Solved

PIX501 bidirection nat outside to inside to internet

Posted on 2007-03-22
632 Views
Last Modified: 2008-01-09
Hopefully we have some PIX gurus who are able to help me out here :-)


I have a PIX501 firewall with a wireless network attached to the outside interface and our local network attached to the inside interface.
I've set up access lists to permit the wireless clients attached to the outside interface to access services on our inside interface.
The wireless clients are on a totally separate /24 subnet.
Now everything seems to work fine with NAT statements for our local wired subnets (for example, wireless clients accessing the email server etc.); however, the wireless clients cannot access the internet.

For the wireless clients to get out onto our internet connection they have to take the following path

wirelessLaptop - CiscoAccessPoint - OutsideIntPIX501 - InsideIntPIX501 - CiscoSwitch - InsideCorporatePIX515E - OutsideCorporatePIX515E - Internet

Below is a cut of some of the PIX501 config that the wireless clients are connected to.


name 10.1.1.2 accessPoint
name 10.1.1.0 WirelessLan
name 100.100.100.1 pix515fw

object-group network WirelessLan
  network-object WirelessLan 255.255.255.0

object-group network WebAccessNetwork
  network-object pix515fw 255.255.255.255

object-group network InternalAccessNetwork
  network-object ..All our local servers here...


object-group service WebAccessUDP udp
  port-object eq domain
object-group service WebAccessTCP tcp
  port-object eq www
  port-object eq ftp-data
  port-object eq domain
  port-object eq ftp


object-group service InternalAccessUDP udp
port-object eq all our local server ports

object-group service InternalAccessTCP tcp
port-object eq all our local server ports

access-list outside_access_in permit udp object-group WirelessLan object-group InternalAccessNetwork object-group InternalAccessUDP
access-list outside_access_in permit tcp object-group WirelessLan object-group InternalAccessNetwork object-group InternalAccessTCP
access-list outside_access_in permit udp object-group WirelessLan object-group WebAccessNetwork object-group WebAccessUDP
access-list outside_access_in permit tcp object-group WirelessLan object-group WebAccessNetwork object-group WebAccessTCP

ip address outside 10.1.1.1 255.255.255.0
ip address inside 100.100.100.2 255.255.255.0

nat (outside) 0 WirelessLan 255.255.255.0 outside 0 0
static (outside,inside) accessPoint accessPoint netmask 255.255.255.255 0 0
static (inside,outside) InternalSubnet1 InternalSubnet1 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
route inside 0.0.0.0 0.0.0.0 pix515fw 1
route inside InternalSubnet1 255.255.255.0 OurLocalRouter 1
So my question is how should I go about giving the wireless clients access to open web pages on the internet? For that to happen, the traffic has to pass in through the outside interface on the 501 firewall, out of the inside interface onto the local switch, and then back out of our main PIX515E to reach the destination.


I'm fairly sure I'd need to modify the WebAccessNetwork access-list to permit WirelessLan to any against the port listings, so that's not a problem, I can change that. However, I'm not entirely sure how to go about it with the NAT statements.


Any suggestions appreciated. :-)
Question by:georgecooldude
3 Comments
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 18775388
This is what I would do...
Don't nat between wireless and inside.
 static (inside,outside) 100.100.100.0 100.100.100.0 netmask 255.255.255.0

Create the acls to allow local ports, then deny all other ports, then allow traffic to any
object-group network InternalServers
  <use actual 100.100.100.x ip addresses of servers>
 access-list outside_in permit udp object-group WirelessLan object-group InternalServers object-group WebAccessTCP
  <etc>
 access-list outside_in deny ip object-group WirelessLan 100.100.100.0 255.255.255.0
 access-list outside_in permit tcp object-group WirelessLan any eq http
 access-list outside_in permit tcp object-group WirelessLan any eq https

Now, on the PIX515 firewall, be sure to allow the wirelessLan 10.1.1.0 through with a nat (inside) statement.
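The ordering in the accepted answer matters because a PIX evaluates an access-list top to bottom and stops at the first matching entry, with an implicit deny at the end. The following is an added illustration, not code from the thread or from Cisco: a small first-match evaluator that models the three-stage list lrmoore describes (permit the published internal ports, deny everything else to the inside subnet, then permit web traffic to any destination) and contrasts it with the same entries in the wrong order. The server address 100.100.100.10, the destination 198.51.100.7 and all sample flows are constructed for the example; the subnets 10.1.1.0/24 and 100.100.100.0/24 are the ones quoted in the question.

```python
"""First-match evaluation of a PIX-style inbound access-list (added example).

Models the ACL ordering from the accepted answer: permit specific internal
service ports, deny all other traffic to the inside subnet, then permit
HTTP/HTTPS to any destination. Addresses and flows below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One access-list entry. An empty port set matches every port."""
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (ip matches both)
    src: IPv4Network
    dst: IPv4Network
    ports: FrozenSet[int] = field(default_factory=frozenset)

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        return not self.ports or dport in self.ports


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching entry; implicit deny otherwise."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"  # every PIX access-list ends with an implicit deny


def net(cidr: str) -> IPv4Network:
    return ipaddress.ip_network(cidr)


WIRELESS = net("10.1.1.0/24")           # WirelessLan from the question
INSIDE = net("100.100.100.0/24")        # inside subnet from the question
MAIL_SERVER = net("100.100.100.10/32")  # constructed internal server address
ANY = net("0.0.0.0/0")

# Ordering recommended in the accepted answer.
RECOMMENDED: List[Ace] = [
    Ace("permit", "tcp", WIRELESS, MAIL_SERVER, frozenset({25})),   # SMTP to mail server
    Ace("permit", "udp", WIRELESS, MAIL_SERVER, frozenset({53})),   # DNS to mail server
    Ace("deny", "ip", WIRELESS, INSIDE),                            # everything else inside
    Ace("permit", "tcp", WIRELESS, ANY, frozenset({80})),           # web to anywhere
    Ace("permit", "tcp", WIRELESS, ANY, frozenset({443})),
]

# Same entries, but the subnet-wide deny placed after the permit-any lines.
MISORDERED: List[Ace] = [RECOMMENDED[0], RECOMMENDED[1],
                         RECOMMENDED[3], RECOMMENDED[4], RECOMMENDED[2]]

# Constructed sample flows: (label, proto, src, dst, dport).
FLOWS: List[Tuple[str, str, str, str, int]] = [
    ("mail_from_wireless", "tcp", "10.1.1.50", "100.100.100.10", 25),
    ("internal_web_server", "tcp", "10.1.1.50", "100.100.100.20", 80),
    ("internet_web", "tcp", "10.1.1.50", "198.51.100.7", 80),
    ("internet_smtp", "tcp", "10.1.1.50", "198.51.100.7", 25),
]


def run(acl: List[Ace]) -> Dict[str, str]:
    """Evaluate every sample flow against an ACL and return label -> action."""
    return {label: evaluate(acl, proto, src, dst, dport)
            for label, proto, src, dst, dport in FLOWS}


if __name__ == "__main__":
    for name, acl in (("recommended", RECOMMENDED), ("misordered", MISORDERED)):
        print(name)
        for label, action in run(acl).items():
            print(f"  {label:22s} {action}")
```

With the recommended order, the wireless client reaches the published mail server port and the internet on port 80 but is denied port 80 on any other internal host. Moving the subnet-wide deny below the permit-any lines lets the same client reach every internal web server, because the `permit tcp ... any eq http` entry matches first.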
LVL 6

Assisted Solution

by:brasslan
brasslan earned 250 total points
ID: 18783503
Maybe I'm not reading it right, but I think you already have the nat turned off when you said
nat (outside) 0 WirelessLan 255.255.255.0 outside 0 0
static (inside,outside) InternalSubnet1 InternalSubnet1 netmask 255.255.255.0 0 0

But why do you have this line?
static (outside,inside) accessPoint accessPoint netmask 255.255.255.255 0 0

and like lrmoore said, check for this line on your 515
nat (inside) 1 10.1.1.0 255.255.255.0

And as a side note, (or you could call it idea 2)
Our wireless LAN is only used by about 10 people, and for max security I also put a PIX 501 in line like you did, but instead of worrying about NAT and ACLs I set up VPN and loaded the VPN client on the laptops that needed wireless access. Now I use 3DES VPN encryption and leave the wireless encryption (WPA or WEP) turned off, and I don't worry about people who claim they can crack wireless encryption.

LVL 5

Author Comment

by:georgecooldude
ID: 18896715
I ended up taking off NAT completely and redoing the entire config.

Splitting points 50/50

Thanks for assistance.