Solved

PIX 501 setup - Dazed and Confused!!

Posted on 2007-10-02
Last Modified: 2010-04-09
Hello Everyone,
I have basic skills when it comes to setting up a Cisco PIX 501. I am in the process of setting up two servers behind a PIX 501 at a hosted facility. The hosted facility gave me a contiguous IP structure:
X.X.218.4 - X.X.218.64. My first server will have an IP address of 218.4 and my second will have an address of 218.5.

I am trying to set up the PIX 501 so the outside world can see the routable addresses on the inside interface. If I give the outside of the box an address of X.X.218.10, for example, I can't use the same X.X.218.? IP structure on the inside. If I use the default 192.168.1.? structure on the inside interface and servers, I don't understand how the outside world will see them unless you can somehow have several IP addresses on the outside interface and do some sort of one-to-one mapping.

The ideal way for me would be to keep the contiguous structure on the inside and somehow allow the outside world to see them. Please let me know if there is a way of doing this.

Thanks in advance
john
Question by:hexvader
8 Comments
LVL 9

Expert Comment

by:QBRad
ID: 19999529
You don't want to assign the X.X addresses to your servers; this will make them visible on the internet and it would be like putting your servers outside your office in the street for anyone to access. You want to give your servers private IP addresses, any will do just fine, such as the 192.168.1 addresses you speak of. Then in the PIX you want to create access-lists which allow access to the servers on specific ports so that they can only access the servers you want them to access and they can only access them on the ports you choose.

Then you need to create static entries, 1 to 1 mapping from public IP address to private IP address as you mentioned. You're not adding any more than 1 single public IP address to your PIX. The other addresses will be seen on the outside of your PIX through the 1 to 1 static mapping that you will set up.

Author Comment

by:hexvader
ID: 19999782
So if I am understanding you correctly, I keep all my servers on the inside of the PIX with a private address, let's say 192.168.1.5 and 1.6. On the outside of the PIX I assign an address, let's just say X.X.218.5. At this point I can make 1 to 1 mappings from the outside to the inside.
For example, can I point all incoming FTP traffic to 192.168.1.5??
LVL 9

Expert Comment

by:QBRad
ID: 19999798
exactly.

Author Comment

by:hexvader
ID: 19999985
Ok, I understand, but in my real world situation here is my problem.
Both servers will be acting as mail servers. I will be setting up POP3 and SMTP service and have 3 domains on both machines. Each domain will be registered on the hosted facility's DNS server mapped to a public IP address.
For example:
Server 1 = IP address 192.168.1.5
PIX outside interface = X.X.218.4
Hosted facility has a DNS entry of: domain 1 = X.X.218.10, domain 2 = X.X.218.11, & domain 3 = X.X.218.12.

When people try to access the domain 1 mail server on server 1, I am confused how the traffic would pass to it?? How would I be able to do a one-to-one mapping if X.X.218.10 is not the outside interface of the PIX box??
john
LVL 9

Accepted Solution

by:
QBRad earned 1000 total points
ID: 20011738
Ok, this is a small piece of what your PIX would look like:

Keep in mind my names and IP addresses are made up at random as an example.

nameif ethernet0 outside security0 <--- names the interface outside and gives it security level 0, which means it is connected to the insecure network "internet"

name "one of your outside ips" SERVER1 <--- names the IP address SERVER1 to identify what it is "insert 1 of your external ip addresses between quotes"

access-list incoming permit tcp any host SERVER1 eq smtp

static (inside,outside) SERVER1 "ip address of SERVER1, its inside address" netmask 255.255.255.255 0 0 <--- this would create a static translation (1 to 1) mapping of the outside address listed above with the inside address of SERVER1

access-group incoming in interface outside <--- this applies all of your incoming access-lists to the interface you named outside above.

The static translation I listed above would have to be created for each server / service you wish to broadcast to the outside world.
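The accepted solution above carried through for the thread's two mail servers, as an added example that is not part of the original answer. It uses PIX 6.x syntax; every address is constructed (203.0.113.0/24 is a documentation range standing in for the X.X.218.x block), the subnet mask, upstream gateway and inside interface address are assumptions the hosting facility would actually supply, and the domain-to-server mapping is assumed to be one public address per server.

```cisco
! Added example (PIX 6.x). All addresses are constructed placeholders.
names
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! Assumed: outside address .4 as in the thread, mask and gateway from the hosting facility
ip address outside 203.0.113.4 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Public addresses that will front each server (the .10 / .11 the DNS records point at)
name 203.0.113.10 SERVER1
name 203.0.113.11 SERVER2
! One-to-one static translations: public address -> private server address.
! The PIX answers ARP on the outside segment for each static, so .10 and .11 are
! reachable even though neither is the outside interface address.
static (inside,outside) SERVER1 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) SERVER2 192.168.1.6 netmask 255.255.255.255 0 0
! Inbound: only SMTP and POP3 to each server; anything not listed hits the implicit deny
access-list incoming permit tcp any host SERVER1 eq smtp
access-list incoming permit tcp any host SERVER1 eq pop3
access-list incoming permit tcp any host SERVER2 eq smtp
access-list incoming permit tcp any host SERVER2 eq pop3
access-group incoming in interface outside
! Outbound from the LAN: the inside subnet leaves as the outside interface address (PAT)
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface
```

Adding a third server is one more name, one more static and one access-list line per service; the access-group line is applied once per interface and does not change.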

Author Comment

by:hexvader
ID: 20016419
QBRad,
Thanks again - worked like a charm. I can see everything now and adding a new server is a breeze.
I do have one more question for you. I have noticed from looking at different user configs that there seem to be many different ways of protecting your PIX box from hacking. I found one for IP spoofing that I am going to use. Do you know of a site that has proven examples of this??
thanks again for all your help
john
LVL 9

Expert Comment

by:QBRad
ID: 20017658
The only site I know that has good, reliable router / PIX info is cisco.com. However, most of the good examples are only accessible with a membership to the site.

Glad to hear you got it going.  As you said once you get it started it's fairly easy to add to the config.

GOOD LUCK!!!

Author Comment

by:hexvader
ID: 20020958
Thanks
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month18 days, 23 hours left to enroll

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question