js479 (asker):
How to create isolated network with Pix 515E

I currently have a Pix 515E connected to my network. It has the add-in card with 4 NICs. I'd like to create another network that can share the internet from the pix but not be able to access the other network on the PIX. We have enough IPs to be able to give this network its own outside IP for remote desktop and the like, and I wouldn't need it to provide DHCP either as this network will have its own server for DNS, DHCP, and domain services.
tdd97:

What you would need to do is go ahead and set up the ip address of the pix interface and assign it a lower security level than the other network interfaces. The security level of the interface dictates whether it can access interfaces that are higher than it. If the interface is higher, then it can't access it, unless you configure an access rule to allow it. Next, you need to set the NAT translation of the interface (static or pat overload). If you're assigning the interface a public ip then you may need to set up static routes on the pix for outside traffic to reach it.
js479 (asker):

Ok, any chance I could get you to provide me the commands I need or a link to the commands?
tdd97:

Sure. Here you go:


hostname(config)# interface gigabitethernet 0/1
hostname(config-if)# ip address network netmask
hostname(config-if)# no shutdown
hostname(config-if)# nameif name
hostname(config-if)# security-level number     <------------ make sure this is lower than the network you want to prevent access to.


Configure an access-list for NAT if using private ip addresses


hostname(config)# access-list nat-policy ext permit ip X.X.X.X any   <----------------- this can be tightened down more if you need it to be
hostname(config)# static (source interface, destination interface) 1 access-list nat-policy



By default lower level interfaces can't access higher ones.
js479 (asker):

I've only configured the interface so far and attached the config as a code snippet. Some of the commands were different from what you have listed but I was able to figure it out. The NAT, global, and access-list commands have me worried and I was hoping you could examine my current config to ensure the commands listed above won't interfere with any of our current setup.

For the moment I just want them to be able to access the internet and I need to be able to add a couple port forwards so users can remote desktop into their respective machines. They all use the same IP but different port numbers.
Sorry to drag it out but I'm doing this one on a Saturday and help won't be readily accessible and I want to make sure I'm doing it right.
Thank you.


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 acv security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
names
name 10.10.1.0 PHL_LAN_VPN
name 10.8.5.0 NYLAN
access-list inside_outbound_nat0_acl permit ip 10.2.4.0 255.255.255.0 PHL_LAN_VPN 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.2.4.0 255.255.255.0 NYLAN 255.255.255.0
access-list outside_cryptomap_20 remark
access-list outside_cryptomap_20 permit ip 10.2.4.0 255.255.255.0 PHL_LAN_VPN 255.255.255.0
access-list outside_access_in remark all ip traffic from outside
access-list outside_access_in permit ip any any
access-list outside_access_in permit tcp any host 70.X.X.29 eq www
access-list outside_access_in permit tcp any host 70.X.X.30 range 20001 20254
access-list outside_access_in permit tcp any host 70.X.X.28 eq www
access-list outside_access_in permit tcp any host 70.X.X.28 eq 20017
access-list outside_access_in permit tcp any host 70.X.X.28 eq citrix-ica
access-list outside_access_in permit tcp any host 70.X.X.29 eq ftp
access-list outside_access_in permit tcp any host 70.X.X.27 eq www
access-list outside_access_in permit tcp any host 70.X.X.26 eq www
access-list outside_access_in permit tcp any host 70.X.X.27 eq https
access-list outside_access_in permit tcp any host 70.X.X.25 eq 8201
access-list outside_access_in permit tcp any host 70.X.X.3 eq www
access-list outside_access_in permit tcp any host 70.X.X.24 eq www
access-list outside_access_in permit tcp any host 70.X.X.26 eq 2924
access-list outside_access_in permit tcp any host 70.X.X.3 eq smtp
access-list outside_access_in permit tcp any host 70.X.X.3 eq https
access-list outside_access_in permit tcp any host 70.X.X.24 eq 81
access-list outside_cryptomap_40 permit ip 10.2.4.0 255.255.255.0 NYLAN 255.255.255.0
ip address outside 70.X.X.2 255.255.255.224
ip address inside 10.2.4.1 255.255.255.0
ip address acv 10.9.8.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
global (outside) 70 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 70 10.2.4.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.X.X.1 1


tdd97:

Everything looks good on the device from what you've shown. I just have a couple of recommendations.


I personally don't like setting my firewall interfaces to auto because I've run into issues where the other side would go to an inconsistent state and cause the interface to flap. Just set it to Full Duplex and 100mb. The second thing is that you have a major security hole with line 22 of your access rules. That rule nullifies all subsequent rules, thus allowing anyone from the internet to access your network (provided that they know what they're doing).
js479 (asker):

Excellent, thank you. I'll be sure to remove that line. I'm not huge on Pix configs but that was there when I inherited these pixes. I believe that line is in my other pix configs as well. It never looked right but I was afraid to remove it.
js479 (asker):

Sorry for the delay, out of the office the last two days. But this move is happening tomorrow so I need to nail this down today.

The other commands I need to enter should be something like this right? 10.9.8.0 is the network address of the new network I want to add. Or is that supposed to be the outside IP?

hostname(config)# access-list outside_access_in ext permit ip 10.9.8.0 any
hostname(config)# static (acv,outside) 1 outside_access_in nat-policy    <------I'm not sure what the nat policy is.
My two current NAT entries are:
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 70 10.2.4.0 255.255.255.0 0 0


Not sure if ours is set up properly or if I'm getting ahead of myself but our static entries look like this:
static (inside,outside) tcp 70.X.X.30 20081 10.2.4.81 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.X.X.30 20082 10.2.4.82 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.X.X.30 20083 10.2.4.83 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.X.X.30 20084 10.2.4.84 3389 netmask 255.255.255.255 0 0
tdd97:

You need to add the public ip address to the "outside" access-list for inbound traffic on specific ports (not "any"). The "nat-policy" word is not an actual Cisco command, but just a name I used for the access-list. Make sure that the nat id matches the id you setup for the global id and you need to reference a different access-list in your static nat command. Reference an access-list that includes the new network, so that the host can access the internet.
js479 (asker):

I'm terribly sorry but I'm having a very hard time understanding all this.

Here's what I think I got out of it. I need to add the following lines but I don't think I have the syntax correct.

# nat (acv) 70 10.9.8.0 255.255.255.0 0 0
# access-list outside_acv ext permit ip 70.X.X.2 any
# static (acv,outside) 1 access-list outside_acv

outside_acv is a name I made up and doesn't exist in my current config. Does this look correct?
I would appreciate it incredibly if you could write out the commands I need to run if I don't have it right.
ASKER CERTIFIED SOLUTION
tdd97:

js479 (asker):

Excellent. Thank you very very much.
And yes all we're concerned with at this moment is that they can access the internet.
Appreciate the help!
js479 (asker):

I'm praying you're around on a Saturday. I entered all the commands but I still can't get internet.
I can ping the interface on the pix and it shows it up/up but I can't get a website to come up.
If you're around your help would be immensely appreciated.
jsands at ldiscovery com
js479 (asker):

Nevermind, figured out the problem. One of the commands you told me to run listed the wrong interface.
hostname(config)# nat (inside) 71 access-list ACV_NAT

should have been

hostname(config)# nat (acv) 71 access-list ACV_NAT

All is working now, thank you!
tdd97:

Oops..... I didn't catch that typo. I'm glad everything is working for you.
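As an added example (not from the thread, and not Cisco tooling), a small Python audit script that checks a PIX 6.3 configuration for the three mistakes this thread turns on: the `permit ip any any` line in the ACL applied inbound on the outside interface, a `nat` id with no matching `global`, and a `nat` statement bound to the wrong interface (the `nat (inside)` vs `nat (acv)` typo). The sample configuration is constructed from the thread's lines, with a documentation-range public address standing in for the real one.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's PIX 6.3 config (documentation-range public IP).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 acv security50
access-list outside_access_in permit ip any any
access-list outside_access_in permit tcp any host 198.51.100.30 range 20001 20254
access-list ACV_NAT permit ip 10.9.8.0 255.255.255.0 any
ip address inside 10.2.4.1 255.255.255.0
ip address acv 10.9.8.1 255.255.255.0
global (outside) 70 interface
nat (inside) 70 10.2.4.0 255.255.255.0 0 0
nat (inside) 71 access-list ACV_NAT
access-group outside_access_in in interface outside
"""

def audit_pix_config(text: str) -> list:
    """Flag a blanket permit in the ACL applied inbound on the lowest-security
    interface, a nat id without a matching global, and a nat on the wrong interface."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    level, subnet, acl_src, global_ids, inbound = {}, {}, {}, set(), {}
    for l in lines:  # first pass: collect interface levels, subnets, ACL sources, ids
        if m := re.match(r"nameif \S+ (\S+) security(\d+)$", l):
            level[m[1]] = int(m[2])
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)$", l):
            subnet[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (\d[\d.]*) (\d[\d.]*)", l):
            acl_src[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"global \(\S+\) (\d+)", l):
            global_ids.add(int(m[1]))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", l):
            inbound[m[1]] = m[2]
    lowest = min(level, key=level.get) if level else "outside"
    findings = []
    for i, l in enumerate(lines, 1):  # second pass: the checks themselves
        m = re.match(r"access-list (\S+) (?:extended )?permit ip any any$", l)
        if m and inbound.get(m[1]) == lowest:
            findings.append(f"line {i}: blanket permit inbound on {lowest}; later rules in {m[1]} are moot")
        elif m := re.match(r"nat \((\S+)\) (\d+)(?: access-list (\S+))?", l):
            ifc, nat_id, acl = m[1], int(m[2]), m[3]
            if nat_id and nat_id not in global_ids:  # nat 0 is the exemption rule, needs no global
                findings.append(f"line {i}: nat id {nat_id} has no matching global")
            if acl in acl_src and ifc in subnet and not acl_src[acl].subnet_of(subnet[ifc]):
                findings.append(f"line {i}: {acl} covers {acl_src[acl]}, which is not behind {ifc}")
    return findings
```

Run `audit_pix_config(SAMPLE_CONFIG)` to see all three findings; removing the blanket permit, changing the nat to `nat (acv) 71`, and adding `global (outside) 71 interface` clears them.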