I was wondering if there is anything I need to do to a router which is in front of my PIX515E.
The setup I have is a PIX515E with a 3660 Router in front of this before the internet. On this router are the public IP addresses which are then NATed to an IP on the PIX. So for instance my PIX has 10.10.10.1 as its IP on the outside interface card and on the 3660 it will have a static entry to map this to its public IP.
Is there anything special or extra I need to do on the router to get the traffic through as my client is not connecting. Is there any test I can do to see how far it's getting?
The router has a very vanilla setup - traffic of all types flows through it without problem? Unless the router blocks certain ports by default?
It seems to be because I'm trying to NAT to a logical interface on the PIX. I was trying to separate traffic from each other using virtual interfaces and VLANs. I'm not sure how secure it is giving a PIX an internet IP? Can't people hack these boxes easily when they are configured like that?
First thing that you asked is how to trace traffic ?
-> Check your PIX syslog messages and see if client traffic is passing through your router and hitting PIX interface ?
-> You can check the NetFlow traffic on the router by enabling "ip route-cache flow" and you can check the current traffic by "show ip cache flow". If you want to get the NetFlow data collected offline, you need to have some NetFlow analyser tool.
and you can troubleshoot where the traffic is getting blocked and why? Could be any access-list that you have applied on the router etc.
Second thing that you have asked is :- is it safe to give public ip on pix outside interface ?
Yes, you can do this setup without any problem but you need to be clear about what traffic you are going to permit through the PIX.
As fernando said, if it's a client-to-site VPN setup you may need to enable NAT Traversal, as VPN and NAT by their basic nature don't gel, just like water and oil :)
Best bet will be: give your PIX a public IP, define your security policies clearly and filter most of the traffic on the router only, like private IPs from the internet etc.
I managed to get it working. In the end I gave the public IP to the physical interface. I was wondering if it's slightly safer giving it to the logical interface? But I wasn't able to get this to work.
My access lists are pretty clear now. I'm pretty anal on these things - but the access list on the router are very vanilla. You say filter private ip from the internet on the router? What do you mean by this ??
Also on the PIX how do I limit traffic to each group ?? I use the crypto isakmp match address command but then traffic drops completely and I get a group does not match SA errors?
I was talking about various security controls which you can apply on the internet-facing router itself. Private IPs are not supposed to be present on the internet cloud, so filter them out on the router itself, i.e. block all the traffic hitting your internet router with private IPs as source ...
Similarly you don't expect public IPs allocated to your organisation to come as source on any internet traffic incoming to your router; these public IPs will always remain as destination only, so block them as source IPs at the router (anti-spoofing technique).
You can dig more about these controls; search for the keywords "security best practices" at Cisco.
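An added example (not from any post in this thread) of the router-side controls described above in Cisco IOS syntax: an ingress ACL on the internet uplink that drops private and self-sourced addresses, plus the NetFlow cache used to trace traffic. The interface name Serial0/0 and the public block 203.0.113.0/24 are placeholders for the reader's own values.

```cisco
! Ingress anti-spoofing filter for the internet-facing router.
! Assumptions (placeholders): uplink is Serial0/0, our public block is 203.0.113.0/24.
ip access-list extended INTERNET-IN
 remark RFC 1918 private space must never arrive as a source from the internet
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark Loopback and unspecified sources are never legitimate on the uplink
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 remark Anti-spoofing: our own public block is only ever a destination here
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark Everything else is passed to the PIX, which enforces the real policy
 permit ip any any
!
interface Serial0/0
 description Internet uplink
 ip access-group INTERNET-IN in
 ip route-cache flow
!
! Verification from enable mode:
!   show access-lists INTERNET-IN   - hit counters on each deny line
!   show ip cache flow              - current flows, to see whether the
!                                     client traffic reaches the router
```

The `log` keyword on each deny sends a syslog message per matched packet, so the hit counters and logs show how much spoofed traffic the uplink actually receives.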