Re: Newbie Needs help configuring 506e

prounds · ‎07-01-2006

I'm tring to configure a 506e for a relatively simple scenario, and just can't seem to get it. I have an existing IP block , 67.43.167.32, 255.255.255.240. I would like to give the 506e the last 4 IPs, permit egress, map one or two of the IPs to static internal IP address, and let only a few TCP ports in.

To do this, I did the following:

interface ethernet0 10full

interface ethernet1 10full

nameif ethernet1 outside sec0

nameif ethernet1 inside sec100

ip address outside 67.43.x.x.255.255.240

ip address inside 192.68.1.1 255.255.255.0

static (inside,outside) 67.43.x.x.168.1.11 netmask 255.255.255.255 0 0

access-list acl_outsidein permit tcp any host 192.168.1.11 eq 80

access-group acl_outsidein in interface outside

My reading of all the manuals is that this will map the (outside) ip 67.x.167.44 to the (inside) ip 192.168.1.11, and that it will permit (only) http access from the outside to 192.168.1.11.

It doesn't do this, i.e. from my little test subnet ( 67.43.167.1, 255.255.255.0) to which the 506e is connected, when I try to access 67.43.167.44 from a web browser, I get no response. ( From within my 192.168.1.1, 255.255.255.0 subnet, when I go to 192.168.1.11 I get the site )

I tried adding

access-list acl_insideout ip any any

access-group acl_insideout in interface inside

but this made no change.

What am I missing?

jmia · ‎07-01-2006

Phillip,

Do this...

access-list acl_outsidein permit tcp any host 67.43.167.44 eq www

access-group acl_outsidein in interface outside

static (inside,outside) tcp 67.43.167.44 www 192.168.1.11 www netmask 255.255.255.255 0 0

Issue: clear xlate and save with: write mem

Now when you try to access your web server on 67.43.167.44 port 80, you'll be mapped to your internal web server on 192.168.1.11

You don't need any ACL's on your inside interface unless you are filtering your inside host's!!

Hope this helps and please rate post if it does!

Jay

jzsides · ‎07-02-2006

You should change this line:

access-list acl_outsidein permit tcp any host 192.168.1.11 eq 80

to:

access-list acl_outsidein permit tcp any host 67.43.167.44 eq 80

Also, you may have trouble testing from 67.43.167.1. Try an unused address within the same subnet assigned to your outside interface.

prounds · ‎07-03-2006

Sorry for the typo in the post, but your suggestion was what I really did. The following is the current configuration, which differs somewhat from my original post. Basically, I just have the one IP configured for the PIX, and I let all IP traffic in

The current status is:

CGIPix1(config)# show ip

System IP Addresses:

ip address outside 67.43.167.44 255.255.255.255

ip address inside 192.168.1.1 255.255.255.0

Current IP Addresses:

ip address outside 67.43.167.44 255.255.255.255

ip address inside 192.168.1.1 255.255.255.0

CGIPix1(config)# show static

static (inside,outside) 67.43.167.44 192.168.1.11 netmask 255.255.255.255 0 0

CGIPix1(config)# show access-list acl_insideout

access-list acl_insideout; 1 elements

access-list acl_insideout line 1 permit ip any any (hitcnt=0)

CGIPix1(config)# show access-list acl_outsidein

access-list acl_outsidein; 2 elements

access-list acl_outsidein line 1 permit tcp any host 67.43.167.44 eq www (hitcnt

=0)

access-list acl_outsidein line 2 permit ip any host 67.43.167.44 (hitcnt=0)

CGIPix1(config)#

jzsides · ‎07-03-2006

Are you really using a subnet mask of 255.255.255.255 on the outside interface?

prounds · ‎07-04-2006

I thought I started a new thread addressing this question but it seems to have been lost.

I think that's my real problem, that I'm not configuring the outside interface correctly. I had used 255.255.255.255 to restrict the firewall to listening to only that 1 IP, which is not what I really want. My real-life situation is that I have an existing 16 IP subnet to which I want to add the 506, with a new server sitting behind the firewall, and leave the exsitng server exposed, listening to some of the IPs in my existing block. I want to eventually migrate the exposed server to be behind the firewall. An additional factor is that all of this will be done in a CoLo situation, so I'm trying to create a test subnet here to configure everything before I ship it out.

Say my existing ip block is 192.168.0.241, 255.255.255.240. When I configure my 506, how do I assign the outside IP address if I just want to use, e.g., 192.168.0.250 - 192.168.0.255 as the IPs the firewall will listen on, while 192.168.0.241 - 192.168.0.249 are used by an existing server which will not be behind the firewall

If I assign the entire 16 IP subnet to the outside, but only have static assignments for the 5 IPs I want to use on the firewall, which device listens on the first 10 IPs, my existing server or the 506? Do I need a complete, and new, subnet for the firewall?

I thought I had a correct ( test ) configuration with some modifications ( I was using an entire class C subnet ( 192.168.0.1, 255.255.255.0 as my test scenario, and was assigning the firewall the subnet of 192.168.0,241, 255.255.255.240) this worked well, but some local computers, but not all, couldn't get out).

Any insight would be greatly appreciated.

jzsides · ‎07-04-2006

I agree, your outside interface configuration is the problem. You should not need a new subnet, because the pix will proxy-arp for the hosts configured in your static nat translations.

Here's what I would do:

ip address inside 192.168.1.1 255.255.255.0

ip address outside 192.168.0.241 255.255.255.240

static (inside,outside) 192.168.0.254 192.168.1.254 netmask 255.255.255.255

access-list inFromOutside permit tcp any host 192.168.0.254 eq 80

access-group inFromOutside in interface outside

At this point the servers(192.168.0.242 - 192.168.0.249 with a subnet mask of 255.255.255.240) plugged into the outside interface should be able to connect to 192.168.0.254 on port 80.

If you want all hosts on the inside to get out, I would add this:

nat (inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 interface