Cisco Support Community
Community Member

515e ethernet ports

Hi,

I'm in the midst of configuring a 515e. We have the four-port expansion card, which enables a total of 6 ethernet ports. I'm fine with the main inside and outside interfaces connecting to our internal LAN and outside to the internet.

We also have two SDSL 800 routers, essentially WAN links to remote networks. The inside interfaces on these 800s have addresses from our internal LAN and are connected directly to our switch.

We would like these 800s to connect to our 515e instead of going straight into the switch. At the moment our inside interface acts as the default gateway for the internet (192.168.1.254/24). The two 800s are 192.168.1.16/24 & 192.168.1.17/24; I presume I could address two interfaces on the PIX as, say, 192.168.1.18/24 & 192.168.1.19/24?

Is there any problem with setting it up like this?

Also, can anyone advise me on how I'd add an access list to this? I'd use "access-list outside" to apply an access list to the outside interface. Do I need to name the interface in order to add access lists, or are they created and added with, say, "ip access-group" as you would on a router?

Many Thanks

J Mac

2 REPLIES
Bronze

Re: 515e ethernet ports

Hi Mac.

I think this is what you want to do

800 routers---PIX515e---Local LAN..

For connecting the 800 routers to the PIX, you can create a vlan on the switch and put the cables from the inside interfaces of the routers and the cable from the PIX firewall outside interface to ports which belong to this VLAN.

800 routers---SWITCH---PIX515e---Local LAN..

Regarding access-lists, the PIX by default names two interfaces 'inside' and 'outside'. ethernet0 is always outside and ethernet1 is always inside. You can check the same with the command "show nameif".

Once you create an access-list, say for example:

access-list ToOutside permit ip any any

you will then have to attach the ACL to the interface with the command:

access-group ToOutside in interface outside

The general syntax for adding an ACL to an interface is:

access-group <acl_name> in interface <if_name>

For all the remaining interfaces, you can give any name, as in the following example:

nameif ethernet4 whatevername security50

--Pls rate if it helps---

Re: 515e ethernet ports

You can connect each of the 800s to the PIX, i.e. E2 & E3, or any available ports (e0 & e1 by default belong to the outside & inside interfaces).

On the quad card, ethernet3 to ethernet6 are identified as the 1st port on the left to the 4th one on the right.

Assign a name to the interface, i.e. dmz2 & dmz3 (or any name), a security level and IP addresses. Use a new subnet for dmz2 and dmz3, for example:

dmz2: 192.168.100.0/24, interface IP: 192.168.100.254
dmz3: 192.168.101.0/24, interface IP: 192.168.101.254

800 #1 for dmz2: 192.168.100.253
800 #2 for dmz3: 192.168.101.253

ip address outside 192.168.1.254 255.255.255.0
ip address dmz2 192.168.100.254 255.255.255.0
ip address dmz3 192.168.101.254 255.255.255.0

Configure routing as (the PIX accepts only one default route, so each 800 gets a route for the remote network it serves; the network and mask placeholders are yours to fill in):

route dmz2 <remote-network-A> <netmask-A> 192.168.100.253
route dmz3 <remote-network-B> <netmask-B> 192.168.101.253

Since you have 3 lines to the internet, will all of them be active simultaneously?

To add an access-list (ACL) entry, you can add it directly to the existing ACL. Make sure that if you have a deny statement, you delete it and paste it back so that it sits as the last entry. This is to ensure it always denies unwanted IPs coming into the network.

Example: you need to add an ACL entry to allow a new server (xx.xx.xx.50) running www services. It's mapped using the static map "static (inside,outside) xx.xx.xx.50 192.168.1.50 netmask 255.255.255.255".

*xx.xx.xx.50 is a public IP.

access-list outside permit tcp any host xx.xx.xx.10 eq 21
access-list outside permit tcp any host xx.xx.xx.15 eq 23
access-list outside deny ip any any
access-group outside in interface outside

Add the new entry:

firewall(config)#access-list outside permit tcp any host xx.xx.xx.50 eq www ---> new rule to add

Your ACL will become:

access-list outside permit tcp any host xx.xx.xx.10 eq 21
access-list outside permit tcp any host xx.xx.xx.15 eq 23
access-list outside deny ip any any --------------> wrong, will deny everything including xx.xx.xx.50!!
access-list outside permit tcp any host xx.xx.xx.50 eq www
access-group outside in interface outside

Delete and re-add the deny statement:

firewall(config)#no access-list outside deny ip any any ---> remove
firewall(config)#access-list outside deny ip any any ---> add

Now it will become:

access-list outside permit tcp any host xx.xx.xx.10 eq 21
access-list outside permit tcp any host xx.xx.xx.15 eq 23
access-list outside permit tcp any host xx.xx.xx.50 eq www
access-list outside deny ip any any

HTH

AK
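A first-match ACL evaluator, added here as an example (not part of AK's post or any Cisco tool), that reproduces the ordering pitfall described above: it parses the PIX-style access-list lines and shows that a permit appended after "deny ip any any" never matches until the deny is moved back to the end. The 203.0.113.x and 198.51.100.x addresses are constructed stand-ins for the xx.xx.xx.N placeholders, and the name-to-port table is assumed.

```python
# Added example, not from the thread: a first-match evaluator for the PIX 6.x
# "access-list <name> permit|deny <proto> <src> <dst> [eq <port>]" lines above,
# showing why a permit appended after "deny ip any any" never matches.
# 203.0.113.x / 198.51.100.x are constructed documentation addresses.
import ipaddress

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23}  # assumed name-to-port table

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Return (action, proto, src_net, dst_net, dst_port) tuples in config order."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list":
            continue  # ignore blank lines and non-ACL commands such as access-group
        src, rest = _parse_addr(parts[4:])
        dst, rest = _parse_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append((parts[2], parts[3], src, dst, port))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; the PIX applies an implicit deny if none match."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, src, dst, port in rules:
        if rproto not in ("ip", proto):
            continue
        if s in src and d in dst and (port is None or port == dst_port):
            return action
    return "deny"

BASE = ["access-list outside permit tcp any host 203.0.113.10 eq 21",
        "access-list outside permit tcp any host 203.0.113.15 eq 23"]
DENY_ALL = "access-list outside deny ip any any"
NEW_RULE = "access-list outside permit tcp any host 203.0.113.50 eq www"
WRONG_ORDER = "\n".join(BASE + [DENY_ALL, NEW_RULE])  # permit appended after the deny
FIXED_ORDER = "\n".join(BASE + [NEW_RULE, DENY_ALL])  # deny deleted and re-added last

def web_server_verdict(acl_text):
    """Verdict for an outside client (198.51.100.7) connecting to the new www host."""
    return evaluate(parse_acl(acl_text), "tcp", "198.51.100.7", "203.0.113.50", 80)
```

web_server_verdict(WRONG_ORDER) returns "deny" and web_server_verdict(FIXED_ORDER) returns "permit", which is exactly the difference the delete-and-re-add step above produces.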
