Solved

Adding a PIX to a network with an ASA already in place.

Posted on 2009-07-06
Last Modified: 2012-05-07
Currently we have DSL with 6 usable static IPs (49-54).  I'm pretty sure that our modem has NAT disabled and our ASA acts as the gateway.  Our DSL modem/router gets xxx.215.125.49.  Our ASA takes xxx.215.125.50 with a global set as xxx.215.125.51 and a static route from xxx.215.125.52 to our SBS server 192.168.xxx.10.

What I want to do is set up our old PIX firewall for a Dev environment separate from our office network.  I want to use one (or both if necessary) of the remaining IPs xxx.215.125.53 and 54 for this and connect it straight to the DSL Modem/Router.  I would like the inside network to be 192.168.10.xxx.  I will probably have more than one computer connected to the Dev environment so they would have to share the 53 (and/or 54) IP.

It would look something like this:
                                   
                     |------- ASA ------- Switch -------- Office network
DSL Modem/Router ----|
                     |------- PIX ------- Switch -------- Dev network

Can someone please help me configure the PIX for this.  Please include the PIX commands too.   Thanks!
Question by:jhulsey
Expert Comment

by:debuggerau
ID: 24791161
Are you configuring a new one, or does it have an existing config in it?
Have you console or telnet access?
Is it currently connected to said networks?
What is the PIX model, and what version is it running?
Commands will be dependent..

Have you tried the web configuration wizard that comes with the PIX?

Seems quite straightforward, just define the ethernet ports (outside and inside),
then the security levels (0 and 100 respectively),
a nat command like:
nat (inside) 1 0.0.0.0 0.0.0.0 dns

and finally an access-list,
i.e.
access-list inside_access_in extended permit tcp any any

Author Comment

by:jhulsey
ID: 24793040
It's a PIX 506E running 6.3(3).   I am connecting via HyperTerminal and the console serial cable.  Yes, it is connected to the said network now.  It already has an access-list set up for the xxx.215.125.53 address, so yes, it has an existing configuration that I've effectively butchered trying to modify for this task.

Here are some of the current settings:
Routes:
outside 0.0.0.0 0.0.0.0 68.215.125.49 1 OTHER Static
outside xxx.215.125.48 255.255.255.248 xxx.215.125.53 1 Connect Static
inside 192.168.0.0 255.255.255.0 192.168.0.1 1 Connect Static

IP inside:   192.168.10.1
IP outside: xxx.215.125.53

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

Static: (inside,outside) xxx.215.125.53 192.168.10.10 netmask 255.255.255.255 0 0

Some of these are from the original configuration and anything with the .53 is what I have changed.  It used to be configured with a global (outside) 1 xxx.215.125.51, but I removed that to try and use nat with a single IP.

Thanks for your help, I hope this helps.
Accepted Solution

by:debuggerau
ID: 24799447
And what is it doing now?
Got access yet, or would you like me to look at the config?

I suggest trying a 'show tech' to get the config out without the password etc.
Then it's just a matter of xx'ing your public IP, although I mask mine with the router firstly..

command reference here:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129
Author Closing Comment

by:jhulsey
ID: 31600454
Sorry for the delay... Thanks for your help!
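
An added example, not part of the original thread and not confirmed by either poster: a minimal PIX 6.3 outbound-PAT configuration for the layout in the question, set beside the settings the author listed. It assumes ethernet0 faces the DSL modem/router, ethernet1 faces the Dev switch, and the public block uses the 255.255.255.248 mask shown in the posted routes; `xxx` is the masked octet exactly as it appears on the page.

```cisco
: Added example (constructed), PIX 6.3 syntax. Lines starting with ":" are comments.
: "xxx" is the masked octet from the thread, not a literal value.
: Assumption: ethernet0 = DSL side, ethernet1 = Dev switch.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
:
: Addresses as stated in the thread. The connected inside route then follows
: 192.168.10.0/24 rather than the 192.168.0.0 entry left from the old config.
ip address outside xxx.215.125.53 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
:
: The posted one-to-one static ties the outside interface address to a single
: inside host, so that address cannot also be shared by the other Dev machines.
no static (inside,outside) xxx.215.125.53 192.168.10.10 netmask 255.255.255.255 0 0
:
: nat id 1 needs a global with the same id. The posted config had the nat
: statement but no global after the .51 pool was removed, so nothing translated.
: "interface" makes every Dev host share the outside address via PAT.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
:
: Default route to the DSL modem/router.
route outside 0.0.0.0 0.0.0.0 xxx.215.125.49 1
:
: Outbound traffic (security 100 to 0) is permitted by default, so no
: access-list is required for it. Inbound stays blocked unless a static
: and an access-list bound to the outside interface are both added.
:
: Drop translations built under the old rules.
clear xlate
```

`show xlate` and `show route` afterwards confirm that Dev hosts are being translated to the outside address and that the connected routes match the interface addresses.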