How to Set Up PIX501

Unanswered Question
Aug 6th, 2007

I'm very new to PIX but can't get something to work. We have a T1 line that connects to the PIX and then we have the PIX connected to the external network on a Small Business Server 2003. I am trying to put in a wireless access point so guests can have internet access outside of our network. I connected it to the PIX and gave it an IP address on the inside network (192.168.1.X) of the PIX and I can't get it to see the internet. Attached is my configuration from the PIX.

Can anyone help me out?

Mike

acomiskey Mon, 08/06/2007 - 11:09

You're missing something in this line. Do you have the word interface in there?

global (outside) 1 interface

patternnetwork Tue, 08/07/2007 - 03:15

I tried entering in the new line just as you have it and I got the message "global for this range already exists". Any idea why this didn't work? Would changing this get me access to the internet through my wireless access point? Does the PIX have to be set up as a DHCP server or can I leave the access point static? Any other ideas? Thanks for your time!!

Mike

Jon Marshall Tue, 08/07/2007 - 03:30

Mike

try from config mode

no global (outside) 1

global (outside) 1 interface

HTH

Jon

patternnetwork Tue, 08/07/2007 - 05:32

Jon,

I entered the text you had and this time it worked. But it still doesn't seem like I can get to the internet. I have attached the new configuration for you to review. To test this I actually connected a computer to the PIX501 and gave it an IP address of 192.168.1.35, subnet of 255.255.255.0, gateway of 192.168.1.1 and DNS of 192.168.1.1. It won't connect to the internet yet. I entered "clear xlate" at the end and I think I will try restarting the firewall, but do you have any other ideas? Does that all look ok, or not? I really appreciate your help and everyone else that has offered their suggestions.

Thanks,

Mike

Jon Marshall Tue, 08/07/2007 - 05:45

Mike

Config looks okay. When you are logged onto the PIX can you ping the next hop, i.e.

216.153.252.1

Does this work ?

Jon

patternnetwork Tue, 08/07/2007 - 05:54

Jon,

I can't ping 216.153.252.1, but I can ping 216.153.252.20 which is our IP from the ISP so that seems to work. Maybe this is a connection issue. Should the gateway and DNS point to the firewall?

Mike

acomiskey Tue, 08/07/2007 - 05:45

Your DNS should not be the PIX. You should have been given DNS servers from your ISP.

patternnetwork Tue, 08/07/2007 - 05:59

It worked!! The DNS makes sense now that I think about it. So much to learn yet. Thank you both for all the help. I really appreciate your time.

Mike

acomiskey Tue, 08/07/2007 - 05:15

Would changing this get me access to the internet through my wireless access point?

-It should.

Does the PIX have to be set up as a DHCP server or can I leave the access point static?

-No, it doesn't have to be a DHCP server. The AP can be static. Just make sure the wireless clients have an address and a gateway of the PIX.

mightymouse2045 Tue, 08/07/2007 - 06:21

* What are you static NAT's for?

* Also you really have a 254 address range for your external IP? Thought those were hard to come by now days :P

* Your static routes should look like this for all of them as they are for the outside interfaces IP:

static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0

* You have an inbound access list but no outbound access list. You should create one and also allow ICMP (ping) for that, which will let you ping your gateway 216.153.252.1, and also put a deny on your outside to get stats etc. on who's trying to hack what etc. :P:

access-list 101 deny ip any any log

access-list 102 permit icmp any any

access-list 102 permit tcp any any eq www

access-list 102 permit tcp any any eq https

access-list 102 deny ip any any log

access-group 102 in interface inside

You should also start experimenting with object groups and names, as these help you to simplify management and administration. They make your config longer but they are extremely useful, so for example your access list could look like this:

access-list 101 permit tcp any host 216.153.252.20 object-group external_access

access-list 101 deny ip any any log

access-list 102 permit ICMP any any

access-list 102 permit tcp any any object-group internal-outbound

access-list 102 deny ip any any log

My 2 cents worth :)

patternnetwork Tue, 08/07/2007 - 07:03

Mightymouse,

Thanks for your comments even though some of them are way over my head at this point. I work for a small business and my main job is design engineer and I just happened to get "pushed" into the IT stuff. I'm not complaining, but right now I'm just trying to take care of the big problems so I can keep everyone happy.

You are right about the address range for the external IP. Where does this get changed? Doesn't this line limit it to one IP address?

ip address outside 216.153.252.20 255.255.255.0

Or is it the mask that is wrong? Should it be

ip address outside 216.153.252.20 255.255.255.255

As for your other suggestions and comments, I am just not familiar enough with these PIX firewalls to understand the difference between your static command and the one that I have. You have the word "interface" in place of my outside IP address. Why, and how does that affect my firewall?

Are there any performance problems with using the firewall as I have it compared to making the changes you mentioned? I will definitely print this off and put it in my "need to learn" folder so I can come back to it as time allows, but for now, are any of these changes important for me to make now? Thanks again for all your help.

Mike

mightymouse2045 Tue, 08/07/2007 - 07:35

1. OK, your external mask should reflect whatever number of external IP addresses you 'actually' have. Considering your external IP is .20 and your next hop route is .1, I would assume you have at least a /27 subnet mask (255.255.255.224), which gives you 30 usable addresses. However, that may not be the case, so what I would do is call your ISP and ask them what subnet you should use there (let me know what they come back with too, btw).

2. The static NAT should be replaced with "interface", as that is the correct way to define a NAT that translates to the IP address for that interface instead of typing it out in full. Not sure if it affects anything, possibly processing time, but I doubt it would affect it that much. Best to keep to best practices, though.

3. Yes to the changes mentioned. Don't worry about the groups as yet, but definitely add in the outbound access list and definitely put in the deny ip any any at the end of both access lists. That will also stop me being able to ping your PIX.

patternnetwork Tue, 08/07/2007 - 07:44

1. I actually only have 2 IP addresses that they will allow me to use. At the moment we just picked one (the .20) and went with it. So am I ok with using 255.255.255.255 as my mask?

2. I'll make this change later when I have time.

3. I'll also make this change when I can.

I edited my configuration offline and attached it. Does this look better or am I still missing something? Thanks for the feedback!

mightymouse2045 Tue, 08/07/2007 - 06:40

I can still ping your PIX, by the way, so I see you either haven't read the response or decided not to implement the suggestions :P

But leaving it wide open like that is very risky business.

Cheers,

PH

patternnetwork Tue, 08/07/2007 - 07:06

Point taken and I agree. Which part of your previous post would solve this problem?

Mike

patternnetwork Tue, 08/07/2007 - 07:48

I do have one more question. Since I am trying to set up a WAP outside of my network for guests, I was thinking it might be best to have the PIX work as a DHCP server for guests' laptops so I don't have to configure their IP settings manually. Can this be done and still keep my server static? Here are the commands that I think will make this work, and since my server IP address is not in the range of DHCP addresses I'm thinking this will work. What do you think?

dhcpd address 192.168.1.50-192.168.1.75 inside

dhcpd dns 64.65.208.6 64.65.196.6

dhcpd lease 3600

dhcpd enable inside

mightymouse2045 Tue, 08/07/2007 - 09:32

When you say they would only allow you to use 2 IPs, what was the other IP address?

Checked your config: move the line 'access-group 102 in interface inside' to under the one for 101 and that will work fine.

Also, why do you want the PIX acting as the DHCP server? Why not have the WAP be the DHCP server?

Cheers,

MM

patternnetwork Tue, 08/07/2007 - 09:47

They told me that .19 and .20 are the ones we need to use for our T1 line. Am I ok to use 255.255.255.255 as my mask then?

I'll make the change to the config. Thanks for looking at it.

After my last post I was wondering the same thing. Again, this is all new to me, so I did some research and was able to set up the WAP as a DHCP server. So that should be good to go.

Thanks for your help.

Mike

mightymouse2045 Tue, 08/07/2007 - 09:59

I think you will find the PIX will give you an error if you try to enter 255.255.255.255 as the subnet mask. I have seen ISPs starting to use this method of supplying IP addresses nowadays, so to get around it put the mask as 255.255.255.254 and then retest connectivity. If not, then just leave it as 255.255.255.0, as it probably won't hurt; the router you're connecting to won't be forwarding broadcasts etc. anyway.

patternnetwork Wed, 08/08/2007 - 03:42

I made the changes we talked about and now I am having problems accessing our FTP site. Could this be related or not? Our FTP site is hosted by our ISP. From what I see in the new lines I would think that they would not affect our ability to connect to our FTP site, but I thought I would ask the question and see what you thought.

I also lost our connection to the internet. By removing access-list 102 everything is working again. Now that employees are starting to get here for work I can't make any more changes, but do I need to put access-list 102 back in?

Mike
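Added example, not from any post in this thread: a small first-match evaluator for the outbound access-list 102 that mightymouse2045 proposed above, run against constructed client flows, to show why applying it as written produces exactly what Mike reports in the final post (no internet, no FTP). ACL 102 permits only ICMP, TCP/80 and TCP/443 and then denies everything, so UDP/53 DNS lookups and TCP/21 FTP control connections from inside hosts hit the deny line. The corrected list below is an assumption for illustration: it additionally permits DNS to the two ISP resolvers named in Mike's dhcpd line and FTP control (PIX 6.x opens the FTP data connection itself through its default ftp fixup once control is allowed). Only the PIX syntax subset used in the thread is parsed (`access-list <id> permit|deny <proto> <src> <dst> [eq <port>]`), the flow list and the 203.0.113.x destinations are constructed, and the model covers transit traffic through the inside interface only; pings to or from the PIX's own interfaces are governed by the separate `icmp` command in PIX 6.x, not by these lists.

```python
"""First-match evaluation of PIX-style access lists over sample flows.
Added example (not from the thread); parses only the syntax subset
used in the thread and uses constructed flows."""
import ipaddress

# Port names appearing in the thread's lists, plus those the flows need.
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ftp": 21, "smtp": 25}


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'net mask'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_acl(text):
    """Return {acl_id: [(action, proto, src, dst, dport, raw), ...]} in order."""
    acls = {}
    for raw in text.strip().splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        acl_id, action, proto = t[1], t[2].lower(), t[3].lower()
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dport = None
        if len(rest) >= 2 and rest[0] == "eq":
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        acls.setdefault(acl_id, []).append((action, proto, src, dst, dport, raw.strip()))
    return acls


def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """First matching entry wins; an ACL that matches nothing denies (implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port, raw in entries:
        if p not in ("ip", proto):
            continue
        if s not in src or d not in dst:
            continue
        if port is not None and port != dport:
            continue
        return action, raw
    return "deny", "<implicit deny>"


# ACL 102 exactly as proposed in the thread.
THREAD_ACL_102 = """
access-list 102 permit icmp any any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq https
access-list 102 deny ip any any log
"""

# Corrected list (assumption, not from the thread): DNS to the ISP resolvers
# from the dhcpd line and FTP control, keeping the logged final deny.
FIXED_ACL_102 = """
access-list 102 permit icmp any any
access-list 102 permit udp any host 64.65.208.6 eq domain
access-list 102 permit udp any host 64.65.196.6 eq domain
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq https
access-list 102 permit tcp any any eq ftp
access-list 102 deny ip any any log
"""

# Constructed flows from the test PC 192.168.1.35; 203.0.113.x are placeholders.
FLOWS = [
    ("dns",   "udp",  "192.168.1.35", "64.65.208.6",   53),
    ("http",  "tcp",  "192.168.1.35", "203.0.113.10",  80),
    ("https", "tcp",  "192.168.1.35", "203.0.113.10", 443),
    ("ftp",   "tcp",  "192.168.1.35", "203.0.113.21",  21),
    ("ping",  "icmp", "192.168.1.35", "216.153.252.1", None),
]


def check_flows(acl_text, acl_id="102"):
    """Map each sample flow name to the action the named ACL takes on it."""
    entries = parse_acl(acl_text)[acl_id]
    return {name: evaluate(entries, proto, s, d, port)[0]
            for name, proto, s, d, port in FLOWS}


if __name__ == "__main__":
    for label, text in (("as posted", THREAD_ACL_102), ("corrected", FIXED_ACL_102)):
        print(f"{label:10s} {check_flows(text)}")
```

Running it shows `dns` and `ftp` denied under the list as posted and permitted under the corrected one, while `http`, `https` and `ping` pass in both. The practical lesson is the one the thread ends on: an outbound list with a final `deny ip any any` is a good idea, but it has to enumerate every protocol the inside hosts legitimately use, DNS first of all, or the firewall takes the network offline.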
