Pix 501 & SBS03

Unanswered Question
Feb 2nd, 2007

Hi,

I voluntarily look after a simple MS Small Business Server 03 network at a charity and made the mistake of buying a Pix 501 to replace a basic firewall we had. I say mistake because if I had known about the dreadful user manuals and tricky setup I would never have spent the money.

But now I am here and hope that someone can perhaps answer some questions on how I can set up the PIX 501.

1. Is it a good idea to use a PIX501 on a SBS03 network.

2. If so, do I use the DHCP from the server or the PIX 501.

3. I set up the Pix on a spare computer for testing (after I failed getting the server to access the PDM) and managed initially to access the PDM via the browser. After 'poking' around though, the DHCP stopped working (I probably turned it off) and as a consequence I can't access the PDM anymore. I did a 'Reset Factory Settings' via the command line (not something I am too familiar with) but it didn't seem to have restored the DHCP server. Any thoughts?

Any help greatly appreciated.

Thanks

Alex

johnroche_2 Mon, 02/05/2007 - 01:22

Hi

I use the 501 on a SBS2003 environment with no issues

I use the DHCP server on the SBS rather than the PIX because it caused me some issues.

Pix limits the IP addresses that can log onto it.

If you open PDM on your PC under the administration tab you can add in more IP addresses to run the PDM gui from.

When you reset the PIX it will restore the DHCP server (it's probably giving you 192.168.x.x addresses).

If you log on at the command line and run the setup command, it will take you through the initial setup, including adding the IP address of a machine to run PDM.

mhellman Mon, 02/05/2007 - 13:21

1. Is it a good idea to use a PIX501 on a SBS03 network.

Sure, the PIX is a fine firewall for small network use. By default the 501 only supports 10 hosts though. I think there is an upgrade to support up to 50.

2. If so, do I use the DHCP from the server or the PIX 501.

Use the DHCP from the server.

3. I set up the Pix on a spare computer

Plug your computer's network connection directly into eth1 on the PIX using a crossover cable. Assign your computer a static IP address of 192.168.1.10. You should now be able to connect using your browser (if the factory defaults were truly set). I would turn off DHCP and get a basic configuration going that allows outbound traffic. Then you can worry about what to allow inbound.

johnroche_2 Tue, 02/06/2007 - 00:42

You can use IPsec VPN on the 501 or allow PPTP in to the SBS and use its Connection Manager VPN.

If your PIX only has 10 user licenses you will run into trouble fast, i.e. PCs not able to use the internet. If you can afford it, upgrade to unrestricted.

amiller70 Fri, 02/09/2007 - 05:40

Thank you all for getting back to me on this. As I am not here all the time I didn't have a chance to test things through until now.

I managed to access PDM on the spare computer but still can't get the server to talk to the PIX (made changes as suggested via HyperTerminal).

I think the problem is that I need to change the IP address in TCP/IP on the Ethernet card which connects the server to the PIX, as at the moment it has the static IP provided by our ISP. As I have two Ethernet cards in the server, is there anything I need to be aware of when I choose the IP address? Any pool I can take the address from? The IP address on the other Ethernet card (internal network) is 192.168.16.2, which I think is the standard SBS setup.

I also presume that I need to go to 'Hosts/Networks' > 'Select Interface:' outside > and change the 'outside' IP address and subnet to the static IP address I received from the ISP in order to get the PIX to connect to the broadband. Could anyone confirm this?

Thanks in advance. I think I am starting to get my head around this.

Alex

johnroche_2 Fri, 02/09/2007 - 06:10

The inside address of the PIX should be in the range of the SBS server.

Make sure the SBS is allowed to web on to the PIX with this command:

http x.x.x.x 255.255.255.255 inside

where x.x.x.x is the IP of the server.

Before you change the internet connection set the IP of the inside and connect the 501 to your network. You should be able to ping it from the server.

The outside interface should be the address given by your ISP

You will need to make changes to your DHCP server for the default gateway, which will now be the address of the PIX.

nagel Thu, 02/15/2007 - 14:05

The PIX 501 is a good entry level firewall. As for resetting to factory defaults - you will need to console in to the PIX using some type of terminal software (HyperTerminal, etc.) and go into configuration mode:

en

config t

Once there you can enter the commands

write erase

reload

This will take the PIX back to defaults.

As for DHCP it largely depends on the licensing you bought with the PIX. I believe the SOHO license is for only 10 users and the upgrade allows up to 50 users.

Programming the PIX is like everything Cisco - until you get past the learning curve it's a bit tough. However, once you have the programming side down the PIX is an excellent choice for a firewall.

johnroche_2 Fri, 02/16/2007 - 00:34

Hi

I am sure you can reset the PIX to default from the top left menu of the Device Manager.

There is also an initial setup wizard (I think under a Wizard menu). This will take you through the initial setup if you're not too familiar with the command line.

PS. There is also an unrestricted PIX 501 license. This will unrestrict the number of inside hosts but you are still limited in the number of client IPsec sessions (I think 10 users).

John

vsurillo Fri, 02/16/2007 - 00:42

Alex,

I'd like to follow-up and try to tie together all the good responses you've received about your PIX 501.

First, a few things about the PIX firewall. While some of the commands on the PIX are related to Cisco IOS commands, these are really different operating systems and it takes a bit of getting used to before a new user becomes comfortable.

Please be aware that when working at the CLI, almost EVERYTHING is done from CONFIGURATION mode as opposed to Privileged mode like a router.

Okay, let's get the server talking to the PIX and while we're at it, provide access via the spare computer if you'd like. Go to the command line of the PIX via the console port and follow these commands after resetting to factory defaults as nagel suggests -- I'm going to assume the hostname on the PIX is "pixfirewall":

pixfirewall> enable

password: (hit return - the default "password")

pixfirewall# config t

!

! your default interface names are "outside" for ethernet0 and "inside" for ethernet1

!

pixfirewall(config)# ip address outside x.x.x.x 255.255.x.x ! This is the static IP address & netmask that the ISP provided to you

[ You can also set this up to use the ISP's DHCP server to obtain an IP address... ]

[ pixfirewall(config)# ip address outside dhcp ]

pixfirewall(config)# ip address inside 192.168.16.1 255.255.x.x ! I'm assuming the .1 address is available - use your internal netmask

pixfirewall(config)# interface e0 10full ! Your other options besides 10full are auto and 10baset (half-duplex)

pixfirewall(config)# interface e1 100full ! This is your internal 4-port FE switch

[ use the following if you need to shutdown your outside interface in the future ]

[ pixfirewall(config)# interface e0 shut ]

pixfirewall(config)# http 192.168.16.0 255.255.255.248 inside ! A /29 mask allows 192.168.16.0 through .7 (8 addresses) to access the PIX via PDM, or you can dedicate a single host (the server) with a 255.255.255.255 mask as johnroche suggests

pixfirewall(config)# http server enable

pixfirewall(config)# nat (inside) 192 192.168.16.0 255.255.x.x ! Your inside network; the 192 is your NAT_ID

pixfirewall(config)# global (outside) 192 interface ! This is PAT or NAT overload

pixfirewall(config)# route outside 0 0 y.y.y.y ! The 0 0 is short for 0.0.0.0 0.0.0.0 --- y.y.y.y is your ISPs router

[ If you setup the outside interface using DHCP, the ISP will pass the PIX the default route when you use the "setroute" option as follows: ]

[ pixfirewall(config)# ip address outside dhcp setroute ] ! the ip address command takes the interface name, as in the "ip address outside dhcp" form above

pixfirewall(config)# static (inside,outside) tcp interface 80 192.168.16.2 80 ! maps http requests to the SBS

pixfirewall(config)# access-list outside_in permit tcp any host x.x.x.x eq 80 ! allows the http requests inside

pixfirewall(config)# access-list outside_in permit icmp any host x.x.x.x echo-reply ! allows responses to inside echo-requests that are blocked by default

pixfirewall(config)# access-list outside_in deny ip any any

pixfirewall(config)# access-group outside_in in interface outside

pixfirewall(config)# write mem

Remember to replace the x.x.x.x with your dedicated IP address from the ISP.

I made the assumption that you only need to allow web access to the SBS from the Internet; if you also need secure web access via SSL, you'll need to add another static NAT entry for port 443 as well as another access control entry under "outside_in".

You can use the "hostname" command (same as the IOS command) if you'd like to change the name of your PIX and there may be a few other commands that are interesting, but this should get you up and running.

Finally, use the trusty "show ver" command to determine what your existing license is (10, 50, or unlimited) and also what your Finesse OS version is. You may need either a 50 or unlimited user license as mhellman suggests and you probably want to get your hands on the appropriate version of the command reference.

Hope this helps!!

vrs
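An added check, not code from the thread and not Cisco's: the script below reads the command forms used in vsurillo's walkthrough and in johnroche's "http x.x.x.x 255.255.255.255 inside" tip, then evaluates the outside access-list first-match against every inbound static, which is how the PIX decides. The sample configuration is constructed from the posted commands; the ISP address 203.0.113.10 and the /29 masks are assumptions, and the port 443 static that vsurillo says you would add for SSL is deliberately included without its access-list entry so the mismatch shows up in the report.

```python
"""Audit a PIX 6.x config for Internet-facing exposure and PDM management reach.
Added example, not code from the thread or from Cisco: it understands only the command
forms used above and evaluates the outside ACL first-match, as the PIX does."""
import ipaddress

# Constructed sample built from the commands posted in the thread. The ISP address
# 203.0.113.10 and the /29 masks are assumptions; the 443 static is deliberately
# present without its access-list entry so the mismatch shows in the report.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.10 255.255.255.248
ip address inside 192.168.16.1 255.255.255.0
http 192.168.16.0 255.255.255.248 inside
http server enable
nat (inside) 192 192.168.16.0 255.255.255.0 0 0
global (outside) 192 interface
static (inside,outside) tcp interface 80 192.168.16.2 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.16.2 443 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-list outside_in permit icmp any host 203.0.113.10 echo-reply
access-list outside_in deny ip any any
access-group outside_in in interface outside
"""
ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ftp": 21, "domain": 53, "pptp": 1723}

def _port(t):
    return int(t) if t.isdigit() else PORT_NAMES[t]

def _net(tokens):
    """Consume one PIX address spec from tokens: any | host X | X MASK."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse(config):
    cfg = {"if_ip": {}, "http": [], "http_server": False, "static": [], "acl": {}, "bound": {}, "skipped": []}
    for raw in config.splitlines():
        tok = raw.split("!", 1)[0].split()  # drop PIX '!' comments
        if not tok:
            continue
        try:
            if tok[0] == "ip" and tok[1] == "address" and tok[3] != "dhcp":
                cfg["if_ip"][tok[2]] = ipaddress.ip_address(tok[3])
            elif tok[0] == "http" and tok[1] == "server":
                cfg["http_server"] = tok[2] == "enable"
            elif tok[0] == "http":
                cfg["http"].append((_net(tok[1:3]), tok[3]))
            elif tok[0] == "static" and tok[2] in ("tcp", "udp"):
                # 'interface' means the outside address, so 'ip address outside' must come first
                gip = cfg["if_ip"]["outside"] if tok[3] == "interface" else ipaddress.ip_address(tok[3])
                cfg["static"].append((tok[2], gip, _port(tok[4]), tok[5], _port(tok[6])))
            elif tok[0] == "access-list" and tok[2] in ("permit", "deny"):
                name, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
                src, dst = _net(rest), _net(rest)
                port = _port(rest[1]) if rest[:1] == ["eq"] else None
                cfg["acl"].setdefault(name, []).append((action, proto, src, dst, port))
            elif tok[0] == "access-group":
                cfg["bound"][tok[4]] = tok[1]  # interface name -> ACL name
        except (ValueError, KeyError, IndexError):
            cfg["skipped"].append(raw)  # object-groups, names etc. are not modelled
    return cfg

def _decide(acl, proto, dst_ip, port):
    """First match wins on the PIX; the implicit deny sits at the end."""
    for action, aproto, src, dst, aport in acl:
        if aproto in (proto, "ip") and dst_ip in dst and aport in (None, port):
            return action, src
    return "deny", ANY

def audit(config):
    cfg = parse(config)
    exposed, findings = [], []
    acl = cfg["acl"].get(cfg["bound"].get("outside"), [])
    for proto, gip, gport, lip, lport in cfg["static"]:
        action, src = _decide(acl, proto, gip, gport)
        if action == "permit":
            exposed.append((proto, lip, lport, str(src)))
        else:
            findings.append(f"static {proto}/{gport} -> {lip}:{lport} is blocked by the outside ACL; remove it or add its ACE")
    backed = {(p, g, gp) for p, g, gp, _, _ in cfg["static"]}
    for action, proto, src, dst, port in acl:
        if action != "permit" or proto not in ("tcp", "udp", "ip"):
            continue
        if dst == ANY or port is None:
            findings.append(f"broad permit: {proto} from {src} to {dst} port {port or 'any'}")
        elif not any(g in dst and proto in (p, "ip") and port == gp for p, g, gp in backed):
            findings.append(f"permit {proto} to {dst.network_address} port {port} matches no static")
    for net, ifname in cfg["http"]:
        if net.num_addresses > 1:
            findings.append(f"http {net} {ifname} lets {net.num_addresses} addresses open PDM; use a 255.255.255.255 mask for the admin host only")
    if cfg["http"] and not cfg["http_server"]:
        findings.append("'http server enable' is missing, so PDM will not answer")
    return {"exposed": exposed, "findings": findings, "skipped": cfg["skipped"]}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run it against the running configuration captured from the console session; whatever it lists under "exposed" is what any Internet host can reach through the PIX, the blocked-static finding is the 443 mismatch the post warns about, and the PDM finding is why johnroche's single-host mask is the safer choice.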
