Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!
Course Of The Month
9 days, 13 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Need help configuring Cisco 515E
Posted on 2007-11-16
Hello experts.
I need to configure a Cisco 515E PIX with three interfaces (INSIDE, OUTSIDE and DMZ) in a Windows 2003 network but i don't know where to begin. I need some information to get it work. Can somebody tell me some tips to start the configuration?
Network schema:
192.168.128.x ----192.168.128.194(INSIDE
DMZ with one server. 2.2.2.253 (DMZ)--------(SERVER) 2.2.2.2
Thanks in advance!
I need to configure a Cisco 515E PIX with three interfaces (INSIDE, OUTSIDE and DMZ) in a Windows 2003 network but i don't know where to begin. I need some information to get it work. Can somebody tell me some tips to start the configuration?
Network schema:
192.168.128.x ----192.168.128.194(INSIDE
DMZ with one server. 2.2.2.253 (DMZ)--------(SERVER) 2.2.2.2
Thanks in advance!
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
8
-
7
15 Comments
First, do you want people on the Internet to access the server in the dmz? If so, what services are you wanting to allow access to? HTTP, DNS, SMTP, FTP?
Depending on those services, you need to construct an access control list (ACL) to allow that inbound traffic. You'll also need to statically translate the DMZ server to a public IP address that the world can route their traffic to.
Based on your diagram, it looks like you'll be double NATing (two NAT layers), so there is a little bit of added complexity. You may want to consider putting your DSL router into "bridge mode" meaning it won't have an IP address on, it will just pass traffic from the phone line to the Ethernet interface and back...it would become a media transceiver of sorts (phone line to Ethernet media conversion) and it would not actually perform any routing or translation functions.
If you don't want to do that, then you can leave it like it is, only you'll need to allow the inbound traffic through the DSL router.
I think you need to provide more info on what you want to be able to do with your network setup and we can go from there. You've already outlined what your network looks like, but what services do you want to allow? What do you want to do with this network?
Depending on those services, you need to construct an access control list (ACL) to allow that inbound traffic. You'll also need to statically translate the DMZ server to a public IP address that the world can route their traffic to.
Based on your diagram, it looks like you'll be double NATing (two NAT layers), so there is a little bit of added complexity. You may want to consider putting your DSL router into "bridge mode" meaning it won't have an IP address on, it will just pass traffic from the phone line to the Ethernet interface and back...it would become a media transceiver of sorts (phone line to Ethernet media conversion) and it would not actually perform any routing or translation functions.
If you don't want to do that, then you can leave it like it is, only you'll need to allow the inbound traffic through the DSL router.
I think you need to provide more info on what you want to be able to do with your network setup and we can go from there. You've already outlined what your network looks like, but what services do you want to allow? What do you want to do with this network?
OK batry boy.
I need internal network and DMZ server to have access to Internet.
DMZ server has an application (not Web) installed and internal network need to run it.
On internal network i have a server with IIS (192.168.128.252) which i need to publish (web site and FTP) to outside.
I need internal network and DMZ server to have access to Internet.
DMZ server has an application (not Web) installed and internal network need to run it.
On internal network i have a server with IIS (192.168.128.252) which i need to publish (web site and FTP) to outside.
I can't give you exact commands to enter since I don't know your current PIX configuration (you can post it and I can give you exact commands to put in), so here are some example commands:
static (inside,outside) 192.168.128.252 213.x.x.x netmask 255.255.255.255
access-list outside_access_in permit tcp any host 213.x.x.x.x eq www
access-list outside_access_in permit tcp any host 213.x.x.x.x eq ftp
access-group outside_access_in in interface outside
The above commands would create a static translation for your internal web server to look like 213.x.x.x to the outside world and allow inbound www and ftp traffic to it.
For internal hosts to get to the DMZ server, and also for internal hosts to get to the Internet, add the following commands:
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
Thost commands will perform port address translation on inside source addresses going to either the outside (Internet) or to the dmz network segment.
There's probably more to the configuration than this that you need, but as far as what you've stated you want, I believe this will get you there...
static (inside,outside) 192.168.128.252 213.x.x.x netmask 255.255.255.255
access-list outside_access_in permit tcp any host 213.x.x.x.x eq www
access-list outside_access_in permit tcp any host 213.x.x.x.x eq ftp
access-group outside_access_in in interface outside
The above commands would create a static translation for your internal web server to look like 213.x.x.x to the outside world and allow inbound www and ftp traffic to it.
For internal hosts to get to the DMZ server, and also for internal hosts to get to the Internet, add the following commands:
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
Thost commands will perform port address translation on inside source addresses going to either the outside (Internet) or to the dmz network segment.
There's probably more to the configuration than this that you need, but as far as what you've stated you want, I believe this will get you there...
