07-02-2003 07:20 AM - edited 03-02-2019 08:34 AM
I have an 801 router configured to the internet, so the LAN PCs can connect to the internet. The detailed IOS config is below.
This setup is temporary, because now I have to connect a PIX 506E firewall behind the router, with users accessing the net through the firewall.
I think the E0 IP of the router will now change to 213.x.x.b and the external IP will now change to 213.x.x.c, with BRI0 remaining unchanged, i.e. 213.x.x.a. Also, the gateway for the LAN PCs will stay the same, i.e. 192.168.1.100, which will now be the PIX internal IP.
Though this is my first interaction with the PIX, I am pasting the final IOS config. Related to this, could anybody send the basic configuration to get the PIX up and running, so that users can connect to the internet behind the firewall?
Thanks a Lot
Best regards
shoeb
====================IOS==========================
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname dxb2000
!
enable secret xxxxxx
!
ip subnet-zero
!
no ip domain-lookup
isdn switch-type basic-net3
!
!
!
interface Ethernet0
ip address 192.168.1.100 255.255.255.0
ip nat inside
no cdp enable
!
interface BRI0
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
no cdp enable
ppp authentication pap callin
!
interface Dialer1
description CONNECTION TO INTERNET
ip address 213.x.x.a 255.255.255.248
ip nat outside
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string 4004444
dialer persistent
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxx password xxxxx
!
ip nat pool nat-pool-0 213.x.x.a 213.x.x.a netmask 255.255.255.248
ip nat inside source list 1 pool nat-pool-0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
banner login ^C RESTRICTED ACCESS ^C
!
line con 0
password xxxxx
login
stopbits 1
line vty 0 4
password xxxxx
login
!
no rcapi server
!
!
end
07-02-2003 11:56 PM
You have two options: either let the router do the NAT, or let the PIX do the NAT (I recommend this). Which one do you prefer?
07-03-2003 01:14 AM
I hope I'm right; this is what you want:
1) You want the users to be translated to 213.x.x.c.
2) You want the PIX to have an IP address of 213.x.x.b.
3) The connection to the internet has an address of 213.x.x.a.
Try these commands on the PIX:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password "This is the secret password"
passwd "This is the Telnet password"
hostname pix
interface ethernet0 auto
interface ethernet1 auto
ip address outside 213.x.x.b 255.255.255.248
ip address inside 192.168.1.100 255.255.255.0
global (outside) 1 213.x.x.c netmask 255.255.255.248
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 213.x.x.a 1
The users will be translated to 213.x.x.c by the PIX.
On the router, disable NAT, and change the IP address of the Ethernet interface (e0 on the router) that is connected to the PIX to 213.x.x.a. Now on the dialer interface, remove the IP address and type "ip unnumbered e0".
Note that e0 of the PIX is connected to the router, and e0 of the router is connected to the PIX. Also, only the network 192.168.1.0 is allowed to initiate connections to the internet.
This configuration will not allow any connections to start from outside (i.e. the internet); if you host some servers, you need to add several commands.
Good Luck
Regards,
Jawad
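Jawad's router-side changes for the "PIX does NAT" option, written out against shoeb's posted config as an added example (not a config from the thread). It assumes the PIX outside interface is cabled to the router's Ethernet0 and that everything not shown stays as posted.

```cisco
! Added example, not from the thread: shoeb's 801 after Jawad's router changes.
! Assumption: PIX ethernet0 (outside, 213.x.x.b) is cabled to this Ethernet0.
!
! 1. Remove the overload translation rule and then the pool it references.
!    If IOS refuses because translations are active, run
!    "clear ip nat translation *" first and repeat.
no ip nat inside source list 1 pool nat-pool-0 overload
no ip nat pool nat-pool-0 213.x.x.a 213.x.x.a netmask 255.255.255.248
!
! 2. Ethernet0 is now the router<->PIX link and takes the ISP-assigned
!    address 213.x.x.a; 213.x.x.b (PIX outside) and 213.x.x.c (PIX global)
!    live in the same /29, so the router reaches them as connected hosts.
interface Ethernet0
 no ip nat inside
 ip address 213.x.x.a 255.255.255.248
 no cdp enable
!
! 3. Dialer1 drops its own address and borrows Ethernet0's, so the ISDN
!    side still presents 213.x.x.a to the ISP as they requested.
interface Dialer1
 no ip nat outside
 no ip address
 ip unnumbered Ethernet0
!
! Unchanged: the default route still leaves via Dialer1, so packets the PIX
! has already translated to 213.x.x.c go to the ISP exactly as before.
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! access-list 1 was only used by the removed NAT rule; dialer-list 1 stays
! because it still decides which traffic brings up the ISDN link.
no access-list 1
```

The PIX side from Jawad's post is unchanged by this; its `route outside` pointing at 213.x.x.a is what makes the two halves fit together.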
07-03-2003 05:23 AM
Thanks Jawad, for your config.
Let me be more precise. At present the user is connected to the internet through IP 213.x.x.a, and I have a pool of IPs 213.x.x.a-213.x.x.f. I have set BRI0 to 213.x.x.a, which the ISP has asked us to do. Once the user can access the internet from inside the LAN, I want to make a VPN to a remote Checkpoint firewall whose IP is 193.x.x.6 /24. So I think we need to open at least 1 connection from outside, i.e. to permit 1 IP to come in, if at all they need to change some configuration, since they are the head office and might require to get in to change some security policies. Also the mail server is at the remote site at the Checkpoint end (Lotus Notes); the user here will have a client to access the mail from the mail server. Also I think there is no need to use the IP 213.x.x.c.
Secondly, do I need to remove all these NAT commands from the router?
ip nat inside
ip nat outside
ip nat pool nat-pool-0 213.x.x.a 213.x.x.a netmask 255.255.255.248
ip nat inside source list 1 pool nat-pool-0 overload
I think you now have a clear idea of what I want.
Thanks
regards
shoeb
07-04-2003 10:52 PM
Shoeb,
You have several options for the Head Office: either allow a VPN connection between the firewalls so that your entire LAN can be accessed from the Head Office (in addition, you can also limit access based on IP addresses of the Head Office), or allow access to limited resources such as the terminal services on a server.
Well, if it is required to use a VPN connection, then you can use IPSEC to encrypt the tunnel. Here you also have two options: either keep the router config and just configure a VPN connection, in which case the firewall will not do any NAT, or use the firewall for NAT.
The VPN connection can be initiated from the router or the firewall. Sounds complicated, right?
Here is what I suggest: keep the router doing the NAT, configure the VPDN on the router, and the firewall will not do any NAT. Now since the firewall will not limit any connections from outside, you must open some static connections from outside (for example the subnet of the Head Office).
Is this suitable?
regards,
Jawad