11-24-2006 07:09 AM - edited 03-11-2019 02:00 AM
Hi,
I'm in the midst of configuring a 515e. We have the four port expansion card which enables a total of 6 ethernet ports. I'm fine with the main inside and outside interfaces connecting to our internal LAN and outside to the internet.
We also have two SDSL 800 routers, essentially WAN links to remote networks. The inside interfaces on these 800's have addresses from our internal LAN and are connected directly to our switch.
We would like these 800's to connect to our 515e instead of going straight into the switch. At the moment our inside interface acts as the default gateway for the internet (192.168.1.254/24). The two 800's are 192.168.1.16/24 & 192.168.1.17/24; I presume I could address two interfaces on the PIX as say 192.168.1.18/24 & 192.168.1.19/24?
Is there any problem with setting it up like this?
Also can anyone advise me on how I'd add an access list to this. I'd use "access-list outside" to apply an access list to the outside interface. Do I need to name the interface in order to add access lists, or are they created and added with say "ip access-group" as you would on a router?
Many Thanks
J Mac
11-24-2006 08:59 AM
Hi Mac.
I think this is what you want to do
800 routers---PIX515e---Local LAN..
For connecting the 800 routers to the PIX, you can create a vlan on the switch and put the cables from the inside interfaces of the routers and the cable from the PIX firewall outside interface to ports which belong to this VLAN.
800 routers---SWITCH---PIX515e---Local LAN..
Regarding access-lists, the PIX by default names two interfaces as 'inside' and 'outside'. Ethernet0 is always outside and ethernet1 is always inside. You can check the same with the command "show nameif".
Once you create an access-list, say for e.g.
access-list ToOutside permit ip any any, you will then have to attach the ACL to the interface with the command
access-group ToOutside in interface outside
General syntax of adding an ACL to interface is
access-group
For rest all interfaces, you can give any name by the following example.
nameif ethernet4 Whatevername Security50
--Pls rate if it helps---
11-24-2006 09:03 AM
You can connect each of the 800 to the PIX, i.e E2 & E3, or any available ports (e0 & e1 by default belongs to outside & inside interface).
On the quad card, ethernet3 to ethernet6 is identified as 1st port on the left to the 4th one on the right.
Assign a name to the interface, i.e. dmz2 & dmz3 (or any name), a security level and IP addresses. Use a new subnet for dmz2 and dmz3, example:
dmz2: 192.168.100.0/24, interface ip: 192.168.100.254
dmz3: 192.168.101.0/24, interface ip: 192.168.101.254
800#1 for dmz2: 192.168.100.253
800#1 for dmz3: 192.168.101.253
ip address outside 192.168.1.254 255.255.255.0
ip address dmz2 192.168.100.254 255.255.255.0
ip address dmz3 192.168.101.254 255.255.255.0
Configure routing as:
route dmz2 0.0.0.0 0.0.0.0 192.168.100.253
route dmz3 0.0.0.0 0.0.0.0 192.168.101.253
Since you have 3 lines to the internet, will all of them be active simultaneously?
To add an access-list (ACL) entry, you can add it directly to the existing ACL. Make sure that if you have a deny statement, you delete it and paste it back so it sits as the last entry. This ensures it always denies unwanted IPs from coming into the network.
Example: you need to add an ACL entry to allow a new server (xx.xx.xx.50) running www services. It's mapped using the static map "static (inside,outside) xx.xx.xx.50 192.168.1.50".
*xx.xx.xx.50 is a public IP.
access-list outside permit tcp any host xx.xx.xx.10 eq 21
access-list outside permit tcp any host xx.xx.xx.15 eq 23
access-list outside deny ip any any
access-group outside in interface outside
Add new entry:
firewall(config)#access-list outside permit tcp any host xx.xx.xx.50 eq www ---> new rule to add
Your ACL will become:
access-list outside permit tcp any host xx.xx.xx.10 eq 21
access-list outside permit tcp any host xx.xx.xx.15 eq 23
access-list outside deny ip any any --------------> wrong, will deny everything including xx.xx.xx.50!!
access-list outside permit tcp any host xx.xx.xx.50 eq www
access-group outside in interface outside
Delete and re-add deny statement:
firewall(config)#no access-list outside deny ip any any ---> remove
firewall(config)#access-list outside deny ip any any ---> add
Now will become:
access-list outside permit tcp any host xx.xx.xx.10 eq 21
access-list outside permit tcp any host xx.xx.xx.15 eq 23
access-list outside permit tcp any host xx.xx.xx.50 eq www
access-list outside deny ip any any
HTH
AK
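The ordering point made in the reply above (an entry appended after "deny ip any any" can never match, and the fix is to remove and re-add the deny so it is last) can be checked mechanically. The following Python is an added example, not code from either post or from Cisco: it parses PIX 6.x style access-list lines, evaluates them top-down the way the PIX does (first match wins, implicit deny at the end), reports entries shadowed by an earlier one, and applies the same "move the catch-all deny to the end" fix. The xx.xx.xx placeholders from the post are replaced with the 192.0.2.0/24 documentation range, and the source 203.0.113.7 is likewise a constructed value.

```python
import ipaddress

# Constructed sample: the ACL from the post as it looks right after the new
# www rule was appended behind the catch-all deny (xx.xx.xx.* -> 192.0.2.*).
ACL_AFTER_APPEND = """
access-list outside permit tcp any host 192.0.2.10 eq 21
access-list outside permit tcp any host 192.0.2.15 eq 23
access-list outside deny ip any any
access-list outside permit tcp any host 192.0.2.50 eq www
"""

# Service keywords the PIX accepts in place of a port number (subset).
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "ssh": 22, "smtp": 25}


def _parse_addr(tokens, i):
    """Consume one address spec ('any', 'host A.B.C.D' or 'net mask') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX 6.x writes a network as "address netmask"; ipaddress accepts that form.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Turn 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines into dicts."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            port = PORT_NAMES.get(p, int(p) if p.isdigit() else p)
        rules.append({"name": name, "action": action, "proto": proto,
                      "src": src, "dst": dst, "port": port, "line": line.strip()})
    return rules


def first_match(rules, proto, src_ip, dst_ip, dport):
    """Evaluate top-down; the first matching entry decides, else implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        return r["action"], r["line"]
    return "deny", "<implicit deny>"


def shadowed(rules):
    """Entries that can never match because an earlier entry already covers them."""
    dead = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (e["proto"] in ("ip", r["proto"])
                    and r["src"].subnet_of(e["src"])
                    and r["dst"].subnet_of(e["dst"])
                    and (e["port"] is None or e["port"] == r["port"])):
                dead.append(r["line"])
                break
    return dead


def move_catchall_deny_last(rules):
    """Same effect as 'no access-list X deny ip any any' followed by re-adding it."""
    catchall = [r for r in rules if r["action"] == "deny" and r["proto"] == "ip"
                and r["src"].prefixlen == 0 and r["dst"].prefixlen == 0]
    rest = [r for r in rules if r not in catchall]
    return rest + catchall


if __name__ == "__main__":
    acl = parse_acl(ACL_AFTER_APPEND)
    print("shadowed before fix:", shadowed(acl))
    print("www to .50 before fix:", first_match(acl, "tcp", "203.0.113.7", "192.0.2.50", 80))
    fixed = move_catchall_deny_last(acl)
    print("shadowed after fix:", shadowed(fixed))
    print("www to .50 after fix:", first_match(fixed, "tcp", "203.0.113.7", "192.0.2.50", 80))
```

Running it shows the appended www entry listed as shadowed and the test packet hitting "deny ip any any"; after the reorder nothing is shadowed, port 80 to .50 is permitted, and anything else to .50 still falls through to the deny. The shadow check is worth keeping around for any ACL you edit by appending, since the PIX itself gives no warning when a new line lands behind a broader one.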