Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX Configuration/Routing Problem

I work for a local ISP and am putting in a PIX firewall for the first time. It is going to go between the router on our backbone and a PC setup as a router. We got a small hub and my plan is to have the Ethernet address on the backbone router changed to 10.10.10.1 and then the outside interface on the PIX to 10.10.10.2 and plug those into the hub. The inside interface will go to our LAN in the office. The router in the office has an IP address of 192.168.1.5, but actually has a real IP but kept out for security reasons. (as well as the inside interface on the PIX) I am having a hard time understanding exactly how the PIX routes, we tried it with the configuration that is shown and it didnt work. I am sure i have several issues wrong with the config. Any help would be great! Thanks.

: Saved

:

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

nameif ethernet3 intf3 security15

nameif ethernet4 intf4 security20

nameif ethernet5 intf5 security25

enable password Vc5SuIC5HTy5.dBK encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIXFIREWALL

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 10.10.10.2 255.255.255.0

ip address inside 192.168.1.1 255.255.255.0

ip address intf2 127.0.0.1 255.255.255.255

ip address intf3 127.0.0.1 255.255.255.255

ip address intf4 127.0.0.1 255.255.255.255

ip address intf5 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address intf2 0.0.0.0

failover ip address intf3 0.0.0.0

failover ip address intf4 0.0.0.0

failover ip address intf5 0.0.0.0

pdm history enable

arp timeout 14400

route inside 0.0.0.0 0.0.0.0 206.187.74.5 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:3c8e47f3297492db91ef88d9bff73d41

: end

5 REPLIES
Silver

Re: PIX Configuration/Routing Problem

I don't see any "static" or "nat" statements on the configurations above.

For traffic to pass thru the pix you need to either:

a) enable NAT.; or

b) use static ip address mapping.

Note that with NAT enabled, you can still preserve the ip address by NAT'ing an ip address to itself (it sounds crazy, but it works).

I'd suggest that you enable NAT as follows:

global (outside) 1 10.10.10.x

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

this way traffic will pass thru the pix and all inside hosts will share a single "ouside" ip address of 10.10.10.x

Also you might want to point the default route to the ouside interface:

instead of

route inside 0.0.0.0 0.0.0.0 206.187.74.5 1

do:

route outside 0.0.0.0 0.0.0.0 x.x.x.x

where x.x.x.x is the your internet gateway ip address assuming that private-to-public ip address translation is done along the path.

HTH,

Mustafa

New Member

Re: PIX Configuration/Routing Problem

that inside route is supposed to say 192.168.1.5. I really dont want to have to use NAT seeing as the inside network is already done with real IP's, that would be a lot of changing.

Silver

Re: PIX Configuration/Routing Problem

You can still do that (preserve the real ip's - no translation) by using "nat 0" statement:

nat (inside) 0 192.168.1.0 255.255.255.0

static (inside, outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

These two statements will allow 192.168.1.x hosts to establish connections to the outside thru pix (outside hosts can not establish connections to inside without proper access-lists).

Remember to use the "clear xlat" everytime you issue or modify an "static" statement (carefull: the command is disruptive to established connections).

New Member

Re: PIX Configuration/Routing Problem

There are several servers behind the PIX and people who dial-in will need to get through the pix for authentication. Would i just set up a simple access-list that i would do on a normal router?

Silver

Re: PIX Configuration/Routing Problem

The access-lists are similar to IOS routers'.

e.g: an access for inbound connections

--------------------------------------------------------------------------

access-list inbound_stuff permit tcp any host 192.168.1.5 eq ftp

access-list inbound_stuff permit tcp any host 192.168.1.6 eq www

access-list inbound_stuff permit tcp any host 192.168.1.8 eq 100

access-list inbound_stuff permit icmp any any eq echo

access-list inbound_stuff permit icmp any any eq echo-reply

access-list inbound_stuff permit ip any host 192.168.1.8

access-group inbound_stuff in interface outside

----------------------------------------------------------------------------------

The first 3 statements allow access to specific services and ports on some inside servers. Statements 4&5 allow outside hosts to ping any inside host. Statement 6 allows full access to 192.168.1.8 (no firewalling - fixup rules apply)

The last statement applies the access list to inbound connections arriving at the outside interface.

I'd recommend going thru the pix command reference:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_61/index.htm

Also, PIX version 6.2 introduced object grouping

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/mngacl.htm#1024374

which - along with PDM software - greatly enhance access control configurations.

90
Views
0
Helpful
5
Replies
CreatePlease to create content