
Setup test domain on test network

Posted on 2008-11-13
Last Modified: 2012-05-07
I have successfully set up the routes for a secondary test network on a 192.168.0.0/24 subnet, and the virtual machines set up for this network are accessing the internet as desired. My next question is: can I set up access to this domain from outside? For example, I have an Exchange server in the test environment which I would like to be able to send email to. So I have to configure a static NAT using one of my open external IP addresses to the server in the test environment. Is this possible?
Question by:Bill Warren
8 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22953936
Sure is.

You need a static NAT on the PIX and an access-list entry.  Only SMTP I would assume.

For example:

If using the interface IP address and you don't already have an SMTP NAT:

static (inside,outside) tcp interface 25 192.168.0.x 25 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host interface eq 25
access-group outside_access_in in interface outside

Where 192.168.0.x is the internal IP address of the exchange server.
 

Author Comment

by:Bill Warren
ID: 22954611
Well, SMTP and maybe HTTP and HTTPS... I do have an Exchange server on the production LAN, so doing this cannot interfere with that... can I specify an external IP to forward to that server?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22956533
Do you have a block of external IP's from your ISP or just one?  If you have multiple, you can dedicate one to the test network.
 

Author Comment

by:Bill Warren
ID: 22956584
Yes, multiple IPs... what commands would I need to do that? And the SMTP/HTTP/HTTPS routes for the test environment won't interfere with the production LAN, right?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22956925
As long as you use a different external IP dedicated for Test.

static (inside,outside) tcp x.x.x.x 25 192.168.0.x 25 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 80 192.168.0.x 443 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 443 192.168.0.x 80 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host x.x.x.x eq 25
access-list outside_access_in extended permit tcp any host x.x.x.x eq 80
access-list outside_access_in extended permit tcp any host x.x.x.x eq 443
access-group outside_access_in in interface outside

x.x.x.x is a free external IP not in use.  Make sure the access-list bound to the outside interface is named properly.
 

Author Comment

by:Bill Warren
ID: 22961987
I have done this and so far I cannot ping the IP from outside (for these purposes 1.1.1.135). When I try to view the IP address of the server that we NATted, it should be 1.1.1.135 but it is still showing 1.1.1.158, which is the outside interface IP of the PIX. So the NATting doesn't seem to be working yet. Maybe a restart of the PIX would do the trick, you think? Here is the current config with changes made to personal info.
 
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password !!!!!!!!!!!!!! encrypted
passwd !!!!!!!!!!!!!! encrypted
hostname fw-p501
domain-name domain.com
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside deny ip x.x.x.x 255.255.255.0 any
access-list outside permit icmp any any
access-list outside permit tcp any host 1.1.1.130 eq smtp
access-list outside permit tcp any host 1.1.1.130 eq pop3
access-list outside permit tcp any host 1.1.1.130 eq ftp
access-list outside permit tcp any host 1.1.1.130 eq www
access-list outside permit tcp any host 1.1.1.130 eq 8080
access-list outside permit tcp any host 1.1.1.130 eq https
access-list outside permit tcp any host 1.1.1.130 eq 26
access-list outside permit tcp any host 1.1.1.133 eq www
access-list outside permit tcp any host 1.1.1.130 eq pptp
access-list outside permit udp any host 1.1.1.130 eq 1723
access-list outside permit udp any 1.1.1.128 255.255.255.224 eq isakmp
access-list outside permit udp any 1.1.1.128 255.255.255.224 eq 4500
access-list outside permit tcp any 1.1.1.128 255.255.255.224 eq https
access-list outside permit tcp any host 1.1.1.135 eq smtp
access-list outside permit tcp any host 1.1.1.135 eq www
access-list outside permit tcp any host 1.1.1.135 eq https
access-list outside permit tcp any host 1.1.1.135 eq 987
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list 101 permit ip 10.10.9.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.9.0 255.255.255.0
access-list 101 permit ip 10.10.8.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.10.9.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 101 permit ip 10.10.9.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list 101 permit ip 10.10.9.0 255.255.255.0 192.192.192.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.192.192.0 255.255.255.0
access-list inside-acl permit ip any any
access-list 199 permit tcp host 10.10.15.110 host 10.10.10.250 eq 135
access-list 199 permit tcp host 10.10.10.250 eq 135 host 10.10.15.110
access-list crypto_outside permit ip 10.10.10.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list crypto_outside permit ip 10.10.10.0 255.255.255.0 10.10.9.0 255.255.255.0
access-list split-acl permit ip 10.10.9.0 255.255.255.0 any
access-list split-acl permit ip 10.10.10.0 255.255.255.0 any
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered critical
logging trap informational
logging host inside 10.10.10.251
logging host inside 10.10.10.120
mtu outside 1500
mtu inside 1462
ip address outside 1.1.1.158 255.255.255.224
ip address inside 10.10.9.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool !!!!!!! 10.10.11.1-10.10.11.253
ip local pool !!!!!! 10.10.10.170-10.10.10.180
ip local pool !!!!!!!! 10.10.9.170-10.10.9.180
ip local pool !!!!!!!! 192.192.192.1-192.192.192.50
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.1.1.135 smtp 192.168.0.250 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 www 192.168.0.250 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 https 192.168.0.250 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 987 192.168.0.250 987 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.130 10.10.10.250 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.132 10.10.10.14 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.134 10.10.10.67 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.133 10.10.10.130 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside-acl in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.129 1
route inside 10.10.10.0 255.255.255.0 10.10.9.230 1
route inside 192.168.0.0 255.255.255.0 10.10.9.230 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 10.10.10.250 source inside prefer
ntp server 10.10.12.250 source inside
http server enable
http 10.10.10.0 255.255.255.0 inside
http 10.10.12.0 255.255.255.0 inside
http 10.10.11.0 255.255.255.0 inside
floodguard enable
sysopt connection tcpmss 1300
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map abcmap 20 ipsec-isakmp
crypto map abcmap 20 match address crypto_outside
crypto map abcmap 20 set peer x.x.x.x
crypto map abcmap 20 set transform-set myset
crypto map abcmap 1000 ipsec-isakmp dynamic dynmap
crypto map abcmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngrp address-pool test-pool
vpngroup vpngrp dns-server 10.10.10.250
vpngroup vpngrp wins-server 10.10.10.250
vpngroup vpngrp default-domain domain.com
vpngroup vpngrp split-tunnel split-acl
vpngroup vpngrp idle-time 1800
vpngroup vpngrp password ********
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.10.11.0 255.255.255.0 inside
telnet 10.10.12.0 255.255.255.0 inside
telnet timeout 30
ssh 10.10.10.0 255.255.255.0 inside
ssh 10.10.11.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 10.10.9.170-10.10.9.180 inside
dhcpd dns 10.10.10.250
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain domain.com
dhcpd auto_config outside
terminal width 80
: end
[OK]
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 22962087
Oops, here is the issue:

static (inside,outside) tcp 1.1.1.135 www 192.168.0.250 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 https 192.168.0.250 www netmask 255.255.255.255 0 0

Should be:

static (inside,outside) tcp 1.1.1.135 www 192.168.0.250 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 https 192.168.0.250 https netmask 255.255.255.255 0 0

Also keep in mind that the server will only appear to the Internet as 1.1.1.135 when SMTP, HTTP or HTTPS traffic is in question.  You won't be able to ping it.  If you want all ports to be forwarded to the server, you can do the following instead (including ICMP traffic):

no static (inside,outside) tcp 1.1.1.135 smtp 192.168.0.250 smtp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 1.1.1.135 www 192.168.0.250 https netmask 255.255.255.255 0 0
no static (inside,outside) tcp 1.1.1.135 https 192.168.0.250 www netmask 255.255.255.255 0 0
no static (inside,outside) tcp 1.1.1.135 987 192.168.0.250 987 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.135 192.168.0.250 netmask 255.255.255.255 0 0

If you do the 1-1 static NAT, you won't be able to say forward port 3389 to a different 192.168.0.x host using the 1.1.1.135 host.
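A way to check a config like the one pasted above for the mistakes this thread ran into, as an added example that is not part of the original thread or of any Cisco tooling. The script below parses the static, access-list and access-group lines of a PIX 6.x config and reports: a static whose global and local ports differ (the crossed www/https lines corrected in the accepted answer), an access-group that names an ACL which does not exist (the "named properly" caveat), ACL permits on a global address with no translation behind them, translations that no ACL permits, the ports a 1:1 static actually exposes, and global addresses that have only per-port statics and therefore will not answer ping. The config excerpt embedded in it is constructed for the example and modelled on the thread's paste (with a permit for 1.1.1.133 and tcp/987 left without a static to show those findings). It is an approximation: only permit entries with source any are modelled, deny lines and ACL ordering are ignored, and the "interface" keyword form from the first reply is not handled.

```python
"""Lint a PIX 6.x config's inbound exposure: each `static` translation
against the ACL bound inbound on the outside interface.  Added example for
this thread, not code from the post or from Cisco.  Assumes PIX 6.x syntax;
only `permit` entries with source `any` are modelled, `deny` is ignored."""
import ipaddress
import re
from collections import defaultdict

# Service names PIX 6.x accepts in place of numbers (subset).
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "http": 80, "pop3": 110, "https": 443}
STATIC_PORT = re.compile(r"^static \(\w+,\w+\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_1TO1 = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+) netmask")
ACL = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) any "
                 r"(?:host (\S+)|(any)|(\S+) (\S+))(?: eq (\S+))?$")
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface outside\b")


def port_num(token):
    """Resolve a PIX port token ('www', '25') to an integer."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown service name {token!r}; extend PORT_NAMES")


def parse(config):
    """Return (statics, acls, name of the ACL bound inbound on outside)."""
    statics, acls, bound = [], defaultdict(list), None
    for line in (ln.strip() for ln in config.splitlines()):
        if m := STATIC_PORT.match(line):
            proto, gip, gport, lip, lport = m.groups()
            statics.append((gip, proto, port_num(gport), lip, port_num(lport)))
        elif m := STATIC_1TO1.match(line):
            gip, lip = m.groups()
            statics.append((gip, "ip", None, lip, None))  # every port, ICMP too
        elif m := ACL.match(line):
            name, proto, host, anydst, net, mask, eq = m.groups()
            cidr = f"{host}/32" if host else "0.0.0.0/0" if anydst else f"{net}/{mask}"
            acls[name].append((proto, ipaddress.ip_network(cidr, strict=False),
                               port_num(eq) if eq else None))
        elif m := ACCESS_GROUP.match(line):
            bound = m.group(1)
    return statics, acls, bound


def lint(config):
    """Return (CODE, detail) findings about what the outside can reach."""
    statics, acls, bound = parse(config)
    rules, findings = acls.get(bound, []), []
    if not rules:  # access-group names an ACL that does not exist (or is absent)
        findings.append(("ACL_NAME_MISMATCH", f"bound {bound!r}; defined: {sorted(acls)}"))

    def permitted(proto, ip, port):
        a = ipaddress.ip_address(ip)
        return any(p in (proto, "ip") and a in dst and eq in (None, port)
                   for p, dst, eq in rules)

    for gip, proto, gport, lip, lport in statics:
        if proto == "ip":  # 1:1 static: exposure is exactly what the ACL permits
            reach = sorted({f"{p}/{eq}" if eq else p for p, dst, eq in rules
                            if ipaddress.ip_address(gip) in dst})
            findings.append(("ONE_TO_ONE", f"{gip} -> {lip} reachable on {reach}"))
            continue
        if gport != lport:  # crossed mapping, like the thread's www/https lines
            findings.append(("PORT_MISMATCH", f"{gip} {proto}/{gport} -> {lip}:{lport}"))
        if not permitted(proto, gip, gport):
            findings.append(("NO_ACL_PERMIT", f"{gip} {proto}/{gport} translated, not permitted"))
    for p, dst, eq in rules:  # permits with no translation behind them: packets drop
        ip = str(dst.network_address)
        if dst.prefixlen == 32 and eq and not any(
                g == ip and (pr == "ip" or (pr == p and gp == eq)) for g, pr, gp, _, _ in statics):
            findings.append(("NO_XLATE", f"{bound} permits {p}/{eq} to {ip}, no static"))
    for gip in {g for g, pr, *_ in statics if pr != "ip"}:  # per-port statics skip ICMP
        if not any(pr == "ip" and g == gip for g, pr, *_ in statics):
            findings.append(("NO_ICMP", f"{gip} has only per-port statics; ping will fail"))
    return findings


# Constructed excerpt modelled on the thread's config, crossed www/https
# mapping included; 1.1.1.133 and tcp/987 are permitted but have no static.
SAMPLE_CONFIG = """\
access-list outside permit icmp any any
access-list outside permit tcp any host 1.1.1.130 eq smtp
access-list outside permit tcp any host 1.1.1.133 eq www
access-list outside permit tcp any host 1.1.1.135 eq smtp
access-list outside permit tcp any host 1.1.1.135 eq www
access-list outside permit tcp any host 1.1.1.135 eq https
access-list outside permit tcp any host 1.1.1.135 eq 987
static (inside,outside) tcp 1.1.1.135 smtp 192.168.0.250 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 www 192.168.0.250 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 https 192.168.0.250 www netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.130 10.10.10.250 netmask 255.255.255.255 0 0
access-group outside in interface outside
"""

if __name__ == "__main__":
    for code, detail in lint(SAMPLE_CONFIG):
        print(f"{code:17} {detail}")
```

Run it as a script to print the findings for the embedded excerpt, or call lint() on the output of "show run". The ONE_TO_ONE finding is the trade-off of the accepted fix: once 1.1.1.135 is a 1:1 static, every port the outside ACL permits to that address reaches the Exchange host, and with "permit icmp any any" in the ACL it also answers ping, so the ACL entries for that address are the only thing limiting exposure of the test server; keep them to the ports the test actually needs.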
 

Author Comment

by:Bill Warren
ID: 22962344
I did the 1-1 and I think that is what I was looking for... everything is cool now. Thanks a bunch.