Solved

Need help configuring Cisco 515E

Posted on 2007-11-16
Last Modified: 2010-04-09
Hello experts.
I need to configure a Cisco 515E PIX with three interfaces (INSIDE, OUTSIDE and DMZ) in a Windows 2003 network but I don't know where to begin. I need some information to get it working. Can somebody give me some tips to start the configuration?

Network schema:

192.168.128.x ----192.168.128.194(INSIDE)----(OUTSIDE)192.168.110.253------192.168.110.254(DSL ROUTER)-----213.x.x.x (INTERNET)

DMZ with one server. 2.2.2.253 (DMZ)--------(SERVER) 2.2.2.2

Thanks in advance!


Question by:_marcos_

Expert Comment

by:batry_boy
ID: 20302411
First, do you want people on the Internet to access the server in the dmz?  If so, what services are you wanting to allow access to?  HTTP, DNS, SMTP, FTP?

Depending on those services, you need to construct an access control list (ACL) to allow that inbound traffic.  You'll also need to statically translate the DMZ server to a public IP address that the world can route their traffic to.

Based on your diagram, it looks like you'll be double NATing (two NAT layers), so there is a little bit of added complexity.  You may want to consider putting your DSL router into "bridge mode" meaning it won't have an IP address on, it will just pass traffic from the phone line to the Ethernet interface and back...it would become a media transceiver of sorts (phone line to Ethernet media conversion) and it would not actually perform any routing or translation functions.

If you don't want to do that, then you can leave it like it is, only you'll need to allow the inbound traffic through the DSL router.

I think you need to provide more info on what you want to be able to do with your network setup and we can go from there.  You've already outlined what your network looks like, but what services do you want to allow?  What do you want to do with this network?

Author Comment

by:_marcos_
ID: 20302473
OK batry boy.

I need internal network and DMZ server to have access to Internet.

DMZ server has an application (not Web) installed and internal network need to run it.

On the internal network I have a server with IIS (192.168.128.252) which I need to publish (web site and FTP) to the outside.





Accepted Solution

by:batry_boy (earned 500 total points)
ID: 20302571
I can't give you exact commands to enter since I don't know your current PIX configuration (you can post it and I can give you exact commands to put in), so here are some example commands:

static (inside,outside) 192.168.128.252 213.x.x.x netmask 255.255.255.255
access-list outside_access_in permit tcp any host 213.x.x.x eq www
access-list outside_access_in permit tcp any host 213.x.x.x eq ftp
access-group outside_access_in in interface outside

The above commands would create a static translation for your internal web server to look like 213.x.x.x to the outside world and allow inbound www and ftp traffic to it.

For internal hosts to get to the DMZ server, and also for internal hosts to get to the Internet, add the following commands:

global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Those commands will perform port address translation on inside source addresses going to either the outside (Internet) or to the dmz network segment.

There's probably more to the configuration than this that you need, but as far as what you've stated you want, I believe this will get you there...

Author Comment

by:_marcos_
ID: 20302681
Here is the actual config:

PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname PIX
domain-name DOMAIN.COM
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_inside permit tcp any host 213.A.B.C eq www
access-list outside_inside permit tcp any host 213.A.B.C eq ftp
access-list outside_inside permit tcp any host 213.A.B.C eq ftp-data
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.110.253 255.255.255.0
ip address inside 192.168.128.194 255.255.255.0
ip address dmz 2.2.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.128.254 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 213.A.B.C 192.168.128.252 netmask 255.255.255.255 0 0
access-group outside_inside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.110.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 80.x.x.x 255.255.255.255 outside
ssh 84.x.x.x 255.255.255.255 outside
ssh 84.x.x.x 255.255.255.255 outside
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
terminal width 80

Situation:

Internal network cannot access Internet. External access to Web server does not work.

Thanks.

Expert Comment

by:batry_boy
ID: 20302912
The above PIX configuration will not work unless your DSL router is in "bridge" mode.  Has it been configured for bridge mode?

Expert Comment

by:batry_boy
ID: 20302920
For example, here are the instructions for doing this on a Netopia (Cayman) Internet router:

http://www.netopia.com/support/technotes/hardware/CQG_020.html

Author Comment

by:_marcos_
ID: 20303567
No, it has not been configured as a bridge.

I'll try and tell you if it works.

Thanks.

Author Comment

by:_marcos_
ID: 20315520
Hello.

I'm waiting for ISP because they need Cisco Mac Address to configure router in Bridge mode.

Doing some testing I've found a curious situation. With the actual configuration all hosts on Inside 192.168.128.x could connect to the Internet but the server I want to publish through the PIX is not getting Internet. Its IP is 192.168.128.252; if I configure this IP on another computer it cannot access the Internet.

How can it be possible? I think there is no rule which denies that IP access to the Internet.

Author Comment

by:_marcos_
ID: 20315879
Last comment solved! It was a static entry that made host 192.168.128.251 the only one that accesses the Internet. Sorry.

Expert Comment

by:batry_boy
ID: 20316831
So where do you stand right now as far as getting everything that you want to work?

Author Comment

by:_marcos_
ID: 20326876
Well, right now all computers on the inside are getting Internet, as is the server on the DMZ, but I want to publish web and ftp services situated on an inside server (192.168.128.252).

In theory I have to type these commands:

static (inside,outside) 192.168.128.252 213.x.x.x netmask 255.255.255.255
access-list outside_access_in permit tcp any host 213.x.x.x eq www
access-list outside_access_in permit tcp any host 213.x.x.x eq ftp
access-group outside_access_in in interface outside

but when i do that, all computers on inside and DMZ stop browsing the web.

Are those commands right to publish services on 192.168.128.252?

Thanks.

Expert Comment

by:batry_boy
ID: 20327697
No, the correct syntax for the static command above is:

static (inside,outside) 213.x.x.x 192.168.128.252 netmask 255.255.255.255

The others are OK.


Author Comment

by:_marcos_
ID: 20340104
OK.

I will not extend too much this question. Only one more:

Is it possible to publish the inside server with the router in ROUTER mode instead of BRIDGE mode?

Thanks.

Expert Comment

by:batry_boy
ID: 20345739
I don't know since it depends on the capabilities of the DSL router.  The DSL router will need to be able to perform the NAT from the public IP to the private IP you choose.  For example, you could perform NAT in this way as long as the DSL router can be configured to do it:

192.168.128.252 <-----> 192.168.110.x <--------------> 213.x.x.x
inside real IP address     intermediate translation         public translation

So, on the PIX, you would use:

static (inside,outside) 192.168.110.x 192.168.128.252 netmask 255.255.255.255

You would pick a 192.168.110.x address to use, which would be any IP address that is unused on that network segment.  You would then have to configure the DSL router to translate 192.168.110.x into 213.x.x.x, and I can't tell you how to do that since I don't know what kind of router you have.

Author Comment

by:_marcos_
ID: 20345783
Thanks batry_boy.

With the router in router mode I've been able to publish the WebServer on the DMZ and the WebServer on the INSIDE. Opening all ports in the DSL router to the Cisco external IP and using the commands from the accepted solution, but replacing the real public IP address with the internal DSL router IP address, it seems to work.

I know it's not the ideal config but right now the ISP is not offering solutions to change router to bridge mode so i have to deal with router mode.

I'm also trying to set up a hardware VPN with another Cisco PIX (501) but it's not working. Probably because of "router mode" on the DSL. Maybe next year I shall try to set it up correctly :)

Here is the actual config:

PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname pix
domain-name domain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_inside permit tcp any host 192.168.110.253 eq www
access-list outside_inside permit tcp any host 192.168.110.253 eq ftp
access-list outside_inside permit tcp any host 192.168.110.253 eq ftp-data
access-list outside_inside permit icmp any any
access-list outside_inside permit tcp any host 192.168.110.253 eq 8080
access-list nonat permit ip 192.168.128.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 2.2.2.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 2.2.2.0 255.255.255.0 192.168.90.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.110.253 255.255.255.0
ip address inside 192.168.128.194 255.255.255.0
ip address dmz 2.2.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.128.0 255.255.255.0 0 0
nat (dmz) 1 2.2.2.0 255.255.255.0 0 0
static (inside,outside) tcp 192.168.110.253 www 192.168.128.252 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.110.253 ftp 192.168.128.252 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.110.253 ftp-data 192.168.128.252 ftp-data netmask 255.255.255.255 0 0
static (dmz,outside) tcp 192.168.110.253 8080 2.2.2.2 www netmask 255.255.255.255 0 0
access-group outside_inside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.110.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set mytrans esp-des esp-sha-hmac
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 101
crypto map mymap 20 set peer 87.x.x.x
crypto map mymap 20 set transform-set mytrans
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 87.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 20 3
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 80.x.x.x 255.255.255.255 outside
ssh 84.x.x.x 255.255.255.255 outside
ssh 84.x.x.x 255.255.255.255 outside
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
terminal width 80

Thanks again for all your comments batry_boy.
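As an added example (not part of the thread, and not batry_boy's or Cisco's code): a small Python model of the three PIX 6.x rules this thread turns on. It parses the nameif, ip address, nat/global, static, access-list and access-group lines of a config, then answers the two questions asked above (can inside/dmz hosts get out, and can the Internet reach a published server) and flags the two static problems the thread hit: the reversed "static (inside,outside) local global" form from the accepted solution, and a public global address that is not on the outside segment and so only works once the DSL router is bridged. The sample config is constructed from the first config posted, condensed; 203.0.113.5 is a placeholder for the masked 213.A.B.C; the function names are my own; source addresses, nat 0 exemptions and the port-forward variant's ftp-data mapping are deliberately ignored. The last variant reproduces the final config's port-forward statics, so it covers both the accepted solution and the router-mode config at the end.

```python
import ipaddress

PORTS = {"www": 80, "http": 80, "ftp": 21, "ftp-data": 20, "smtp": 25}


def port_num(tok):
    """Map a PIX port keyword or number to an integer."""
    return PORTS[tok] if tok in PORTS else int(tok)


def _addr(toks, i):
    """Parse one ACL address spec (any | host X | NET MASK); return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse(text):
    """Keep only the lines that decide reachability on a PIX 6.x (hypothetical helper)."""
    cfg = {"security": {}, "addr": {}, "nat": [], "global": [], "static": [], "acl": {}, "bound": {}}
    for t in filter(None, (l.split() for l in text.splitlines())):   # blank lines dropped
        if t[0] == "nameif":                 # nameif ethernet1 inside security100
            cfg["security"][t[2]] = int(t[3].replace("security", ""))
        elif t[:2] == ["ip", "address"]:     # ip address inside ADDR MASK
            cfg["addr"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "global":               # global (outside) 1 interface
            cfg["global"].append((t[1].strip("()"), int(t[2])))
        elif t[0] == "nat" and t[2] != "0":  # nat (inside) 1 NET MASK 0 0; nat 0 (exempt) skipped
            cfg["nat"].append((t[1].strip("()"), int(t[2])))
        elif t[0] == "static":               # static (local,global) [tcp] GADDR [GPORT] LADDR [LPORT] ...
            lo, gl = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):
                proto, ga, gp, la, lp = t[2], t[3], port_num(t[4]), t[5], port_num(t[6])
            else:
                proto, ga, gp, la, lp = None, t[2], None, t[3], None
            cfg["static"].append({"local_if": lo, "global_if": gl, "proto": proto,
                                  "gaddr": ga, "gport": gp, "laddr": la, "lport": lp})
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)             # access-list NAME permit PROTO SRC DST [eq PORT]
            dst, i = _addr(t, i)
            port = port_num(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            cfg["acl"].setdefault(t[1], []).append((t[2], t[3], src, dst, port))
        elif t[0] == "access-group":         # access-group NAME in interface outside
            cfg["bound"][t[4]] = t[1]
    return cfg


def check_statics(cfg):
    """Flag reversed arguments, or a global address the PIX cannot answer for on its own segment."""
    findings = []
    for s in cfg["static"]:
        g = ipaddress.ip_address(s["gaddr"])
        if g in cfg["addr"][s["local_if"]].network:
            findings.append(f"{s['gaddr']}->{s['laddr']}: global address is on {s['local_if']}; "
                            "arguments look reversed (syntax is global address, then local)")
        elif g not in cfg["addr"][s["global_if"]].network:
            findings.append(f"{s['gaddr']}: not on the {s['global_if']} segment; the upstream "
                            "device must deliver it to the PIX (e.g. DSL router in bridge mode)")
    return findings


def inbound_allowed(cfg, iface, dst, proto, port):
    """New connection from any source arriving on iface for dst:port? Needs ACL permit AND a static."""
    dst_ip = ipaddress.ip_address(dst)
    for action, p, _src, d, prt in cfg["acl"].get(cfg["bound"].get(iface), []):
        if p in (proto, "ip") and dst_ip in d and prt in (None, port):   # first ACL match decides
            if action == "deny":
                break
            xl = [s for s in cfg["static"] if s["global_if"] == iface and s["gaddr"] == dst
                  and s["gport"] in (None, port) and s["proto"] in (None, proto)]
            if xl:
                return True, f"translated to {xl[0]['laddr']}:{xl[0]['lport'] or port} on {xl[0]['local_if']}"
            return False, f"ACL permits {dst}:{port} but no static translates it on {iface}"
    return False, f"no ACL permit on {iface} for {dst}:{port}/{proto}"


def outbound_nat(cfg, from_if, to_if):
    """True when the higher-security from_if has a nat id paired with a global on to_if."""
    if cfg["security"][from_if] <= cfg["security"][to_if]:
        return False
    ids = {i for f, i in cfg["nat"] if f == from_if}
    return any(g == to_if and i in ids for g, i in cfg["global"])


# Constructed sample condensed from the first config posted in the thread;
# 203.0.113.5 stands in for the masked public address 213.A.B.C.
POSTED = """nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.168.110.253 255.255.255.0
ip address inside 192.168.128.194 255.255.255.0
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.5 192.168.128.252 netmask 255.255.255.255 0 0
access-list outside_inside permit tcp any host 203.0.113.5 eq www
access-group outside_inside in interface outside"""
# Static exactly as typed in the accepted solution (global and local swapped).
REVERSED = POSTED.replace("203.0.113.5 192.168.128.252", "192.168.128.252 203.0.113.5")
# Router-mode workaround from the final config: port-forward on the outside interface IP.
ROUTER_MODE = POSTED.replace("host 203.0.113.5", "host 192.168.110.253").replace(
    "static (inside,outside) 203.0.113.5 192.168.128.252",
    "static (inside,outside) tcp 192.168.110.253 www 192.168.128.252 www")
```

Running check_statics over the three variants reports the "upstream device" warning for the posted config (the public address sits behind an unbridged DSL router), the "arguments look reversed" warning for the accepted-solution form, and nothing for the router-mode config, where the global address is the PIX's own outside interface. inbound_allowed then shows why the reversed static breaks publishing: the ACL still permits the traffic, but no translation owns the public address, so the PIX drops it.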