Hi Patrick,

I am also attempting to connect a Test Lab (security0) to an Internal Network (security100) for Internet connectivity. I have tried just using access-lists and access-groups as well as the static command with no success.

Question : If I only want to connect from lower to higher do I need NAT and Global commands ?

Here is my config.

SydDPixFW01(config)# sh run

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 100full

interface ethernet2 auto

interface ethernet3 auto

nameif ethernet0 152 security0

nameif ethernet1 inside security100

nameif ethernet2 153 security70

nameif ethernet3 154 security80

enable password xxx

passwd xxx

hostname SydDPixFW01

domain-name citrite.net

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

<--- More --->

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list acl_inside permit icmp any any

access-list acl_152 permit icmp any any

access-list acl_152 permit tcp any any eq www

access-list acl_153 permit icmp any any

access-list acl_153 permit tcp any any eq www

access-list acl_154 permit icmp any any

pager lines 24

logging on

logging timestamp

logging console informational

logging monitor alerts

logging buffered debugging

mtu 152 1500

mtu inside 1500

mtu 153 1500

mtu 154 1500

ip address 152 10.x.x.x.255.255.0

ip address inside 10.41.33.11 255.255.240.0

ip address 153 10.x.x.x.255.255.0

ip address 154 10.x.x.x.255.255.0

<--- More --->

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address 152

no failover ip address inside

no failover ip address 153

no failover ip address 154

pdm history enable

arp timeout 14400

static (inside,153) tcp 10.42.153.2 www 10.41.81.27 www netmask 255.255.255.255 0 0

static (inside,152) 10.42.152.2 10.41.33.10 netmask 255.255.255.255 0 0

access-group acl_152 in interface 152

access-group acl_inside in interface inside

access-group acl_153 in interface 153

access-group acl_154 in interface 154

route inside 0.0.0.0 0.0.0.0 10.41.33.11 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 10.41.81.27 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.41.81.27 255.255.255.255 inside

telnet timeout 60

ssh timeout 5

console timeout 60

terminal width 80

Cryptochecksum:xxxx

: end

SydDPixFW01(config)#

I then added the following to try and get it working with no success:

global (inside) 1 10.41.33.12 netmask 255.255.255.255

global (inside) 1 interface

nat (153) 1 0.0.0.0 0.0.0.0 0 0

Please advise :)

1.) First remove this access-lists because they block all access from their interface, to all hosts on that network, to the the lower security level interfaces.

To access from a lower level to higher level you need to configure and access-list, but from a higher to a lower level

there is no need for an access-list unless you want to restrict the protocols or IPs.

no access-list acl_153 permit icmp any any

no access-list acl_153 permit tcp any any eq www

no access-group acl_153 in interface 153

no access-list acl_154 permit icmp any any

no access-group acl_154 in interface 154

2.) What excatly you want to do, talk from the inside network to the DMZ network.

Then you should just diable NAT betwwen the inside and the interface 153.

Remove this static

no static (inside,153) tcp 10.42.153.2 www 10.41.81.27 www netmask 255.255.255.255 0 0

example to disable NAT between this two interfaces, to access the web server use the private IP and not the public one !

static (inside,153) 10.41.33.11 10.41.33.11 netmask 255.255.240.0

3. Setup of the Access from the Internet (outside) to the DMZ for WWW:

nameif ethernet0 152 security0

ip address 152 10.42.152.1 255.255.255.0

access-list acl_152 permit icmp any any

access-list acl_152 permit tcp any host 10.42.152.2 eq www

access-group acl_152 in interface 152

static (inside,152) 10.42.152.2 10.41.33.10 netmask 255.255.255.255 0 0

4. Set the route to the outside:

The internet, less secure zone, is on the interface with the lowest security level.

You have configured the default gateway to the inside interface !

no route inside 0.0.0.0 0.0.0.0 10.41.33.11 1

route 0.0.0.0 0.0.0.0 10.42.152.XXX 1

5. To get all inside users connect to the internet (interface 152)

global (152) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

6. Allow traffic to connect to the outside world:

nameif ethernet1 inside security100

ip address inside 10.41.33.11 255.255.240.0

access-list acl_inside permit icmp any any

access-list acl_inside permit ip any any

access-group acl_inside in interface inside

7. After all that reset the translation table to get NAT working.

clear xlate

Reference guide:

Establishing Connectivity

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html

sincerely

Patrick

Hi Patrick,

Thank you for your comprehensive reply. I am keen to make the changes but just a few questions before I do.

The aim of the firewall is to protect the internal (inside) corporate LAN from these new Test Lab (152,152,154) networks. The Test Lab networks just need to traverse the corporate network to access the Internet and RO access to certain servers (is that possible using a PIX?). Is this the simpliest way to configure the PIX ? I would like a working basic config and built from there perhaps.

I can make the Internal LAN (inside) the outside interface (security 0) and try it that way perhaps ?

Just doesnt make sense to make the Test Lab (non routable) the trusted network and the corporate LAN (routable across the entire corp) the outside network?

Many thanks in advance.

Hi Patrick,

I have applied the config and receive the following for www access from 152 to inside.

SydDPixFW01(config)# 106011: Deny inbound (No xlate) tcp src 152:10.42.152.2/183

5 dst 152:10.41.81.27/80

106011: Deny inbound (No xlate) tcp src 152:10.42.152.2/1835 dst 152:10.41.81.27

/80

106011: Deny inbound (No xlate) tcp src 152:10.42.152.2/1835 dst 152:10.41.81.27

/80

and for icmp access

SydDPixFW01(config)# 305005: No translation group found for icmp src 152:10.42.1

52.2 dst inside:10.41.33.11 (type 8, code 0)

305005: No translation group found for icmp src 152:10.42.152.2 dst inside:10.41

.33.11 (type 8, code 0)

302010: 0 in use, 0 most used

No this is ok but a more uncommon scenario/use of a PIX. Usually alltraffic flows from the higher to the lower interfaces and not the other way arround. But the anyway the most trusted network has the highest security level.

Short description of the config:

1.) Let your inside network on the same interface as it is.

2.) Keep the route as it was on the inside network.

3.) Disable NAT from all interfaces to the inside network and follow my example.

4.) Add on each interface 152, 153 and 154 an access-list that permits that hosts to access some internal hosts on the corporate network.

But do not forget that when you add one access-list line with a permit statemet then automaticly, even if it not shown in the config, follows a DENY ANY ANY statement and blocks all other communication.

sincerely

Patrick