Bill Warren
asked on
Setup test domain on test network
I have successfully set up the routes for a secondary test network on a 192.168.0.0/24 subnet, and the virtual machines set up for this network are accessing the internet as desired. My next question is: can I set up access to this domain from outside? For example, I have an Exchange server in the test environment which I would like to be able to send email to. So I have to configure a static NAT using one of my open external IP addresses to the server in the test environment. Is this possible?
ASKER
Well, SMTP and maybe HTTP and HTTPS... I do have an Exchange server on the production LAN, so doing this cannot interfere with that... can I specify an external IP to forward to that server?
Do you have a block of external IPs from your ISP or just one? If you have multiple, you can dedicate one to the test network.
ASKER
Yes, multiple IPs... what commands would I need to do that? And the SMTP/HTTP/HTTPS routes for the test environment won't interfere with the production LAN, right?
As long as you use a different external IP dedicated for Test.
static (inside,outside) tcp x.x.x.x 25 192.168.0.x 25 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 80 192.168.0.x 80 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 443 192.168.0.x 443 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host x.x.x.x eq 25
access-list outside_access_in extended permit tcp any host x.x.x.x eq 80
access-list outside_access_in extended permit tcp any host x.x.x.x eq 443
access-group outside_access_in in interface outside
x.x.x.x is a free external IP not in use. Make sure the access-list bound to the outside interface is named properly.
ASKER
I have done this and so far I cannot ping the IP from outside (for these purposes 1.1.1.135). When I try to view the IP address of the server that we NATted, it should be 1.1.1.135 but it is still showing 1.1.1.158, which is the outside interface IP of the PIX. So the NATting doesn't seem to be working yet. Maybe a restart of the PIX would do the trick, you think? Here is the current config with changes made to personal info.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password !!!!!!!!!!!!!! encrypted
passwd !!!!!!!!!!!!!! encrypted
hostname fw-p501
domain-name domain.com
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside deny ip x.x.x.x 255.255.255.0 any
access-list outside permit icmp any any
access-list outside permit tcp any host 1.1.1.130 eq smtp
access-list outside permit tcp any host 1.1.1.130 eq pop3
access-list outside permit tcp any host 1.1.1.130 eq ftp
access-list outside permit tcp any host 1.1.1.130 eq www
access-list outside permit tcp any host 1.1.1.130 eq 8080
access-list outside permit tcp any host 1.1.1.130 eq https
access-list outside permit tcp any host 1.1.1.130 eq 26
access-list outside permit tcp any host 1.1.1.133 eq www
access-list outside permit tcp any host 1.1.1.130 eq pptp
access-list outside permit udp any host 1.1.1.130 eq 1723
access-list outside permit udp any 1.1.1.128 255.255.255.224 eq isakmp
access-list outside permit udp any 1.1.1.128 255.255.255.224 eq 4500
access-list outside permit tcp any 1.1.1.128 255.255.255.224 eq https
access-list outside permit tcp any host 1.1.1.135 eq smtp
access-list outside permit tcp any host 1.1.1.135 eq www
access-list outside permit tcp any host 1.1.1.135 eq https
access-list outside permit tcp any host 1.1.1.135 eq 987
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list 101 permit ip 10.10.9.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.9.0 255.255.255.0
access-list 101 permit ip 10.10.8.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.10.9.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 101 permit ip 10.10.9.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list 101 permit ip 10.10.9.0 255.255.255.0 192.192.192.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.192.192.0 255.255.255.0
access-list inside-acl permit ip any any
access-list 199 permit tcp host 10.10.15.110 host 10.10.10.250 eq 135
access-list 199 permit tcp host 10.10.10.250 eq 135 host 10.10.15.110
access-list crypto_outside permit ip 10.10.10.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list crypto_outside permit ip 10.10.10.0 255.255.255.0 10.10.9.0 255.255.255.0
access-list split-acl permit ip 10.10.9.0 255.255.255.0 any
access-list split-acl permit ip 10.10.10.0 255.255.255.0 any
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered critical
logging trap informational
logging host inside 10.10.10.251
logging host inside 10.10.10.120
mtu outside 1500
mtu inside 1462
ip address outside 1.1.1.158 255.255.255.224
ip address inside 10.10.9.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool !!!!!!! 10.10.11.1-10.10.11.253
ip local pool !!!!!! 10.10.10.170-10.10.10.180
ip local pool !!!!!!!! 10.10.9.170-10.10.9.180
ip local pool !!!!!!!! 192.192.192.1-192.192.192.50
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.1.1.135 smtp 192.168.0.250 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 www 192.168.0.250 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 https 192.168.0.250 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 987 192.168.0.250 987 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.130 10.10.10.250 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.132 10.10.10.14 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.134 10.10.10.67 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.133 10.10.10.130 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside-acl in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.129 1
route inside 10.10.10.0 255.255.255.0 10.10.9.230 1
route inside 192.168.0.0 255.255.255.0 10.10.9.230 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 10.10.10.250 source inside prefer
ntp server 10.10.12.250 source inside
http server enable
http 10.10.10.0 255.255.255.0 inside
http 10.10.12.0 255.255.255.0 inside
http 10.10.11.0 255.255.255.0 inside
floodguard enable
sysopt connection tcpmss 1300
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map abcmap 20 ipsec-isakmp
crypto map abcmap 20 match address crypto_outside
crypto map abcmap 20 set peer x.x.x.x
crypto map abcmap 20 set transform-set myset
crypto map abcmap 1000 ipsec-isakmp dynamic dynmap
crypto map abcmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngrp address-pool test-pool
vpngroup vpngrp dns-server 10.10.10.250
vpngroup vpngrp wins-server 10.10.10.250
vpngroup vpngrp default-domain domain.com
vpngroup vpngrp split-tunnel split-acl
vpngroup vpngrp idle-time 1800
vpngroup vpngrp password ********
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.10.11.0 255.255.255.0 inside
telnet 10.10.12.0 255.255.255.0 inside
telnet timeout 30
ssh 10.10.10.0 255.255.255.0 inside
ssh 10.10.11.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 10.10.9.170-10.10.9.180 inside
dhcpd dns 10.10.10.250
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain domain.com
dhcpd auto_config outside
terminal width 80
: end
[OK]
ASKER
I did the 1-1 and I think that is what I was looking for... everything is cool now. Thanks a bunch.
You need a static NAT on the PIX and an access-list entry. Only SMTP, I would assume.
For example:
If using the interface IP address and you don't already have an SMTP NAT:
static (inside,outside) tcp interface 25 192.168.0.x 25 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host interface eq 25
access-group outside_access_in in interface outside
Where 192.168.0.x is the internal IP address of the Exchange server.
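The static-plus-ACL recipe in the replies above and the pasted running-config are easy to get subtly wrong: a permit can be missing from the ACL bound to the outside interface, the external and internal ports of a port-static can be transposed, and a host that has only port-statics still sends its own outbound traffic through the global PAT on the interface address (which is why the server showed up as the PIX's outside IP rather than the dedicated one, and why a full 1-to-1 static is what finally fixed it). The following Python audit script is an added example, not code from the thread or from Cisco; it parses the PIX 6.3 `static`, `access-list`, `access-group`, `global` and `ip address` lines and reports those three conditions. The port-keyword table and the regular expressions are assumptions that cover only the syntax shown in this thread; the sample config is constructed from the one posted above, with the port-987 ACL permit deliberately left out so the missing-permit check has something to find.

```python
"""Audit PIX 6.3 port-forward (static NAT) lines against the outside ACL.

Added example, not code from the thread or from Cisco. Reports:
  * a port-static with no matching permit in the ACL bound to 'outside'
  * a port-static whose external and internal ports differ (usually a typo)
  * an inside host that has only port-statics, so its own outbound traffic
    still leaves through the global PAT on the outside interface address
"""
import re

# Assumed keyword table; PIX accepts these names in place of port numbers.
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443, "pop3": 110,
              "ftp": 21, "pptp": 1723, "ssh": 22, "telnet": 23}

# Assumed patterns covering only the 6.3 syntax seen in the thread.
STATIC_PORT = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_FULL = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
ACL_PERMIT = re.compile(r"^access-list (\S+) (?:extended )?permit (tcp|udp) any host (\S+) eq (\S+)")
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface (\w+)")
IP_ADDRESS = re.compile(r"^ip address (\w+) (\S+) (\S+)")
GLOBAL_PAT = re.compile(r"^global \((\w+)\) \d+ (\S+)")

# Constructed sample built from the config posted in the thread, with the
# port-987 ACL permit left out so the missing-permit check fires.
SAMPLE_CONFIG = """\
ip address outside 1.1.1.158 255.255.255.224
access-list outside permit tcp any host 1.1.1.130 eq smtp
access-list outside permit tcp any host 1.1.1.135 eq smtp
access-list outside permit tcp any host 1.1.1.135 eq www
access-list outside permit tcp any host 1.1.1.135 eq https
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.1.1.135 smtp 192.168.0.250 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 www 192.168.0.250 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 https 192.168.0.250 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 987 192.168.0.250 987 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.130 10.10.10.250 netmask 255.255.255.255 0 0
access-group outside in interface outside
"""


def port_num(tok):
    """Resolve a PIX port keyword (smtp, www, ...) or a number to an int."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_config(text):
    """Collect the NAT- and ACL-relevant lines of a running-config."""
    cfg = {"port_statics": [], "full_statics": [], "acl": {}, "groups": {},
           "if_ip": {}, "global": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_PORT.match(line)
        if m:
            cfg["port_statics"].append({
                "proto": m[3], "ext_ip": m[4], "ext_port": port_num(m[5]),
                "int_ip": m[6], "int_port": port_num(m[7])})
            continue
        m = STATIC_FULL.match(line)
        if m:
            cfg["full_statics"].append({"ext_ip": m[3], "int_ip": m[4]})
            continue
        m = ACL_PERMIT.match(line)
        if m:
            cfg["acl"].setdefault(m[1], set()).add((m[2], m[3], port_num(m[4])))
            continue
        m = ACCESS_GROUP.match(line)
        if m:
            cfg["groups"][m[2]] = m[1]      # interface name -> ACL name
            continue
        m = IP_ADDRESS.match(line)
        if m:
            cfg["if_ip"][m[1]] = m[2]
            continue
        m = GLOBAL_PAT.match(line)
        if m:
            cfg["global"][m[1]] = m[2]      # 'interface' or an address
    return cfg


def audit(cfg):
    """Return a list of finding dicts, each tagged with a 'kind'."""
    findings = []
    outside_acl = cfg["acl"].get(cfg["groups"].get("outside"), set())
    full_hosts = {s["int_ip"] for s in cfg["full_statics"]}
    pat = cfg["global"].get("outside")
    if pat == "interface":
        pat = cfg["if_ip"].get("outside")
    reported_pat_hosts = set()
    for s in cfg["port_statics"]:
        if (s["proto"], s["ext_ip"], s["ext_port"]) not in outside_acl:
            findings.append({"kind": "no_acl_permit", **s})
        if s["ext_port"] != s["int_port"]:
            findings.append({"kind": "port_mismatch", **s})
        # Port-only statics translate just those ports; anything else the host
        # originates is caught by 'nat 1' and leaves via the global PAT.
        if pat and s["int_ip"] not in full_hosts and s["int_ip"] not in reported_pat_hosts:
            reported_pat_hosts.add(s["int_ip"])
            findings.append({"kind": "outbound_pat", "int_ip": s["int_ip"], "pat_ip": pat})
    return findings


def audit_sample():
    return audit(parse_config(SAMPLE_CONFIG))


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Run against the sample it reports the two transposed www/https statics, the port-987 static with no permit, and that 192.168.0.250 still egresses as 1.1.1.158; the 1.1.1.130 host, which has a full static, produces nothing. Feed it a real `show running-config` capture to check a box before opening a port to the internet.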