Solved

Cisco PIX 515E Security Appliance - External IP mapping

Posted on 2008-06-10
Last Modified: 2010-04-21
Background Info:

I have recently taken over all IT duties at a small company.  We have a relatively (for the size of company) complicated system.  The general make-up is as follows:

Cisco PIX 515E firewall
Inside Interface: a computer running the SQL database, a computer running Exchange, a computer running our webserver
DMZ: A Citrix Gateway server

We just got our first mobile device and I found out the hard way that ActiveSync will not work with anything other than the default ports 80/443.  We were running OWA on port 81/444 and mapping those ports to the server running Exchange.

My research seems to indicate that a good solution is to use multiple external IP addresses, which we have.  People seem to be of the opinion that mapping external IPs to internal IPs is easy, but I just can't seem to figure this out.  Can it be done without moving the Exchange and/or Webserver to the DMZ interface?

Thanks.
Question by:mthomas4
15 Comments
 
LVL 7

Expert Comment

by:dphantom
ID: 21754099
Yes you can with the PIX

static (inside,outside) <tcp | udp> PUBLIC_address <port number> PRIVATE_address <port number>

also known as NAT overload.
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21754114
What you are looking to do is possible but the specifics depend on your current environment/config.
Would you be able to post your relevant pix config for inspection?

 

Author Comment

by:mthomas4
ID: 21754483
dphantom:
I added this rule with the CLI and everything seemed to work (no error messages anyway).  Changed the DNS entry to route the OWA header to the new external IP, and changed the port on OWA to 80 in IIS.  The site doesn't seem to work externally.  Something I find odd is that our IP block 216.16.243.176/29 isn't pingable.

raptorjb007:
How do I export the environment/config?  This device is a black box to me and I can't afford to accidentally delete anything.
 

Author Comment

by:mthomas4
ID: 21754519
Some additional information:

This information was supplied to me by our ISP and the terminology seemed a little funny.

IP Address  ISP interface (your gateway to Internet):  216.16.243.133 /30
IP Address  Our interface:  216.16.243.134/30
routed (to 216.16.243.134) IP Netblocks: 216.16.243.176 /29

It almost seems like this static block gets mapped to x.x.x.134 and I never see any of these IPs at my end; is this the case?
 
LVL 7

Expert Comment

by:dphantom
ID: 21754667
With the PIX I think the command to see the running config is show run.  You should be able to copy and paste from that.
 

Author Comment

by:mthomas4
ID: 21754825
Here's the configuration of the device:

: Saved
:
PIX Version 7.2(2)
!
hostname eei-pix
domain-name eei.com
enable password i3uQts.pw9kIVdvO encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 216.16.243.134 255.255.255.252
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.30.30.10 255.255.255.0
 ospf cost 10
!
passwd i3uQts.pw9kIVdvO encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name eei.com
access-list outside_access_in remark Providing Public HTTP access to the DMZ Web Server
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 4443
access-list outside_access_in extended permit tcp any interface outside eq 81
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list eeiPIX_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list dmz_to_inside extended permit ip any any
access-list nonatdmz extended permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list split extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list split extended permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool eeivpnpool 10.10.10.1-10.10.10.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 200 interface
global (inside) 1 192.168.1.200 netmask 255.255.255.255
global (inside) 1 192.168.1.198 netmask 255.255.255.255
global (dmz) 200 interface
nat (outside) 1 216.16.243.132 255.255.255.252 outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 200 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list nonatdmz
nat (dmz) 200 10.30.30.30 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.200 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.200 pop3 netmask 255.255.255.255
static (dmz,outside) tcp interface 8443 10.30.30.30 8443 netmask 255.255.255.255
static (inside,outside) tcp interface 444 192.168.1.200 444 netmask 255.255.255.255
static (dmz,outside) tcp interface 4443 10.30.30.30 4443 netmask 255.255.255.255
static (dmz,outside) tcp interface https 10.30.30.30 https netmask 255.255.255.255
static (dmz,outside) tcp interface 8081 10.30.30.30 8081 netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.1.200 81 netmask 255.255.255.255
static (dmz,outside) tcp interface 8080 10.30.30.30 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.199 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.198 www netmask 255.255.255.255
static (inside,dmz) 192.168.1.198 192.168.1.198 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group dmz_to_inside in interface dmz
route outside 0.0.0.0 0.0.0.0 216.16.243.133 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy eeiPIX internal
group-policy eeiPIX attributes
 wins-server value 192.168.1.200 192.168.1.199
 dns-server value 192.168.1.200 63.208.196.92
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value eeiPIX_splitTunnelAcl
 default-domain value eei.com
group-policy eeiPIX! internal
group-policy eeiPIX! attributes
 wins-server value 192.168.1.200 192.168.1.199
 dns-server value 192.168.1.200 63.208.196.92
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value eei.com
username eeipix password /45rrSNjp3k60Lvu encrypted privilege 15
username eeivpn password HVW5R.B6EtbSjJ5f encrypted privilege 0
username eeivpn attributes
 vpn-group-policy eeiPIX!
http server enable
http 192.168.1.10 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1200
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group eeiPIX type ipsec-ra
tunnel-group eeiPIX general-attributes
 address-pool eeivpnpool
 default-group-policy eeiPIX!
tunnel-group eeiPIX ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6d962b9a9a979d1c133b4143c50fc3b3
: end
asdm image flash:/asdm
no asdm history enable

 
LVL 6

Expert Comment

by:raptorjb007
ID: 21755144
Based on this configuration, you were only allotted a single IP address (216.16.243.134). Port 80 is being utilized by host 192.168.1.198 and port 443 is being utilized by host 10.30.30.30.

To support the configuration you requested you would need an additional IP address so that you can utilize ports 80 and 443 for ActiveSync. When you obtain an additional IP, you can forward the outside ports 80 and 443 to the Exchange server's non-standard ports 81 and 444 using the following commands (replace x.x.x.x with an IP that has 80 and 443 unused):

static (inside,outside) tcp x.x.x.x 80 192.168.1.200 81 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x https 192.168.1.200 444 netmask 255.255.255.255

Unfortunately, unless your ISP can give you IPs that are consecutive to your current IP, you may have some major configuration work involved in changing to a new set of IP addresses.
 

Author Comment

by:mthomas4
ID: 21759599
I'm talking to my ISP about IPs.  Once I get this sorted out, would I need to modify my outside interface properties or make a new interface?  I'm not sure how the PIX works; will it accept multiple IPs on the outside interface?
 
LVL 7

Expert Comment

by:dphantom
ID: 21760295
Just use the code raptor gave you.  No need to create a separate interface.  What you are essentially doing is telling the PIX to allow traffic from outside to go to a specific location inside using a specific external IP address that the PIX translates to an inside address.

So you are not really assigning an IP to an interface, just telling the interface how and where to move particular traffic.
 

Author Comment

by:mthomas4
ID: 21761094
My contact at my ISP gave me some story about the static block IPs being forwarded through

216.16.243.134 (our interface to ISP for incoming traffic) and
216.16.243.133 (our interface to ISP for outgoing traffic)

He claims that those addresses are part of a "transport layer" and the IPs should be seen by the router as all separate.  Does this make sense to any of you?  All our other DNS entries point to x.x.x.134.  Do I need an access list entry or something more sophisticated?  The more I find out, the less straightforward this seems.
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21762280
Your current IP address as configured in your firewall is:
 ip address 216.16.243.134 255.255.255.252

This subnet has four addresses total:
x.x.x.132
x.x.x.133
x.x.x.134
x.x.x.135

.132 is the network address and is not usable
.135 is the broadcast address and is also not usable

This leaves .133 and .134

.134 is your current IP address and is assigned to your firewall's outside interface.
.133 is the IP of your ISP's router/gateway, this is where your firewall sends outbound traffic.

This means you only have 1 usable IP address, .134. To add more you would have to either move to a whole new IP range, which would require many configuration changes on your part, or, if you are lucky, the ISP has unused IPs directly next to your current range (i.e. .136 or .131), which is unlikely.

Beyond that, if you cannot move to a new IP range or get an additional IP, you could look into moving the hosts that are currently using ports 80 and 443 to alternate ports to make them available for Exchange. If the current hosts are web based services, you may be able to use an online DNS service to redirect requests to your alternate port numbers so the change is transparent, i.e. DynDNS's webredirect.

http://www.dyndns.com/services/webredirect/
 

Author Comment

by:mthomas4
ID: 21763812
Very informative, Raptorjb007

I'm going to talk to my ISP and see what they can do about a consecutive IP.  I'm assuming changing my subnet mask on the outside interface to 255.255.255.192 to include the static block is not advised and may not even work?

We currently use DynDNS to manage our DNS records, so I've looked at the webhop feature.  We currently have MANY websites in IIS, and DynDNS says they provide 5 webhops for free, not to mention the hassle of remapping all the other sites.  I've added a hop to mask port 81 from the URL for OWA, but I'm not sure how "smart" ActiveSync is.  OWA works rather well from a web browser (the only thing I've noticed is that the close browser button on log-out doesn't work), but ActiveSync won't recognize an Exchange server.  I'm guessing the IIS site must be running on standard ports, no exceptions.

I'm going to go through our headers and see if we really need all of them.
 

Author Comment

by:mthomas4
ID: 21781254
It would appear that there are no more consecutive IPs available.  I guess this would mean a totally new IP block would have to be negotiated.

Upon further reflection, using webhops in DynDNS to remap our main website would be undesirable.  Most of our customers operate behind a firewall and do not have non-standard ports open.  It defeats the purpose of a company website if it's not widely accessible.

If there's really no way to use the 216.16.243.176/29 block of IPs with the Cisco PIX 515E then the only viable solution left to me is to renegotiate a new IP block with consecutive IPs, although I'm still not quite sure how this would make any difference.  Would the new block have to be structured something like this:

x.x.x.168/29

x.x.x.168 - subnet IP
x.x.x.169 - ISP's IP
x.x.x.170
to             - our external IPs
x.x.x.174
x.x.x.175 - Broadcast IP

I guess I just don't understand why having an extra IP "close" to the other one will work, but the range we've been assigned will not.  I would hate to go through the exercise of changing all the IPs in the router and DynDns just to find out it still doesn't work.  Does it have something to do with only being allowed 3 interfaces on the PIX?
 
LVL 6

Accepted Solution

by:
raptorjb007 earned 250 total points
ID: 21781956
The consecutive requirement is just a side effect of the fact that you cannot assign multiple different subnets to an interface. Your current subnet contains only four IPs; however, three are always consumed by the network address, broadcast address, and ISP gateway as previously mentioned. If the ISP had consecutive IPs conveniently available, you could extend your current subnet from, say, 216.16.243.134/30 (x.x.x.134-135) to, for example, 216.16.243.129/29 (x.x.x.129-135), which would add two IPs for your use.

The main problem is that each port can only be allocated once per IP. With additional IPs, you could allocate additional services on common ports like 80 and 443.

Since your ISP is unable to extend your current subnet, and you are unable to free the ports you need for activesync on your current IP, you would have no choice but to move to a larger subnet.
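An added check, not code from the thread, for the two constraints raptorjb007 lays out above: each port is allocated once per public IP, and a subnet only leaves for NAT the hosts that are not the network, broadcast or ISP gateway address. It parses the static PAT lines and outside address copied from the posted config (the excerpt is constructed from those lines) and tells you whether tcp/80 and tcp/443 on 216.16.243.134 are already taken. The PORT_NAMES table is an assumption covering only the service keywords that config uses.

```python
import ipaddress
import re
# Constructed excerpt of the posted PIX 7.2 config: the outside interface
# address and its static PAT lines, copied from the thread above.
PIX_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 216.16.243.134 255.255.255.252
static (inside,outside) tcp interface smtp 192.168.1.200 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 444 192.168.1.200 444 netmask 255.255.255.255
static (dmz,outside) tcp interface https 10.30.30.30 https netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.1.200 81 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.198 www netmask 255.255.255.255
"""

# Service keywords the PIX accepts instead of port numbers (assumed subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110}

STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mip>\S+) (?P<mport>\S+) (?P<rip>\S+) (?P<rport>\S+)"
)

def port_number(token):
    return PORT_NAMES.get(token) or int(token)

def outside_ip(config):
    """Address configured on the interface whose nameif is 'outside'."""
    iface = None
    for line in config.splitlines():
        if line.startswith(" nameif "):
            iface = line.split()[1]
        elif line.startswith(" ip address ") and iface == "outside":
            return line.split()[2]

def static_pat_table(config):
    """Map (public IP, proto, public port) -> (private IP, private port);
    the PIX allocates each port once per mapped IP, so a repeat is an error."""
    table, out_ip = {}, outside_ip(config)
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if not m or m["mapped"] != "outside":
            continue
        pub = out_ip if m["mip"] == "interface" else m["mip"]
        key = (pub, m["proto"], port_number(m["mport"]))
        if key in table:
            raise ValueError(f"port already allocated: {key}")
        table[key] = (m["rip"], port_number(m["rport"]))
    return table

def usable_for_nat(cidr, gateway):
    """Hosts a subnet leaves for NAT after network, broadcast and gateway."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(h) for h in net.hosts() if str(h) != gateway]
```

With the posted config the table shows tcp/80 held by 192.168.1.198 and tcp/443 by 10.30.30.30 on the single outside address, and the /30 leaves exactly one address for NAT once .133 is excluded.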
 

Author Closing Comment

by:mthomas4
ID: 31467053
Thanks for sticking with me and explaining these concepts in detail.  I'm still pretty new to networking and have some knowledge gaps to fill.
-Cheers!