Here is the actual config:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname PIX
domain-name DOMAIN.COM
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_inside permit tcp any host 213.A.B.C eq www
access-list outside_inside permit tcp any host 213.A.B.C eq ftp
access-list outside_inside permit tcp any host 213.A.B.C eq ftp-data
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.110.253 255.255.255.0
ip address inside 192.168.128.194 255.255.255.0
ip address dmz 2.2.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.128.254 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 213.A.B.C 192.168.128.252 netmask 255.255.255.255 0 0
access-group outside_inside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.110.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 80.x.x.x 255.255.255.255 outside
ssh 84.x.x.x 255.255.255.255 outside
ssh 84.x.x.x 255.255.255.255 outside
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
terminal width 80
Situation:
Internal network cannot access Internet. External access to Web server does not work.
Thanks.
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname PIX
domain-name DOMAIN.COM
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_inside permit tcp any host 213.A.B.C eq www
access-list outside_inside permit tcp any host 213.A.B.C eq ftp
access-list outside_inside permit tcp any host 213.A.B.C eq ftp-data
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.110.253 255.255.255.0
ip address inside 192.168.128.194 255.255.255.0
ip address dmz 2.2.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.128.254 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 213.A.B.C 192.168.128.252 netmask 255.255.255.255 0 0
access-group outside_inside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.110.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 80.x.x.x 255.255.255.255 outside
ssh 84.x.x.x 255.255.255.255 outside
ssh 84.x.x.x 255.255.255.255 outside
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
terminal width 80
Situation:
Internal network cannot access Internet. External access to Web server does not work.
Thanks.
The above PIX configuration will not work unless your DSL router is in "bridge" mode. Has it been configured for bridge mode?
For example, here are the instructions for doing this on a Netopia (Cayman) Internet router:
http://www.netopia.com/support/technotes/hardware/CQG_020.html
http://www.netopia.com/support/technotes/hardware/CQG_020.html
Hello.
I'm waiting for ISP because they need Cisco Mac Address to configure router in Bridge mode.
Making some testing i've a curious sitiation. With the actual configuration all hosts on Inside 192.168.128.x could connect to Internet but the server i want to publish throught the PIX is not getting Internet. It's IP is 192.168.128.252, if i configure this IP to another computer it cannot acces Internet.
How can it be possible? I' think there is no rule which denies that IP for accessing Internet.
I'm waiting for ISP because they need Cisco Mac Address to configure router in Bridge mode.
Making some testing i've a curious sitiation. With the actual configuration all hosts on Inside 192.168.128.x could connect to Internet but the server i want to publish throught the PIX is not getting Internet. It's IP is 192.168.128.252, if i configure this IP to another computer it cannot acces Internet.
How can it be possible? I' think there is no rule which denies that IP for accessing Internet.
Last comment solved! It was an static entry that makes host 192.168.128.251 the only one who access Internet. Sorry.
Well, right now all computers on inside are getting Internet as server on DMZ, but i want to publish web and ftp services situated on a inside server (192.168.128.252).
In theory i've to type those commands:
static (inside,outside) 192.168.128.252 213.x.x.x netmask 255.255.255.255
access-list outside_access_in permit tcp any host 213.x.x.x.x eq www
access-list outside_access_in permit tcp any host 213.x.x.x.x eq ftp
access-group outside_access_in in interface outside
but when i do that, all computers on inside and DMZ stop browsing the web.
Are those commands right to publish services on 192.168.128.252?
Thanks.
In theory i've to type those commands:
static (inside,outside) 192.168.128.252 213.x.x.x netmask 255.255.255.255
access-list outside_access_in permit tcp any host 213.x.x.x.x eq www
access-list outside_access_in permit tcp any host 213.x.x.x.x eq ftp
access-group outside_access_in in interface outside
but when i do that, all computers on inside and DMZ stop browsing the web.
Are those commands right to publish services on 192.168.128.252?
Thanks.
No, the correct syntax for the static command above is:
static (inside,outside) 213.x.x.x 192.168.128.252 netmask 255.255.255.255
The others are OK.
static (inside,outside) 213.x.x.x 192.168.128.252 netmask 255.255.255.255
The others are OK.
OK.
I will not extend too much this question. Only one more:
Is possible to publish the inside server with router in ROUTER mode instead of BRIDGE mode?
Thanks.
I will not extend too much this question. Only one more:
Is possible to publish the inside server with router in ROUTER mode instead of BRIDGE mode?
Thanks.
I don't know since it depends on the capabilities of the DSL router. The DSL router will need to be able to perform the NAT from the public IP to the private IP you choose. For example, you could perform NAT in this way as long as the DSL router can be configured to do it:
192.168.128.252 <-----> 192.168.110.x <--------------> 213.x.x.x
inside real IP address intermediate translation public translation
So, on the PIX, you would use:
static (inside,outside) 192.168.110.x 192.168.128.252 netmask 255.255.255.255
You would pick a 192.168.110.x address to use which would be any IP address that is unused on that network segment. You would then have to configure the DSL router to translate 192.168.110.x into 213.x.x.x and I can't tell you how to do that since I don't know what kind router you have.
