03-21-2007 11:02 PM - edited 03-11-2019 02:50 AM
I think I am on the right track but unsure. Again, I am running a PIX 506 (only 2 interfaces, stuck with 5.1(2) software) on a small network.
Here is what I am trying to achieve:
1) Allow unrestricted internet access from the inside interface.
2) Allow incoming connections to my web server.
Here is what I have so far:
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname itfw1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_in permit tcp any host 10.0.0.5 eq www
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.1 255.0.0.0
ip address inside 192.168.254.1 255.255.255.0
arp timeout 14400
global (outside) 1 10.0.0.3 netmask 255.0.0.0
global (outside) 1 10.0.0.20-10.0.0.100 netmask 255.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.0.5 192.168.254.20 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp identity hostname
telnet timeout 5
terminal width 80
Cryptochecksum:xxx
You are all saints...my deepest gratitude for helping me learn!
03-22-2007 06:02 AM
Are you nat'ing again on an outside router or something? 10. is not routable and would explain why you can't get to the internet.
03-22-2007 09:22 AM
Here is the design and flow:
1) Router IP: 10.0.0.2
2) PIX: Outside IP: 10.0.0.1 Inside IP: 192.168.254.1
3) Network: 192.168.254.0/24
03-22-2007 10:20 AM
The FW outside interface doesn't seem to have a routable IP on the internet; therefore, while on the firewall you do have appropriate xlate rules, you need to NAT on the router as well.
What's the WAN interface of the router?
03-22-2007 10:26 AM
I bet it's 74.41.202.106...from his previous post.
You either have to NAT twice or get a /30 network for the inside of the outside router and the outside of the PIX. Or get rid of the DSL router and get a DSL modem, and put 74.41.202.106 on the outside of the PIX.
03-22-2007 10:17 AM
From your first post:
#1. Internet access from inside users: you will have to NAT them somewhere to a public routable IP address.
#2. You will have to have a static translation somewhere for your public services. (Where is your webserver translated to 10.0.0.5?)
03-22-2007 10:45 AM
Maybe I need to go back and learn a bit more...
Just a minor recap:
(PIX model 506)
=================================
===============
====Internet===
===============
|
Leased external static IP: 74.41.201.106
(FQDN resolved to this IP from internet)
|
DSL Router's internal IP: 10.0.0.2
|
Pix Outside Interface IP: 10.0.0.1
|
Pix Inside Interface IP: 192.168.254.1
|
Network:
Web server: 192.168.254.20
I have set NAT to inside interface with:
nat (inside) 1 0 0
I have set global on outside interface:
global (outside) 1 10.0.0.3 netmask 255.0.0.0
global (outside) 1 10.0.0.20-10.0.0.100 netmask 255.0.0.0
I set the default route to router:
route outside 0 0 10.0.0.2 1
I add a static to allow traffic INTO my webserver and appropriate ACL list:
static (inside,outside) 10.0.0.5 192.168.254.20 netmask 255.255.255.255 0 0
access-list acl_in permit tcp any host 10.0.0.5 eq www
access-group acl_in in interface outside
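To make the "NAT twice" point concrete, here is an added Python model (not Cisco code, not from the original posts) of the two translation hops in the recap above: the PIX picks a static, then a pool address, then the PAT address, and the DSL router either translates again to the leased 74.41.201.106 or does not. The router-side port-forward table and the `router_nats` flag are assumptions standing in for whatever the ISP router actually does.

```python
import ipaddress

# Values quoted in the thread (constructed model of the chain, not device behaviour verbatim)
PIX_STATIC = {"192.168.254.20": "10.0.0.5"}        # static (inside,outside) 10.0.0.5 192.168.254.20
PIX_PAT_ADDRESS = "10.0.0.3"                        # global (outside) 1 10.0.0.3 (used when pool is empty)
PIX_POOL_START, PIX_POOL_END = "10.0.0.20", "10.0.0.100"  # global (outside) 1 10.0.0.20-10.0.0.100
PIX_ACL_IN = {("tcp", "10.0.0.5", 80)}              # access-list acl_in permit tcp any host 10.0.0.5 eq www
ROUTER_PUBLIC = "74.41.201.106"                     # leased static IP on the DSL router

class PixXlate:
    """Outbound translation on the PIX: existing xlate/static first, then pool, then PAT."""
    def __init__(self):
        start = int(ipaddress.ip_address(PIX_POOL_START))
        end = int(ipaddress.ip_address(PIX_POOL_END))
        self.free = [str(ipaddress.ip_address(i)) for i in range(start, end + 1)]
        self.table = dict(PIX_STATIC)  # statics are permanent xlate entries

    def translate(self, inside_ip):
        if inside_ip not in self.table:
            # dynamic pool address while one is free, otherwise fall back to PAT
            self.table[inside_ip] = self.free.pop(0) if self.free else PIX_PAT_ADDRESS
        return self.table[inside_ip]

def outbound(pix, inside_ip, router_nats):
    """Return (source the internet sees, is it globally routable?) for an inside host."""
    after_pix = pix.translate(inside_ip)
    # Hypothetical router behaviour: either a second NAT to the public IP, or none at all
    seen = ROUTER_PUBLIC if router_nats else after_pix
    return seen, ipaddress.ip_address(seen).is_global

def inbound(public_ip, port, router_forward):
    """Trace a client packet for public_ip:port back to the inside host, or None if it dies."""
    if public_ip != ROUTER_PUBLIC:
        return None
    target = router_forward.get(port)  # router must forward the port to the PIX-side 10.0.0.5
    if target is None or ("tcp", target, port) not in PIX_ACL_IN:
        return None                    # dropped at the router, or by acl_in on the outside interface
    for inside_ip, outside_ip in PIX_STATIC.items():
        if outside_ip == target:
            return inside_ip           # static untranslates 10.0.0.5 back to the web server
    return None

if __name__ == "__main__":
    pix = PixXlate()
    print(outbound(pix, "192.168.254.50", router_nats=False))  # leaves as 10.0.0.20: not routable
    print(outbound(pix, "192.168.254.50", router_nats=True))   # 74.41.201.106: routable
    print(inbound(ROUTER_PUBLIC, 80, {80: "10.0.0.5"}))        # reaches 192.168.254.20
```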
03-22-2007 11:02 AM
For outbound access you need to translate the private IP to a public routable IP on the router.
So the gateway of the firewall, i.e. the DSL router, is simply a modem or a configurable router?
03-22-2007 12:58 PM
Correct. The outside interface of my PIX goes directly to my ISP's provided DSL router.
03-22-2007 01:07 PM
OK, so is the ISP doing NATting on their router?
If not, then they have to. Also, from our side you need to make sure the request is passing through the firewall:
add the line access-l acl_in permit icmp any any, then try pinging the gateway of the firewall from any inside machine. If you are able to ping, that means the FW is passing the traffic and it's your router not routing it further.
03-22-2007 01:13 PM
Correct.
I haven't placed the firewall in the mix yet; I was just looking for a second pair of eyes to look at my config (original post) to see if it seemed OK...
03-22-2007 01:17 PM
Yes, your firewall config looks good on the FW. We can help you with the router if you have access to it as well.
03-22-2007 01:14 PM
Like I said about 10 posts ago...
are my posts showing up?
03-22-2007 01:16 PM
heyy acomiskey..chill..:-)..yes your posts are showing up..very bright n clear..:-)
03-22-2007 01:19 PM
I'm chill, just seems like a broken record that's all...