jmanstream asked:
Configuring PIX 515E with single static WAN address and internal CIDR block

I am in desperate need of help with my PIX 515 firewall. I am trying to configure it for use with my Cox Business Internet service. They have assigned me a single static public IP address with an internal CIDR block. I was able to successfully configure it with the WAN IP address on the outside interface and the first usable IP address of the CIDR as the gateway on my inside interface, but I can't seem to figure out how to allow outside access into my internal CIDR network. I am able to ping the outside interface from a remote server but cannot reach the inside interface.

I have a Linksys router with its WAN address specified as one of the CIDR block addresses, so I can have the rest of my LAN, which doesn't need to be publicly accessible, configured on a 192.168.1.0 subnet. The machines behind the Linksys have no problem getting out to the Internet. I also have one test server (not behind the Linksys), configured with one of the CIDR block usable addresses. That server is also able to get out to the Internet without issue.

But, when I try to ping the internal server or connect to the web server/ftp server from the outside, I get nothing. I think I have configured everything correctly on the PIX as far as the access lists, but I am definitely NO Cisco expert. It's probably something really stupid that I'm missing, but I can't seem to find any examples on how to do this properly.

Here is my current config...

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ****** encrypted
passwd ****** encrypted
hostname pix515
domain-name tobias
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit udp any any eq ntp
access-list outside_access_in permit tcp any host x.y.z.93 eq www
access-list outside_access_in permit tcp any host x.y.z.93 eq ftp
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside a.b.c.143 255.255.255.224
ip address inside x.y.z.81 255.255.255.240
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 a.b.c.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.43.244.18 source outside prefer
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet x.y.z.80 255.255.255.240 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Where a.b.c.143 /27 is the WAN address with a.b.c.129 as its default gateway. x.y.z.80 /28 is the CIDR block. I am using x.y.z.81 as the internal default gateway.
ASKER CERTIFIED SOLUTION
btassure

This solution is only available to members of Experts Exchange.
Incidentally you just use the same address as the source and the destination of the NAT.
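To make btassure's point concrete, here is an added example (not code from this thread): a small Python check over a constructed excerpt of the posted config, with the x.y.z placeholders replaced by the documentation range 203.0.113.0/24. On PIX 6.x an inbound connection needs a translation (xlate) as well as an ACL permit; the check lists every host the inbound outside ACL permits that no `static` covers, and shows that the identity static with the same mapped and real address clears it.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 config posted above; the x.y.z placeholders
# are filled with the documentation range 203.0.113.0/24 so the example runs.
ORIGINAL = """\
access-list outside_access_in permit udp any any eq ntp
access-list outside_access_in permit tcp any host 203.0.113.93 eq www
access-list outside_access_in permit tcp any host 203.0.113.93 eq ftp
access-group outside_access_in in interface outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
# The fix the accepted answer describes: an identity static whose mapped (first)
# and real (second) address are the same, so inbound hits get an xlate.
FIXED = ORIGINAL + "static (inside,outside) 203.0.113.93 203.0.113.93 netmask 255.255.255.255\n"

ACL_RE = re.compile(r"^access-list (\S+) permit \S+ (?:any|host \S+|\S+ \S+) (?:host (\S+)|(any))")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def untranslated_hosts(config, outside="outside"):
    """Return sorted hosts that the inbound ACL on `outside` permits but no
    static translation covers; the PIX drops such packets for lack of an xlate."""
    inbound_acls = set()
    statics = []  # networks of mapped addresses reachable from `outside`
    for line in config.splitlines():
        line = line.strip()
        if m := GROUP_RE.match(line):
            if m.group(2) == outside:
                inbound_acls.add(m.group(1))
        elif m := STATIC_RE.match(line):
            if m.group(2) == outside:  # static (real_if,mapped_if) mapped real
                statics.append(ipaddress.ip_network(f"{m.group(3)}/{m.group(5)}", strict=False))
    missing = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) not in inbound_acls or m.group(3) == "any":
            continue  # `any` destinations need a static for every intended target
        host = ipaddress.ip_address(m.group(2))
        if not any(host in net for net in statics):
            missing.add(str(host))
    return sorted(missing)


if __name__ == "__main__":
    print("original:", untranslated_hosts(ORIGINAL))  # ['203.0.113.93']
    print("fixed:   ", untranslated_hosts(FIXED))     # []
```

A network static for the whole /28 (`static (inside,outside) 203.0.113.80 203.0.113.80 netmask 255.255.255.240`) also satisfies the check, which is the usual way to expose several hosts in the block at once.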
jmanstream (ASKER):
That did the trick! You're right... I was assuming it would just route as long as the access-list was in place. Thanks!