506 Config

Unanswered Question
Mar 21st, 2007

I think I am on the right track but unsure. Again, I am running PIX 506 (only 2 interfaces-stuck with 5.1(2) software) on a small network.

Here is what I am trying to achieve:

1) Allow unrestricted internet access from the inside interface.

2) Allow incoming connections to my web server.

Here is what I have so far:

PIX Version 5.1(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxx encrypted

passwd xxxxxxxxxxxxx encrypted

hostname itfw1

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list acl_in permit tcp any host 10.0.0.5 eq www

pager lines 24

logging on

no logging timestamp

no logging standby

no logging console

no logging monitor

no logging buffered

no logging trap

no logging history

logging facility 20

logging queue 512

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside 10.0.0.1 255.0.0.0

ip address inside 192.168.254.1 255.255.255.0

arp timeout 14400

global (outside) 1 10.0.0.3 netmask 255.0.0.0

global (outside) 1 10.0.0.20-10.0.0.100 netmask 255.0.0.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 10.0.0.5 192.168.254.20 netmask 255.255.255.255 0 0

access-group acl_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.0.0.2 1

timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00

timeout rpc 0:10:00 h323 0:05:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

isakmp identity hostname

telnet timeout 5

terminal width 80

Cryptochecksum:xxx

You are all saints...my deepest gratitude for helping me learn!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
acomiskey Thu, 03/22/2007 - 06:02

Are you nat'ing again on an outside router or something? 10. is not routable and would explain why you can't get to the internet.

srberg5219 Thu, 03/22/2007 - 09:22

Here is the design and flow:

1)Router IP: 10.0.0.2

2) PIX: Outside IP: 10.0.0.1 Inside IP: 192.168.254.1

3)Network: 192.168.254.0/24

abinjola Thu, 03/22/2007 - 10:20

the fw outside interface doesnt seems to have a routable IP on internet, thereofore on firewall you do have appropriate xlate rules,however you need to nat on the router as well

whats the wan interface of the router ?

acomiskey Thu, 03/22/2007 - 10:26

I bet it's 74.41.202.106...from his previous post.

You either have to nat twice or get a /30 network for your inside of outside router and outside of pix. Or get rid of the dsl router and get a dsl modem, put 74.41.202.106 on outside of pix.

acomiskey Thu, 03/22/2007 - 10:17

From you first post.

#1. Internet access from inside users. You will have to nat them somewhere to a public routable ip address.

#2. You will have to have a static translation somewhere for your public services. (Where is your webserver translated to 10.0.0.5?)

srberg5219 Thu, 03/22/2007 - 10:45

Maybe I need to go back and learn a bit more...

Just a minor recap:

(PIX model 506)

=================================

===============

====Internet===

===============

|

Leased external static IP: 74.41.201.106

(FQDN resolved to this IP from internet)

|

DSL Router's internal IP: 10.0.0.2

|

Pix Outside Interface IP: 10.0.0.1

|

Pix Inside Interface IP: 192.168.254.1

|

Network:

Web server: 192.168.254.20

I have set NAT to inside interface with:

nat (inside) 1 0 0

I have set global on outside interface:

global (outside) 10.0.0.3 netmask 255.0.0.0

global (outside) 1 10.0.0.20-10.0.0.100 netmask 255.0.0.0

I set the default route to router:

route outside 0 0 10.0.0.2 1

I add a static to allow traffic INTO my webserver and appropriate ACL list:

static (inside,outside) 10.0.0.5 192.168.254.20 netmask 255.255.255.255 0 0

access-list acl_in permit tcp any host 10.0.0.5 eq www

access-group acl_in in interface outside

abinjola Thu, 03/22/2007 - 11:02

For outbound access you need to translate the private ip to a public routable ip on the router.

so the gateway of the firewall.i.e DSL ROuter is simply a modem or a configurable router ?

srberg5219 Thu, 03/22/2007 - 12:58

Correct. The outside interface of my pix goes directly to my isp's provided dsl router.

abinjola Thu, 03/22/2007 - 13:07

ok so is ISP doing natting on their router ?

if not then they have to...also from our side you need to make sure the request is passing through the firewall

add the line access-l acl_in permit icmp any any try pinging the gateway of the firewall from any inside machine, if you are able to ping that means the FW is passing the traffic and its your router not routing it further..

srberg5219 Thu, 03/22/2007 - 13:13

Correct.

I havn't placed the firewall in the mix yet, I was just looking for a second pair of eyes to look at my config (original post) to see if it seemed OK...

abinjola Thu, 03/22/2007 - 13:17

yes your firewall config looks good on FW..we can help you with router if you have an access of it as well

abinjola Thu, 03/22/2007 - 13:16

heyy acomiskey..chill..:-)..yes your posts are showing up..very bright n clear..:-)

srberg5219 Thu, 03/22/2007 - 13:21

Sorry, I didn't get into managed firewall appliances until about a week ago and I am in my 40's so things don't sink in quite as well as they did when I was in my 20's...

acomiskey Thu, 03/22/2007 - 13:23

No, not you, it seemed like everything I said was just getting repeated.

Anyway, it's cool, we're all here just trying to help.

srberg5219 Thu, 03/22/2007 - 13:27

Which, by the way, I do not take for granted and I appreciate more than I can say...

acomiskey Thu, 03/22/2007 - 13:32

Ok, as abinjola and I were trying to say, there are a few things you need to figure out. The most major of which I would say is where do you want to NAT?

abinjola Thu, 03/22/2007 - 13:33

do you have the router access,? so that we check if the router is configured for natting

I hope i am making sense that the router needs to further PAT or NAT the traffic (to a public ip )coming out of the firewall private outside IP

the fw config looks good..

acomiskey Thu, 03/22/2007 - 13:37

This is 1 solution, like I was trying to say before...but requires 2 more public ip addresses.

DSL ROUTER

|

|

|

PAT/NAT here.

PIX

<10.0.0.0 network>

OR this which doesn't

DSL MODEM

|

|

|

|

NAT/PAT here

PIX

<10.0.0.0 network>

srberg5219 Thu, 03/22/2007 - 13:44

Yes I do. Prior to purchasing this firewall, the ISP's router was configured to port forward requests to the appropriate server...

port 80: to 192.168.254.20 (web server)

port 25: to 192.168.254.50 (email server)

Actions

This Discussion