
Configuring PIX for 4-Port Ethernet Card

Oct 30th, 2002

Hi,

We have a PIX 515E Firewall with a 4-Port Ethernet Module installed. The DMZ machines are supposed to be connected to the Ethernet Module.

Let's say our Public address space is x.x.x.1-62.

The outside interface of the PIX is configured with x.x.x.2.

I want to configure the Web, Mail etc. DMZ servers directly with addresses from our Public Address Space: x.x.x.3, x.x.x.4 etc.

How can I do that?

Is it possible to use the Interfaces on the Card as unnumbered?

How would the PIX know that a particular address can be reached through a specific interface? Do I need to define "static routes"?

Is there a document that has a sample config / scenario for using a 4-Port Ethernet card with a PIX?

Thanks, Naman



steve.barlow Wed, 10/30/2002 - 16:46

1) Allow outside to access your DMZ servers:

static (DMZ,outside) x.x.x.3 192.168.7.13 netmask 255.255.255.255 0 0
static (DMZ,outside) x.x.x.4 192.168.7.7 netmask 255.255.255.255 0 0
access-list 101 permit tcp any host x.x.x.3 eq www
access-list 101 permit tcp any host x.x.x.4 eq smtp
access-group 101 in interface outside


Where x.x.x.3 is your web server, x.x.x.4 is your mail server.


2) The PIX can't use ip unnumbered; it's not a router.


3) If the destination isn't a directly connected subnet, then yes, you need a static route, e.g.:

route outside 0.0.0.0 0.0.0.0 x.x.x.1
route inside 172.16.50.0 255.255.255.0 10.99.0.1 1


4) Look here for PIX examples in different situations: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html


Hope it helps.

Steve


gfullage Wed, 10/30/2002 - 16:56

This is just a basic PIX config with multiple DMZ interfaces. You need to first give the DMZ interface a subnet and an IP address specifically. This can be anything really, but usually you'd use a private IP subnet like 10.x.x.x or 172.16.x.x or something like that. So, you'll use the command:


> ip address dmz 10.1.1.1 255.255.255.0


Note that "dmz" is the name of the interface, which you can specify using the "nameif" command; you'll see these at the top of your PIX config. The interface names will default to pix/intfx unless you change them to something more meaningful to you.


Then you can put your hosts on this segment and give them 10.1.1.x IP addresses, with a default gateway of 10.1.1.1 (the PIX interface).


Then to allow traffic from the outside to a DMZ interface, you need a static and an access-list. Something like the following:

> static (dmz,outside) x.x.x.3 10.1.1.3 netmask 255.255.255.255 0 0
> static (dmz,outside) x.x.x.4 10.1.1.4 netmask 255.255.255.255 0 0
> access-list inbound permit tcp any host x.x.x.3 eq smtp
> access-list inbound permit tcp any host x.x.x.4 eq www
> .......
> access-group inbound in interface outside


The static commands map the 10.1.1.x address of your smtp/www hosts to the global addresses, and the access-list allows "any" Internet host to connect through to them.


This is the basic document you want to read to get a good understanding of traffic flow through the PIX in different directions (http://www.cisco.com/warp/public/707/28.html).


This document deals more specifically with allowing traffic through to a DMZ-connected host (http://www.cisco.com/warp/public/110/mailserver_dmz.html).
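Both answers above rely on the same three pieces, a static translation, an access-list entry for the global address, and an access-group binding the list to the outside interface, and a mismatch between them is the usual reason a DMZ server is either unreachable or far more exposed than intended. The following audit script is an added editor's example, not code from either poster or from Cisco: it parses static / access-list / access-group lines of the shape shown in the two answers and reports, per DMZ server, which ports the outside ACL exposes, flagging a static with no matching permit and any permit wider than a single TCP/UDP port. The sample config is constructed, with 192.0.2.0/24 (documentation space) standing in for the x.x.x addresses; the interface name, the third server and the "permit ip" line are assumptions added so the checks have something to report.

```python
import re
from collections import defaultdict

# Constructed sample config modelled on the static/access-list/access-group lines
# in the answers above. 192.0.2.0/24 stands in for x.x.x; the third static and the
# "permit ip" entry are deliberate mistakes for the audit to catch.
SAMPLE_CONFIG = """\
nameif ethernet2 dmz security50
ip address dmz 10.1.1.1 255.255.255.0
static (dmz,outside) 192.0.2.3 10.1.1.3 netmask 255.255.255.255 0 0
static (dmz,outside) 192.0.2.4 10.1.1.4 netmask 255.255.255.255 0 0
static (dmz,outside) 192.0.2.5 10.1.1.5 netmask 255.255.255.255 0 0
access-list inbound permit tcp any host 192.0.2.3 eq smtp
access-list inbound permit tcp any host 192.0.2.4 eq www
access-list inbound permit ip any host 192.0.2.4
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.2.1
"""

# Only the syntax shapes used on this page are parsed: one-to-one statics, and ACL
# entries whose source is "any" or "host A.B.C.D" and whose destination is one host.
STATIC_RE = re.compile(
    r"^static \((?P<high>[^,]+),(?P<low>[^)]+)\) (?P<global>\S+) (?P<local>\S+) "
    r"netmask (?P<mask>\S+)")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+) host (?P<dst>\S+)(?: eq (?P<port>\S+))?$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)")


def parse_config(text):
    """Return (statics, acls, bindings) pulled out of a PIX config fragment."""
    statics, acls, bindings = [], defaultdict(list), {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            acls[m.group("name")].append(m.groupdict())
        elif m := GROUP_RE.match(line):
            bindings[m.group("iface")] = m.group("name")
    return statics, dict(acls), bindings


def audit(text):
    """For each static, list what the ACL bound to its low-security interface exposes.

    Two failure modes are flagged: a static with no permit at all (the server is
    unreachable from outside, usually a typo in the global address) and a permit
    broader than a single TCP/UDP port, e.g. "permit ip any host", which opens
    every service on the host rather than just the one being published.
    """
    statics, acls, bindings = parse_config(text)
    report = {}
    for s in statics:
        acl_name = bindings.get(s["low"])
        entries = [e for e in acls.get(acl_name, [])
                   if e["action"] == "permit" and e["dst"] == s["global"]]
        notes = []
        for e in entries:
            if e["proto"] in ("tcp", "udp") and e["port"]:
                notes.append(f"exposed {e['proto']}/{e['port']} from {e['src']} to {s['local']}")
            else:
                notes.append(f"OVERLY PERMISSIVE: {acl_name} permits all {e['proto']} "
                             f"from {e['src']} to {s['local']}")
        if not entries:
            notes.append(f"UNREACHABLE: no permit for {s['global']} in ACL bound to {s['low']}")
        report[s["global"]] = notes
    return report


if __name__ == "__main__":
    for global_ip, notes in audit(SAMPLE_CONFIG).items():
        print(global_ip)
        for note in notes:
            print("   ", note)
```

Run against a real `write terminal` dump, the script only recognises the line forms above; any static with a subnet mask other than 255.255.255.255, or an ACL entry using a source network rather than `any`/`host`, is silently skipped, so extend the regexes before trusting a clean report from a larger config.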
