.100.100.x ip addresses of servers>
 access-list outside_in permit udp object-group WirelessLan object-group InternalServers object-group InternalAccessUDP
  <etc>
 access-list outside_in deny ip object-group WirelessLan 100.100.100.0 255.255.255.0
 access-list outside_in permit tcp object-group WirelessLan any eq http
 access-list outside_in permit tcp object-group WirelessLan any eq https

Now, on the PIX515 firewall, be sure to allow the wirelessLan 10.1.1.0 through with a nat (inside) statement
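The ordering lrmoore describes (permit the local services, deny the rest of the inside subnet, then permit web to any) is what keeps the wireless guests from reaching every inside host on port 80 or 443 once the "permit ... any" lines are added. The following model of PIX first-match ACL evaluation is an added example, not code from the thread or from Cisco; it takes WirelessLan 10.1.1.0/24 and the inside subnet 100.100.100.0/24 from the question, and the mail server 100.100.100.10, its ports, the "other" inside host 100.100.100.50 and the Internet host 203.0.113.10 are constructed assumptions. The `to_pix` renderer expands a multi-port entry into one line per port, the way `show access-list` expands an object-group on the PIX.

```python
"""Model PIX first-match ACL evaluation for the wireless-guest ACL discussed above.

Added example (not from the original thread). Addresses and ports marked
'assumed' are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List

ANY = ipaddress.ip_network("0.0.0.0/0")
WIRELESS_LAN = ipaddress.ip_network("10.1.1.0/24")        # from the question
INSIDE_SUBNET = ipaddress.ip_network("100.100.100.0/24")  # from the question
MAIL_SERVER = ipaddress.ip_network("100.100.100.10/32")   # assumed InternalServers member
MAIL_PORTS = frozenset({25, 110, 143})                     # assumed "local server ports"


@dataclass(frozen=True)
class Ace:
    """One access-list entry; an empty dports set means any destination port."""
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (ip matches both)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: FrozenSet[int] = frozenset()

    def matches(self, proto: str, src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return not self.dports or dport in self.dports

    def to_pix(self, name: str = "outside_in") -> List[str]:
        """Render as PIX ACL lines, one per destination port (like an expanded object-group)."""
        def net(n: ipaddress.IPv4Network) -> str:
            return "any" if n == ANY else f"{n.network_address} {n.netmask}"
        base = f"access-list {name} {self.action} {self.proto} {net(self.src)} {net(self.dst)}"
        if not self.dports:
            return [base]
        return [f"{base} eq {p}" for p in sorted(self.dports)]


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """Return the action of the first matching entry; the PIX denies anything unmatched."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"  # implicit deny at the end of every PIX access-list


def guest_acl(deny_before_any: bool = True) -> List[Ace]:
    """Build the wireless-guest ACL in lrmoore's order.

    deny_before_any=False places the inside-subnet deny after the 'permit ... any'
    lines, the ordering mistake the answer warns against. DNS (udp/53) is taken
    from the question's WebAccessUDP group so guests can resolve names.
    """
    local_services = [Ace("permit", "tcp", WIRELESS_LAN, MAIL_SERVER, MAIL_PORTS)]
    deny_rest_of_inside = [Ace("deny", "ip", WIRELESS_LAN, INSIDE_SUBNET)]
    web_to_any = [
        Ace("permit", "tcp", WIRELESS_LAN, ANY, frozenset({80})),
        Ace("permit", "tcp", WIRELESS_LAN, ANY, frozenset({443})),
        Ace("permit", "udp", WIRELESS_LAN, ANY, frozenset({53})),
    ]
    if deny_before_any:
        return local_services + deny_rest_of_inside + web_to_any
    return local_services + web_to_any + deny_rest_of_inside


def render(acl: List[Ace]) -> str:
    """Return the whole ACL as PIX configuration text, in evaluation order."""
    return "\n".join(line for ace in acl for line in ace.to_pix())


if __name__ == "__main__":
    guest = "10.1.1.50"  # assumed wireless client
    print(render(guest_acl()))
    print("mail   :", evaluate(guest_acl(), "tcp", guest, "100.100.100.10", 25))
    print("intra80:", evaluate(guest_acl(), "tcp", guest, "100.100.100.50", 80))
    print("web    :", evaluate(guest_acl(), "tcp", guest, "203.0.113.10", 443))
    print("wrong order, intra80:",
          evaluate(guest_acl(deny_before_any=False), "tcp", guest, "100.100.100.50", 80))
```

Running the script prints the rendered ACL followed by the verdicts: with the deny line in the middle, a guest reaches the mail server and Internet web sites but is refused port 80 on any other inside host; with the deny line moved last, that same inside host on port 80 is permitted, because the "permit tcp ... any eq http" entry matches first and the PIX never reaches the deny.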
LVL 6

Assisted Solution

by:brasslan
brasslan earned 250 total points
ID: 18783503
Maybe I'm not reading it right, but I think you already have the nat turned off when you said
nat (outside) 0 WirelessLan 255.255.255.0 outside 0 0
static (inside,outside) InternalSubnet1 InternalSubnet1 netmask 255.255.255.0 0 0

But why do you have this line?
static (outside,inside) accessPoint accessPoint netmask 255.255.255.255 0 0

and like lrmoore said, check for this line on your 515
nat (inside) 1 10.1.1.0 255.255.255.0

And as a side note, (or you could call it idea 2)
Our wireless lan is only used by about 10 people, and for max security I also put a pix 501 in line like you did, but instead of worrying about nat and ACL's I set up VPN and loaded the VPN client on the laptops that needed wireless access.  Now I use 3des VPN encryption and leave the wireless (WPA, or WEP) turned off and I don't worry about people who claim they can crack wireless encryption.

LVL 5

Author Comment

by:georgecooldude
ID: 18896715
I ended up taking off NAT completely and redoing the entire config.

Splitting points 50/50

Thanks for assistance.