New Member

506 Config

I think I am on the right track but unsure. Again, I am running PIX 506 (only 2 interfaces-stuck with 5.1(2) software) on a small network.

Here is what I am trying to achieve:

1) Allow unrestricted internet access from the inside interface.

2) Allow incoming connections to my web server.

Here is what I have so far:

PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname itfw1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_in permit tcp any host 10.0.0.5 eq www
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.1 255.0.0.0
ip address inside 192.168.254.1 255.255.255.0
arp timeout 14400
global (outside) 1 10.0.0.3 netmask 255.0.0.0
global (outside) 1 10.0.0.20-10.0.0.100 netmask 255.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.0.5 192.168.254.20 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp identity hostname
telnet timeout 5
terminal width 80
Cryptochecksum:xxx

You are all saints...my deepest gratitude for helping me learn!

21 REPLIES
Green

Re: 506 Config

Are you NATing again on an outside router or something? 10.x is not routable and would explain why you can't get to the internet.

New Member

Re: 506 Config

Here is the design and flow:

1)Router IP: 10.0.0.2

2) PIX: Outside IP: 10.0.0.1 Inside IP: 192.168.254.1

3)Network: 192.168.254.0/24

Cisco Employee

Re: 506 Config

The FW outside interface doesn't seem to have a routable IP on the internet; therefore, on the firewall you do have appropriate xlate rules, however you need to NAT on the router as well.

What's the WAN interface of the router?

Green

Re: 506 Config

I bet it's 74.41.202.106...from his previous post.

You either have to NAT twice or get a /30 network for the inside of the outside router and the outside of the PIX. Or get rid of the DSL router and get a DSL modem, and put 74.41.202.106 on the outside of the PIX.

Green

Re: 506 Config

From your first post:

#1. Internet access from inside users. You will have to NAT them somewhere to a public routable IP address.

#2. You will have to have a static translation somewhere for your public services. (Where is your web server translated to 10.0.0.5?)

New Member

Re: 506 Config

Maybe I need to go back and learn a bit more...

Just a minor recap:

(PIX model 506)

=================================

===============

====Internet===

===============

|

Leased external static IP: 74.41.201.106

(FQDN resolved to this IP from internet)

|

DSL Router's internal IP: 10.0.0.2

|

Pix Outside Interface IP: 10.0.0.1

|

Pix Inside Interface IP: 192.168.254.1

|

Network:

Web server: 192.168.254.20

I have set NAT to inside interface with:

nat (inside) 1 0 0

I have set global on outside interface:

global (outside) 1 10.0.0.3 netmask 255.0.0.0

global (outside) 1 10.0.0.20-10.0.0.100 netmask 255.0.0.0

I set the default route to router:

route outside 0 0 10.0.0.2 1

I add a static to allow traffic INTO my webserver and appropriate ACL list:

static (inside,outside) 10.0.0.5 192.168.254.20 netmask 255.255.255.255 0 0

access-list acl_in permit tcp any host 10.0.0.5 eq www

access-group acl_in in interface outside

Cisco Employee

Re: 506 Config

For outbound access you need to translate the private IP to a public routable IP on the router.

So the gateway of the firewall, i.e. the DSL router, is simply a modem or a configurable router?

New Member

Re: 506 Config

Correct. The outside interface of my pix goes directly to my isp's provided dsl router.

Cisco Employee

Re: 506 Config

OK, so is the ISP doing NATting on their router?

If not, then they have to... Also, from our side, you need to make sure the request is passing through the firewall.

Add the line access-l acl_in permit icmp any any, then try pinging the gateway of the firewall from any inside machine. If you are able to ping, that means the FW is passing the traffic and it's your router not routing it further.

New Member

Re: 506 Config

Correct.

I haven't placed the firewall in the mix yet, I was just looking for a second pair of eyes to look at my config (original post) to see if it seemed OK...

Cisco Employee

Re: 506 Config

Yes, your firewall config looks good on the FW. We can help you with the router if you have access to it as well.

Green

Re: 506 Config

Like I said about 10 posts ago...

are my posts showing up?

Cisco Employee

Re: 506 Config

Hey acomiskey, chill. :-) Yes, your posts are showing up, very bright and clear. :-)

Green

Re: 506 Config

I'm chill, just seems like a broken record that's all...

New Member

Re: 506 Config

Sorry, I didn't get into managed firewall appliances until about a week ago and I am in my 40's so things don't sink in quite as well as they did when I was in my 20's...

Green

Re: 506 Config

No, not you, it seemed like everything I said was just getting repeated.

Anyway, it's cool, we're all here just trying to help.

New Member

Re: 506 Config

Which, by the way, I do not take for granted and I appreciate more than I can say...

Green

Re: 506 Config

Ok, as abinjola and I were trying to say, there are a few things you need to figure out. The most major of which I would say is where do you want to NAT?

Cisco Employee

Re: 506 Config

Do you have router access, so that we can check if the router is configured for NATting?

I hope I am making sense: the router needs to further PAT or NAT the traffic (to a public IP) coming out of the firewall's private outside IP.

The FW config looks good.

Green

Re: 506 Config

This is one solution, like I was trying to say before... but it requires 2 more public IP addresses.

DSL ROUTER

|

|

|

PAT/NAT here.

PIX

<10.0.0.0 network>

OR this which doesn't

DSL MODEM

|

|

|

|

NAT/PAT here

PIX

<10.0.0.0 network>
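The point the replies keep circling back to (the PIX translates correctly, but its outside address 10.0.0.3 is RFC 1918 space, so the DSL router must translate a second time, and inbound port 80 must be forwarded to the PIX static 10.0.0.5 before acl_in can pass it to 192.168.254.20) is easier to see when the two hops are modelled end to end. The following is an added example written for this page, not code or configuration from the thread: the PIX side uses the addresses from the posted config; the DSL router's behaviour (whether it PATs to 74.41.201.106 and forwards port 80 to 10.0.0.5) is an assumption, since the thread leaves that open. The PAT port allocator is a deterministic stand-in, not how a real PIX picks ports.

```python
"""Toy model of the translation chain from the thread: inside host -> PIX 506 -> DSL router -> internet.
Added example for this page; PIX addresses come from the posted config, router behaviour is assumed."""
from dataclasses import dataclass, replace
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True for RFC 1918 space, which the internet will not route a reply back to."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# --- PIX side, taken from the posted configuration ---------------------------
# static (inside,outside) 10.0.0.5 192.168.254.20 netmask 255.255.255.255 0 0
PIX_STATICS = {"192.168.254.20": "10.0.0.5"}
# global (outside) 1 10.0.0.3 ... : a single global address means PAT (port overload)
PIX_PAT_ADDR = "10.0.0.3"
# access-list acl_in permit tcp any host 10.0.0.5 eq www, applied "in interface outside".
# On this PIX release the outside ACL is written against the translated (outside) address,
# which is why the posted ACL names 10.0.0.5 and not 192.168.254.20.
PIX_ACL_IN = [("tcp", "10.0.0.5", 80)]


def pat_port(sport: int) -> int:
    """Deterministic stand-in for a PAT port allocator (toy; a real PIX draws from a pool)."""
    return 1024 + (sport % 60000)


def pix_outbound(pkt: Packet) -> Packet:
    """inside -> outside: a matching static wins, everything else (nat (inside) 1 0 0) is PATed."""
    if pkt.src in PIX_STATICS:
        return replace(pkt, src=PIX_STATICS[pkt.src])
    return replace(pkt, src=PIX_PAT_ADDR, sport=pat_port(pkt.sport))


def pix_inbound(pkt: Packet):
    """outside -> inside: acl_in must permit the *mapped* destination, then the static untranslates.
    Returns the delivered packet, or None when the PIX drops it."""
    permitted = any(p == pkt.proto and a == pkt.dst and d == pkt.dport for p, a, d in PIX_ACL_IN)
    inside_for = {outside: inside for inside, outside in PIX_STATICS.items()}
    if not permitted or pkt.dst not in inside_for:
        return None  # implicit deny at the end of acl_in, or no xlate for that outside address
    return replace(pkt, dst=inside_for[pkt.dst])


# --- DSL router side, assumed for this example -------------------------------
ROUTER_PUBLIC = "74.41.201.106"              # the leased static address named in the thread
ROUTER_FORWARDS = {("tcp", 80): "10.0.0.5"}  # assumed: router forwards port 80 to the PIX static


def router_outbound(pkt: Packet, router_nats: bool) -> Packet:
    """LAN -> WAN: overload onto the public address only if the router is actually NATing."""
    if not router_nats:
        return pkt  # forwarded untouched: the source is still 10.0.0.x when it reaches the ISP
    return replace(pkt, src=ROUTER_PUBLIC, sport=pat_port(pkt.sport))


def router_inbound(pkt: Packet):
    """WAN -> LAN: only forwarded ports addressed to the public IP get through."""
    target = ROUTER_FORWARDS.get((pkt.proto, pkt.dport))
    if pkt.dst != ROUTER_PUBLIC or target is None:
        return None
    return replace(pkt, dst=target)


def as_seen_by_isp(pkt: Packet, router_nats: bool) -> Packet:
    """What an inside host's packet looks like when it leaves the DSL router."""
    return router_outbound(pix_outbound(pkt), router_nats)


def delivered_to_lan(pkt: Packet):
    """Where an internet client's packet ends up, or None if it is dropped on the way in."""
    at_router = router_inbound(pkt)
    return pix_inbound(at_router) if at_router else None


if __name__ == "__main__":
    # Constructed sample traffic: a workstation browsing out, a client hitting the web server.
    browse = Packet("192.168.254.10", 51000, "198.51.100.7", 80)
    for nats in (False, True):
        out = as_seen_by_isp(browse, nats)
        print(f"router NAT={nats}: leaves as {out.src}:{out.sport}, private={is_private(out.src)}")
    client = Packet("203.0.113.9", 40000, ROUTER_PUBLIC, 80)
    print("web request lands on", delivered_to_lan(client))
    print("smtp request lands on", delivered_to_lan(replace(client, dport=25)))
```

Run with `router_nats=False` the outbound packet reaches the ISP with source 10.0.0.3, which is the "10. is not routable" problem raised in the first reply; with the router translating, it leaves as 74.41.201.106. Inbound, port 80 only arrives at 192.168.254.20 because the router forwards it to the static's outside address and acl_in permits that mapped address; anything the ACL does not name (port 25 here) is dropped by the implicit deny, which is the behaviour to keep in mind when adding the suggested `permit icmp any any` test line.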

New Member

Re: 506 Config

Yes I do. Prior to purchasing this firewall, the ISP's router was configured to port forward requests to the appropriate server...

port 80: to 192.168.254.20 (web server)

port 25: to 192.168.254.50 (email server)
