PIX515 IOS Version6.1(4) Configuration

Unanswered Question
Feb 26th, 2007

I have a Cisco PIX515 firewall that I'd like to configure and install on my LAN. I have managed a Cisco 3640 router installed on my LAN and prefer to put the firewall behind the router to protect my LAN.

The LAN gateway is 172.18.1.1 netmask 255.255.255.0, which is the router's FastEthernet0/0. FastEthernet0/1 of the 3640 router is 210.5.254.194 netmask 255.255.255.248. My LAN subnet is 172.18.1.0.

I prefer to give my inside IP address to the PIX as 172.18.1.235 netmask 255.255.255.0.

Would you be able to help me with this configuration please, ASAP?

I also have two hosts coming in to two servers here, whose internal IP addresses are 172.18.1.152 and 172.18.1.151. These two servers' external IP addresses are 210.*.*.195 and 210.5.254.196, and both have a netmask of 255.255.255.248.

Summary Details of the above:

LAN Subnet: 172.18.1.0

Cisco 3640 Router IP Address:

E0/0 - 172.18.1.1 255.255.255.0

E0/1 - 210.*.*.194 255.255.255.248

PIX Inside IP: 172.18.1.235 255.255.255.0

Client Host IP:

(Client 1) Inside IP: 172.18.1.151

Outside IP: 210.5.254.195

(Client 2) Inside IP: 172.18.1.152

Outside IP: 210.5.254.196

Hear from you soon.

Regards,

Samuel Pakoa

Port Vila

Vanuatu

Jon Marshall Tue, 02/27/2007 - 01:06

Hi

There are a lot of things to cover here - let me know if you need further clarification.

1) if you want to put the pix behind the router then you will need another subnet to connect the pix external interface to the router internal interface.

So you don't have to set up new default gateways for your clients, I suggest you move the 172.18.1.1 address to the pix inside interface.

Then use another subnet for the pix outside/router inside interface.

For example's sake, let's say you allocate 172.19.1.0/28 for this.

Pix outside interface 172.19.1.1

router internal interface 172.19.1.2

2) On the router you will need to add a route for the internal network

ip route 172.18.1.0 255.255.255.0 172.19.1.1

3) On the pix you need a default route pointing to the router

route outside 0.0.0.0 0.0.0.0 172.19.1.2

4) You don't say where you want to do the NAT for your clients and these two machines you are giving access to. Let's assume you are going to leave it on the router.

On the pix

nat (inside) 0 0.0.0.0 0.0.0.0

This tells the pix not to NAT any clients as they go out. The NAT will still be done on your router.

5) You still need to do something about the 2 machines. On the pix

static (inside,outside) 172.18.1.151 172.18.1.151 netmask 255.255.255.255

static (inside,outside) 172.18.1.152 172.18.1.152 netmask 255.255.255.255

The NAT to public addressing will still happen on your router.

6) You will need to have an access-list on the outside interface of your pix for access to these 2 machines.

You don't say which hosts and what ports so you will need to modify this access-list.

access-list acl_inbound permit tcp host "x.x.x.1" host 172.18.1.151 eq 23

access-list acl_inbound permit tcp host "x.x.x.1" host 172.18.1.152 eq 23

access-list acl_inbound permit tcp host "x.x.x.2" host 172.18.1.151 eq 23

access-list acl_inbound permit tcp host "x.x.x.2" host 172.18.1.152 eq 23

Note if you are familiar with object groups you could simplify this a bit.

Hope this makes sense.

Jon
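Jon's six steps assembled into one PIX 6.1 configuration, with the matching router side, as an added example put together from the thread rather than configuration Jon or Samuel posted. Assumptions: ethernet0 is the PIX outside interface and ethernet1 the inside; the transit subnet is 172.19.1.0/28 as in Jon's example; x.x.x.1 and x.x.x.2 are placeholder remote hosts on TCP/23 as in Jon's ACL; the router's static NAT lines follow the address mapping in Samuel's summary. Lines beginning with `!` are reader comments only.

```cisco
! ---- PIX 515, PIX OS 6.1(4) ----
! Assumed interface roles: ethernet0 towards the router, ethernet1 towards the LAN.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
! Step 1: the old LAN gateway address moves onto the PIX inside interface;
!         a new transit subnet (172.19.1.0/28, assumed) links PIX and router.
ip address outside 172.19.1.1 255.255.255.240
ip address inside 172.18.1.1 255.255.255.0
! Step 3: default route towards the router's transit address.
route outside 0.0.0.0 0.0.0.0 172.19.1.2 1
! Step 4: identity NAT (nat 0) - the PIX does not translate; the router still does.
nat (inside) 0 0.0.0.0 0.0.0.0
! Step 5: identity statics so inbound connections to the two servers are allowed
!         to be built through the PIX (the router translates 210.x to these).
static (inside,outside) 172.18.1.151 172.18.1.151 netmask 255.255.255.255 0 0
static (inside,outside) 172.18.1.152 172.18.1.152 netmask 255.255.255.255 0 0
! Step 6: inbound filter. Destination is the private address because the router
!         has already undone its static NAT before the packet reaches the PIX.
!         x.x.x.1 / x.x.x.2 and TCP/23 are placeholders taken from Jon's example.
access-list acl_inbound permit tcp host x.x.x.1 host 172.18.1.151 eq 23
access-list acl_inbound permit tcp host x.x.x.1 host 172.18.1.152 eq 23
access-list acl_inbound permit tcp host x.x.x.2 host 172.18.1.151 eq 23
access-list acl_inbound permit tcp host x.x.x.2 host 172.18.1.152 eq 23
! The access-list filters nothing until it is bound to the outside interface.
access-group acl_inbound in interface outside

! ---- Cisco 3640 ----
! Assumed: Fa0/0 now carries the transit subnet towards the PIX, Fa0/1 stays the WAN side.
interface FastEthernet0/0
 ip address 172.19.1.2 255.255.255.240
 ip nat inside
interface FastEthernet0/1
 ip address 210.5.254.194 255.255.255.248
 ip nat outside
! Step 2: the LAN is now one hop away, behind the PIX outside address.
ip route 172.18.1.0 255.255.255.0 172.19.1.1
! NAT stays on the router (Jon's assumption); mapping per Samuel's summary (assumed form).
ip nat inside source static 172.18.1.151 210.5.254.195
ip nat inside source static 172.18.1.152 210.5.254.196
```

Two checks worth doing once this is in place: `show access-list acl_inbound` on the PIX shows per-line hit counts, so a zero count on a line you expected to match usually means the router is not translating as assumed or the source address differs; `show xlate` confirms the two identity statics are present. One caveat on Jon's object-group suggestion: `object-group` arrived in PIX OS 6.2, so on 6.1(4) the four explicit lines are the only option unless the PIX is upgraded.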

vanuatupakoa123 Tue, 02/27/2007 - 15:29

Thank you Jon,

The configuration you submitted has worked and I can ping the required ip addresses from my LAN.

With regards to the two hosts, 172.18.1.152 also has a global IP address of 210.x.x.195 and 172.18.1.151 has a global IP address of 210.5.254.196. The two hosts will be accessing the internal addresses from the 210.x.254.x addresses. These two hosts need to access 172.18.1.151 and 172.18.1.152 on port 1433 (SQL).

Please could you update the access-list, otherwise all the rest of the configuration seems fine for now and will inform you on how I go with it this evening.

Regards,

Samuel

Jon Marshall Tue, 02/27/2007 - 23:15

Hi Samuel

Glad things are working.

Could I just clarify something?

172.18.1.151 & 172.18.1.152 are on your internal network. You present these through the firewall as 210.5.254.195 and 210.5.254.196.

What are the IP addresses of the hosts that will be accessing these servers? It's a little unclear from your post.

Jon
