Solved

Subnetting on a PIX 506E

Posted on 2009-05-18
5
268 Views
Last Modified: 2012-05-07
I was looking to subnet one of our existing static IP addresses (69.128.X.164) from our carrier to allow our test websites to be able to be accessed from the web. I need to have 3 new addresses that connect to the internet through (69.128.X.164). I am new to this so any help would be greatly appreciated. Please give me the commands that would allow for this change. I thank you for your help in advance. Below is the current config of our Pix 506E:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password X encrypted
passwd X encrypted
hostname X
domain-name X
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 10.2.1.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 10.1.2.0 255.255.255.0 10.2.1.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 10.1.20.0 255.255.255.0 10.2.1.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 10.1.21.0 255.255.255.0 10.2.1.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 10.1.22.0 255.255.255.0 10.2.1.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.2.1.0 255.255.255.224
access-list out_access_in permit tcp any host 69.128.X.162 eq smtp
access-list out_access_in permit tcp any host 69.128.X.162 eq www
access-list out_access_in permit tcp any host 69.128.X.163 eq www
access-list out_access_in permit tcp any host 69.128.X.162 eq https
access-list mml-vpn_splitTunnelAcl permit ip 10.1.1.0 255.255.255.0 any
access-list outside_cryptomap_dyn_40 permit ip any 10.2.1.0 255.255.255.224
access-list out_in permit tcp any host 69.128.X.162 eq smtp
access-list out_in permit tcp any host 69.128.X.162 eq www
access-list out_in permit tcp any host 69.128.X.163 eq www
access-list out_in permit tcp any host 69.128.X.162 eq https
access-list out_in permit ip any host 69.128.X.164
access-list out_in permit tcp any host 69.128.X.164
access-list out_in permit icmp any host 69.128.X.164
access-list out_in permit icmp any host 69.128.X.166
access-list out_in_010708 permit tcp any host 69.128.X.162 eq smtp
access-list out_in_010708 permit tcp any host 69.128.X.162 eq www
access-list out_in_010708 permit tcp any host 69.128.X.163 eq www
access-list out_in_010708 permit tcp any host 69.128.X.162 eq https
access-list out_in_010708 permit tcp host 66.192.X.137 host 69.128.X.165 eq 1433
access-list out_in_010708 permit tcp any host 69.128.X.163 eq 3389
access-list inside_out_012208 permit ip 10.1.1.0 255.255.255.0 any
access-list inside_out_012208 permit ip 10.1.2.0 255.255.255.0 any
access-list inside_out_012208 permit ip 10.1.20.0 255.255.255.0 any
access-list inside_out_012208 permit ip 10.1.21.0 255.255.255.0 any
access-list inside_out_012208 permit ip 10.1.22.0 255.255.255.0 any
access-list inside_out_012208 permit ip 10.2.1.0 255.255.255.0 any
access-list out_in_072908 permit tcp any host 69.128.X.162 eq smtp
access-list out_in_072908 permit tcp any host 69.128.X.162 eq www
access-list out_in_072908 permit tcp any host 69.128.X.163 eq www
access-list out_in_072908 permit tcp any host 69.128.X.162 eq https
access-list out_in_072908 permit tcp host 66.192.X.137 host 69.128.X.165 eq 1433
access-list out_in_072908 permit tcp any host 69.128.X.163 eq 3389
access-list out_in_072908 permit tcp host 205.145.X.57 host 69.128.X.165 eq 1433
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap informational
logging host inside 10.1.1.10
mtu outside 1500
mtu inside 1500
ip address outside 69.128.X.166 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 10.2.1.1-10.2.1.30
pdm location 10.1.1.7 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 69.128.X.162 10.1.1.7 netmask 255.255.255.255 0 0
static (inside,outside) 69.128.X.163 10.1.1.6 netmask 255.255.255.255 0 0
static (inside,outside) 69.128.X.165 10.1.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 69.128.X.164 10.1.1.41 netmask 255.255.255.255 0 0
access-group out_in_072908 in interface outside
route outside 0.0.0.0 0.0.0.0 69.128.X.161 1
route inside 10.1.2.0 255.255.255.0 10.1.1.11 1
route inside 10.1.20.0 255.255.255.0 10.1.1.11 1
route inside 10.1.21.0 255.255.255.0 10.1.1.11 1
route inside 10.1.22.0 255.255.255.0 10.1.1.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 10.1.1.7 6a25a0f50251773c timeout 10
aaa-server LOCAL protocol local
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mml-vpn address-pool vpn-pool
vpngroup mml-vpn dns-server 10.1.1.7 10.1.1.8
vpngroup mml-vpn wins-server 10.1.1.7
vpngroup mml-vpn default-X
vpngroup mml-vpn split-tunnel mml-vpn_splitTunnelAcl
vpngroup mml-vpn idle-time 1800
vpngroup mml-vpn password ********
vpngroup mml-dyntek address-pool vpn-pool
vpngroup mml-dyntek dns-server 10.1.1.7 10.1.1.8
vpngroup mml-dyntek wins-server 10.1.1.7
vpngroup mml-dyntek default-X
vpngroup mml-dyntek idle-time 1800
vpngroup mml-dyntek password ********
telnet 10.1.1.0 255.255.255.0 inside
telnet 10.1.2.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username inacomp password X encrypted privilege 2
username dyntek password X encrypted privilege 15
terminal width 80
Cryptochecksum:a8ff1437e908b65c0d95b0162ed8dfdd
: end

0
Question by:WIll2Pwr
5 Comments
 
LVL 13

Expert Comment

by:3nerds
ID: 24413370
WIll2Pwr,

I will attempt to assist you in what you want to accomplish but I am going to need some clarification so that I can do so.

Firstly, thank you for posting the full config from your PIX, as it helps to get a full picture of what you have going on.

What I am reading is that you want to use your IP address 69.128.X.164 as a test and be able to point different services to this address.

Key points:
You currently have a static translation pointing your outside address 69.128.X.164 to your inside address of 10.1.1.41. The line below is what defines that in your config.

static (inside,outside) 69.128.X.164 10.1.1.41 netmask 255.255.255.255 0 0

That is a true 1-to-1 NAT translation; as it sits right now, everything that hits your outside interface on that address will be translated to your internal address of .41.

I am assuming you are asking to break that up and set up a PAT translation. Here is the catch: you can only direct one service (port) to each address. Meaning, if you want WWW traffic to go to .41 and FTP traffic to go to .42, that will work fine. But you cannot make WWW traffic go to both .41 and .42 to service 2 different websites.

Please read through what I have asked and let me know what details you can add and we can continue from there.

Regards,

3nerds


0
 

Author Comment

by:WIll2Pwr
ID: 24416075
Ok, I see what you mean. If I wanted specific port (1521) to map to 10.1.1.42... How could I achieve this? Please give me a specific answer as I am new to this. I thank you for your response.

Cheers
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24416350
Your current ACL on your outside interface is out_in_072908 and that is the only ACL you are currently using on any of your interfaces. Looking through that ACL I do not see anything open to 69.128.x.164. So it appears to me that you are not currently using .164 for anything right now. If that is the case then we could just change the static.

no static (inside,outside) 69.128.X.164 10.1.1.41 netmask 255.255.255.255 0 0
static (inside,outside) 69.128.X.164 10.1.1.42 netmask 255.255.255.255 0 0

and then add the openings in the firewall to the ACL:

access-list out_in_072908 permit tcp any host 69.128.X.164 eq 1521

This is using 1 to 1 NAT.

If you want a PAT example let me know.

Regards,

3nerds

0
 

Author Comment

by:WIll2Pwr
ID: 24416374
That would be great if you could give me a PAT example... the 10.1.1.41 is being used for remote desktop currently... I must have grabbed the old config file... Sorry about that =(

Best regards,
0
 
LVL 13

Accepted Solution

by:
3nerds earned 500 total points
ID: 24416470
no static (inside,outside) 69.128.X.164 10.1.1.41 netmask 255.255.255.255 0 0

static (inside,outside) tcp 69.128.x.164 3389 10.1.1.41 3389 netmask 255.255.255.255 0 0  
static (inside,outside) tcp 69.128.x.164 1521 10.1.1.42 1521 netmask 255.255.255.255 0 0

If your port 1521 is not TCP but UDP, change the tcp in the above line to udp; the same goes for the ACL.

access-list out_in_072908 permit tcp any host 69.128.X.164 eq 1521
access-list out_in_072908 permit tcp any host 69.128.X.164 eq 3389 - Should already be there!

Good Luck!

3Nerds
0
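Added example, not part of the thread: a small Python checker that applies 3nerds' rules to a constructed config modelled on the one above (the thread's obfuscated X octet is kept): a global port may be mapped to only one inside host, a 1:1 static must be removed before port statics are added on the same address, and only the ACL bound with access-group actually filters traffic.

```python
from collections import Counter
# Constructed sample: the old 1:1 static for .164 still sits beside the new port statics, and tcp/1521 is mapped twice.
SAMPLE_CONFIG = """\
access-list out_in_072908 permit tcp any host 69.128.X.164 eq 1521
access-list out_in_072908 permit tcp any host 69.128.X.164 eq 3389
access-list out_in_072908 permit tcp any host 69.128.X.165 eq 1433
access-list out_in permit ip any host 69.128.X.164
static (inside,outside) 69.128.X.164 10.1.1.41 netmask 255.255.255.255 0 0
static (inside,outside) tcp 69.128.X.164 3389 10.1.1.41 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 69.128.X.164 1521 10.1.1.42 1521 netmask 255.255.255.255 0 0
static (inside,outside) tcp 69.128.X.164 1521 10.1.1.43 1521 netmask 255.255.255.255 0 0
access-group out_in_072908 in interface outside
"""

def parse_static(t):
    """Tokens of 'static (inside,outside) [tcp|udp] GLOBAL [GPORT] LOCAL [LPORT] netmask ...'."""
    if t[2] in ("tcp", "udp"):  # static PAT: one protocol/port per line
        return {"proto": t[2], "gip": t[3], "gport": t[4], "lip": t[5]}
    return {"proto": None, "gip": t[2], "gport": None, "lip": t[3]}  # 1:1 NAT

def parse_acl(t):
    """Tokens of 'access-list NAME permit PROTO SRC DST [eq PORT]' -> (name, proto, dst, port)."""
    rest = t[5:] if t[4] == "any" else t[6:]  # source is 'any', 'host A' or 'NET MASK'
    if rest[0] != "host":  # only single-host destinations are matched against statics
        return None
    port = rest[3] if len(rest) > 3 and rest[2] == "eq" else None
    return (t[1], t[3], rest[1], port)

def audit(config):
    statics, acls, applied = [], [], None
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["static"]:
            statics.append(parse_static(t))
        elif t[:1] == ["access-list"] and t[2] == "permit":
            acls.append(parse_acl(t))
        elif t[:1] == ["access-group"] and t[-1] == "outside":
            applied = t[1]
    findings = []
    keys = Counter((s["gip"], s["proto"], s["gport"]) for s in statics)
    for (gip, proto, gport), n in keys.items():
        if proto and n > 1:  # the 'catch' from the thread: one port maps to one inside host only
            findings.append(f"{gip} {proto}/{gport} is mapped to {n} inside hosts")
    one_to_one = {gip for gip, proto, _ in keys if proto is None}
    for gip in sorted({gip for gip, proto, _ in keys if proto} & one_to_one):
        findings.append(f"{gip} has both a 1:1 static and port statics; remove the 1:1 static first")
    for name, proto, dst, port in filter(None, acls):  # only the access-group'd ACL filters traffic
        if name == applied and dst not in one_to_one and (dst, proto, port) not in keys:
            findings.append(f"{name}: permit {proto}/{port} to {dst} has no matching static")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the three findings for the sample; once the old 1:1 static and the duplicate 1521 line are removed, only the permit to .165 without a translation remains.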
