How to Setup PIX501

patternnetwork
Level 1

I'm very new to PIX but can't get something to work. We have a T1 line that connects to the PIX and then we have the PIX connected to the external network on a Small Business Server 2003. I am trying to put in a wireless access point so guests can have internet access outside of our network. I connected it to the PIX and gave it an IP address on the inside network (192.168.1.X) of the PIX and I can't get it to see the internet. Attached is my configuration from the PIX.

Can anyone help me out?

Mike

21 Replies

acomiskey
Level 10

You're missing something in this line. Do you have the word interface in there?

global (outside) 1 interface

I tried entering the new line just as you have it and I got the message "global for this range already exists". Any idea why this didn't work? Would changing this get me access to the internet through my wireless access point? Does the PIX have to be set up as a DHCP server, or can I leave the access point static? Any other ideas? Thanks for your time!!

Mike

Mike

try from config mode

no global (outside) 1

global (outside) 1 interface

HTH

Jon

Jon,

I entered the text you had and this time it worked. But it still doesn't seem like I can get to the internet. I have attached the new configuration for you to review. To test this I actually connected a computer to the PIX501 and gave it an IP address of 192.168.1.35, subnet of 255.255.255.0, gateway of 192.168.1.1 and DNS of 192.168.1.1. It won't connect to the internet yet. I entered "clear xlate" at the end and I think I will try restarting the firewall, but do you have any other ideas? Does that all look OK, or not? I really appreciate your help and everyone else that has offered their suggestions.

Thanks,

Mike

Mike

Config looks okay. When you are logged onto the PIX, can you ping the next hop, i.e.

216.153.252.1

Does this work ?

Jon

Jon,

I can't ping 216.153.252.1, but I can ping 216.153.252.20 which is our IP from the ISP so that seems to work. Maybe this is a connection issue. Should the gateway and DNS point to the firewall?

Mike

Your DNS should not be the PIX. You should have been given DNS servers by your ISP.

It worked!! The DNS makes sense now that I think about it. So much to learn yet. Thank you both for all the help. I really appreciate your time.

Mike

Would changing this get me access to the internet through my wireless access point?

-It should.

Does the PIX have to be set up as a DHCP server or can I leave the access point static?

-No, it doesn't have to be a DHCP server. The AP can be static. Just make sure the wireless clients have an address and a gateway of the PIX.

mightymouse2045
Level 1

* What are your static NATs for?

* Also, you really have a 254-address range for your external IP? Thought those were hard to come by nowadays :P

* Your static routes should look like this for all of them, as they are for the outside interface's IP:

static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0

* You have an inbound access list but no outbound access list. You should create one and also allow ICMP (ping) on it, which will let you ping your gateway 216.153.252.1, and also put a deny on your outside to get stats etc. on who's trying to hack what etc. :P:

access-list 101 deny ip any any log

access-list 102 permit icmp any any

access-list 102 permit tcp any any eq www

access-list 102 permit tcp any any eq https

access-list 102 deny ip any any log

access-group 102 in interface inside

You should also start experimenting with object groups and names, as these help you simplify management and administration. They make your config longer, but they are extremely useful, so for example your access list could look like this:

access-list 101 permit tcp any host 216.153.252.20 object-group external_access

access-list 101 deny ip any any log

access-list 102 permit icmp any any

access-list 102 permit tcp any any object-group internal-outbound

access-list 102 deny ip any any log

My 2 cents worth :)

Mightymouse,

Thanks for your comments even though some of them are way over my head at this point. I work for a small business and my main job is design engineer and I just happened to get "pushed" into the IT stuff. I'm not complaining, but right now I'm just trying to take care of the big problems so I can keep everyone happy.

You are right about the address range for the external IP. Where does this get changed? Doesn't this line limit it to 1 IP address?

ip address outside 216.153.252.20 255.255.255.0

Or is it the mask that is wrong? Should it be

ip address outside 216.153.252.20 255.255.255.255

As for your other suggestions and comments, I am just not familiar enough with these PIX firewalls to understand the difference between your static command and the one that I have. You have the word "interface" in place of my outside IP address. Why, and how does that affect my firewall?

Are there any performance problems with using the firewall as I have it compared to making the changes you mentioned? I will definitely print this off and put it in my "need to learn" folder so I can come back to it as time allows, but for now, are any of these changes important for me to make now? Thanks again for all your help.

Mike

1. OK, your external mask should reflect whatever number of external IP addresses you 'actually' have. Considering your external IP is .20 and your next hop route is .1, I would assume you have at least a /27 subnet mask (255.255.255.224), which gives you 30 usable addresses. However, that may not be the case, so what I would do is call your ISP and ask them what subnet you should use there (let me know what they come back with too, btw).

2. The static NAT should be replaced with interface, as that is the correct way to define a NAT that translates to the IP address of that interface instead of typing it out in full. Not sure if it affects anything, possibly processing time, but I doubt it would affect it that much; best to keep to best practices.

3. Yes to the changes mentioned. Don't worry about the groups as yet, but definitely add in the outbound access list, and definitely put in the deny ip any any at the end of both access lists; that will also stop me being able to ping your PIX.
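Added example, not from this thread and not a Cisco tool: a small Python script that parses a PIX 6.x-style configuration and flags the points raised in the replies above, both the NAT advice (global and static written to the outside interface's literal address instead of the interface keyword) and the access-list advice (no explicit deny ip any any log at the end of an ACL, no access-group bound to the inside interface). It also checks two things a practitioner would want that the thread only hints at: a default route whose next hop is not inside the outside interface's subnet, which is what a 255.255.255.255 outside mask would produce, and an inside ACL that permits no outbound DNS, which matters once clients use the ISP's resolvers rather than the PIX. The two config texts are constructed from the addresses and commands quoted in the thread (they are not the attached config), and the finding codes are the script's own names.

```python
# Added audit script (not from the thread or Cisco): parse a PIX 6.x-style
# config and flag the issues discussed above.
import ipaddress
import re
from collections import defaultdict

# Constructed sample, not the poster's attached config: it reuses the addresses
# and commands quoted in the thread and reproduces the weak state discussed there.
WEAK_CONFIG = """\
ip address outside 216.153.252.20 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 216.153.252.20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 216.153.252.20 smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 216.153.252.20 eq smtp
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 216.153.252.1 1
"""

# Same topology with the thread's fixes applied, plus an outbound DNS permit: an
# inside ACL allowing only icmp/www/https breaks name resolution once the clients
# point at the ISP's resolvers instead of the PIX.
FIXED_CONFIG = """\
ip address outside 216.153.252.20 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 216.153.252.20 eq smtp
access-list 101 deny ip any any log
access-list 102 permit icmp any any
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq https
access-list 102 deny ip any any log
access-group 101 in interface outside
access-group 102 in interface inside
route outside 0.0.0.0 0.0.0.0 216.153.252.1 1
"""


def parse(text):
    """Extract only the statements the audit needs; other lines are ignored."""
    cfg = {"ifaces": {}, "globals": [], "statics": [],
           "acls": defaultdict(list), "access_groups": {}, "routes": []}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        tok = line.split()
        if tok[:2] == ["ip", "address"] and len(tok) >= 5:
            cfg["ifaces"][tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[0] == "global":
            m = re.match(r"global \((\S+)\) \d+ (\S+)", line)
            cfg["globals"].append((m.group(1), m.group(2)))  # (iface, pool or 'interface')
        elif tok[0] == "static":
            m = re.match(r"static \((\S+),(\S+)\) (?:(?:tcp|udp) )?(\S+)", line)
            cfg["statics"].append((m.group(2), m.group(3)))  # (mapped iface, mapped addr)
        elif tok[0] == "access-list":
            cfg["acls"][tok[1]].append(" ".join(tok[2:]))  # entries kept in order
        elif tok[0] == "access-group" and len(tok) >= 5:
            cfg["access_groups"][tok[4]] = tok[1]  # iface -> acl id
        elif tok[0] == "route" and len(tok) >= 5:
            cfg["routes"].append((tok[1], ipaddress.ip_address(tok[4])))
    return cfg


def audit(cfg):
    """Return (code, detail) findings; an empty list means nothing to fix."""
    out, ifaces = [], cfg["ifaces"]
    for ifname, target in cfg["globals"]:
        if ifname in ifaces and target == str(ifaces[ifname].ip):
            out.append(("GLOBAL_LITERAL_IP", f"global ({ifname}) should use 'interface'"))
    for ifname, mapped in cfg["statics"]:
        if ifname in ifaces and mapped == str(ifaces[ifname].ip):
            out.append(("STATIC_LITERAL_IP", f"static to {mapped} should use 'interface'"))
    for acl_id, entries in cfg["acls"].items():
        if not entries[-1].startswith("deny ip any any"):
            out.append(("ACL_NO_EXPLICIT_DENY", f"access-list {acl_id} lacks final 'deny ip any any log'"))
    for ifname in ifaces:
        if ifname not in cfg["access_groups"]:
            out.append(("NO_ACL_ON_INTERFACE", f"no access-group bound to {ifname}"))
    inside_acl = cfg["access_groups"].get("inside")
    if inside_acl is not None:
        dns_ok = any(e.startswith("permit ip any any") or
                     (e.startswith("permit udp") and ("domain" in e or e.endswith(" 53")))
                     for e in cfg["acls"].get(inside_acl, []))
        if not dns_ok:
            out.append(("INSIDE_ACL_BLOCKS_DNS", f"access-list {inside_acl} permits no udp/53 out"))
    for ifname, next_hop in cfg["routes"]:
        if ifname in ifaces and next_hop not in ifaces[ifname].network:
            out.append(("ROUTE_NEXT_HOP_OFF_SUBNET", f"{next_hop} not in {ifaces[ifname].network}"))
    return out


def finding_codes(text):
    """Sorted, de-duplicated finding codes for a config text."""
    return sorted({code for code, _ in audit(parse(text))})
```

Run `audit(parse(WEAK_CONFIG))` to see the four findings that match the advice in this thread, and `audit(parse(FIXED_CONFIG))` to confirm the corrected version is clean. Changing the outside mask in FIXED_CONFIG to 255.255.255.255 makes the script report that 216.153.252.1 is no longer on the outside subnet, which is why a host mask is not the answer to "I only have two addresses": the mask describes the link, not how many addresses you are allowed to use.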

1. I actually only have 2 IP addresses that they will allow me to use. At the moment we just picked one (the .20) and went with it. So am I ok with using 255.255.255.255 as my mask?

2. I'll make this change later when I have time.

3. I'll also make this change when I can.

I edited my configuration offline and attached it. Does this look better or am I still missing something? Thanks for the feedback!

mightymouse2045
Level 1

I can still ping your PIX by the way - so I see you haven't either read the response or decided not to implement the suggestions :P

But leaving it wide open like that is very risky business

Cheers,

PH
