1025 Views | 0 Helpful | 21 Replies

506 Config

srberg5219
Level 1

I think I am on the right track but unsure. Again, I am running a PIX 506 (only 2 interfaces, stuck with 5.1(2) software) on a small network.

Here is what I am trying to achieve:

1) Allow unrestricted internet access from the inside interface.

2) Allow incoming connections to my web server.

Here is what I have so far:

PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname itfw1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_in permit tcp any host 10.0.0.5 eq www
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.1 255.0.0.0
ip address inside 192.168.254.1 255.255.255.0
arp timeout 14400
global (outside) 1 10.0.0.3 netmask 255.0.0.0
global (outside) 1 10.0.0.20-10.0.0.100 netmask 255.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.0.5 192.168.254.20 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp identity hostname
telnet timeout 5
terminal width 80
Cryptochecksum:xxx

You are all saints...my deepest gratitude for helping me learn!

21 Replies

acomiskey
Level 10

Are you nat'ing again on an outside router or something? 10. is not routable and would explain why you can't get to the internet.

Here is the design and flow:

1) Router IP: 10.0.0.2
2) PIX: Outside IP: 10.0.0.1, Inside IP: 192.168.254.1
3) Network: 192.168.254.0/24

The FW outside interface doesn't seem to have a routable IP on the internet; therefore on the firewall you do have appropriate xlate rules, however you need to NAT on the router as well.

What's the WAN interface of the router?

I bet it's 74.41.202.106...from his previous post.

You either have to nat twice or get a /30 network for your inside of outside router and outside of pix. Or get rid of the dsl router and get a dsl modem, put 74.41.202.106 on outside of pix.

acomiskey
Level 10

From your first post.

#1. Internet access from inside users. You will have to nat them somewhere to a public routable ip address.

#2. You will have to have a static translation somewhere for your public services. (Where is your webserver translated to 10.0.0.5?)
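The two requirements acomiskey lists are easy to check mechanically against the config from the first post. The script below is an added example, not something posted in this thread: it parses the PIX 5.x translation statements (global, static, ip address, and host entries in the inbound access-list), flags any outside-facing translated address that is not globally routable (the 10.0.0.x problem), and confirms that every host the outside ACL permits is the mapped address of some static, since on PIX 5.x the ACL on the outside interface is written against the translated address. The config text embedded in it is a constructed excerpt of the posted config; the function and variable names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the translation-related lines from the PIX 5.1(2) config
# posted at the top of the thread.
SAMPLE_CONFIG = """\
ip address outside 10.0.0.1 255.0.0.0
ip address inside 192.168.254.1 255.255.255.0
global (outside) 1 10.0.0.3 netmask 255.0.0.0
global (outside) 1 10.0.0.20-10.0.0.100 netmask 255.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.0.5 192.168.254.20 netmask 255.255.255.255 0 0
access-list acl_in permit tcp any host 10.0.0.5 eq www
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
ACL_HOST_RE = re.compile(r"^access-list (\S+) permit \S+ \S+ host (\S+)")
IFACE_RE = re.compile(r"^ip address (\S+) (\S+)")


def parse_config(text):
    """Pull the translation-related statements out of a PIX 5.x style config."""
    cfg = {"globals": [], "statics": [], "acl_hosts": [], "interfaces": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            iface, nat_id, addrs = m.groups()
            lo, _, hi = addrs.partition("-")          # single PAT address or a pool range
            cfg["globals"].append((iface, int(nat_id), lo, hi or lo))
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real = m.groups()  # static (real,mapped) mapped_ip real_ip
            cfg["statics"].append((real_if, mapped_if, mapped, real))
        elif m := ACL_HOST_RE.match(line):
            cfg["acl_hosts"].append((m.group(1), m.group(2)))
        elif m := IFACE_RE.match(line):
            cfg["interfaces"][m.group(1)] = m.group(2)
    return cfg


def routable(addr):
    """True only for addresses the public internet will route (RFC 1918 space is not)."""
    return ipaddress.ip_address(addr).is_global


def find_unroutable_translations(cfg):
    """Outside-facing translated addresses that are not globally routable.

    Each hit means a second NAT on the upstream router, or a public address on the
    PIX outside interface, is required before the translation is reachable."""
    findings = []
    for iface, _nat_id, lo, hi in cfg["globals"]:
        if iface == "outside" and not (routable(lo) and routable(hi)):
            findings.append(("global", lo if lo == hi else f"{lo}-{hi}"))
    for _real_if, mapped_if, mapped, _real in cfg["statics"]:
        if mapped_if == "outside" and not routable(mapped):
            findings.append(("static", mapped))
    return findings


def acl_targets_without_static(cfg):
    """Hosts permitted by the inbound ACL that no static maps to (pre-7.0 PIX ACLs
    name the translated address, so a mismatch here silently blocks the service)."""
    mapped = {s[2] for s in cfg["statics"]}
    return [host for _acl, host in cfg["acl_hosts"] if host not in mapped]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for kind, addr in find_unroutable_translations(cfg):
        print(f"{kind}: {addr} is not routable on the internet; NAT again upstream")
    for host in acl_targets_without_static(cfg):
        print(f"acl: host {host} has no matching static translation")
    outside_ip = cfg["interfaces"].get("outside")
    if outside_ip and not routable(outside_ip):
        print(f"outside interface {outside_ip} is itself private; the DSL router must NAT")
```

Run against the posted config, every outside-facing translation (10.0.0.3, the 10.0.0.20-10.0.0.100 pool, and the 10.0.0.5 static) is flagged, while the ACL/static pairing checks out, which matches the diagnosis in the thread: the PIX side is consistent, the addressing upstream is what breaks it.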

Maybe I need to go back and learn a bit more...

Just a minor recap:

(PIX model 506)

===============
====Internet===
===============
       |
Leased external static IP: 74.41.201.106
(FQDN resolved to this IP from internet)
       |
DSL Router's internal IP: 10.0.0.2
       |
Pix Outside Interface IP: 10.0.0.1
       |
Pix Inside Interface IP: 192.168.254.1
       |
Network:
Web server: 192.168.254.20

I have set NAT to inside interface with:

nat (inside) 1 0 0

I have set global on outside interface:

global (outside) 1 10.0.0.3 netmask 255.0.0.0
global (outside) 1 10.0.0.20-10.0.0.100 netmask 255.0.0.0

I set the default route to router:

route outside 0 0 10.0.0.2 1

I add a static to allow traffic INTO my webserver and appropriate ACL list:

static (inside,outside) 10.0.0.5 192.168.254.20 netmask 255.255.255.255 0 0
access-list acl_in permit tcp any host 10.0.0.5 eq www
access-group acl_in in interface outside

For outbound access you need to translate the private ip to a public routable ip on the router.

So the gateway of the firewall, i.e. the DSL router, is simply a modem or a configurable router?

Correct. The outside interface of my PIX goes directly to my ISP's provided DSL router.

OK, so is the ISP doing NAT on their router?

If not, then they have to. Also, from our side you need to make sure the request is passing through the firewall.

Add the line access-list acl_in permit icmp any any, then try pinging the gateway of the firewall from any inside machine. If you are able to ping, that means the FW is passing the traffic and it's your router not routing it further.

Correct.

I haven't placed the firewall in the mix yet, I was just looking for a second pair of eyes to look at my config (original post) to see if it seemed OK...

Yes, your firewall config looks good on the FW. We can help you with the router if you have access to it as well.

Like I said about 10 posts ago...

Are my posts showing up?

Hey acomiskey, chill :-) Yes, your posts are showing up, very bright and clear :-)

I'm chill, just seems like a broken record that's all...
