Adding a PIX to a network with an ASA already in place.

Posted on 2009-07-06
Last Modified: 2012-05-07
Currently we have DSL with 6 usable static IPs (49-54). I'm pretty sure that our modem has NAT disabled and our ASA acts as the gateway. Our DSL modem/router gets xxx.215.125.49. Our ASA takes xxx.215.125.50 with a global set as xxx.215.125.51 and a static route from xxx.215.125.52 to our SBS server 192.168.xxx.10.

What I want to do is set up our old PIX firewall for a dev environment separate from our office network. I want to use one (or both, if necessary) of the remaining IPs, xxx.215.125.53 and 54, for this and connect it straight to the DSL modem/router. I would like the inside network to be 192.168.10.xxx. I will probably have more than one computer connected to the dev environment, so they would have to share the 53 (and/or 54) IP.

It would look something like this:
                     |------- ASA ------- Switch -------- Office network
DSL Modem/Router ----|
                     |------- PIX ------- Switch -------- Dev network

Can someone please help me configure the PIX for this? Please include the PIX commands too. Thanks!
Question by: jhulsey
 
LVL 23

Expert Comment

by:debuggerau
ID: 24791161
Are you configuring a new one, or does it have an existing config in it?
Do you have console or telnet access?
Is it currently connected to said networks?
What is the PIX model and what version is it running?
Commands will be dependent on that.

Have you tried the web configuration wizard that comes with the PIX?

Seems quite straightforward: just define the ethernet ports (outside and inside),
then the security levels (0 and 100 respectively),
a nat command like:
nat (inside) 1 0.0.0.0 0.0.0.0 dns

and finally an access-list,
i.e.
access-list inside_access_in extended permit tcp any any


Author Comment

by:jhulsey
ID: 24793040
It's a PIX 506E running 6.3(3). I am connecting via HyperTerminal and the console serial cable. Yes, it is connected to the said network now. It already has an access-list set up for the xxx.215.125.53 address, so yes, it has an existing configuration that I've effectively butchered trying to modify it for this task.

Here are some of the current settings:
Routes:
outside 0.0.0.0 0.0.0.0 68.215.125.49 1 OTHER Static
outside xxx.215.125.48 255.255.255.248 xxx.215.125.53 1 Connect Static
inside 192.168.0.0 255.255.255.0 192.168.0.1 1 Connect Static

IP inside:   192.168.10.1
IP outside: xxx.215.125.53

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

Static: (inside,outside) xxx.215.125.53 192.168.10.10 netmask 255.255.255.255 0 0

Some of these are from the original configuration, and anything with the .53 is what I have changed. It used to be configured with a global (outside) 1 xxx.215.125.51, but I removed that to try and use NAT with a single IP.

Thanks for your help, I hope this helps.
LVL 23

Accepted Solution

by: debuggerau (earned 2000 total points)
ID: 24799447
And what is it doing now?
Got access yet, or would you like me to look at the config?

I suggest trying a 'show tech' to get the config out without the password etc.
Then it's just a matter of xx'ing out your public IP, although I mask mine with the router first.

command reference here:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129
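As an added example for this thread (not the poster's configuration and not tested on their box), a minimal PIX 6.3 configuration for the dev segment described above. It assumes ethernet0 is outside and ethernet1 inside, "xxx" stands for the masked first octet, 192.168.10.10 is the dev host, and the office's public /29 is the block to keep the dev hosts away from:

```cisco
! Added example, not the original poster's configuration.
! Assumptions: ethernet0 = outside, ethernet1 = inside, "xxx" is the
! masked first octet from the thread, 192.168.10.10 is the dev host.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside xxx.215.125.53 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
! Default route points at the DSL modem/router, not at the ASA.
route outside 0.0.0.0 0.0.0.0 xxx.215.125.49 1
! Outbound PAT: every dev host shares the outside interface address (.53).
! Removing the global line, as tried in the thread, leaves nat id 1 with
! no pool, so nothing translates. "interface" reuses the interface IP.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
! Inbound to the dev host: a 1:1 static cannot reuse the interface's own
! address (.53), so the spare .54 is used for it ...
static (inside,outside) xxx.215.125.54 192.168.10.10 netmask 255.255.255.255 0 0
! ... or, if only .53 is available, redirect single ports instead:
! static (inside,outside) tcp interface 80 192.168.10.10 80 netmask 255.255.255.255 0 0
! Only the ports the dev host actually serves are opened from outside;
! everything else inbound is dropped (security0 -> security100 default).
access-list outside_access_in permit tcp any host xxx.215.125.54 eq 80
access-list outside_access_in permit tcp any host xxx.215.125.54 eq 443
access-group outside_access_in in interface outside
! Keep the dev segment separate from the office: block dev hosts from
! reaching the office's public /29 (ASA, SBS static), allow the rest.
! Applying an access-group on inside replaces the implicit outbound permit.
access-list inside_access_in deny ip 192.168.10.0 255.255.255.0 xxx.215.125.48 255.255.255.248
access-list inside_access_in permit ip 192.168.10.0 255.255.255.0 any
access-group inside_access_in in interface inside
```

After pasting, `show xlate` confirms the PAT entries and `show access-list` shows hit counts on each rule, which is the quickest way to check the isolation rule is actually matching.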

Author Closing Comment

by:jhulsey
ID: 31600454
Sorry for the delay... Thanks for your help!