09-06-2007 03:15 PM - edited 03-11-2019 04:07 AM
Hi,
I am new to Firewalls and I have to configure a 506E between the production (Enterprise) network and a new test lab.
This is to ensure that any activities within the test area do not interfere with any operations on the production network.
Both the test lab and the production network are using private address ranges.
I assume I do not need to use NAT as neither address range needs to be 'hidden' from the other?
I have put the inside (secure) network towards the lab and insecure towards production network (just in case we need to VPN to outside interface across production network in the future).
We only want to allow HTTP and telnet through (in both directions, ie inside to outside and vice versa).
Would you have an example configuration I could use to get started?
Thanks in anticipation to somebody helping me out.
regards
Mark
09-06-2007 10:41 PM
Hi Mark,
You need to configure access-lists to allow only telnet and http
sample:
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq telnet
access-group 101 in interface inside
access-group 101 in interface outside
Hope this helps
Raj
09-06-2007 10:52 PM
Hi Raj,
Thanks for responding.
My main issue is configuring any translations or do I not need to?
Both the inside network and the outside network are using different 10 private address ranges.
What do you think?
regards
Mark
09-06-2007 10:50 PM
Hi Mark
Assume test network is 192.168.5.0/24
Assume production network is 172.16.5.0/24
I appreciate you may have bigger network ranges so you can adjust access-list accordingly
access-list inside_out permit tcp 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0 eq http
access-list inside_out permit tcp 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0 eq telnet
access-group inside_out in interface inside
access-list outside_in permit tcp 172.16.5.0 255.255.255.0 192.168.5.0 255.255.255.0 eq http
access-list outside_in permit tcp 172.16.5.0 255.255.255.0 192.168.5.0 255.255.255.0 eq telnet
access-group outside_in in interface outside
static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
Couple of things
1) if you are happy to have the addressing mix then no you do not need to do NAT (although you still need the static statement above). What we do is present lab addresses as production addresses to the production users and then we NAT them back to the real address on the firewall.
2) I appreciate your point about VPN but your firewall is really the wrong way round in my opinion. You should have the inside interface facing the network you want to secure and I'm assuming your production environment is more important than your test lab?
You can do what you have done but just be aware that by default traffic can flow from higher to lower level security interface so you need to be very precise with the access-list on your inside interface which effectively says what traffic is allowed from the test lab to production.
HTH
Jon
09-07-2007 02:09 AM
Hi Jon,
Thanks for comprehensive response.
Should the static statement you mentioned read:
static (inside,outside) 172.16.5.0 192.168.5.0 netmask 255.255.255.0 ???
Just two more questions if I may, both sides of the firewall are using 10 network address ranges for example:
IP range for lab is:
10.10.240.0/20
IP range for production network is:
all other 10 addresses ranges
Will this be a problem as far as the Firewall is concerned?
Final question, you mentioned in your point 1 I don't need to NAT etc, then you go on to say "then we NAT them back to the real address on the firewall". So I'm a little confused now on this point.
Thanks for responding again
regards
mark
09-07-2007 03:01 AM
Hi Mark
To cover off the static / NAT issues first.
To allow connections from a lower to higher security interface you need to have static
translations.
static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
means present the 192.168.5.x network addresses to the outside (in our case production)
as 192.168.5.x addresses.
It is a peculiarity of the pix that even if you don't want to NAT from one IP address to
another you still need to tell the pix that you don't want to NAT and this is what the
static statement does.
(Note with Pix v7.x code this has changed quite significantly but your pix will be running
6.3 code as it is a pix 506e which can't run v7.x)
When I mentioned the bit about NATting them back on the firewall I was talking about
what we do in our environment but as i say if it's not a problem mixing your addressing
then don't worry about this. As long as none of your prod/test addressing overlaps you
should be fine.
HTH
Jon
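Pulling Jon's advice together for the ranges Mark actually has (lab 10.10.240.0/20 on the inside, the rest of 10.0.0.0/8 on the production side), the following is an added example of a minimal PIX 6.3 configuration and is not taken from any post in this thread. The interface names, security levels, the firewall's own addresses and the production gateway address are assumptions; only the lab range and the two permitted services come from the thread.

```cisco
! Added example, not from the thread. PIX 6.3 syntax, with the 506E placed as
! Mark has it (inside = test lab, outside = production).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! Assumed interface addresses; the lab range 10.10.240.0/20 is Mark's.
ip address outside 10.1.1.1 255.255.255.0
ip address inside 10.10.240.1 255.255.240.0
! Identity static: present lab hosts to production under their real addresses.
! Without a static, nothing from the lower-security production side can reach the lab,
! which is the PIX 6.x peculiarity Jon describes.
static (inside,outside) 10.10.240.0 10.10.240.0 netmask 255.255.240.0
! Lab -> production: only HTTP and telnet. Binding an ACL to the inside interface is
! what replaces the default "higher to lower is allowed" behaviour; everything not
! listed is dropped by the implicit deny at the end of the list.
access-list inside_out permit tcp 10.10.240.0 255.255.240.0 10.0.0.0 255.0.0.0 eq www
access-list inside_out permit tcp 10.10.240.0 255.255.240.0 10.0.0.0 255.0.0.0 eq telnet
access-group inside_out in interface inside
! Production -> lab: only HTTP and telnet, and only to lab addresses.
access-list outside_in permit tcp 10.0.0.0 255.0.0.0 10.10.240.0 255.255.240.0 eq www
access-list outside_in permit tcp 10.0.0.0 255.0.0.0 10.10.240.0 255.255.240.0 eq telnet
access-group outside_in in interface outside
! The remainder of 10.0.0.0/8 lives on the production side; the directly connected
! 10.10.240.0/20 wins on longest match. Gateway address is assumed.
route outside 10.0.0.0 255.0.0.0 10.1.1.254 1
```

Because the lab keeps its real addresses, the production network's routers must also have a route for 10.10.240.0/20 pointing at the PIX outside address (10.1.1.1 in this example), otherwise return traffic never comes back through the firewall.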
09-07-2007 04:27 AM
Hi Jon,
I understand now.
You have been really helpful.
Thanks again.
Mark