I am a new member on the forum and new to routing and Cisco products. I am a Windows network administrator. One of my clients recently went out of business and, in lieu of some money that they owed me, they gave me some equipment including a PIX 525.
I am interested in learning more about routing and Cisco equipment, so I am trying to use the PIX in my own network. I have downloaded the configuration guide (version 6.3) from Cisco and read topics from this and other forums, and have managed to put together a config that seems to be doing what I want it to do for the most part. I have run into a few problems that I would like you folks to help me with if possible. The problem I have is that the Cisco documentation assumes that you are intimately familiar with routing and also IOS, which I am not.
Here is my network setup…
I have a range of static IPs from my cable ISP: xxx.xxx.xxx.153-157.
I have a Windows SBS server running Exchange and PPTP VPN.
I have another Windows server running an FTP site.
I have a Windows server that I use to test new configurations that will potentially run any number of hosted services (mail, web, FTP, VPN etc.).
I use one of my IPs for internet access only for guests.
Previously, I had only one static IP and was using Linksys routers with port forwarding so that I could host my services. The problem was that I couldn't host more than one mail server or have remote desktop access to more than one server without changing the listening ports. To solve this, I upgraded to a block of 5 static IPs.
My goal now is to use the PIX 525 to direct traffic to each server, which resides on a different physical interface with a different subnet. I am currently using NAT and access lists to route traffic coming in on each public IP to a specific internal interface. So far everything seems to be working for the most part.
The interface labeled dmz is the interface my test server resides on. The goal here was to direct any incoming IP traffic to this interface and allow a Linksys router to do the port forwarding. I thought this would be simpler to configure since this machine will host different services depending on what I am working with at the time.
Interface inside1 is my own SBS server with Exchange.
Interface inside2 is where my FTP server is.
Interface internet is the guest-access, internet-only subnet.
Below is the software version info from the PIX…
Cisco PIX Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)
Compiled on Fri 15-Jun-07 18:25 by builders
System image file is "flash:/pix802.bin"
Config file at boot was "startup-config"
No problems on the dmz interface so far. The only problems I have still are the following...
No access to other public IPs from inside interfaces. For instance, I can't access ftp://xxx.xxx.xxx.154 from machines on interface1 even though the ASDM interface has inherent rules that were apparently automatically created to allow from higher security to lower security.
I used to have a PPTP VPN that I could access from a client computer on the inside1 interface, and I can't get PPTP traffic to pass through anymore even if I forward port 1723 and disable the PPTP fixup protocol. The connections just hang at verifying username and password. If I reconnect everything the way it was before the PIX, it works again.
I know the PIX no longer supports PPTP VPN itself after software version 7.x I think, but I don't understand why I can't still allow the traffic to pass through to another server.
Also I just wanted to see if the entire config was in good shape and avoid any problems if any were evident or see if the current config is the best way to accomplish my goals.
Sorry I forgot to include the above in my original post.
Now this traffic is going from a higher to a lower security level, so it should work by default. Now if you want to allow inside2 users to access xxx.xxx.xxx.153, which is the outside IP address, you will need the below commands:
In addition to this, you will need access-lists permitting the respective traffic to the xxx.xxx.xxx.153 IP address on the inside2 interface as well, as this is from a lower- to a higher-security-level interface.
Coming to PPTP VPN pass-through, I guess you are trying to connect to the PPTP VPN server behind your PIX. Is it the xxx.xxx.xxx.155 IP address server that is hosting the PPTP VPN? Or is it some other server?
PPTP in general does not work with a Static PAT because it involves GRE, and since GRE does not have port numbers, PAT does not work with PPTP. You will need a 1:1 NAT for the PPTP server's IP address, as in the case of xxx.xxx.xxx.155.
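The 1:1 NAT plus access-list arrangement the reply describes, written out as an added example in PIX 7.x/8.0-family syntax (this is not configuration from the thread or from Cisco documentation). It assumes inside1 is 192.168.0.0/24, that the PPTP server sits at the constructed address 192.168.0.10, and that a spare public address from the block (shown as xxx.xxx.xxx.155 as in the reply above) is used rather than the outside interface's own address, because a one-to-one static cannot be built on the interface address itself; only port-based statics can use the `interface` keyword. The access-list name outside_in is also an assumption.

```cisco
! Added example, not from the thread. Assumed values: inside1 = 192.168.0.0/24,
! PPTP server = 192.168.0.10 (constructed), spare public address = xxx.xxx.xxx.155.

! One-to-one static: every IP protocol arriving for the public address,
! including GRE (protocol 47, which carries no port numbers), is translated
! to the server. A port-based static for TCP 1723 alone would drop the GRE leg.
static (inside1,outside) xxx.xxx.xxx.155 192.168.0.10 netmask 255.255.255.255

! Open only what PPTP needs from the outside: the TCP 1723 control channel
! and GRE for the tunnelled data. Everything else stays blocked by the
! implicit deny at the end of the list.
access-list outside_in extended permit tcp any host xxx.xxx.xxx.155 eq pptp
access-list outside_in extended permit gre any host xxx.xxx.xxx.155
access-group outside_in in interface outside
```

After a client connects, `show xlate` should list the static translation for 192.168.0.10, and `show access-list outside_in` should show non-zero hit counts on both the tcp/pptp and the gre lines; a hit count that stays at zero on the gre line points at the GRE leg being lost before it reaches the PIX.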
Second, after reviewing your response I realized I had meant to say that I can't access inside interfaces with lower security levels. For instance, a computer on inside1 with IP 192.168.0.100, where the security-level is 100, cannot get to the FTP site hosted on inside2 at 192.168.1.2, security-level 90. I was under the impression that the PIX allowed this by default. As it is though, I cannot access the FTP site with the URL ftp://192.168.1.2. So do I have to create a static command or an access list or what? I don't see any need to access higher-security interfaces from lower-security interfaces on this setup.
Third. That explains why the VPN won't work. Unfortunately, the VPN server was my SBS server on inside1, xxx.xxx.xxx.153. I don't think 1:1 NAT would work because then I would have to use another router on inside1, right? This is possible but it really defeats my goal of trying to use the PIX for as many things as possible in order to learn it. 1:1 NAT would be good for the DMZ though, because I want another router to control the port forwarding to that network anyway, because it is the test network.
What then would be a good alternative to PPTP on the SBS server? The goal is to have access to resources on inside1 from the outside that I could configure easily on client computers.