Setup test domain on test network

I have successfully set up the routes for a secondary test network on a 192.168.0.0/24 subnet, and the virtual machines set up for this network are accessing the internet as desired. My next question is: can I set up access to this domain from outside? For example, I have an Exchange server in the test environment which I would like to be able to send email to. So I have to configure a static NAT using one of my open external IP addresses to the server in the test environment. Is this possible?
Bill Warren (IT Manager) asked:

JFrederick29 commented:
Sure is.

You need a static NAT on the PIX and an access-list entry.  Only SMTP I would assume.

For example:

If using the interface IP address and you don't already have an SMTP NAT:

static (inside,outside) tcp interface 25 192.168.0.x 25 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host interface eq 25
access-group outside_access_in in interface outside

Where 192.168.0.x is the internal IP address of the exchange server.
Bill Warren (IT Manager, Author) commented:
Well, SMTP and maybe HTTP and HTTPS... I do have an Exchange server on the production LAN, so doing this cannot interfere with that... can I specify an external IP to forward to that server?
JFrederick29 commented:
Do you have a block of external IP's from your ISP or just one?  If you have multiple, you can dedicate one to the test network.
Bill Warren (IT Manager, Author) commented:
Yes, multiple IPs... what commands would I need to do that? And the SMTP/HTTP/HTTPS routes for the test environment won't interfere with the production LAN, right?
JFrederick29 commented:
As long as you use a different external IP dedicated for Test.

static (inside,outside) tcp x.x.x.x 25 192.168.0.x 25 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 80 192.168.0.x 443 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 443 192.168.0.x 80 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host x.x.x.x eq 25
access-list outside_access_in extended permit tcp any host x.x.x.x eq 80
access-list outside_access_in extended permit tcp any host x.x.x.x eq 443
access-group outside_access_in in interface outside

x.x.x.x is a free external IP not in use.  Make sure the access-list bound to the outside interface is named properly.
Bill Warren (IT Manager, Author) commented:
I have done this, and so far I cannot ping the IP from outside (for these purposes 1.1.1.135). When I try to view the IP address of the server that we NATted, it should be 1.1.1.135 but it is still showing 1.1.1.158, which is the outside interface IP of the PIX. So the NATting doesn't seem to be working yet. Maybe a restart of the PIX would do the trick, you think? Here is the current config, with changes made to personal info.
 
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password !!!!!!!!!!!!!! encrypted
passwd !!!!!!!!!!!!!! encrypted
hostname fw-p501
domain-name domain.com
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside deny ip x.x.x.x 255.255.255.0 any
access-list outside permit icmp any any
access-list outside permit tcp any host 1.1.1.130 eq smtp
access-list outside permit tcp any host 1.1.1.130 eq pop3
access-list outside permit tcp any host 1.1.1.130 eq ftp
access-list outside permit tcp any host 1.1.1.130 eq www
access-list outside permit tcp any host 1.1.1.130 eq 8080
access-list outside permit tcp any host 1.1.1.130 eq https
access-list outside permit tcp any host 1.1.1.130 eq 26
access-list outside permit tcp any host 1.1.1.133 eq www
access-list outside permit tcp any host 1.1.1.130 eq pptp
access-list outside permit udp any host 1.1.1.130 eq 1723
access-list outside permit udp any 1.1.1.128 255.255.255.224 eq isakmp
access-list outside permit udp any 1.1.1.128 255.255.255.224 eq 4500
access-list outside permit tcp any 1.1.1.128 255.255.255.224 eq https
access-list outside permit tcp any host 1.1.1.135 eq smtp
access-list outside permit tcp any host 1.1.1.135 eq www
access-list outside permit tcp any host 1.1.1.135 eq https
access-list outside permit tcp any host 1.1.1.135 eq 987
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list 101 permit ip 10.10.9.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.9.0 255.255.255.0
access-list 101 permit ip 10.10.8.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 10.10.9.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list 101 permit ip 10.10.9.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list 101 permit ip 10.10.9.0 255.255.255.0 192.192.192.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.192.192.0 255.255.255.0
access-list inside-acl permit ip any any
access-list 199 permit tcp host 10.10.15.110 host 10.10.10.250 eq 135
access-list 199 permit tcp host 10.10.10.250 eq 135 host 10.10.15.110
access-list crypto_outside permit ip 10.10.10.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list crypto_outside permit ip 10.10.10.0 255.255.255.0 10.10.9.0 255.255.255.0
access-list split-acl permit ip 10.10.9.0 255.255.255.0 any
access-list split-acl permit ip 10.10.10.0 255.255.255.0 any
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered critical
logging trap informational
logging host inside 10.10.10.251
logging host inside 10.10.10.120
mtu outside 1500
mtu inside 1462
ip address outside 1.1.1.158 255.255.255.224
ip address inside 10.10.9.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool !!!!!!! 10.10.11.1-10.10.11.253
ip local pool !!!!!! 10.10.10.170-10.10.10.180
ip local pool !!!!!!!! 10.10.9.170-10.10.9.180
ip local pool !!!!!!!! 192.192.192.1-192.192.192.50
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.1.1.135 smtp 192.168.0.250 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 www 192.168.0.250 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 https 192.168.0.250 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 987 192.168.0.250 987 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.130 10.10.10.250 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.132 10.10.10.14 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.134 10.10.10.67 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.133 10.10.10.130 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside-acl in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.129 1
route inside 10.10.10.0 255.255.255.0 10.10.9.230 1
route inside 192.168.0.0 255.255.255.0 10.10.9.230 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 10.10.10.250 source inside prefer
ntp server 10.10.12.250 source inside
http server enable
http 10.10.10.0 255.255.255.0 inside
http 10.10.12.0 255.255.255.0 inside
http 10.10.11.0 255.255.255.0 inside
floodguard enable
sysopt connection tcpmss 1300
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map abcmap 20 ipsec-isakmp
crypto map abcmap 20 match address crypto_outside
crypto map abcmap 20 set peer x.x.x.x
crypto map abcmap 20 set transform-set myset
crypto map abcmap 1000 ipsec-isakmp dynamic dynmap
crypto map abcmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngrp address-pool test-pool
vpngroup vpngrp dns-server 10.10.10.250
vpngroup vpngrp wins-server 10.10.10.250
vpngroup vpngrp default-domain domain.com
vpngroup vpngrp split-tunnel split-acl
vpngroup vpngrp idle-time 1800
vpngroup vpngrp password ********
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.10.11.0 255.255.255.0 inside
telnet 10.10.12.0 255.255.255.0 inside
telnet timeout 30
ssh 10.10.10.0 255.255.255.0 inside
ssh 10.10.11.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 10.10.9.170-10.10.9.180 inside
dhcpd dns 10.10.10.250
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain domain.com
dhcpd auto_config outside
terminal width 80
: end
[OK]
JFrederick29 commented:
Oops, here is the issue:

static (inside,outside) tcp 1.1.1.135 www 192.168.0.250 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 https 192.168.0.250 www netmask 255.255.255.255 0 0

Should be:

static (inside,outside) tcp 1.1.1.135 www 192.168.0.250 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 https 192.168.0.250 https netmask 255.255.255.255 0 0

Also keep in mind that the server will only appear to the Internet as 1.1.1.135 when SMTP, HTTP or HTTPS traffic is in question.  You won't be able to ping it.  If you want all ports (including ICMP traffic) to be forwarded to the server, you can do the following instead:

no static (inside,outside) tcp 1.1.1.135 smtp 192.168.0.250 smtp netmask 255.255.255.255 0 0
no static (inside,outside) tcp 1.1.1.135 www 192.168.0.250 https netmask 255.255.255.255 0 0
no static (inside,outside) tcp 1.1.1.135 https 192.168.0.250 www netmask 255.255.255.255 0 0
no static (inside,outside) tcp 1.1.1.135 987 192.168.0.250 987 netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.135 192.168.0.250 netmask 255.255.255.255 0 0

If you do the 1-to-1 static NAT, you won't be able to, say, forward port 3389 to a different 192.168.0.x host using the 1.1.1.135 address.
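As an added check (my example, not code from the thread or a PIX tool): a small Python audit that parses the port-forwarding `static` lines and the `access-list ... permit` entries from a PIX 6.3 config, flags any static whose global and local ports differ (the www/https swap spotted above), and flags any static with no matching ACL permit on the outside interface. The sample config is the thread's own 1.1.1.135 lines plus one constructed 3389 static that has no ACL entry.

```python
import re

# PIX 6.3 port keywords seen in this thread, mapped to numbers
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "pop3": 110, "ftp": 21, "pptp": 1723}

# Port-forward statics only; 1-to-1 statics (no tcp/udp keyword) are not matched
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(
    r"^access-list (\S+) (?:extended )?permit (tcp|udp) any host (\S+) eq (\S+)")

def port(p):
    """Normalise a PIX port keyword or number to an int."""
    return PORT_NAMES.get(p, int(p) if p.isdigit() else p)

def audit(config):
    """Return (port_mismatches, statics_without_acl) for a PIX 6.3 config text."""
    statics, permits = [], set()
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            _, _, proto, gip, gport, lip, lport = m.groups()
            statics.append((proto, gip, port(gport), lip, port(lport)))
            continue
        m = ACL_RE.match(line.strip())
        if m:
            _, proto, ip, p = m.groups()
            permits.add((proto, ip, port(p)))
    # global port != local port is almost always a typo (www <-> https swap)
    mismatches = [s for s in statics if s[2] != s[4]]
    # a static with no outside ACL permit never receives traffic
    missing = [s for s in statics if (s[0], s[1], s[2]) not in permits]
    return mismatches, missing

# Constructed sample: the thread's lines plus one 3389 static lacking an ACL entry
SAMPLE = """\
access-list outside permit tcp any host 1.1.1.135 eq smtp
access-list outside permit tcp any host 1.1.1.135 eq www
access-list outside permit tcp any host 1.1.1.135 eq https
access-list outside permit tcp any host 1.1.1.135 eq 987
static (inside,outside) tcp 1.1.1.135 smtp 192.168.0.250 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 www 192.168.0.250 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 https 192.168.0.250 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 987 192.168.0.250 987 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.135 3389 192.168.0.250 3389 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    bad_ports, no_acl = audit(SAMPLE)
    print("port mismatches:", bad_ports)
    print("statics without ACL permit:", no_acl)
```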
Bill Warren (IT Manager, Author) commented:
I did the 1-to-1 and I think that is what I was looking for... everything is cool now. Thanks a bunch.