192.168.128.252 <-----> 192.168.110.x <--------------> 213.x.x.x
inside real IP address intermediate translation public translation
So, on the PIX, you would use:
static (inside,outside) 192.168.110.x 192.168.128.252 netmask 255.255.255.255
You would pick a 192.168.110.x address to use which would be any IP address that is unused on that network segment. You would then have to configure the DSL router to translate 192.168.110.x into 213.x.x.x and I can't tell you how to do that since I don't know what kind router you have.
Thanks batry_boy.
With router in router mode i've been able to publish WebServer on DMZ and WebServer on INSIDE. Opening all ports in DSL router to Cisco external IP and using commands from accepted solution but changing real public IP address with internal DSL router IP address it seems to work.
I know it's not the ideal config but right now the ISP is not offering solutions to change router to bridge mode so i have to deal with router mode.
I also trying to setup hardware VPN with another Cisco PIX (501) but it's not working. Probably because "router mode" on DSL. Maybe next year i shall try to setup correctly :)
Here is the actual config:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname pix
domain-name domain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_inside permit tcp any host 192.168.110.253 eq www
access-list outside_inside permit tcp any host 192.168.110.253 eq ftp
access-list outside_inside permit tcp any host 192.168.110.253 eq ftp-data
access-list outside_inside permit icmp any any
access-list outside_inside permit tcp any host 192.168.110.253 eq 8080
access-list nonat permit ip 192.168.128.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 2.2.2.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 2.2.2.0 255.255.255.0 192.168.90.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.110.253 255.255.255.0
ip address inside 192.168.128.194 255.255.255.0
ip address dmz 2.2.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.128.0 255.255.255.0 0 0
nat (dmz) 1 2.2.2.0 255.255.255.0 0 0
static (inside,outside) tcp 192.168.110.253 www 192.168.128.252 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.110.253 ftp 192.168.128.252 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.110.253 ftp-data 192.168.128.252 ftp-data netmask 255.255.255.255 0 0
static (dmz,outside) tcp 192.168.110.253 8080 2.2.2.2 www netmask 255.255.255.255 0 0
access-group outside_inside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.110.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set mytrans esp-des esp-sha-hmac
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 101
crypto map mymap 20 set peer 87.x.x.x
crypto map mymap 20 set transform-set mytrans
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 87.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 20 3
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 80.x.x.x 255.255.255.255 outside
ssh 84.x.x.x 255.255.255.255 outside
ssh 84.x.x.x 255.255.255.255 outside
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
terminal width 80
Thanks again for all your comments batry_boy.
With router in router mode i've been able to publish WebServer on DMZ and WebServer on INSIDE. Opening all ports in DSL router to Cisco external IP and using commands from accepted solution but changing real public IP address with internal DSL router IP address it seems to work.
I know it's not the ideal config but right now the ISP is not offering solutions to change router to bridge mode so i have to deal with router mode.
I also trying to setup hardware VPN with another Cisco PIX (501) but it's not working. Probably because "router mode" on DSL. Maybe next year i shall try to setup correctly :)
Here is the actual config:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname pix
domain-name domain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_inside permit tcp any host 192.168.110.253 eq www
access-list outside_inside permit tcp any host 192.168.110.253 eq ftp
access-list outside_inside permit tcp any host 192.168.110.253 eq ftp-data
access-list outside_inside permit icmp any any
access-list outside_inside permit tcp any host 192.168.110.253 eq 8080
access-list nonat permit ip 192.168.128.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list nonat permit ip 2.2.2.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list 101 permit ip 2.2.2.0 255.255.255.0 192.168.90.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.110.253 255.255.255.0
ip address inside 192.168.128.194 255.255.255.0
ip address dmz 2.2.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.128.0 255.255.255.0 0 0
nat (dmz) 1 2.2.2.0 255.255.255.0 0 0
static (inside,outside) tcp 192.168.110.253 www 192.168.128.252 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.110.253 ftp 192.168.128.252 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.110.253 ftp-data 192.168.128.252 ftp-data netmask 255.255.255.255 0 0
static (dmz,outside) tcp 192.168.110.253 8080 2.2.2.2 www netmask 255.255.255.255 0 0
access-group outside_inside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.110.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set mytrans esp-des esp-sha-hmac
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 101
crypto map mymap 20 set peer 87.x.x.x
crypto map mymap 20 set transform-set mytrans
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 87.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 20 3
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 80.x.x.x 255.255.255.255 outside
ssh 84.x.x.x 255.255.255.255 outside
ssh 84.x.x.x 255.255.255.255 outside
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
terminal width 80
Thanks again for all your comments batry_boy.
Featured Post
Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a
glance.
You may as well want to read official Cisco published AS…
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Both in life and business – not all partnerships are created equal.
As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’
As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month9 days, 13 hours left to enroll
Earn Certification
Cisco CCNA R&S: ICND2 v3
$197.00$177.30
Earn Certification
Cisco CCNP Security: SIMOS
$197.00$177.30
623 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.