PIX 515e Simple Config

I am attempting to teach myself how to configure a PIX.

I have attempted to set up the PIX in question with internal and external interfaces. I have also attempted to set up a VPN. I am still having trouble understanding ACLs and routes.

I am using 192.168.1.99 as my outside WAN address (this is for testing purposes; this of course is not my outside WAN, but I have several private networks), and the gateway to the actual WAN on that network is 192.168.1.50.

From the console I can ping the 192.168.1.x network. I just can't seem to figure out how to set up the routes and ACLs to allow clients to access that network.

As I stated, I tried to set up the VPN on the PIX; if you see anything amiss, let me know.

Here is my config:


: Saved
:
PIX Version 7.0(2)
names
!
interface Ethernet0
 nameif Outsite-WAN
 security-level 0
 ip address 192.168.1.99 255.255.255.0
!
interface Ethernet1
 nameif Inside-LAN
 security-level 100
 ip address 192.168.150.1 255.255.254.0
!
interface Ethernet2
 shutdown
 nameif NLS-DMZ
 security-level 0
 no ip address
!
enable password e6xcY53IgSrU6ice encrypted
passwd e6wdY5cIg3rU6ice encrypted
hostname NLS-PIX
domain-name nls.local
ftp mode passive
access-list 101 extended permit icmp any any
pager lines 24
mtu Outsite-WAN 1500
mtu Inside-LAN 1500
mtu NLS-DMZ 1500
ip local pool vpnpool 192.168.150.160-192.168.150.199
monitor-interface Outsite-WAN
monitor-interface Inside-LAN
monitor-interface NLS-DMZ
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy NLSVPN internal
group-policy NLSVPN attributes
 dns-server value 192.168.150.5
 vpn-idle-timeout 30
username admin password U2HElKwDf4IRgyZh encrypted privilege 15
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface Outsite-WAN
isakmp identity address
isakmp enable Outsite-WAN
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86000
isakmp nat-traversal  20
telnet 192.168.150.20 255.255.255.255 Inside-LAN
telnet timeout 5
ssh 192.168.150.20 255.255.255.255 Inside-LAN
ssh timeout 5
console timeout 0
tunnel-group NLSVPN type ipsec-ra
tunnel-group NLSVPN general-attributes
 address-pool vpnpool
 default-group-policy NLSVPN
tunnel-group NLSVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:58f7e0453ed9c82fbd7b49d6871d5b94
: end

CDCOP asked:

batry_boy commented:
You need to configure NAT to allow traffic to pass from the 192.168.150.x network to the 192.168.1.x network.  Add these statements:

global (Outsite-WAN) 1 interface
nat (Inside-LAN) 1 0.0.0.0 0.0.0.0
route Outsite-WAN 0.0.0.0 0.0.0.0 192.168.1.50

See if that gets you connectivity to your outside network.  Post back with questions...I'll be happy to explain any specific questions.
CDCOP (author) commented:
Nope.

I have tried so many combinations, that was probably one of them. I did try what you asked and it still didn't work. What about ACLs?
batry_boy commented:
You don't need any ACLs to allow traffic from a higher security level interface (inside) to a lower security level interface (outside), just the nat and global statements.  If you want to be able to get to networks beyond the 192.168.1.x network, then you will need the route command as stated above.

Can you elaborate on the exact type of traffic you are trying to pass?  Meaning, TCP/UDP ports and source/destination IP addresses.

CDCOP (author) commented:
I am still working on what I described above.

I want clients on my: 192.168.150.x segment to be able to contact the 192.168.1.x segment.
CDCOP (author) commented:
I don't know why, but I had to issue the clear xlate command. I've seen it used before when others have made config changes. Care to explain?

Can you explain ACL's and Split access?
batry_boy commented:
When modifying translation statements that are in a PIX/ASA, you should issue the "clear xlate" command so that any existing translations that conflict with the modifications just made are cleared out.  However, in your situation where you didn't have any existing translation statements, I didn't think it would be necessary to issue that command because there shouldn't have been anything to clear out...guess I was wrong.

Access control lists (ACLs) allow you to define specific traffic for filtering or other purposes.  ACLs are used for different purposes in the firewall configuration.  The most common use of an ACL is to filter what traffic can flow between interfaces...in other words, block the traffic you don't want to get through, and allow the traffic that you do want to get through.  When using ACLs to filter traffic in this manner, the application of the ACLs is affected by the security levels that are assigned to the various firewall interfaces.  Looking at the interface definitions in your configuration:

interface Ethernet0
 nameif Outsite-WAN
 security-level 0
 ip address 192.168.1.99 255.255.255.0
!
interface Ethernet1
 nameif Inside-LAN
 security-level 100
 ip address 192.168.150.1 255.255.254.0
!
interface Ethernet2
 shutdown
 nameif NLS-DMZ
 security-level 0
 no ip address

we see that you have 3 interfaces (one of which is disabled, or shutdown) and the other two are enabled and should be passing traffic.  The interface named "Inside-LAN" has a security level of 100 which means that it is the most protected interface and the one named "Outsite-WAN" has a security level of 0 which means it is the least protected interface.  To allow traffic to flow sourced from a lower security level interface to a higher security level interface, an ACL must be applied to the lower security level interface specifying the traffic you want to allow (or specifically deny).  The ACL is parsed by the firewall from top to bottom and if the traffic being inspected doesn't match any line in the ACL, then the traffic is implicitly dropped.

Traffic sourced from a higher security level interface destined for a lower security level interface is allowed by default by the firewall...no ACL is needed to permit this traffic flow.  However, proper NAT statements are required for traffic to flow from higher to lower security level interfaces, thus the need for the "nat" and "global" statements I mentioned above.

What do you mean by "split access"?  Do you mean split tunneling, split DNS, or something else?
CDCOP (author) commented:
Great read! Thanks.

I guess I should actually have the inside set as 0 and the outside set as 100. Is this more common?

When assigning access-lists, is the naming and number in any way tied to the security number above?

For example, I have used access-list 100 or access-list 101

I was able to create the access-lists for allowing and blocking access to ports. I then (correct me if I'm wrong) had to create a group and attach the group to an interface to apply the restricted access-list to the interface?
batry_boy commented:
>>I guess I should actually have the inside set as 0 and the outside set as 100. Is this more common?

No, you have it right already.  The inside interface, which is typically treated as the most protected interface, should be set at 100.  The outside interface, which is typically treated as the least protected interface, should be set to 0.  I would leave them as is.

>>When assigning access-lists, is the naming and number anyway tied to the security number above?

No.  The ACL name is just an arbitrary name that can be either a number, or a more descriptive name that could describe how the ACL is being used, what type of traffic is being filtered with it, etc....

>>I was able to create the access-lists for allowing and blocking access to ports. I then (correct me if I'm wrong) had to create a group and attach the group to an interface to apply the restricted access-list to the interface?

You got it!
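As an added example (not posted by anyone in the thread), here are the statements from the answers above combined into one fragment for the poster's interface names, with an explicit logged deny appended to the existing ACL 101, the access-group binding from the last answer, and the verification commands to run afterwards; narrowing the nat statement to 192.168.150.0/23 instead of 0.0.0.0 0.0.0.0 is an assumption that the poster has no other inside networks.

```cisco
! Added example, not part of the original thread.
! Assumption: 192.168.150.0/23 is the only inside network to translate.

! 1. PAT for inside hosts leaving through the outside interface
global (Outsite-WAN) 1 interface
nat (Inside-LAN) 1 192.168.150.0 255.255.254.0

! 2. Default route towards the real WAN gateway on the outside segment
route Outsite-WAN 0.0.0.0 0.0.0.0 192.168.1.50

! 3. Inbound filter on the low-security interface: first match wins,
!    anything not matched hits the implicit deny at the end.
!    ACL 101 already permits ICMP; an explicit logged deny makes the
!    dropped traffic visible in syslog instead of disappearing silently.
access-list 101 extended permit icmp any any
access-list 101 extended deny ip any any log

! 4. Bind the ACL to the interface (the "group" step from the last answer)
access-group 101 in interface Outsite-WAN

! 5. Flush stale translations after changing nat/global, then verify
clear xlate
show xlate
show route
show access-list 101
```

`show access-list 101` prints a hit count per line, so a rising count on the deny line confirms the filter is actually bound to the interface and seeing traffic.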