Cisco PIX 501

MUXAHMUXAH2
Level 1

Hello.

I bought a PIX 501 a week ago and have been trying to configure it since then; it looks like I need some help.

The question is:

I have an ISP RJ45 wire with single Global IP on it.

I have a LAN 192.168.1.0/24

I do not have a Cisco (or any other) router.

So is it possible to let LAN users access the internet with all of the above?

Thank you in advance.

Mr. Brooks.

13 Replies

jkrawczyk
Level 1

Hi Mr. Brooks,

The below should do it for you. I run 7.2, and your 501 can't run a higher version train than 6.x, so you may need to remove the 'extended' from the commands below. Don't worry about the 'deny ip any any' statement in the outside-in access list, because traffic going outside will have access on the return via the inspection rule set.

access-list WWW extended remark Regulate access to the Internet
access-list WWW extended permit ip object-group LAN any
access-list outside-in extended deny ip any any
object-group network LAN
description Allow these inside networks access to the internet
network-object 192.168.1.0 255.255.255.0
access-group outside-in in interface outside
global (outside) 10 interface
nat (inside) 10 access-list WWW

By default, the PIX 501 has DHCP enabled and will acquire the public IP and gateway information from your ISP.

Your internal hosts will also receive DHCP 192.168.1.0/24 addresses, etc. from the PIX.

You don't need a router.

http://www.cisco.com/en/US/docs/security/pix/pix63/quick/guide/63_501qk.html

Thanks for the quick reply.

It still does not work.

But I guess it is not because of your config - I think it is something with the routing tables...

pixfw(config)# sh route
outside "the network name IP" 255.255.252.0 "My Global IP" 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static

I will go ask about it in ROUTING part of forum.

Anyway thank you.

BR, Mr Brooks

Hi, you need to configure NAT also.

Hi!

global (outside) 10 interface
nat (inside) 10 access-list WWW

like in the previous message?

mariusz.pianka
Level 1

It is possible; I have such a configuration set up in my office.

I believe this is a blank config, so you start from:

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
global 1 interface
nat 1 192.168.1.0 255.255.255.0

If your public ISP address is assigned dynamically, you have to specify:

ip address outside dhcp setroute

Then you must either enable DHCP on the inside interface with a DNS server or specify it manually, and you're done.

ICMP (Ping) is blocked by default; it can actually leave the interface, but the reply coming back through the outside interface is blocked.

Hope it helps.

I have a different problem now though .. :|

Yeah, I saw.

Thanks for help.

Could you show the result of "sh route" on your PIX501?

PIX501# show route
outside 0.0.0.0 0.0.0.0 79.97.15.1 1 DHCP static
outside 79.97.15.0 255.255.255.0 79.97.15.170 1 CONNECT static
inside 172.30.10.0 255.255.255.0 172.30.10.1 1 CONNECT static

Thx.

Stuck anyway. :(

I did get it to work, so will you :)

Let's go step by step.

Could you paste your config?

Thanx Mariusz :)

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfw
domain-name mydomain
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network LAN
description Allow this inside network access to the internet
network-object 192.168.1.0 255.255.255.0
access-list WWW remark Regulate access to Internet
access-list WWW permit ip object-group LAN any
access-list outside-in permit icmp any any
access-list outside-in permit ip any any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.208.149.44 255.255.252.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 10.208.148.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.248.21
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain mydomain
dhcpd enable inside
terminal width 80
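As an added check, not from this thread or from Cisco, the following Python script reads a PIX 6.x style running-config like the one posted above and reports the items this thread ends up chasing: a nat id without a matching global pool, a missing default route (static or via dhcp setroute), an access list applied inbound on outside that permits ip any any, and the default SNMP community. The sample config is constructed as an abridged copy of the listing above.

```python
import re

# Constructed sample: an abridged version of the PIX 6.3(5) listing posted
# in this thread (passwords, timeouts and fixups omitted).
SAMPLE_CONFIG = """\
access-list outside-in permit icmp any any
access-list outside-in permit ip any any
icmp permit any outside
ip address outside 10.208.149.44 255.255.252.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 10.208.148.1 1
snmp-server community public
"""

def audit_pix_config(config: str) -> list:
    """Return a list of findings for a PIX 6.x running-config given as one string."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # Every 'nat (inside) N' needs a 'global (outside) N' pool, except id 0
    # (identity NAT, which translates nothing).
    nat_ids = {m.group(1) for ln in lines
               if (m := re.match(r"nat \(\w+\) (\d+) ", ln)) and m.group(1) != "0"}
    global_ids = {m.group(1) for ln in lines
                  if (m := re.match(r"global \(\w+\) (\d+) ", ln))}
    if not nat_ids:
        findings.append("no nat statement: inside hosts are not translated")
    for nat_id in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nat_id} has no matching global pool")

    # A default route comes from a static 'route outside 0.0.0.0 0.0.0.0 ...'
    # or from 'ip address outside dhcp setroute'.
    has_default = any(ln.startswith("route outside 0.0.0.0 0.0.0.0 ") for ln in lines) \
        or any(ln.startswith("ip address outside dhcp") and "setroute" in ln for ln in lines)
    if not has_default:
        findings.append("no default route on outside")

    # An ACL applied inbound on outside should not open everything.
    inbound = {m.group(1) for ln in lines
               if (m := re.match(r"access-group (\S+) in interface outside", ln))}
    for acl in sorted(inbound):
        if f"access-list {acl} permit ip any any" in lines:
            findings.append(f"ACL {acl} on outside permits ip any any inbound")

    if "snmp-server community public" in lines:
        findings.append("SNMP community is the default 'public'")
    return findings
```

Running audit_pix_config(SAMPLE_CONFIG) reports the open inbound ACL and the default SNMP community; the NAT/global pair and default route in the posted config pass.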

I applied your config to my PIX with two changes.

1. I do not specify the outside IP address manually; I type "ip address outside dhcp setroute". You can try with a manual IP, but type the SETROUTE word at the end.

2. The internet did not work until I took off all access-lists and added a different NAT command.

Try:

"nat 1 0.0.0.0 0.0.0.0"

So, I took your access-lists away completely, changed the NAT command, and added SETROUTE to the outside interface.

Try this and let me know.

I just checked again and there is no command to add a manual IP address and setroute.

What I had to do is

0.0.0.0 0.0.0.0 and the IP address of my ISP's default gateway.

My IP address from the ISP is 79.97.15.170 but the default gateway is 79.97.15.1.

So you have to find out the IP address of your ISP gateway and set the default route.

ok,

1. I have nat (inside) 1 0.0.0.0 0.0.0.0 0 0

2. I cleared ALL access lists

3. And I had a default route -

route outside 0.0.0.0 0.0.0.0 gate of my isp 10.208.148.1

Nothing changed.

I have ICMP permit inside and outside, but I still cannot even ping my outside interface... I am starting to panic... :)
