12-06-2002 08:17 AM - edited 02-20-2020 10:25 PM
Would appreciate feedback,
I have configured a couple of PIX configs before with little difficulty. I'm running into problems. First of all, I've read conflicting articles... Can you have one public IP on the outside, then NAT on the perimeter, then the PIX, then the LAN?
Goal:
Filter server on DMZ
http access for inside hosts in general to DMZ and URL server permitting to outside interface.
ISP
|
|
ROUTER(with ATM and NAT OVERLOAD on FA Interface)
|
|
PIX 515E 3 interfaces
| |
| |
DMZ lan Inside Lan
- All interfaces on the PIX would have private addresses, and NAT overload is performed on the perimeter router with the Dialer interface?
Here is the PIX config and router config; any help would be appreciated.
Router
version 12.2
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
service linenumber
!
hostname DSL-GATE
!
no logging buffered
logging rate-limit console all 5
logging monitor warnings
!
memory-size iomem 20
clock timezone CST -6 26
ip subnet-zero
!
!
ip name-server 207.203.159.252
!
ip ssh time-out 120
ip ssh authentication-retries 3
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
!
!
interface ATM0
no ip address
atm vc-per-vp 256
no atm ilmi-keepalive
dsl operating-mode auto
no fair-queue
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
description 1720 uplink on perimeter router
ip address 172.18.12.1 255.255.255.248
ip nat inside
speed auto
half-duplex
pppoe enable
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Dialer1
description dsl dialier link
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
pulse-time 0
ppp authentication chap callin
ppp chap hostname
ppp chap password 7
ppp pap sent-username
!
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip pim bidir-enable
!
logging trap debugging
access-list 1 permit 172.18.12.0 0.0.0.255 log
!
banner motd ^CCC
WARNING RESTRICTED AREA * AUTHORIZATION REQUIRED ^C
!
line con 0
password 7
logging synchronous
login
line aux 0
terminal-type mon
speed 115200
line vty 0 3
password 7
login
terminal-type mon
transport input pad udptn telnet rlogin
line vty 4
password 7
login
transport input pad udptn telnet rlogin
line vty 5 9
password 7
login
terminal-type mon
line vty 10 15
password 7
login
pix
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password
passwd
hostname pix515e
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 172.18.12.1 255.255.255.240
ip address inside 172.18.12.65 255.255.255.224
ip address DMZ 172.18.12.17 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
conduit permit icmp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:
: end
Much thanks in advance,
12-06-2002 08:59 AM
Hi,
I'm not entirely sure what exactly you're trying to accomplish here. I assume you're using the external/DMZ/internal interfaces on the PIX for internal (internal from your DSL line) purposes only and don't want to NAT anything from your PIX interfaces.
It should be fine to do this, so long as no one from the Internet needs to ever come in via your Router to initiate a connection to anything that is behind it.
If you want to be able to access the lower security levels from your (PIX) Inside and DMZ networks, you should create a "static" entry as well as setting default routes if you want to be able to access the Internet connection.
Configuration entries like this may be helpful for you:
static(inside,dmz) 172.18.12.64 172.18.12.64 netmask 255.255.255.224
static(inside,outside) 172.18.12.64 172.18.12.64 netmask 255.255.255.224
static(dmz,outside) 172.18.12.16 172.18.12.16 netmask 255.255.255.240
Don't forget that if you want to be able to access the higher interfaces from the lower (ie: outside to dmz or outside to inside or dmz to inside), then you will have to apply access lists to the outside/dmz interface to specifically allow the traffic.
If you want to be able to access the Internet from any of your three networks, you'll need this command:
route outside 0.0.0.0 0.0.0.0 172.18.12.1 1
Hope that helps..
-Joshua
12-07-2002 10:46 AM
Thanks for your input, Joshua... I could still use some suggestions about connectivity and design.
12-07-2002 04:48 AM
Hi,
sorry, I would like to help you but I don't understand your question. Could you explain the situation again?
Thanks!!
Kind Regards,
Tom
12-07-2002 07:39 AM
Hi,
First, the outside PIX interface and the inside router interface seem to have the same IP address.
Second, it has been a long time since I configured a router, but I can't see an Ethernet virtual interface to complete your ATM setup.
Finally, I'm not sure about your ATM/PPPoE/PPP/Ethernet/DSL connection. There are a lot of layer 2 connections. Did you test the ATM connection?
Regards
Ben
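Two of the problems raised in this thread (the PIX outside interface and the router LAN interface sharing 172.18.12.1, and the url-server/aaa-server lines naming an interface that does not match the subnet the server sits on, which Joshua's later reply points out) can be caught mechanically. The checker below is an added example, not code from the thread or from Cisco: it reads a constructed excerpt of the posted PIX config, maps each server host to the interface subnet that contains it, flags an aaa-server key that looks like a netmask, and compares the PIX interfaces against the router's LAN interface from the first router config. Interface names are lower-cased so "DMZ" and "(dmz)" compare equal; that is an assumption of this script, not PIX behaviour.

```python
import ipaddress
import re

# Constructed excerpt of the clarified PIX 6.2 config posted in this thread;
# only the lines the checker reads are kept.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
ip address outside 172.18.12.1 255.255.255.240
ip address inside 172.18.12.65 255.255.255.224
ip address DMZ 172.18.12.17 255.255.255.240
aaa-server TACACS (inside) host 172.181.12.20 255.255.255.240 timeout 10
url-server (inside) vendor n2h2 host 172.18.12.19 port 4005 timeout 10 protocol TCP
"""

# The router LAN interface from the first router config in the thread.
ROUTER_LAN = ("FastEthernet0", "172.18.12.1", "255.255.255.248")

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")


def parse_interfaces(config):
    """Map each PIX interface name (lower-cased) to its IPv4Interface."""
    ifaces = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            name, addr, mask = m.groups()
            ifaces[name.lower()] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces


def parse_servers(config):
    """Return (label, declared ifname, host, shared key or None) for server lines with a host."""
    servers = []
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("aaa-server", "url-server") or "host" not in tok:
            continue
        ifname = next(t for t in tok if t.startswith("(")).strip("()").lower()
        pos = tok.index("host")
        host, key = tok[pos + 1], None
        if tok[0] == "aaa-server" and pos + 2 < len(tok) and tok[pos + 2] != "timeout":
            key = tok[pos + 2]  # aaa-server ... host <ip> <key> timeout <n>
        label = "url-server" if tok[0] == "url-server" else f"aaa-server {tok[1]}"
        servers.append((label, ifname, host, key))
    return servers


def locate(ifaces, host):
    """Name of the PIX interface whose subnet contains host, or None."""
    ip = ipaddress.IPv4Address(host)
    return next((name for name, iface in ifaces.items() if ip in iface.network), None)


def looks_like_netmask(token):
    """True for a dotted quad that parses as a valid netmask (e.g. 255.255.255.240)."""
    if token.count(".") != 3:
        return False
    try:
        ipaddress.IPv4Network(f"0.0.0.0/{token}")
    except ValueError:
        return False
    return True


def check(config, router_lan):
    """Return (code, message) findings for server placement and router/PIX address clashes."""
    findings = []
    ifaces = parse_interfaces(config)
    for label, declared, host, key in parse_servers(config):
        actual = locate(ifaces, host)
        if actual is None:
            findings.append(("unreachable-host", f"{label}: {host} is not on any PIX subnet"))
        elif actual != declared:
            findings.append(("wrong-ifname", f"{label}: declared ({declared}) but {host} sits on ({actual})"))
        if key is not None and looks_like_netmask(key):
            findings.append(("mask-as-key", f"{label}: shared key {key!r} looks like a netmask"))
    r_name, r_addr, r_mask = router_lan
    router = ipaddress.IPv4Interface(f"{r_addr}/{r_mask}")
    for name, iface in ifaces.items():
        if iface.ip == router.ip:
            findings.append(("duplicate-address", f"PIX {name} and router {r_name} both use {iface.ip}"))
        if iface.network != router.network and iface.network.overlaps(router.network):
            findings.append(("mask-mismatch", f"PIX {name} {iface.network} overlaps router {r_name} {router.network}"))
    return findings


if __name__ == "__main__":
    for code, msg in check(PIX_CONFIG, ROUTER_LAN):
        print(f"[{code}] {msg}")
```

Run as-is it reports the url-server host 172.18.12.19 as living on the DMZ subnet rather than inside, the TACACS host 172.181.12.20 as not on any PIX subnet, the netmask-shaped TACACS key, and the duplicate 172.18.12.1 with its /28 versus /29 mask mismatch.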
12-07-2002 10:42 AM
Sorry for the unclear intro... and yes, that is just it: the layer 2 with the ATM connection. Would there be a way to establish a bridge connection? And what about a remote connection?
Here are the clarified configs
PIX
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password
passwd
hostname pix515e
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 172.18.12.1 255.255.255.240
ip address inside 172.18.12.65 255.255.255.224
ip address DMZ 172.18.12.17 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm location 172.18.12.75 255.255.255.255 inside
pdm history enable
arp timeout 14400
static (inside,DMZ) 172.18.12.64 172.18.12.64 netmask 255.255.255.224 0 0
static (inside,outside) 172.18.12.64 172.18.12.64 netmask 255.255.255.224 0 0
static (DMZ,outside) 172.18.12.16 172.18.12.16 netmask 255.255.255.240 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 172.18.12.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 172.181.12.20 255.255.255.240 timeout 10
url-server (inside) vendor n2h2 host 172.18.12.19 port 4005 timeout 10 protocol TCP
filter url http 172.18.12.64 255.255.255.224 0.0.0.0 0.0.0.0 proxy-block
http server enable
http 172.18.12.65 255.255.255.255 inside
http 172.18.12.64 255.255.255.224 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:f5d6237efec83606e18b51879fa47a0f
Perimeter router - I could use a 2600 with 2 interfaces if there is an advantage to it.
1720 Router
version 12.2
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
service linenumber
!
hostname DSL-GATE
!
no logging buffered
logging rate-limit console all 5
logging monitor warnings
!
memory-size iomem 20
clock timezone CST -6 26
ip subnet-zero
!
!
ip name-server 207.203.159.252
!
ip ssh time-out 120
ip ssh authentication-retries 3
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
!
!
interface ATM0
no ip address
atm vc-per-vp 256
no atm ilmi-keepalive
dsl operating-mode auto
no fair-queue
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
description 1720 uplink on perimeter router
ip address 172.18.12.2 255.255.255.240
ip nat inside
speed auto
half-duplex
pppoe enable
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
interface Dialer1
description dsl dialier link
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
pulse-time 0
ppp authentication chap callin
ppp chap hostname
ppp chap password 7
ppp pap sent-username
!
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip pim bidir-enable
!
logging trap debugging
access-list 1 permit 172.18.12.0 0.0.0.255 log
!
banner motd ^CCC
WARNING RESTRICTED AREA * AUTHORIZATION REQUIRED ^C
!
line con 0
password 7
logging synchronous
login
line aux 0
terminal-type mon
speed 115200
line vty 0 3
password 7
login
terminal-type mon
transport input pad udptn telnet rlogin
line vty 4
password 7
login
transport input pad udptn telnet rlogin
line vty 5 9
password 7
login
terminal-type mon
line vty 10 15
password 7
login
Goal: to place the filter server, the TACACS server (for authentication of inside users) and the web server (for Internet users) on the DMZ segment.
Inside: all users must authenticate to the PIX to reach the outside world or the Internet.
Currently, from the PIX I can ping the Internet and I can ping each node on each segment; however, the inside users cannot reach anywhere beyond their specified gateway 172.181.12.65. I realize this is a complex config. I'm asking for help with the access-list to establish connectivity first and then begin to lock down the ports. I'm familiar with IOS; I must say this PIX OS is a touch more involved. Any help is appreciated.
Again,
Thanks in advance
12-09-2002 08:03 AM
Hi. A few comments about your configuration. I'll start with the PIX.
Your syntax for the url-server is incorrect. The (ifname) portion should identify where the url filter server is located. From your listed goals, it should be:
"url-server (dmz) vendor n2h2 host 172.18.12.19 port 4005 timeout 10 protocol TCP"
The same applies for your AAA server statement, but also you have '255.255.255.240' defined as the TACACS shared key. It should be like this: "aaa-server TACACS (dmz) host 172.181.12.20 TACACS_KEY timeout 10"
To authenticate all of your users outbound traffic (only applies to HTTP/FTP and Telnet), use commands something like this:
authenticate all traffic
"aaa authentication include any outbound 0 0 0 0 TACACS"
except if it terminates on our outside network
"aaa authentication exclude any outbound 0 0 172.18.12.0 255.255.255.240 TACACS"
except if it terminates on our DMZ network
"aaa authentication exclude any outbound 0 0 172.18.12.16 255.255.255.240 TACACS"
To fix the problem with your Internal users not being able to see anything beyond the PIX, try applying the commands:
"nat (inside) 1 172.18.12.64 255.255.255.224 0 0"
"nat (dmz) 1 172.18.12.16 255.255.255.240 0 0"
Even though we're not actually doing any noticeable NAT, it has to be enabled on the PIX for it to function how it wants to. In your case, the NAT is being done to replace the networks listed in the static maps with their same IPs, so that the DMZ/outside interfaces see the networks as their real IP addresses.
For a complete list of PIX configurations, don't forget to take a look at http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_book09186a0080104234.html
And now for the Router:
Your webserver may give you the most trouble, since you'll have to punch a hole into your Router to allow the traffic to reach your DMZ. I'm not entirely sure how to get this going if you only have one IP Address on your Internet connection. In all cases where I've done NAT on an external router, I've always gone with a static NAT translation, then an access list to filter off what can come through the Router. But in your case, I think you only have one external IP Address, right?
The other alternative would be to attempt to use the router as a bridge, but if you're not receiving a static IP address on the router's ATM port, this might not be possible, because you would have to do the port translation for the webserver on the PIX. I'm not sure if you can do a wildcard translation, since we wouldn't know the external IP address if it's dynamically assigned. If you do get this going as a bridge, I'd assume that you would also have to kill off the NAT on the router and have the PIX do the NAT for outgoing data by setting the 'global' command. I.e., to do a PAT translation:
"global (outside) 1 static.external.ip.address"
or if you want to do a NAT translation:
"global (outside) 1 xx.xx.xx.yy-xx.xx.xx.yz"
Above and beyond what's listed above, I can't offer other suggestions, as it's a bit beyond the realm of configuration that I've run into. Let me know if your PIX problems get cleared up or if you find a way to get your webserver working through both the router and the PIX.
Regards,
-Joshua
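The reply above rests on how a PIX 6.x decides whether a new flow gets a translation: statics are consulted first, traffic from a higher-security interface to a lower one needs an xlate (a static, or a nat/global pair with matching id), and traffic from a lower-security interface to a higher one needs a static exposing the destination plus an explicit permit. The model below is an added illustration of that lookup order, written for this thread rather than taken from PIX or Cisco; it leaves out nat 0, policy NAT, address pools (only the PAT form of global is modelled) and xlate timeouts. POSTED is built from the identity statics in the poster's clarified config; BRIDGED is a constructed variant of the "router as bridge, PIX does PAT" design, with 203.0.113.5 standing in as a placeholder public address.

```python
import ipaddress
from dataclasses import dataclass, field

# Toy model of the PIX 6.x translation lookup, added for illustration (not PIX code).
SECURITY = {"outside": 0, "dmz": 50, "inside": 100}  # nameif security levels from the thread


def net(cidr):
    return ipaddress.IPv4Network(cidr)


@dataclass
class Static:  # static (local_if,global_if) global_net local_net
    local_if: str
    global_if: str
    global_net: ipaddress.IPv4Network
    local_net: ipaddress.IPv4Network


@dataclass
class Nat:  # nat (ifname) id local_net
    ifname: str
    nat_id: int
    local_net: ipaddress.IPv4Network


@dataclass
class Global:  # global (ifname) id pat_address
    ifname: str
    nat_id: int
    pat_address: ipaddress.IPv4Address


@dataclass
class PixConfig:
    statics: list = field(default_factory=list)
    nats: list = field(default_factory=list)
    globals_: list = field(default_factory=list)
    permits: set = field(default_factory=set)  # (from_if, to_if) pairs allowed by an access-list


def lookup(cfg, src_if, dst_if, src_ip, dst_ip):
    """Return (verdict, address the far interface sees) for one new flow."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    if SECURITY[src_if] > SECURITY[dst_if]:
        # Higher to lower: the source needs an xlate toward dst_if; statics win over nat/global.
        for s in cfg.statics:
            if (s.local_if, s.global_if) == (src_if, dst_if) and src in s.local_net:
                return "static", s.global_net[int(src) - int(s.local_net.network_address)]
        for n in cfg.nats:
            if n.ifname == src_if and src in n.local_net:
                for g in cfg.globals_:
                    if g.ifname == dst_if and g.nat_id == n.nat_id:
                        return "pat", g.pat_address
                return "no global for nat id", None
        return "no translation group", None
    # Lower to higher: the destination must be exposed by a static on the higher
    # interface and the flow must be permitted explicitly; the source is untouched.
    for s in cfg.statics:
        if (s.local_if, s.global_if) == (dst_if, src_if) and dst in s.global_net:
            if (src_if, dst_if) in cfg.permits:
                return "static+permit", s.local_net[int(dst) - int(s.global_net.network_address)]
            return "denied: no access-list", None
    return "no static for destination", None


# Identity statics from the poster's clarified PIX config (no nat/global, no access-lists).
POSTED = PixConfig(statics=[
    Static("inside", "dmz", net("172.18.12.64/27"), net("172.18.12.64/27")),
    Static("inside", "outside", net("172.18.12.64/27"), net("172.18.12.64/27")),
    Static("dmz", "outside", net("172.18.12.16/28"), net("172.18.12.16/28")),
])

# Constructed "router as bridge, PIX does PAT" variant: nat/global replaces the
# inside/outside static, and an access-list permits DMZ to inside.
BRIDGED = PixConfig(
    statics=[Static("inside", "dmz", net("172.18.12.64/27"), net("172.18.12.64/27"))],
    nats=[Nat("inside", 1, net("172.18.12.64/27")), Nat("dmz", 1, net("172.18.12.16/28"))],
    globals_=[Global("outside", 1, ipaddress.IPv4Address("203.0.113.5"))],  # placeholder public IP
    permits={("dmz", "inside")},
)

if __name__ == "__main__":
    for cfg_name, cfg in (("posted", POSTED), ("bridged", BRIDGED)):
        for flow in (("inside", "outside", "172.18.12.70", "192.0.2.10"),
                     ("inside", "dmz", "172.18.12.70", "172.18.12.19"),
                     ("dmz", "inside", "172.18.12.19", "172.18.12.70"),
                     ("inside", "outside", "172.18.12.200", "192.0.2.10")):
            print(cfg_name, flow[0], "->", flow[1], flow[2], lookup(cfg, *flow))
```

With POSTED an inside host reaches outside and the DMZ through the identity statics, but a DMZ host is refused toward inside because no access-list permits it; with BRIDGED the same inside host is PATed to the placeholder public address, and a source outside the nat statement (172.18.12.200) gets no translation group in either case.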
12-17-2002 03:03 PM
Yes... this is the issue then... By only having one public IP address on this router, the translation issue seems. Can I create a pool of addresses from the outside (even though they are actually private) and NAT and global from that, or is there no way?
Do you have any thoughts on using the router as a bridge and translating on the PIX? My IP is static: 68.x.x.x 255.255.255.255, using CHAP auth on the Dialer interface with BellSouth. Who knows how to bridge this connection over to my PIX outside interface? This is what you are describing, correct?
12-07-2002 10:47 AM
Yes... I can ping the Internet from the PIX. Thanks for your response.