connecting firewall behind 801, Urgent help required

shoebwk · ‎07-02-2003

I have a 801 router configured to internet, so lAN pc can connect to the internet. Detail IOS is below

This setup is temporary, because now i have to connect a firewall pix 506E behind the router with users accessing the net through firewall.

I think the Eo IP of the router will now change to 213.x.x.b & external IP will now change to 213.x.x.c with BRI0 remaining unchanged i.e. 213.x.x.a. Also now the gateway for the LAN PC will be same i.e. 192.168.1.100 which will now be PIX internal IP.

Though its my first interaction with PIX, I am pasting he final IOS. Related to this if anybody can send the basic configuration to setup the PIX up & running. so that users can connect to the internet behind the firewall

Thanks a Lot

Best regards

shoeb

====================IOS==========================

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname dxb2000

!

enable secret xxxxxx

!

ip subnet-zero

!

no ip domain-lookup

isdn switch-type basic-net3

!

interface Ethernet0

ip address 192.168.1.100 255.255.255.0

ip nat inside

no cdp enable

!

interface BRI0

no ip address

encapsulation ppp

dialer pool-member 1

isdn switch-type basic-net3

no cdp enable

ppp authentication pap callin

!

interface Dialer1

description CONNECTION TO INTERNET

ip address 213.x.x.a 255.255.255.248

ip nat outside

encapsulation ppp

dialer pool 1

dialer idle-timeout 0

dialer string 4004444

dialer persistent

dialer-group 1

no cdp enable

ppp authentication pap callin

ppp pap sent-username xxxxxx password xxxxx

!

ip nat pool nat-pool-0 213.x.x.a 213.x.x.a netmask 255.255.255.248

ip nat inside source list 1 pool nat-pool-0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

no ip http server

!

access-list 1 permit 192.168.1.0 0.0.0.255

dialer-list 1 protocol ip permit

no cdp run

banner login ^C RESTRICTED ACCESS ^C

!

line con 0

password xxxxx

login

stopbits 1

line vty 0 4

password xxxxx

login

!

no rcapi server

!

end

jawad1979 · ‎07-02-2003

You have two options, either to let the router do the NAT, or the PIX (I recommend this) do the NAT, well which one do you prefer?

jawad1979 · ‎07-03-2003

I hope I'm right, this is what you want:

1)You want the users to be translated to 213.x.x.c.

2)You want the PIX to have an ip address of 213.x.x.b

3)The connection to the internet have an address of 213.x.x.a

Try these commands on the PIX :

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password "This is the secret password"

passwd "This is the Telnet password"

hostname pix

interface ethernet0 auto

interface ethernet1 auto

ip address outside 213.x.x.b 255.255.255.248

ip address inside 192.168.1.100 255.255.255.0

global (outside) 1 213.x.x.c netmask 255.255.255.248

nat (inside) 1 192.168.1.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 213..x.x.a 1

The users will be translated to 213.x.x.c using the PIX

On the router, disable NAT, and change the ip address of the ethernet interface (e0 on the router) that is connected to the pix to 213.x.x.a . Now on the dialer interface, remove the ip address and type "ip unnumbered e0"

Note that e0 of the PIX is connected to the router, and e0 of the router is connected to the PIX. Also, only the network 192.168.1.0 is allowed to initiate a connections to the internet.

This configuration will not allow any connections to start from outside (i.e the internet), if you host some servers, you need to add several commands.

Good Luck

Regards,

Jawad

shoebwk · ‎07-03-2003

Thanks jawad, for your config.

Let me be more precise, at present the user is connected to internet thru IP 213.x.x.a and i have a pool of ip 213.x.x.a-213.x.x.f. i have set brio to 213.x.x.a which ISP has asked us to do so. once the user can access the internet from inside the LAN, i want to make a vpn to a remote checkpoint firewall whose IP is 193.x.x.6 /24. So i think we need to open atleast 1 connection from outside, i.e. to permit 1 IP to come in, if at all they need to change some configuration, since they are the head-office and might require to get in to change some security poilcies. Also the mail server is at remote site at checkpoint end(lotus notes) the user here will have a client to access the mail from mail server. Also i think no need to use the IP 213.x.x.c

secondly do i need to remove all these NAT commands from router

ip nat inside

ip nat outside

ip nat pool nat-pool-0 213.x.x.a 213.x.x.a netmask 255.255.255.248

ip nat inside source list 1 pool nat-pool-0 overload

I think you have now a clear idea of what i want.

thanks

regards

shoeb

jawad1979 · ‎07-04-2003

Shoeb,

You have several options for the Head Office, either to allow a VPN connection between the firewalls so that your entire LAN can be accessed from the Head Office, in addition, you can also limit access besed on ip addresses of the Head office, the other option is to allow access to limited resources such as the terminal services on a server.

Well, if it is required to use a VPN connection, then you can use IPSEC to encrypt the tunnel, here you have also two options, either to keep the router config and just configure a VPN connection, in this case the firewall will not do any NAT, the other option will use the firewall for NAT.

The VPN connection be initiated from the router or the firewall. Sounds complicated, right.

Here what I suggest, keep the router doing the NAT, configure the VPDN on the router, the firewall will not do any NAT. Now since the firewall will not limit any connections from outside, you must open some static connections from outside (for example the subnet of the Head office).

Is this suitable?

regards,

Jawad