Solved

Adding a PIX to a network with an ASA already in place.

Posted on 2009-07-06
Last Modified: 2012-05-07
Currently we have DSL with 6 usable static IPs (49-54). I'm pretty sure that our modem has NAT disabled and our ASA acts as the gateway. Our DSL modem/router gets xxx.215.125.49. Our ASA takes xxx.215.125.50 with a global set as xxx.215.125.51 and a static route from xxx.215.125.52 to our SBS server 192.168.xxx.10.

What I want to do is set up our old PIX firewall for a Dev environment separate from our office network.  I want to use one (or both if necessary) of the remaining IPs xxx.215.125.53 and 54 for this and connect it straight to the DSL Modem/Router.  I would like the inside network to be 192.168.10.xxx.  I will probably have more than one computer connected to the Dev environment so they would have to share the 53 (and/or 54) IP.

It would look something like this:
                                   
                    |------- ASA ------- Switch -------- Office network
DSL Modem/Router ---|
                    |------- PIX ------- Switch -------- Dev network

Can someone please help me configure the PIX for this.  Please include the PIX commands too.   Thanks!
Question by:jhulsey
Expert Comment

by:debuggerau
ID: 24791161
Are you configuring a new one, or does it have an existing config in it?
Do you have console or telnet access?
Is it currently connected to said networks?
What is the PIX model, and what version is it running?
Commands will be dependent..

Have you tried the web configuration wizard that comes with the PIX?

Seems quite straightforward, just define the ethernet ports (outside and inside)
Then the security levels (0 and 100 respectively)
a nat command like:
nat (inside) 1 0.0.0.0 0.0.0.0 dns

and finally an access-list.
i.e.
access-list inside_access_in extended permit tcp any any


Author Comment

by:jhulsey
ID: 24793040
It's a PIX 506e running 6.3(3). I am connecting via HyperTerminal and the console serial cable. Yes, it is connected to the said network now. It already has an access-list set up for the xxx.215.125.53 address, so yes, it has an existing configuration that I've effectively butchered trying to modify for this task.

Here are some of the current settings:
Routes:
outside 0.0.0.0 0.0.0.0 68.215.125.49 1 OTHER Static
outside xxx.215.125.48 255.255.255.248 xxx.215.125.53 1 Connect Static
inside 192.168.0.0 255.255.255.0 192.168.0.1 1 Connect Static

IP inside:   192.168.10.1
IP outside: xxx.215.125.53

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

Static: (inside,outside) xxx.215.125.53 192.168.10.10 netmask 255.255.255.255 0 0

Some of these are from the original configuration and anything with the .53 is what I have changed.  It used to be configured with a global (outside) 1 xxx.215.125.51, but I removed that to try and use nat with a single IP.

Thanks for your help, I hope this helps.
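A consistency check for settings like the ones listed in the comment above, as an added example that is not part of the original thread: on PIX 6.3 a nat statement with a non-zero ID only produces dynamic translations when a global statement with the same ID exists, so removing the global while keeping nat 1 leaves the inside hosts without outbound translation. The function name, the two sample configs and the 203.0.113.x addresses are constructed for illustration.

```python
import re

# PIX 6.3 statement shapes: nat (if_name) nat_id ...  /  global (if_name) nat_id ...
NAT_RE = re.compile(r"^nat\s+\((\w+)\)\s+(\d+)\b", re.I)
GLOBAL_RE = re.compile(r"^global\s+\((\w+)\)\s+(\d+)\b", re.I)

def unmatched_nat_ids(config_text):
    """Return sorted (interface, nat_id) pairs that have no global with the same id."""
    nats, global_ids = set(), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nat_id = int(m.group(2))
            if nat_id != 0:  # nat 0 disables translation, so it needs no global
                nats.add((m.group(1).lower(), nat_id))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            global_ids.add(int(m.group(2)))
    # static entries are one-to-one mappings and are not counted by this check
    return sorted(pair for pair in nats if pair[1] not in global_ids)

# Constructed sample: nat 1 kept after the matching global was removed
WITHOUT_GLOBAL = """
ip address outside 203.0.113.53 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.53 192.168.10.10 netmask 255.255.255.255 0 0
"""

# Constructed sample: the same nat 1 paired with PAT on the outside interface address
WITH_INTERFACE_PAT = """
ip address outside 203.0.113.53 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

if __name__ == "__main__":
    samples = (("without global", WITHOUT_GLOBAL), ("interface PAT", WITH_INTERFACE_PAT))
    for name, cfg in samples:
        print(name, "->", unmatched_nat_ids(cfg) or "every nat id has a global")
```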
Accepted Solution

by:debuggerau (earned 500 total points)
ID: 24799447
And what is it doing now?
Got access yet, or would you like me to look at the config?

I suggest trying a 'show tech' to get the config out without the password etc.
Then it's just a matter of xx'ing your public IP, although I mask mine with the router firstly..

command reference here:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1032129

Author Closing Comment

by:jhulsey
ID: 31600454
Sorry for the delay... Thanks for your help!