10-31-2009 05:18 PM - edited 03-11-2019 09:35 AM
Hello.
I bought a PIX 501 a week ago and have been trying to configure it since then; it looks like I need some help.
The question is:
I have an ISP RJ45 cable with a single global IP on it.
I have a LAN 192.168.1.0/24
I do not have a Cisco (or any other) router.
So is it possible to let LAN users access the internet with everything written above?
Thank you in advance.
Mr. Brooks.
10-31-2009 06:37 PM
Hi Mr. Brooks,
The below should do it for you. I run 7.2 and your 501 can't run a higher version train than 6.x, so you may need to remove the 'extended' from the commands below. Don't worry about the 'deny ip any any' statement in the outside-in access list, because traffic going outside will be allowed back in on the return by the inspection rule set.
access-list WWW extended remark Regulate access to the Internet
access-list WWW extended permit ip object-group LAN any
access-list outside-in extended deny ip any any
object-group network LAN
description Allow these inside networks access to the internet
network-object 192.168.1.0 255.255.255.0
access-group outside-in in interface outside
global (outside) 10 interface
nat (inside) 10 access-list WWW
By default, the PIX 501 has DHCP enabled and will acquire the public IP and gateway information from your ISP.
Your internal hosts will also receive DHCP 192.168.1.0/24 addresses, etc. from the PIX.
You don't need a router.
http://www.cisco.com/en/US/docs/security/pix/pix63/quick/guide/63_501qk.html
11-01-2009 02:19 AM
Thanks for quick reply.
It still does not work.
But I guess it is not because of your config; I think it is something with the routing tables...
pixfw(config)# sh route
outside "the network name IP" 255.255.252.0 "My Global IP" 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
I will go ask about it in ROUTING part of forum.
Anyway thank you.
BR, Mr Brooks
11-01-2009 08:40 AM
Hi, you need to configure NAT as well.
11-01-2009 12:04 PM
Hi!
global (outside) 10 interface
nat (inside) 10 access-list WWW
like in the previous message?
11-01-2009 03:37 PM
It is possible; I have such a configuration set up in my office.
I believe you have a blank config, so you start from:
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
global 1 interface
nat 1 192.168.1.0 255.255.255.0
If your public ISP address is assigned dynamically you have to specify:
ip address outside dhcp setroute
Then you must either enable DHCP on the inside interface with a DNS server, or specify it manually, and you're done.
ICMP (ping) is blocked by default: it can actually leave the interface, but the reply coming back through the outside interface is blocked.
Hope it helps.
I have a different problem now though .. :|
11-02-2009 12:34 AM
Yeah, I saw.
Thanks for help.
Could you show the result of "sh route" on your PIX501?
11-02-2009 10:28 AM
PIX501# show route
outside 0.0.0.0 0.0.0.0 79.97.15.1 1 DHCP static
outside 79.97.15.0 255.255.255.0 79.97.15.170 1 CONNECT static
inside 172.30.10.0 255.255.255.0 172.30.10.1 1 CONNECT static
11-02-2009 11:47 AM
Thx.
Stuck anyway. :(
11-03-2009 01:32 AM
I did get it to work, so will you :)
Let's go step by step.
Could you paste your config?
11-03-2009 07:54 AM
Thanks Mariusz :)
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfw
domain-name mydomain
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network LAN
description Allow these inside networks access to the internet
network-object 192.168.1.0 255.255.255.0
access-list WWW remark Regulate access to Internet
access-list WWW permit ip object-group LAN any
access-list outside-in permit icmp any any
access-list outside-in permit ip any any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.208.149.44 255.255.252.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 10.208.148.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.248.21
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain mydomain
dhcpd enable inside
terminal width 80
11-03-2009 02:11 PM
I applied your config to my PIX with two changes.
1. I do not specify the outside IP address manually; I type "ip address outside dhcp setroute". You can try with a manual IP, but type the SETROUTE word at the end.
2. The internet did not work until I took off all access-lists and added a different NAT command.
Try:
"nat 1 0.0.0.0 0.0.0.0"
So I took your access-lists away completely, changed the NAT command, and added SETROUTE to the outside interface.
Try this and let me know.
11-03-2009 02:31 PM
I just checked again and there is no command to add a manual IP address and setroute.
What I had to do is:
0.0.0.0 0.0.0.0 and the IP address of my ISP's default gateway.
My IP address from the ISP is 79.97.15.170, but the default gateway is 79.97.15.1.
So you have to find out the IP address of your ISP's gateway and set the default route.
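As an added example (not code from this thread, from Cisco, or from any of the posters): a small Python audit that reads the security-relevant lines of the PIX 6.3(5) config pasted earlier in the thread and checks the points the replies keep circling: that a default route exists and its next hop actually sits on the outside interface's subnet (the gateway question raised just above), that every `nat` ID has a matching `global`, that the ACL applied inbound on the outside interface does not `permit ip any any`, and that the SNMP community is not the default `public`. The function names `parse_pix_config` and `audit` are mine, and the embedded config sample is constructed from the lines in that post.

```python
import ipaddress
import re

# Constructed sample: the security-relevant lines from the PIX 6.3(5) config
# pasted in the thread (interface addresses, NAT/PAT, ACLs, default route, SNMP).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list WWW remark Regulate access to Internet
access-list WWW permit ip object-group LAN any
access-list outside-in permit icmp any any
access-list outside-in permit ip any any
ip address outside 10.208.149.44 255.255.252.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 10.208.148.1 1
snmp-server community public
"""


def parse_pix_config(text):
    """Pull the lines the audit needs out of a PIX 6.x running-config (helper written for this example)."""
    cfg = {"ip": {}, "global": {}, "nat": [], "acl": {},
           "access_group": {}, "routes": [], "snmp_community": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            # IPv4Interface accepts a dotted netmask, so "10.208.149.44/255.255.252.0" parses as-is
            cfg["ip"][m[1]] = ipaddress.IPv4Interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)", line):
            cfg["global"].setdefault(int(m[2]), []).append((m[1], m[3]))
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            cfg["nat"].append((m[1], int(m[2]), m[3], m[4]))
        elif m := re.match(r"access-list (\S+) (permit|deny) (\S+) (.*)$", line):
            cfg["acl"].setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["access_group"][m[2]] = m[1]
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            cfg["routes"].append((m[1], ipaddress.IPv4Network(f"{m[2]}/{m[3]}"),
                                  ipaddress.IPv4Address(m[4])))
        elif m := re.match(r"snmp-server community (\S+)", line):
            cfg["snmp_community"] = m[1]
    return cfg


def audit(cfg):
    """Return a list of human-readable findings; an empty list means all four checks passed."""
    findings = []
    # 1. Default route present, and its next hop reachable on the interface it points out of.
    defaults = [r for r in cfg["routes"] if r[1].prefixlen == 0]
    if not defaults:
        findings.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 <isp-gateway> 1' "
                        "or use 'ip address outside dhcp setroute'")
    for ifname, _, gw in defaults:
        outside = cfg["ip"].get(ifname)
        if outside is None:
            findings.append(f"default route via {ifname} but {ifname} has no static address "
                            "(fine only if that interface gets its address via DHCP)")
        elif gw not in outside.network:
            findings.append(f"default gateway {gw} is not on {ifname} subnet {outside.network}: "
                            "the PIX can never ARP for it, so nothing leaves")
    # 2. Every nat ID must be paired with a global on some interface, or no translation is built.
    for ifname, nat_id, _local, _mask in cfg["nat"]:
        if nat_id not in cfg["global"]:
            findings.append(f"nat ({ifname}) {nat_id} has no matching 'global (...) {nat_id}' statement")
    # 3. An ACL applied inbound on an interface must not be a blanket permit ip any any.
    for ifname, acl_name in cfg["access_group"].items():
        for action, proto, rest in cfg["acl"].get(acl_name, []):
            if action == "permit" and proto == "ip" and rest.startswith("any any"):
                findings.append(f"ACL {acl_name} on {ifname} permits ip any any inbound: "
                                "list the specific services you need, then end with deny ip any any")
                break
    # 4. Default SNMP community strings are guessable by anyone who can reach the box.
    if cfg["snmp_community"] in ("public", "private"):
        findings.append(f"SNMP community '{cfg['snmp_community']}' is a default value: "
                        "change it or remove it with 'no snmp-server community'")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_pix_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the pasted config, the gateway check passes (10.208.148.1 lies inside 10.208.148.0/22, the subnet of the outside address 10.208.149.44/255.255.252.0) and the nat/global pair is consistent, so the audit reports only the inbound `permit ip any any` and the default SNMP community; change the gateway to one outside that /22, or drop the `global` line, and the corresponding routing or NAT finding appears instead.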
11-04-2009 10:55 AM
OK,
1. I have nat (inside) 1 0.0.0.0 0.0.0.0 0 0
2. I cleared ALL access lists
3. And I had a default route:
route outside 0.0.0.0 0.0.0.0 10.208.148.1 (the gateway of my ISP)
Nothing changed.
I have ICMP permitted inside and outside, but I still cannot even ping my outside interface... I am starting to panic... :)