07-15-2002 07:24 PM - edited 03-08-2019 11:33 PM
A few questions regarding the PIX 501. PIX config attached at bottom.
My network is:
DSLmodem (got 5 extern IP's) --------- pix ----------- host 192.168.1.100
QUESTION 1: I can't browse the Internet from host 192.168.1.100.
I have it now so that any traffic coming from the Internet to the PIX external interface for FTP, HTTP is forwarded to that internal host 192.168.1.100 (that host is a web server).
Also traffic from host should be NAT'ed outside dynamically.
Why can't I browse the Internet from host 192.168.1.100?
QUESTION 2: Can I add a second (external) IP address to the external interface?
Why I need that: I want to add a second web server 192.168.1.101, and I want to add a second external IP address to the PIX external interface so that traffic to that new external address for FTP, HTTP will be forwarded to the 192.168.1.101 host.
07-15-2002 07:28 PM
config is:
----------------
Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DvgG2ZzvLdD3UYnW encrypted
passwd DvgG2ZzvLdD3UYnW encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit tcp any host 168.103.127.229 eq ftp
access-list outside_access_in permit tcp any host 168.103.127.229 eq 1999
access-list outside_access_in permit udp any host 168.103.127.229 eq 1234
access-list outside_access_in permit tcp any host 168.103.127.229 eq www
access-list outside_access_in permit tcp any host 168.103.127.229 eq 5800
access-list outside_access_in permit tcp any host 168.103.127.229 eq 5900
access-list inside_access_in permit icmp any any
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any echo-reply outside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside 168.103.127.229 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 168.103.127.224 255.255.255.248 outside
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 168.103.127.229 255.255.255.255 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.100 255.255.255.255 0 0
static (inside,outside) interface 192.168.1.100 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 168.103.127.230 1
route outside 168.103.127.229 255.255.255.255 168.103.127.230 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.100 /cisco/pix/pix501_001
floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd dns 169.132.8.81 198.4.75.69
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:d1f565fe6aceafec353abba60b0fe645
: end
[OK]
07-16-2002 12:10 AM
for some reason my first response didn't make it here, so I'll try again:
Answer 1:
Extend the access-list inside_access_in (applied on the inside interface) to allow for browsing traffic:
access-list inside_access_in permit udp any any eq 53
access-list inside_access_in permit tcp any any eq 80
Answer 2:
Adding another static will set up the mapping from a 2nd external address to your 2nd internal host. Make sure to extend the outside_access_in access-list as well:
access-list outside_access_in permit tcp any host 168.103.127.230 eq ftp
access-list outside_access_in permit tcp any host 168.103.127.230 eq www
static (inside,outside) 168.103.127.230 192.168.1.101 netmask 255.255.255.255 0 0
This example assumes the 2nd external address that you're using is 168.103.127.230.
Good luck.
Frans
07-16-2002 08:47 AM
Frans,
Thanks.
Answer #1 solved the Internet access problem for host 192.168.1.100.
But I added a host 192.168.1.101 (I can ping it from .100 and vice versa) and added dynamic NAT for .101, but now host .101 can't access the Internet.
Why is that? I thought that solution 1 solved the problem.
I didn't get to trying answer #2 yet.
CURRENT CONFIG
Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DvgG2ZzvLdD3UYnW encrypted
passwd DvgG2ZzvLdD3UYnW encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit tcp any host 168.103.127.229 eq ftp
access-list outside_access_in permit tcp any host 168.103.127.229 eq 1999
access-list outside_access_in permit udp any host 168.103.127.229 eq 1234
access-list outside_access_in permit tcp any host 168.103.127.229 eq www
access-list outside_access_in permit tcp any host 168.103.127.229 eq 5800
access-list outside_access_in permit tcp any host 168.103.127.229 eq 5900
access-list inside_access_in permit icmp any any
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in permit tcp any any eq ftp
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any echo-reply outside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside 168.103.127.229 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 168.103.127.224 255.255.255.248 outside
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 168.103.127.229 255.255.255.255 outside
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 192.168.1.101 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.100 255.255.255.255 0 0
nat (inside) 1 192.168.1.101 255.255.255.255 0 0
static (inside,outside) interface 192.168.1.100 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 168.103.127.230 1
route outside 168.103.127.229 255.255.255.255 168.103.127.230 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.100 /cisco/pix/pix501_001
floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd dns 169.132.8.81 198.4.75.69
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:e2b0549ba0dd81e3430ed1238973db52
: end
[OK]
07-16-2002 10:03 AM
Also - in answer 2 you basically say:
permit http and ftp access from outside to [new second external IP address]
add static NAT between internal host 101 and [new second external IP]
BUT how do I add a second external IP to the outside interface, in the first place?
The IP I need to add is 168.103.127.227.
(168.103.127.230 is my DSL modem's internal interface.)
07-16-2002 10:45 AM
Also, why can't I ping from 192.168.1.100 to the outside? See below.
(I tried yahoo and also set up a box at 168.103.127.227 for testing whether I can reach it.)
C:\>ping 168.103.127.227
Pinging 168.103.127.227 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 168.103.127.227:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping www.yahoo.com
Pinging www.yahoo.akadns.net [64.58.76.179] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 64.58.76.179:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
07-16-2002 01:13 PM
You don't need to set up a secondary IP address on the PIX. The 'static' command will tell the PIX to listen on that external address.
Your router and/or cable modem setup must be configured to route those packets to the external IP address of your firewall though (or to that subnet anyway).
If you want to make 168.103.127.227 relate to 192.168.1.101, set up the following static:
static (inside,outside) 168.103.127.227 192.168.1.101 netmask 255.255.255.255 0 0
Make sure to REMOVE the following route:
route outside 168.103.127.229 255.255.255.255 168.103.127.230 1
it doesn't make sense (to me at least)...
Also don't forget to extend the outside_access_in list to allow for certain types of traffic to be let through to 168.103.127.227.
If you want pings to work, one of the lines of the outside_access_in list should be:
access-list outside_access_in permit icmp any any
Once more - good luck.
Frans
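An added illustration (not Cisco's code and not posted in this thread) that models how the PIX 6.x rules above combine: outbound traffic from an inside host needs both a translation (nat or static) and, once an ACL is bound to the inside interface, an explicit permit in that ACL (Answer 1), while inbound traffic to a second public address needs only a static plus an outside ACL entry, with no secondary interface address (the second reply). The BEFORE/AFTER strings are constructed extracts of this thread's configs, and the parser understands only the 'any' and 'host' address forms used here.

```python
# Added illustration (not Cisco code); BEFORE/AFTER are constructed extracts of this thread's configs.
PORTS = {"ftp": 21, "www": 80, "http": 80, "domain": 53}

def parse_pix(cfg):  # -> (acls, access-group bindings, nat'ed hosts, statics mapped->real)
    acls, groups, nat_hosts, statics, out_ip = {}, {}, set(), {}, None
    for line in cfg.splitlines():
        t = line.split() or [""]
        if t[:3] == ["ip", "address", "outside"]:
            out_ip = t[3]
        elif t[0] == "access-list":      # access-list NAME permit PROTO SRC DST [eq PORT]
            src, i = ("any", 5) if t[4] == "any" else (t[5], 6)          # any | host X
            dst, i = ("any", i + 1) if t[i] == "any" else (t[i + 1], i + 2)
            port = (PORTS.get(t[i + 1]) or int(t[i + 1])) if i < len(t) else None
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst, port))
        elif t[0] == "access-group":     # access-group NAME in interface IFACE
            groups[t[4]] = t[1]
        elif t[0] == "nat" and t[2] != "0":  # nat (inside) 1 HOST MASK
            nat_hosts.add(t[3])
        elif t[0] == "static":           # static (inside,outside) MAPPED|interface REAL ...
            statics[out_ip if t[2] == "interface" else t[2]] = t[3]
    return acls, groups, nat_hosts, statics

def acl_permits(acls, groups, iface, proto, src, dst, port):
    if iface not in groups:              # nothing bound: PIX allows only higher->lower security
        return iface == "inside"
    for action, p, s, d, pt in acls.get(groups[iface], []):  # first match wins
        if p in (proto, "ip") and s in ("any", src) and d in ("any", dst) and pt in (None, port):
            return action == "permit"
    return False                         # implicit deny at the end of a bound ACL

def outbound_ok(cfg, host, proto, dst, port=None):
    acls, groups, nat_hosts, statics = parse_pix(cfg)
    translated = host in nat_hosts or host in statics.values()   # nat or static for the host
    return translated and acl_permits(acls, groups, "inside", proto, host, dst, port)

def inbound_ok(cfg, mapped_ip, proto, port):  # real inside host, or None if dropped
    acls, groups, _, statics = parse_pix(cfg)  # needs a static for mapped_ip + outside-ACL permit
    real = statics.get(mapped_ip)
    return real if real and acl_permits(acls, groups, "outside", proto, "any", mapped_ip, port) else None

BEFORE = """ip address outside 168.103.127.229 255.255.255.248
access-list inside_access_in permit icmp any any
nat (inside) 1 192.168.1.100 255.255.255.255 0 0
static (inside,outside) interface 192.168.1.100 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside"""
AFTER = BEFORE + """
access-list inside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any host 168.103.127.227 eq www
static (inside,outside) 168.103.127.227 192.168.1.101 netmask 255.255.255.255 0 0"""
```

Running outbound_ok against BEFORE for host 192.168.1.100 on tcp/80 gives False (only icmp is permitted on the inside ACL) and True against AFTER, while inbound_ok(AFTER, "168.103.127.227", "tcp", 80) resolves to 192.168.1.101 with no change to the interface address.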
07-17-2002 01:23 PM
Thanks. All working now!