Solved

Connect two LANs on one PIX515UR --- Help, Please

Posted on 2007-10-21
372 Views
Last Modified: 2010-04-21
I am sure this can be done, but I am exhausted and can't seem to figure this out. What I am attempting to get done is to have eth 1 and eth 2 talk to each other. We have a Quickbridge 2 60 connection between two buildings that works fine if both buildings are on the 10.0.2.0 network, but I would like to keep them on different networks. You see, one of the Proxims died a few weeks ago and I had to change all the IPs at the second building in order to get the L2L VPN working quickly, and I don't want to change the IPs again now that I have the working replacement Proxim installed. So here is what I have got so far.
Site A (10.0.2.0) -- Proxim 1 (10.0.2.12) -- Proxim 2 (10.0.2.12) -- Site B -- PIX -- Eth2 (10.0.2.233) -- Eth1 (10.0.3.1) -- LAN at Site B (10.0.3.0)
BTW the Proxims have to both be on the 10.0.2.0
I think I need to do a VLAN, but I'm not sure, or not sure how to do it.
I hope this makes sense. Thanks
Question by:richakr
7 Comments
 
LVL 15

Accepted Solution

by:
wingatesl earned 1500 total points
ID: 20128558
Can you post your PIX config? The PIX can definitely do it; just treat the other site as a DMZ and not lock it down. Cisco has a good DMZ example for the PIX 515 if you search their page. Your ACLs would just be "permit any any". In all honesty this situation is best covered by a router or layer 3 switch.
0
 

Author Comment

by:richakr
ID: 20131848
Here you go. This is what I attempted; I could access site A, but site A could not access site B.

PIX Version 7.2(2)
!
hostname pixfirewall
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 66.173.x.x 255.255.x.x
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.3.1 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 nameif ten2
 security-level 100
 ip address 10.0.2.2 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip 10.0.3.0 255.255.255.0 host 10.0.2.40
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu ten2 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface ten2
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
global (inside) 1 interface
global (ten2) 200 10.0.2.3-10.0.2.254 netmask 255.255.255.0
global (ten2) 1 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,ten2) 10.0.2.0 10.0.3.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 66.173.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.0.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp error
  inspect ftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e96c823bfe93c9fd9cfefed74d1b9ae7
: end
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 20143708
You will need an access list to permit inside to Ten2
access-list ten2_acl permit ip any any
access-group ten2_acl in interface ten2
0
 

Author Comment

by:richakr
ID: 20146460
OK, I can connect from site B to site A but not the other way around. When I do get the connection up it hoses everything over at site A: it kills Internet, opening files on servers, basically shuts down the whole network for some reason. Here is the config again with what you told me to add. Thanks.

Result of the command: "show run"

: Saved
:
PIX Version 7.2(2)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password y7zC4xxVCjhAdo9a encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 66.173.x.x 255.255.255.248
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.3.1 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 nameif ten2
 security-level 100
 ip address 10.0.2.2 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip 10.0.3.0 255.255.255.0 host 10.0.2.40
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu ten2 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface ten2
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
global (inside) 1 interface
global (ten2) 200 10.0.2.3-10.0.2.254 netmask 255.255.255.0
global (ten2) 1 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,ten2) 10.0.2.0 10.0.3.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 66.173.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.0.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp error
  inspect ftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e96c823bfe93c9fd9cfefed74d1b9ae7
: end
0
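An added note and example, not part of the thread and not the poster's eventual fix. In the config above, `static (inside,ten2) 10.0.2.0 10.0.3.0 netmask 255.255.255.0` presents every 10.0.3.x inside host as the matching 10.0.2.x address on ten2, and a PIX answers ARP on the mapped interface for addresses it statically maps. 10.0.2.0/24 is also ten2's own connected subnet, where the Proxims and site A's hosts already hold addresses, so the PIX competes with them for ARP on the site A LAN; `global (ten2) 200 10.0.2.3-10.0.2.254` draws on the same block. The PIX/ASA 7.2 commands below show how to see that from the firewall and to trace a flow in each direction before changing anything. Addresses are the poster's; 10.0.2.40 (already in the inside ACL) and 10.0.3.10 are constructed stand-ins for a site A host and a site B host.

```cisco
! Added example, not from the thread: PIX/ASA 7.2 checks to run on the
! posted config. 10.0.2.40 = a site A host, 10.0.3.10 = a site B host
! (stand-ins).
!
! What translations the static and globals have built. A 10.0.3.x -> 10.0.2.x
! entry here is an address the PIX is claiming on ten2, on top of whatever
! site A host already owns it.
show xlate
show running-config static
show running-config global
show running-config nat
!
! Walk a site-A-initiated flow through the rule base without sending it.
! The phase that reports DROP says which knob is wrong:
!   ACCESS-LIST   -> nothing inbound on ten2 permits it
!   NAT           -> no matching translation under nat-control, or the static
!   ROUTE-LOOKUP  -> the PIX has no route for the destination or return path
packet-tracer input ten2 tcp 10.0.2.40 12345 10.0.3.10 445
!
! The reverse direction, which the poster reports as working.
packet-tracer input inside tcp 10.0.3.10 12345 10.0.2.40 445
!
! Live state while a user reproduces the outage: connections and per-line
! ACL hit counts.
show conn
show access-list
!
! If a static on ten2 has to stay, stop the PIX answering ARP for the mapped
! addresses on that interface; a mapped block that equals the interface's
! own subnet can take every host in it off the air.
sysopt noproxyarp ten2
```

`packet-tracer` builds a synthetic packet and reports each phase (route lookup, ACL, NAT, inspection) with ALLOW or DROP, so it separates a NAT problem from an ACL problem without touching the wire; run it from each side before and after every change.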
 

Author Comment

by:richakr
ID: 20195871
OK, small change in direction but still the same concept: I just need to know how to get eth 1 to talk to eth 4 back and forth. Below is my current PIX config. PS: the config includes my L2L VPN, which will go away as soon as I can get eth1 and eth4 talking, and eth4 is shut down for now till I test in the morning. Thanks.

 Result of the command: "show run"

: Saved
:
PIX Version 7.2(2)
!
hostname masterpoe
domain-name ics-corporation.com
enable password y7zC4xxVCjhAdo9a encrypted
names
name 10.0.2.13 dc
name 10.0.2.33 file
name 10.0.2.17 mail
name 10.0.2.19 vpn
name 10.30.30.12 web
name 192.168.8.33 file_ext
name 192.168.8.11 mail_ext
name 192.168.8.19 vpn_ext
name 192.168.8.12 web_ext
name 10.0.2.5 ssl
name 192.168.8.22 ssl_ext
name 192.168.8.101 it_ext
name 192.168.8.34 dc_ext
name 10.0.2.14 it
name 10.0.2.67 cuda
name 192.168.8.67 cuda_ext
name 10.30.30.16 mms_ftp
name 192.168.8.16 mms_ftp_ext
name 10.0.2.30 mms_app
name 192.168.8.13 mms_app_ext
name 10.0.2.22 wp
name 192.168.8.35 wp_ext
name 10.30.30.13 mms_web
name 192.168.8.36 mms_web_ext
name 10.30.30.15 ftp2
name 192.168.8.21 ftp2_ext
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.8.254 255.255.255.0
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.30.30.1 255.255.255.0
 ospf cost 10
!
interface Ethernet3
 nameif vendor
 security-level 40
 ip address 192.168.1.254 255.255.255.0
 ospf cost 10
!
interface Ethernet4
 shutdown
 nameif 3_0
 security-level 100
 ip address 10.0.3.1 255.255.255.0
 ospf cost 10
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server dc
 domain-name ics-corporation.com
same-security-traffic permit inter-interface
object-group service DNS tcp-udp
 port-object eq domain
object-group service rpc tcp
 port-object range 1024 65535
object-group service TCP_WindowsDomain tcp
 description TCP access back to Windows DC
 port-object eq 135
 port-object eq 3268
 port-object eq 445
 port-object eq ldap
 port-object eq netbios-ssn
 port-object eq 88
 port-object eq domain
object-group service UDP_WindowsDomain udp
 description UDP access back to Windows DC
 port-object eq 389
 port-object eq netbios-ns
 port-object eq ntp
 port-object eq 88
 port-object eq domain
object-group service HTTP_HTTPS tcp
 description Includes HTTP and HTTPS
 port-object eq www
 port-object eq https
object-group service Spam_Firewall tcp
 description TCP Ports for the Barracuda
 port-object eq 8000
 port-object eq smtp
 port-object eq ssh
object-group network HTTP_HTTPS_Servers
 description Servers that require HTTP and HTTPS access
 network-object host ssl_ext
 network-object host mail_ext
 network-object host web_ext
 network-object host vpn_ext
 network-object host mms_web_ext
object-group network HTTPS_Servers
 description Server the need only HTTPS access
 network-object host mms_app_ext
 network-object host wp_ext
object-group network FTP_Servers
 description Servers that need only FTP access
 network-object host mms_ftp_ext
 network-object host ftp2_ext
access-list outside_access_in extended permit tcp any object-group HTTP_HTTPS_Servers object-group HTTP_HTTPS
access-list outside_access_in extended permit tcp any object-group HTTPS_Servers eq https
access-list outside_access_in extended permit tcp any object-group FTP_Servers eq ftp
access-list outside_access_in extended permit tcp any host file_ext eq ssh
access-list outside_access_in extended permit gre any host vpn_ext
access-list outside_access_in extended permit tcp any host vpn_ext eq pptp
access-list outside_access_in extended permit tcp any host cuda_ext object-group Spam_Firewall
access-list outside_access_in extended permit tcp any host it_ext eq 3101
access-list outside_access_in extended permit tcp any host dc_ext eq www inactive
access-list outside_access_in extended permit tcp any host dc_ext eq 3389 inactive
access-list outside_access_in extended permit icmp any any
access-list 3_0_access_in extended permit ip any any
access-list outside_20_cryptomap extended permit ip 10.0.2.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list acl_dmz_in extended permit tcp host ftp2 host mail eq smtp
access-list acl_dmz_in extended permit tcp host ftp2 host dc object-group TCP_WindowsDomain
access-list acl_dmz_in extended permit udp host ftp2 host dc object-group UDP_WindowsDomain
access-list acl_dmz_in extended deny ip any 10.0.2.0 255.255.255.0
access-list acl_dmz_in extended permit ip any any
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging asdm warnings
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu vendor 1500
mtu 3_0 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit name Outside attack action alarm drop reset
ip audit name inside attack action alarm drop reset
ip audit interface outside Outside
ip audit interface inside inside
ip audit interface dmz Outside
ip audit attack action alarm drop
no failover
monitor-interface outside
monitor-interface inside
monitor-interface dmz
monitor-interface vendor
monitor-interface 3_0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
global (dmz) 101 10.30.30.50-10.30.30.200 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.0.2.0 255.255.255.0
nat (dmz) 101 10.0.2.0 255.255.255.0
nat (vendor) 101 192.168.1.0 255.255.255.0
nat (3_0) 101 10.0.3.0 255.255.255.0
static (dmz,outside) web_ext web netmask 255.255.255.255
static (inside,outside) vpn_ext vpn netmask 255.255.255.255
static (inside,outside) mail_ext mail netmask 255.255.255.255
static (inside,outside) file_ext file netmask 255.255.255.255
static (inside,outside) mms_app_ext mms_app netmask 255.255.255.255
static (inside,outside) ssl_ext ssl netmask 255.255.255.255
static (dmz,outside) mms_web_ext mms_web netmask 255.255.255.255
static (dmz,outside) mms_ftp_ext mms_ftp netmask 255.255.255.255
static (dmz,outside) ftp2_ext ftp2 netmask 255.255.255.255
static (inside,dmz) mail mail netmask 255.255.255.255
static (inside,dmz) dc dc netmask 255.255.255.255
static (inside,outside) dc_ext dc netmask 255.255.255.255
static (inside,outside) wp_ext wp netmask 255.255.255.255
static (inside,outside) cuda_ext cuda netmask 255.255.255.255
static (inside,outside) it_ext it netmask 255.255.255.255
static (dmz,inside) 76.160.x.x mms_web netmask 255.255.255.255
static (dmz,3_0) 76.160.x.x mms_web netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group acl_dmz_in in interface dmz
access-group 3_0_access_in in interface 3_0
route outside 0.0.0.0 0.0.0.0 192.168.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server icsad protocol nt
aaa-server icsad host dc
 timeout 5
 nt-auth-domain-controller dc
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.0.2.13 10.0.2.15
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelall
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value ics-corporation.com
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
http server enable
http 10.0.2.0 255.255.255.0 inside
snmp-server host inside 10.0.2.40 community public
snmp-server location 2225
snmp-server contact IT Dept
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 66.173.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable vendor
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group icsad
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group 66.173.x.x type ipsec-l2l
tunnel-group 66.173.x.x ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.200 vendor
dhcpd dns 209.137.171.10 64.83.1.10 interface vendor
dhcpd enable vendor
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect ftp
!
service-policy global_policy global
smtp-server 10.0.2.17
prompt hostname context
Cryptochecksum:d354127d3b1b1dc4723ff34c4bb3cf96
: end
0
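An added example, not the poster's final fix (which is not in the thread) and not code from the accepted answer: the minimum that lets inside (eth1, 10.0.2.0/24) and 3_0 (eth4, 10.0.3.0/24) reach each other on the config above, following the accepted answer's approach of treating the second LAN as an open DMZ with the expert's permit-any ACL. Both interfaces are already security-level 100, `same-security-traffic permit inter-interface` is set, `3_0_access_in` permits everything, and `nat (inside) 0 access-list inside_nat0_outbound` already exempts 10.0.2.0/24 to 10.0.3.0/24 from translation. What is missing is the reverse exemption: because a dynamic rule (`nat (3_0) 101`) is configured on 3_0, every flow leaving 3_0 for a same-security interface must match a NAT rule, and the only global for id 101 is on outside, so 3_0-to-inside traffic is dropped with "no translation group found". Interface names, addresses and ACL names are the poster's; the ACL name `3_0_nat0` and the host 10.0.3.10 are assumptions.

```cisco
! Added example (not the poster's fix): let inside (eth1) and 3_0 (eth4)
! route to each other untranslated on the config posted above.
! Names and addresses are the poster's; 3_0_nat0 and 10.0.3.10 are assumed.
!
! 1. Reverse NAT exemption. nat (inside) 0 already exempts
!    10.0.2.0/24 -> 10.0.3.0/24; this exempts 10.0.3.0/24 -> 10.0.2.0/24 so
!    flows that start on eth4 no longer need a global on inside.
access-list 3_0_nat0 extended permit ip 10.0.3.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (3_0) 0 access-list 3_0_nat0
!
! 2. Internet access from eth4 keeps using the existing dynamic rule,
!    nat (3_0) 101 10.0.3.0 255.255.255.0, paired with global (outside) 101.
!    Exemption is evaluated first, so it only catches LAN-to-LAN traffic.
!
! 3. Access control. 3_0_access_in ("permit ip any any") is already applied
!    inbound on 3_0; inside has no access-group, so inside -> 3_0 passes by
!    default. Tighten 3_0_access_in to the inside LAN plus Internet once the
!    link is proven.
!
! 4. Bring the interface up and give it the same anti-spoofing check the
!    other LAN interfaces already have.
interface Ethernet4
 no shutdown
ip verify reverse-path interface 3_0
!
! 5. While eth4 was shut down, 10.0.3.0/24 followed the default route out
!    outside and into the L2L tunnel. With eth4 up, the connected route wins,
!    so the crypto map and tunnel-group for 66.173.x.x can be removed once
!    the link is verified.
!
! 6. Confirm from the PIX before testing from a host: a site B box reaching
!    the domain controller (dc, 10.0.2.13) over SMB.
packet-tracer input 3_0 tcp 10.0.3.10 12345 10.0.2.13 445
```

The exemption is preferred over the earlier `static (inside,ten2) 10.0.2.0 10.0.3.0` style because it translates nothing and so never makes the PIX proxy-ARP for another LAN's address block; each side keeps its real addresses and the only coupling is the interface ACLs.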
 

Author Comment

by:richakr
ID: 20234075
I figured it out on my own. Please close this question. Thanks
0
 

Author Closing Comment

by:richakr
ID: 31408258
It did not solve my problem but led me down the right path to my solution.
0
