perimeter router with atm one public ip and pix 515e design

s.townsend
Level 1

Would appreciate feedback,

I have configured a couple of PIX configs before with little difficulty. I'm running into problems. First of all, I've read conflicting articles... Can you have one public IP on the outside, then NAT on the perimeter, then have the PIX, then the LAN?

Goal:

Filter server on DMZ

http access for inside hosts in general to DMZ and URL server permitting to outside interface.

ISP
 |
 |
ROUTER (with ATM and NAT OVERLOAD on FA interface)
 |
 |
PIX 515E 3 interfaces
 |          |
 |          |
DMZ LAN    Inside LAN

- All interfaces on the pix would have private addresses and nat overload is performed on the perimeter router with Dialer interface?

Here are the PIX config and router config; any help would be appreciated.

Router

version 12.2

service timestamps debug uptime

service timestamps log datetime localtime

service password-encryption

service linenumber

!

hostname DSL-GATE

!

no logging buffered

logging rate-limit console all 5

logging monitor warnings

!

memory-size iomem 20

clock timezone CST -6 26

ip subnet-zero

!

!

ip name-server 207.203.159.252

!

ip ssh time-out 120

ip ssh authentication-retries 3

vpdn enable

!

vpdn-group pppoe

request-dialin

protocol pppoe

!

!

crypto mib ipsec flowmib history tunnel size 200

crypto mib ipsec flowmib history failure size 200

!

!

!

interface ATM0

no ip address

atm vc-per-vp 256

no atm ilmi-keepalive

dsl operating-mode auto

no fair-queue

!

interface ATM0.1 point-to-point

pvc 8/35

pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

description 1720 uplink on perimeter router

ip address 172.18.12.1 255.255.255.248

ip nat inside

speed auto

half-duplex

pppoe enable

!

interface Serial0

no ip address

shutdown

!

interface Serial1

no ip address

shutdown

!

interface Dialer1

description dsl dialier link

ip address negotiated

ip nat outside

encapsulation ppp

dialer pool 1

pulse-time 0

ppp authentication chap callin

ppp chap hostname

ppp chap password 7

ppp pap sent-username

!

ip nat inside source list 1 interface Dialer1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

no ip http server

ip pim bidir-enable

!

logging trap debugging

access-list 1 permit 172.18.12.0 0.0.0.255 log

!

banner motd ^CCC

WARNING RESTRICTED AREA * AUTHORIZATION REQUIRED ^C

!

line con 0

password 7

logging synchronous

login

line aux 0

terminal-type mon

speed 115200

line vty 0 3

password 7

login

terminal-type mon

transport input pad udptn telnet rlogin

line vty 4

password 7

login

transport input pad udptn telnet rlogin

line vty 5 9

password 7

login

terminal-type mon

line vty 10 15

password 7

login

pix

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security50

enable password

passwd

hostname pix515e

domain-name cisco.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

ip address outside 172.18.12.1 255.255.255.240

ip address inside 172.18.12.65 255.255.255.224

ip address DMZ 172.18.12.17 255.255.255.240

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

conduit permit icmp any any

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:

: end

Much thanks in advance,


dro
Level 1

Hi,

I'm not entirely sure what exactly you're trying to accomplish here. I assume you're using the external/dmz/internal interfaces on the PIX for internal (internal from your DSL line) purposes only and don't want to NAT anything from your PIX interfaces.

It should be fine to do this, so long as no one from the Internet needs to ever come in via your Router to initiate a connection to anything that is behind it.

If you want to be able to access the lower security levels from your (PIX) Inside and DMZ networks, you should create a "static" entry as well as setting default routes if you want to be able to access the Internet connection.

Configuration entries like this may be helpful for you:

static(inside,dmz) 172.18.12.64 172.18.12.64 netmask 255.255.255.224

static(inside,outside) 172.18.12.64 172.18.12.64 netmask 255.255.255.224

static(dmz,outside) 172.18.12.16 172.18.12.16 netmask 255.255.255.240

Don't forget that if you want to be able to access the higher interfaces from the lower (ie: outside to dmz or outside to inside or dmz to inside), then you will have to apply access lists to the outside/dmz interface to specifically allow the traffic.

If you want to be able to access the Internet from any of your three networks, you'll need this command:

route outside 0.0.0.0 0.0.0.0 172.18.12.1 1

Hope that helps..

-Joshua

Thanks for your input, Joshua... I still could use some suggestions about connectivity and design.

tvanginneken
Level 4

Hi,

sorry, I would like to help you but I don't understand your question. Could you explain the situation again?

Thanks!!

Kind Regards,

Tom

bdube
Level 2

Hi,

First, the outside PIX interface and the inside router interface seem to have the same IP address.

Second, it has been a long time since I have configured a router, but I can't see an Ethernet virtual interface to complete your ATM setup.

Finally, I'm not sure about your ATM/PPPoE/PPP/Ethernet/DSL connection. There are a lot of layer 2 connections. Did you test the ATM connection?

Regards

Ben

Sorry for the unclear intro... and yes, that is just it: the layer 2 with the ATM connection. Would there be a way to establish a bridge connection? And what about a remote connection?

Here are the clarified configs

PIX

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security50

enable password

passwd

hostname pix515e

domain-name cisco.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

ip address outside 172.18.12.1 255.255.255.240

ip address inside 172.18.12.65 255.255.255.224

ip address DMZ 172.18.12.17 255.255.255.240

ip audit info action alarm

ip audit attack action alarm

pdm location 172.18.12.75 255.255.255.255 inside

pdm history enable

arp timeout 14400

static (inside,DMZ) 172.18.12.64 172.18.12.64 netmask 255.255.255.224 0 0

static (inside,outside) 172.18.12.64 172.18.12.64 netmask 255.255.255.224 0 0

static (DMZ,outside) 172.18.12.16 172.18.12.16 netmask 255.255.255.240 0 0

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 172.18.12.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server TACACS protocol tacacs+

aaa-server TACACS (inside) host 172.181.12.20 255.255.255.240 timeout 10

url-server (inside) vendor n2h2 host 172.18.12.19 port 4005 timeout 10 protocol TCP

filter url http 172.18.12.64 255.255.255.224 0.0.0.0 0.0.0.0 proxy-block

http server enable

http 172.18.12.65 255.255.255.255 inside

http 172.18.12.64 255.255.255.224 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:f5d6237efec83606e18b51879fa47a0f

Perimeter Router - could use a 2600 with 2 interfaces if advantages could be seen?

1720 Router

version 12.2

service timestamps debug uptime

service timestamps log datetime localtime

service password-encryption

service linenumber

!

hostname DSL-GATE

!

no logging buffered

logging rate-limit console all 5

logging monitor warnings

!

memory-size iomem 20

clock timezone CST -6 26

ip subnet-zero

!

!

ip name-server 207.203.159.252

!

ip ssh time-out 120

ip ssh authentication-retries 3

vpdn enable

!

vpdn-group pppoe

request-dialin

protocol pppoe

!

!

crypto mib ipsec flowmib history tunnel size 200

crypto mib ipsec flowmib history failure size 200

!

!

!

interface ATM0

no ip address

atm vc-per-vp 256

no atm ilmi-keepalive

dsl operating-mode auto

no fair-queue

!

interface ATM0.1 point-to-point

pvc 8/35

pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

description 1720 uplink on perimeter router

ip address 172.18.12.2 255.255.255.240

ip nat inside

speed auto

half-duplex

pppoe enable

!

interface Serial0

no ip address

shutdown

!

interface Serial1

no ip address

shutdown

!

interface Dialer1

description dsl dialier link

ip address negotiated

ip nat outside

encapsulation ppp

dialer pool 1

pulse-time 0

ppp authentication chap callin

ppp chap hostname

ppp chap password 7

ppp pap sent-username

!

ip nat inside source list 1 interface Dialer1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

no ip http server

ip pim bidir-enable

!

logging trap debugging

access-list 1 permit 172.18.12.0 0.0.0.255 log

!

banner motd ^CCC

WARNING RESTRICTED AREA * AUTHORIZATION REQUIRED ^C

!

line con 0

password 7

logging synchronous

login

line aux 0

terminal-type mon

speed 115200

line vty 0 3

password 7

login

terminal-type mon

transport input pad udptn telnet rlogin

line vty 4

password 7

login

transport input pad udptn telnet rlogin

line vty 5 9

password 7

login

terminal-type mon

line vty 10 15

password 7

login

Goal --- To place the filter server, the TACACS server (for authentication of inside users) and the web server (for internet users) on the DMZ segment.

Inside --- All users must authenticate to the PIX to reach the outside world or internet.

Currently from the PIX I can ping the internet and I can ping each node on each segment; however, the inside users cannot reach anywhere beyond their specified gateway 172.181.12.65. I realize this is a complex config. I'm asking for help with the access-list to establish connectivity first and then begin to lock down the ports. I'm familiar with IOS; I must say this PIX OS is a touch more involved. Any help is appreciated.

Again,

Thanks in advance

Hi. A few comments about your configuration. I'll start with the PIX.

Your syntax for the url-server is incorrect. The (ifname) portion should identify where the url filter server is located. From your listed goals, it should be:

"url-server (dmz) vendor n2h2 host 172.18.12.19 port 4005 timeout 10 protocol TCP"

The same applies for your AAA server statement, but also you have '255.255.255.240' defined as the TACACS shared key. It should be like this: "aaa-server TACACS (dmz) host 172.181.12.20 TACACS_KEY timeout 10"

To authenticate all of your users outbound traffic (only applies to HTTP/FTP and Telnet), use commands something like this:

authenticate all traffic

"aaa authentication include any outbound 0 0 0 0 TACACS"

except if it terminates on our outside network

"aaa authentication exclude any outbound 0 0 172.18.12.0 255.255.255.240 TACACS"

except if it terminates on our DMZ network

"aaa authentication exclude any outbound 0 0 172.18.12.16 255.255.255.240 TACACS"

To fix the problem with your Internal users not being able to see anything beyond the PIX, try applying the commands:

"nat (inside) 1 172.18.12.64 255.255.255.224 0 0"

"nat (dmz) 1 172.18.12.16 255.255.255.240 0 0"

Even though we're not actually doing any noticeable NAT, it has to be enabled on the PIX for it to function how it wants to. In your case, the NAT is being done to replace the networks listed in the static maps, with their same IP's so that the DMZ/outside interfaces see the networks as their real IP Addresses.

For a complete list of PIX configurations, don't forget to take a look at http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_book09186a0080104234.html

And now for the Router:

Your webserver may give you the most trouble, since you'll have to punch a hole into your Router to allow the traffic to reach your DMZ. I'm not entirely sure how to get this going if you only have one IP Address on your Internet connection. In all cases where I've done NAT on an external router, I've always gone with a static NAT translation, then an access list to filter off what can come through the Router. But in your case, I think you only have one external IP Address, right?

The other alternative would be to attempt to use the router as a bridge, but if you're not receiving a static IP Address on the router's ATM port, this might not be possible, because you would have to do the port translation for the webserver on the PIX. I'm not sure if you can do a wildcard translation, since we wouldn't know the external IP Address if it's dynamically assigned. If you do get this going as a bridge, I'd assume that you would also have to kill off the NAT on the Router and have the PIX do the NAT for outgoing data by setting the 'global' command. Ie, to do a PAT translation:

"global (outside) 1 static.external.ip.address"

or if you want to do a NAT translation:

"global (outside) 1 xx.xx.xx.yy-xx.xx.xx.yz"

Above and beyond what's listed above, I can't offer other suggestions as it's a bit beyond the realm of configuration that I've run into. Let me know if your PIX problems get cleared up or if you find a way to get your webserver working through both the Router and the PIX.

Regards,

-Joshua
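As an added check (not from this thread or from Cisco), a small Python lint that automates the findings the two replies above made by hand: Ben's duplicate address on the PIX-to-router link (first router config, FastEthernet0 172.18.12.1/29 versus the PIX outside 172.18.12.1/28) and Joshua's url-server/aaa-server statements that name an interface on which the host does not sit and a netmask where the TACACS key belongs. The config excerpt is constructed from the lines posted above; FIXED_ROUTER_LAN is the FastEthernet0 address from the "clarified" router config.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.2 config posted in this thread (only the
# lines these checks read); it is not a complete or working configuration.
PIX_CFG = """\
ip address outside 172.18.12.1 255.255.255.240
ip address inside 172.18.12.65 255.255.255.224
ip address DMZ 172.18.12.17 255.255.255.240
aaa-server TACACS (inside) host 172.181.12.20 255.255.255.240 timeout 10
url-server (inside) vendor n2h2 host 172.18.12.19 port 4005 timeout 10 protocol TCP
"""
# Router FastEthernet0: first posted config (.1/29) and the later "clarified" one (.2/28).
ROUTER_LAN = ipaddress.ip_interface("172.18.12.1/255.255.255.248")
FIXED_ROUTER_LAN = ipaddress.ip_interface("172.18.12.2/255.255.255.240")

def pix_interfaces(cfg):
    """Map lower-cased PIX interface name -> ip_interface from 'ip address' lines."""
    return {m.group(1).lower(): ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
            for m in re.finditer(r"^ip address (\S+) (\S+) (\S+)$", cfg, re.M)}

def owning_interface(ifs, host):
    """Name of the PIX interface whose subnet contains host, or None if none does."""
    for name, itf in ifs.items():
        if host in itf.network:
            return name
    return None

def lint(cfg, router_lan):
    """Return findings for the shared link and for the (ifname) server statements."""
    findings = []
    ifs = pix_interfaces(cfg)
    outside = ifs["outside"]
    if outside.ip == router_lan.ip:
        findings.append("outside: PIX and router use the same address on the link")
    if outside.network != router_lan.network:
        findings.append("outside: subnet mask differs from the router's LAN interface")
    # "(ifname)" must be the interface that actually contains the server host; on an
    # aaa-server line the token after the host is the shared key, so a dotted quad is wrong.
    pattern = r"^(aaa-server|url-server).*?\((\S+)\).*?host (\S+)(?: (\S+))?"
    for m in re.finditer(pattern, cfg, re.M):
        kind, ifname = m.group(1), m.group(2).lower()
        host, nxt = ipaddress.ip_address(m.group(3)), m.group(4)
        owner = owning_interface(ifs, host)
        if owner is None:
            findings.append(f"{kind} ({ifname}): host {host} is on no PIX subnet")
        elif owner != ifname:
            findings.append(f"{kind} ({ifname}): host {host} actually sits on {owner}")
        if kind == "aaa-server" and nxt and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", nxt):
            findings.append(f"aaa-server ({ifname}): key '{nxt}' looks like a netmask")
    return findings
```

Running lint(PIX_CFG, ROUTER_LAN) reports both link problems plus the three server-statement problems; with FIXED_ROUTER_LAN only the three server-statement findings remain.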

Yes...this is the issue then...By only having one public ip address on this router the translation issue seems. Can I create a pool of addresses from the outside (even though they are actually private) and nat and global from that or is there no way?

Do you have any thoughts on using the router as a bridge and translating on the PIX? My IP is static: 68.x.x.x 255.255.255.255, using CHAP auth with the Dialer interface with BellSouth. Who knows how to bridge this connection over to my PIX outside interface? This is what you are describing, correct?

Yes... I can ping the internet from the PIX. Thanks for your response.
