PIX506E basic config

mark-bear
Level 1

Hi,

I am new to Firewalls and I have to configure a 506E between the production (Enterprise) network and a new test lab.

This is to ensure that any activities within the test area do not interfere with any operations on the production network.

Both the test lab and the production network are using private address ranges.

I assume I do not need to use NAT as neither address range needs to be 'hidden' from the other?

I have put the inside (secure) network towards the lab and insecure towards production network (just in case we need to VPN to outside interface across production network in the future).

We only want to allow HTTP and telnet through (in both directions, i.e. inside to outside and vice versa).

Would you have an example configuration I could use to get started?

Thanks in anticipation to somebody helping me out.

regards

Mark


6 Replies

rajinikanth
Level 3

Hi Mark,

You need to configure access-lists to allow only telnet and http.

Sample (PIX 6.x syntax is "permit tcp", and access-group only takes the "in" direction, so the list is bound inbound on each interface):

access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 23
access-group 101 in interface inside
access-group 101 in interface outside

Hope this helps

Raj

Hi Raj,

Thanks for responding.

My main issue is configuring any translations or do I not need to?

Both the inside network and the outside network are using different 10 private address ranges.

What do you think?

regards

Mark

Jon Marshall
Hall of Fame

Hi Mark

Assume test network is 192.168.5.0/24

Assume production network is 172.16.5.0/24

I appreciate you may have bigger network ranges so you can adjust the access-lists accordingly.

access-list inside_out permit tcp 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0 eq http
access-list inside_out permit tcp 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0 eq telnet
access-group inside_out in interface inside

access-list outside_in permit tcp 172.16.5.0 255.255.255.0 192.168.5.0 255.255.255.0 eq http
access-list outside_in permit tcp 172.16.5.0 255.255.255.0 192.168.5.0 255.255.255.0 eq telnet
access-group outside_in in interface outside

static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

Couple of things

1) If you are happy to have the addressing mix then no, you do not need to do NAT (although you still need the static statement above). What we do is present lab addresses as production addresses to the production users and then we NAT them back to the real address on the firewall.

2) I appreciate your point about VPN but your firewall is really the wrong way round in my opinion. You should have the inside interface facing the network you want to secure and I'm assuming your production environment is more important than your test lab?

You can do what you have done but just be aware that by default traffic can flow from a higher to a lower security level interface, so you need to be very precise with the access-list on your inside interface, which effectively says what traffic is allowed from the test lab to production.

HTH

Jon

Hi Jon,

Thanks for the comprehensive response.

Should the static statement you mentioned read:

static (inside,outside) 172.16.5.0 192.168.5.0 netmask 255.255.255.0 ???

Just two more questions if I may, both sides of the firewall are using 10 network address ranges for example:

IP range for lab is:

10.10.240.0/20

IP range for production network is:

all other 10 addresses ranges

Will this be a problem as far as the Firewall is concerned?

Final question, you mentioned in your point 1 that I don't need to NAT etc., then you go on to say "then we NAT them back to the real address on the firewall". So I'm a little confused now on this point.

Thanks for responding again

regards

Mark

Accepted Solution

Hi Mark

To cover off the static / NAT issues first.

To allow connections from a lower to higher security interface you need to have static translations.

static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

means present the 192.168.5.x network addresses to the outside (in our case production) as 192.168.5.x addresses.

It is a peculiarity of the pix that even if you don't want to NAT from one IP address to another you still need to tell the pix that you don't want to NAT, and this is what the static statement does.

(Note with Pix v7.x code this has changed quite significantly but your pix will be running 6.3 code as it is a pix 506e which can't run v7.x)

When I mentioned the bit about NATting them back on the firewall I was talking about what we do in our environment, but as I say, if it's not a problem mixing your addressing then don't worry about this. As long as none of your prod/test addressing overlaps you should be fine.

HTH

Jon

Hi Jon,

I understand now.

You have been really helpful.

Thanks again.

Mark
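Pulling the thread's pieces together, here is a complete starter configuration for the layout Mark described (inside = test lab, outside = production). This is an added example written for this page; it is not Jon's or Raj's config and was not posted in the thread. It assumes PIX 6.3 on a 506E, the lab range 10.10.240.0/20 from Mark's question, production as the rest of 10.0.0.0/8, and placeholder values for the hostname, interface addresses (10.0.0.1, 10.10.240.1) and the production-side gateway (10.0.0.254); the comment lines are for the reader. It follows Jon's advice: one identity static so the PIX does not rewrite lab addresses but still has the translation it insists on, an explicit access-list bound inbound on the inside interface because high-to-low traffic is otherwise allowed by default, and the mirror-image list inbound on outside.

```cisco
! Added example for a PIX 506E running 6.3 (not from the thread).
! inside  = test lab, 10.10.240.0/20  (security100)
! outside = production, rest of 10.0.0.0/8 (security0)
! Placeholders: hostname, 10.0.0.1 / 10.10.240.1 interface addresses, 10.0.0.254 gateway.
hostname lab-pix
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.0.0.1 255.255.255.0
ip address inside 10.10.240.1 255.255.240.0
route outside 0.0.0.0 0.0.0.0 10.0.0.254 1

! Identity static: lab hosts appear on the production side with their real addresses.
! Without a translation, 6.3 will not let production reach lab hosts at all.
static (inside,outside) 10.10.240.0 10.10.240.0 netmask 255.255.240.0

! Lab -> production: HTTP and telnet only. Bound inbound on "inside", which is where
! the default high-to-low permit would otherwise let everything out of the lab.
access-list inside_in permit tcp 10.10.240.0 255.255.240.0 10.0.0.0 255.0.0.0 eq www
access-list inside_in permit tcp 10.10.240.0 255.255.240.0 10.0.0.0 255.0.0.0 eq telnet
! Explicit deny duplicates the implicit one but gives a hit counter in "show access-list".
access-list inside_in deny ip any any
access-group inside_in in interface inside

! Production -> lab: HTTP and telnet only, bound inbound on "outside".
access-list outside_in permit tcp 10.0.0.0 255.0.0.0 10.10.240.0 255.255.240.0 eq www
access-list outside_in permit tcp 10.0.0.0 255.0.0.0 10.10.240.0 255.255.240.0 eq telnet
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Drop packets arriving on "outside" that claim a lab source address.
ip verify reverse-path interface outside

! Keep denied-connection messages (syslog 106023 is level 4) in the buffer for review.
logging on
logging buffered warnings
```

After pasting, "show access-list" confirms both lists are bound and shows hit counts on the deny lines, and "show xlate" should list the identity translation once a lab host has sent traffic. If the box is later turned around so that production is on inside, the two access-lists simply swap interfaces and the static becomes static (inside,outside) for the production range instead.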
