Please check my configured PIX 506e.

Unanswered Question
Jul 22nd, 2010

small_diagram.png

Above is a simple diagram of my network.
The background of my work is:

1. Replace the firewall from a Watchguard III 700 with a spare PIX 506e.

2. I have 8 public IP addresses from the ISP. Only one IP address has a registered PTR, so I have to use that one for PAT and my mail server.

3. I have to set up port forwarding from outside to the inside servers: the Exchange 2007 server and the OpenVPN server.

4. I have to set up the firewall to route from the IP-PBX server to some IP-PBX devices.

I am a firewall novice. I have just read the Cisco website and some other websites.

Here is my configuration. Please take a look and give me some comments.

1. nameif ethernet0 outside security0

2. nameif ethernet1 inside security100

3. interface ethernet0 100full

4. interface ethernet1 100full

5. ip address outside 1.1.1.1 255.255.255.0

6. ip address inside 10.8.4.2 255.255.255.0


NAT+PAT configuration

7. nat (inside) 1 10.0.0.0 255.0.0.0

8. global (outside) 1 1.2.3.4

9. access-list OUTBOUND permit tcp 10.0.0.0 255.0.0.0 any eq www

10. access-list OUTBOUND deny tcp any any eq www

11. access-list OUTBOUND permit ip any any

12. access-group OUTBOUND in interface inside

Port forwarding from outside to inside

13. static (inside,outside) tcp 1.2.3.4 smtp 10.8.1.4 smtp netmask 255.255.255.255

14. static (inside,outside) tcp 1.2.3.4 443 10.8.1.4 443 netmask 255.255.255.255

15. static (inside,outside) udp 1.2.3.5 1194 10.8.1.5 1194 netmask 255.255.255.255

16. access-list INBOUND permit tcp any host 10.8.1.4 netmask 255.255.255.255 eq smtp

17. access-list INBOUND permit tcp any host 10.8.1.4 netmask 255.255.255.255 eq 443

18. access-list INBOUND permit udp any host 10.8.1.5 netmask 255.255.255.255 eq 1194

19. access-group INBOUND in interface outside (Is this right?)

Route to the default gateway

20. route outside 0.0.0.0 0.0.0.0 1.2.3.6

Routes for some IP-PBX devices

21. route inside 10.9.0.0 255.255.0.0 10.8.4.254 255.255.255.255

22. route inside 192.168.21.0 255.255.255.0 10.8.4.254 255.255.255.255

23. route inside 192.168.20.0 255.255.0.0 10.8.4.253 255.255.255.255

24. route inside 192.168.21.0 255.255.255.0 10.9.5.254 255.255.255.255

25. route inside 192.168.20.0 255.255.0.0 10.9.5.254 255.255.255.255

That's all. I have not tried it in the real environment yet.

My problem is with 16-19. I cannot apply these access lists.

Another problem is with 22 and 24: the PIX cannot route the same IP address range to another gateway.

Thanks in advance.

Jennifer Halim Thu, 07/22/2010 - 02:42

A few suggestions to look into:

- Your point 8 and points 13 & 14 are using the same external IP address of 1.2.3.4, which is overlapping. I would suggest that for point 8 you either use another spare IP address, or alternatively use the outside interface IP address as follows:

global (outside) 1 interface

- For points 16, 17 and 18, you would need to configure the ACL to point to the public IP address instead of the private IP address, as follows:

access-list INBOUND permit tcp any host 1.2.3.4 eq smtp

access-list INBOUND permit tcp any host 1.2.3.4 eq 443

access-list INBOUND permit udp any host 1.2.3.5 eq 1194

- Points 24 and 25 are incorrect. You won't be able to route traffic towards an IP address which is not in the same subnet as your inside interface. Not too sure what you are trying to achieve. Points 22 and 23 are already correct. If you would like to route the 192.168.21.0/24 and 192.168.20.0/24 subnets further, that needs to be configured on the downstream routers (the 10.8.4.254 and 10.8.4.253 routers).

- Lastly, the IP addresses on the diagram don't really correspond to the configuration IP addresses (for the inside network). Hope that is only typos.

The rest of the configuration looks good to me.

Hope that helps.
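The poster's configuration with the corrections from the reply above folded in, as an added example by the editor (it is not part of either post). It keeps the poster's placeholder addresses: the outside interface 1.1.1.1/24, the 1.2.3.x public addresses and the 1.2.3.6 default gateway, which in a real deployment must all come from the ISP's block of eight addresses (one /29). Three things go beyond the reply and are the editor's assumptions: the Exchange server gets a one-to-one static on 1.2.3.4 instead of the two port statics, so that once general PAT moves to the interface address its outbound SMTP still comes from the address that has the PTR record; the trailing `255.255.255.255` is dropped from the `route` lines, because PIX `route` takes `interface network mask gateway [metric]` and not a second mask; and the mask on the 192.168.20.0 route is 255.255.255.0, matching the /24 the reply refers to. The outside ACL names the public (mapped) addresses because PIX 6.x evaluates an inbound ACL before it untranslates the destination, and `netmask` is not an `access-list` keyword, which is why lines 16-18 as posted are rejected. Lines beginning with `!` are annotations for the reader.

```text
! PIX 506E, PIX OS 6.3 syntax.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100full
interface ethernet1 100full
ip address outside 1.1.1.1 255.255.255.0
ip address inside 10.8.4.2 255.255.255.0

! --- Outbound NAT/PAT -------------------------------------------------
! Everything from 10.0.0.0/8 is PATed behind the outside interface
! address (the reply's suggestion), so it no longer overlaps the statics.
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface

! --- Exchange 2007: one-to-one static on the address with the PTR ------
! Editor's assumption, not from the thread: outbound mail from 10.8.1.4
! sources from 1.2.3.4; inbound exposure is still limited by INBOUND
! to 25/tcp and 443/tcp.  This replaces port statics 13 and 14.
static (inside,outside) 1.2.3.4 10.8.1.4 netmask 255.255.255.255 0 0

! --- OpenVPN: port-only static on a second public address --------------
static (inside,outside) udp 1.2.3.5 1194 10.8.1.5 1194 netmask 255.255.255.255 0 0

! --- Inbound ACL: destinations are the MAPPED (public) addresses ------
access-list INBOUND permit tcp any host 1.2.3.4 eq smtp
access-list INBOUND permit tcp any host 1.2.3.4 eq 443
access-list INBOUND permit udp any host 1.2.3.5 eq 1194
access-group INBOUND in interface outside

! --- Outbound ACL (unchanged from the post) ---------------------------
! Only 10.0.0.0/8 may reach port 80: the 192.168.20.0/24 and
! 192.168.21.0/24 networks behind the inside routers are denied web
! and allowed everything else by the final permit.  Widen the first
! line if that is not intended.
access-list OUTBOUND permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list OUTBOUND deny tcp any any eq www
access-list OUTBOUND permit ip any any
access-group OUTBOUND in interface inside

! --- Routes -----------------------------------------------------------
! route <if> <network> <mask> <gateway> [metric]; the gateway must sit
! on the named interface's subnet (with real addresses 1.2.3.6 is in
! the outside subnet).  Posted lines 24 and 25 (next hop 10.9.5.254)
! cannot be entered here and belong on the 10.8.4.254 router instead.
route outside 0.0.0.0 0.0.0.0 1.2.3.6 1
route inside 10.9.0.0 255.255.0.0 10.8.4.254 1
route inside 192.168.21.0 255.255.255.0 10.8.4.254 1
route inside 192.168.20.0 255.255.255.0 10.8.4.253 1

! Editor's caveat, outside the thread: the default SMTP fixup
! (Mailguard) limits a session to the basic RFC 821 commands, which
! interferes with ESMTP; it is usually disabled for Exchange behind
! PIX 6.x.  The server then has to do its own SMTP hardening.
no fixup protocol smtp 25
```

After loading it, `show xlate` should list the 1.2.3.4 and 1.2.3.5 translations, `show access-list INBOUND` shows hit counts climbing as connections arrive from outside, and `show route` must list only the four routes above; if the default route is rejected, the outside interface address and the gateway are not in the same subnet, which the placeholder addresses in the post do not satisfy.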

t.techasakul Thu, 07/22/2010 - 19:24

Thank you halijenn.

Actually, nos. 13 and 14 are okay. I can configure them to use the same IP as PAT. And I will use the ACL that you wrote.

For 24 and 25, I still don't understand why the previous technician put them in the Watchguard.

Thanks again.
