10-17-2005 10:27 AM - edited 02-21-2020 12:28 AM
Dear All,
I want to give the whole lower security network 10.10.10.0/25 access to the internal higher security network 192.168.100.0/24 without using NAT.
What are the PIX commands in version 6.3 to be used?
In one-to-one Translation we can use static (inside, dmz1) 192.168.100.x 192.168.100.x netmask y.y.y.y.
(Higher) (Higher)
But when the whole network wants to connect to the higher inside, what is the command syntax to be used?
Please I am waiting for your answer. It is very basic question for you.
Thanks
swamy
10-17-2005 10:48 AM
You need to create an access-list on the DMZ interface that allows the DMZ hosts to connect to the inside host.
example:
access-list dmz permit tcp host DMZ-Host host Inside-Host eq www
access-group dmz in interface dmz
sincerely
Patrick
10-17-2005 03:59 PM
Hi Patrick,
I am also attempting to connect a Test Lab (security0) to an Internal Network (security100) for Internet connectivity. I have tried just using access-lists and access-groups as well as the static command with no success.
Question : If I only want to connect from lower to higher do I need NAT and Global commands ?
Here is my config.
SydDPixFW01(config)# sh run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto
interface ethernet3 auto
nameif ethernet0 152 security0
nameif ethernet1 inside security100
nameif ethernet2 153 security70
nameif ethernet3 154 security80
enable password xxx
passwd xxx
hostname SydDPixFW01
domain-name citrite.net
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_inside permit icmp any any
access-list acl_152 permit icmp any any
access-list acl_152 permit tcp any any eq www
access-list acl_153 permit icmp any any
access-list acl_153 permit tcp any any eq www
access-list acl_154 permit icmp any any
pager lines 24
logging on
logging timestamp
logging console informational
logging monitor alerts
logging buffered debugging
mtu 152 1500
mtu inside 1500
mtu 153 1500
mtu 154 1500
ip address 152 10.x.x.x 255.255.255.0
ip address inside 10.41.33.11 255.255.240.0
ip address 153 10.x.x.x 255.255.255.0
ip address 154 10.x.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address 152
no failover ip address inside
no failover ip address 153
no failover ip address 154
pdm history enable
arp timeout 14400
static (inside,153) tcp 10.42.153.2 www 10.41.81.27 www netmask 255.255.255.255 0 0
static (inside,152) 10.42.152.2 10.41.33.10 netmask 255.255.255.255 0 0
access-group acl_152 in interface 152
access-group acl_inside in interface inside
access-group acl_153 in interface 153
access-group acl_154 in interface 154
route inside 0.0.0.0 0.0.0.0 10.41.33.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.41.81.27 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.41.81.27 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
console timeout 60
terminal width 80
Cryptochecksum:xxxx
: end
SydDPixFW01(config)#
I then added the following to try and get it working with no success:
global (inside) 1 10.41.33.12 netmask 255.255.255.255
global (inside) 1 interface
nat (153) 1 0.0.0.0 0.0.0.0 0 0
Please advise :)
10-17-2005 05:10 PM
1.) First remove these access-lists, because they block all access from their interface, for all hosts on that network, to the lower security level interfaces.
To access from a lower level to a higher level you need to configure an access-list, but from a higher to a lower level
there is no need for an access-list unless you want to restrict the protocols or IPs.
no access-list acl_153 permit icmp any any
no access-list acl_153 permit tcp any any eq www
no access-group acl_153 in interface 153
no access-list acl_154 permit icmp any any
no access-group acl_154 in interface 154
2.) What exactly you want to do is talk from the inside network to the DMZ network.
Then you should just disable NAT between the inside and interface 153.
Remove this static
no static (inside,153) tcp 10.42.153.2 www 10.41.81.27 www netmask 255.255.255.255 0 0
Example to disable NAT between these two interfaces; to access the web server use the private IP and not the public one!
static (inside,153) 10.41.33.11 10.41.33.11 netmask 255.255.240.0
3. Setup of the Access from the Internet (outside) to the DMZ for WWW:
nameif ethernet0 152 security0
ip address 152 10.42.152.1 255.255.255.0
access-list acl_152 permit icmp any any
access-list acl_152 permit tcp any host 10.42.152.2 eq www
access-group acl_152 in interface 152
static (inside,152) 10.42.152.2 10.41.33.10 netmask 255.255.255.255 0 0
4. Set the route to the outside:
The internet, less secure zone, is on the interface with the lowest security level.
You have configured the default gateway to the inside interface !
no route inside 0.0.0.0 0.0.0.0 10.41.33.11 1
route 152 0.0.0.0 0.0.0.0 10.42.152.XXX 1
5. To get all inside users connect to the internet (interface 152)
global (152) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
6. Allow traffic to connect to the outside world:
nameif ethernet1 inside security100
ip address inside 10.41.33.11 255.255.240.0
access-list acl_inside permit icmp any any
access-list acl_inside permit ip any any
access-group acl_inside in interface inside
7. After all that reset the translation table to get NAT working.
clear xlate
Reference guide:
Establishing Connectivity
sincerely
Patrick
10-17-2005 06:43 PM
Hi Patrick,
Thank you for your comprehensive reply. I am keen to make the changes but just a few questions before I do.
The aim of the firewall is to protect the internal (inside) corporate LAN from these new Test Lab (152, 153, 154) networks. The Test Lab networks just need to traverse the corporate network to access the Internet and have RO access to certain servers (is that possible using a PIX?). Is this the simplest way to configure the PIX? I would like a working basic config and build from there perhaps.
I can make the Internal LAN (inside) the outside interface (security 0) and try it that way perhaps?
It just doesn't make sense to make the Test Lab (non-routable) the trusted network and the corporate LAN (routable across the entire corp) the outside network?
Many thanks in advance.
10-17-2005 07:40 PM
Hi Patrick,
I have applied the config and receive the following for www access from 152 to inside.
SydDPixFW01(config)# 106011: Deny inbound (No xlate) tcp src 152:10.42.152.2/1835 dst 152:10.41.81.27/80
106011: Deny inbound (No xlate) tcp src 152:10.42.152.2/1835 dst 152:10.41.81.27/80
106011: Deny inbound (No xlate) tcp src 152:10.42.152.2/1835 dst 152:10.41.81.27/80
and for icmp access
SydDPixFW01(config)# 305005: No translation group found for icmp src 152:10.42.152.2 dst inside:10.41.33.11 (type 8, code 0)
305005: No translation group found for icmp src 152:10.42.152.2 dst inside:10.41.33.11 (type 8, code 0)
302010: 0 in use, 0 most used
10-17-2005 04:56 PM
arumugasamy, with the static you can actually apply the entire subnet instead of a single host.
static (inside,dmz)
static (dmz,inside)
e.g.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 0 0
with the static above, all traffic from dmz-inside or inside-dmz will not be natted. acl is still required.
e.g. access-list 100 permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.100 eq 25
access-group 100 in interface dmz
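Putting this post's subnet static together with Patrick's access-list from the first reply, here is the complete PIX 6.3 configuration for the networks in the original question, written out as an added example and not posted by anyone in the thread. It assumes the lower interface is ethernet2, named dmz1 (the name used in the question) at security level 50, and that only ICMP echo, HTTP and HTTPS should be allowed in; the comment lines starting with "!" are explanation for the reader, not commands to type.

```cisco
! Added example for PIX 6.3, not from the thread. The interface name, its
! security level and the permitted services are assumptions.
nameif ethernet2 dmz1 security50

! Identity static: inside addresses appear on dmz1 unchanged, so there is no
! NAT. The subnet form covers the whole /24 in one line. A static also creates
! the xlate for the reverse direction, so inside hosts can reach dmz1 with
! their real addresses without any nat/global pair.
static (inside,dmz1) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 0 0

! Lower (dmz1) to higher (inside) is denied until an inbound access-list on
! dmz1 permits it. /25 is 255.255.255.128. Permit only what is needed; the
! implicit deny at the end of the list drops everything else.
access-list dmz1_in permit icmp 10.10.10.0 255.255.255.128 192.168.100.0 255.255.255.0 echo
access-list dmz1_in permit tcp 10.10.10.0 255.255.255.128 192.168.100.0 255.255.255.0 eq www
access-list dmz1_in permit tcp 10.10.10.0 255.255.255.128 192.168.100.0 255.255.255.0 eq 443
access-group dmz1_in in interface dmz1

! Flush stale translations so the new static is used immediately.
clear xlate
```

To check the result, "show static" must list the subnet entry and "show access-list dmz1_in" shows a hit count per line as connections are attempted. A 106011 "Deny inbound (No xlate)" message for a dmz1-to-inside connection, as seen later in this thread, means the static is missing or does not cover the destination address; a connection that is dropped while an xlate exists is an access-list problem.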
10-17-2005 07:08 PM
No, this is OK but a more uncommon scenario/use of a PIX. Usually all traffic flows from the higher to the lower interfaces and not the other way around. But anyway, the most trusted network has the highest security level.
Short description of the config:
1.) Let your inside network on the same interface as it is.
2.) Keep the route as it was on the inside network.
3.) Disable NAT from all interfaces to the inside network and follow my example.
4.) Add on each interface 152, 153 and 154 an access-list that permits those hosts to access some internal hosts on the corporate network.
But do not forget that when you add one access-list line with a permit statement then automatically, even if it is not shown in the config, a DENY ANY ANY statement follows and blocks all other communication.
sincerely
Patrick
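The plan in this post, written out for the posted test-lab config as an added example (not from the thread). It keeps inside as the trusted side, replaces the single-host static with identity statics for the corporate network on each lab interface, and scopes each lab access-list to the one server that appears in the posted config, 10.41.81.27. Two things in the block are assumptions: the corporate network 10.41.32.0/20 is derived from "ip address inside 10.41.33.11 255.255.240.0", and 10.41.33.1 stands in for the corporate router, because the posted default route points at 10.41.33.11, which is the PIX's own inside address. The 106011 "No xlate" messages earlier in the thread are consistent with this: the only static on interface 152 covered 10.41.33.10, so 10.41.81.27 had no translation. The 305005 messages are pings to 10.41.33.11, the PIX's inside interface; a PIX does not answer pings to an interface other than the one the packet arrived on, so test against a host behind inside instead. Two limits worth knowing before building on this: an access-list restricts which hosts and ports the lab can reach, so "read-only" access has to be enforced on the server itself, and reaching the Internet through the corporate LAN needs a translation covering Internet destinations, which the identity static for 10.41.32.0/20 does not provide. Comment lines starting with "!" are explanation, not commands.

```cisco
! Added example for PIX 6.3, not from the thread. 10.41.33.1 (corporate router)
! is an assumption; 10.41.32.0/20 is the inside network implied by
! "ip address inside 10.41.33.11 255.255.240.0" in the posted config.

! 1. Default route: leave via inside toward the corporate router, not toward
!    the PIX's own inside address.
no route inside 0.0.0.0 0.0.0.0 10.41.33.11 1
route inside 0.0.0.0 0.0.0.0 10.41.33.1 1

! 2. Remove the host statics and disable NAT between inside and each lab
!    interface with one identity static per interface. Lab hosts then reach
!    corporate servers by their real addresses, and inside hosts reach the lab
!    without any nat/global pair, because a static works in both directions.
no static (inside,153) tcp 10.42.153.2 www 10.41.81.27 www netmask 255.255.255.255 0 0
no static (inside,152) 10.42.152.2 10.41.33.10 netmask 255.255.255.255 0 0
static (inside,152) 10.41.32.0 10.41.32.0 netmask 255.255.240.0 0 0
static (inside,153) 10.41.32.0 10.41.32.0 netmask 255.255.240.0 0 0
static (inside,154) 10.41.32.0 10.41.32.0 netmask 255.255.240.0 0 0

! 3. One inbound access-list per lab interface, limited to the server and
!    ports the lab needs. Everything else is dropped by the implicit deny.
no access-group acl_152 in interface 152
no access-list acl_152
access-list acl_152 permit icmp 10.42.152.0 255.255.255.0 host 10.41.81.27 echo
access-list acl_152 permit tcp 10.42.152.0 255.255.255.0 host 10.41.81.27 eq www
access-group acl_152 in interface 152

no access-group acl_153 in interface 153
no access-list acl_153
access-list acl_153 permit icmp 10.42.153.0 255.255.255.0 host 10.41.81.27 echo
access-list acl_153 permit tcp 10.42.153.0 255.255.255.0 host 10.41.81.27 eq www
access-group acl_153 in interface 153

no access-group acl_154 in interface 154
no access-list acl_154
access-list acl_154 permit icmp 10.42.154.0 255.255.255.0 host 10.41.81.27 echo
access-list acl_154 permit tcp 10.42.154.0 255.255.255.0 host 10.41.81.27 eq www
access-group acl_154 in interface 154

! 4. The posted acl_inside only permits icmp, so inside users could not open
!    anything else toward the lab. Higher to lower needs no access-list at all;
!    if the list stays bound, it must permit what inside should be able to do.
access-list acl_inside permit ip any any

! 5. Drop stale translations so the new statics are used immediately.
clear xlate
```

After applying it, "show xlate" should show identity entries for 10.41.81.27 as lab hosts connect, and "show access-list" shows per-line hit counts for each lab interface. The lab subnets 10.42.152.0/24, 10.42.153.0/24 and 10.42.154.0/24 follow the addresses visible in the posted config and in Patrick's earlier reply.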