New Member

please help.....PIX515 / 7.1 with 4 networks setup

Hi all,

Now I've tried to get this config working for nearly 2 weeks and it is really starting to get to me. I would very much appreciate someone pointing me in the right direction.

I have 4 networks on my 515:

Outside - Security Level 0 (88.96.164.72)

Inside - Security Level 100 (10.0.1.0/24)

VM - Security Level 99 (10.0.2.0/24)

DMZ - Security Level 50 (172.16.1.0/24)

With regard to ACLs I need to be able to:

Allow all traffic from Inside to VM

Allow all traffic from VM to Inside

Allow DNS from Outside to VM

Allow SMTP from Outside to VM

Allow DNS from Outside to DMZ

Allow SMTP from Outside to DMZ

Allow SMTP from DMZ to Inside

I need to NAT all Inside and VM to the IP of the Outside I/F outbound.

I need to NAT mailhost in DMZ to 88.96.164.72 so outside can access via Public IP

I need to NAT dnshost in DMZ to 88.96.164.73 so outside can access via Public IP

Inside & VM hosts appear on DMZ with their own addresses

DMZ hosts appear on Inside & VM with their own addresses

16 REPLIES
Silver

Re: please help.....PIX515 / 7.1 with 4 networks setup

can you post a "sanitized" copy of your current config?

New Member

Re: please help.....PIX515 / 7.1 with 4 networks setup

Chicco,

For your ACLs, doesn't your DNS server need to make the requests outbound and not the reverse?

On your acl that is applied to the outside interface, create the acls for the following.

Allow DNS from Outside to VM

Allow SMTP from Outside to VM

Allow DNS from Outside to DMZ

Allow SMTP from Outside to DMZ

On the acl that is applied to the DMZ interface, create the acls for:

Allow SMTP from DMZ to Inside

On the acl that is applied to the VM interface, create the acls for:

Allow all traffic from VM to Inside

The nats for the inside and VM use the nat and global commands.

Use static translations for the mail and dns hosts.

Use nat 0 for the inside and vm to the dmz.

Nothing needed for dmz to inside and VM.

HTH

Silver

Re: please help.....PIX515 / 7.1 with 4 networks setup

Try using this sample config...

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 88.96.164.72 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.0 255.255.255.0
interface GigabitEthernet0/2
 nameif VM
 security-level 99
 ip address 10.0.2.0 255.255.255.0
interface GigabitEthernet0/3
 nameif DMZ
 security-level 50
 ip address 172.16.1.0 255.255.255.0

nat (inside) 1 10.0.1.0 255.255.255.0
nat (vm) 1 10.0.2.0 255.255.255.0
global (outside) 1 interface

static (DMZ,Outside) 88.96.164.72 172.16.1.X
static (DMZ,Outside) 88.96.164.73 172.16.1.X
static (inside,DMZ) 10.0.1.0 10.0.1.0 netmask 255.255.255.0
static (VM,DMZ) 10.0.2.0 10.0.2.0 netmask 255.255.255.0
static (DMZ,Inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 (not necessarily needed)
static (VM,Inside) 10.0.2.0 10.0.2.0 netmask 255.255.255.0 (not necessarily needed)

access-list inside_in extended permit ip any 10.0.2.0 255.255.255.0
access-list vm_in extended permit ip any 10.0.1.0 255.255.255.0 (this is not advisable.....)
access-group inside_in in interface inside
access-group vm_in in interface vm

The following cannot be done as said...

Allow DNS from Outside to VM

Allow SMTP from Outside to VM

Allow DNS from Outside to DMZ

Allow SMTP from Outside to DMZ

Allow SMTP from DMZ to Inside

Would you like the traffic to just go to specific DNS or Mail Servers (for instance the two static translations setup)?

I can help with the rest if you clarify which IPs need connections to them on the vm,dmz and inside. Hope this helps. If it is helpful, please rate me.

Cheers.

Jay Walker

New Member

Re: please help.....PIX515 / 7.1 with 4 networks setup

Firstly I just want to thank you all for your input.

Just to clarify things. The inside network, as you have guessed, is a LAN range that my end users are sitting on. The VM network is a LAN range that my ESX Virtual Machines sit on. As I have DCs, Exchange and Sharepoint sitting in this, rather than configuring individual ACLs it's easier just to allow all traffic from inside to VM and vice versa.

On looking into the config a bit further I've realised as the pix is stateful I do not need the acl's for SMTP from Outside to VM or DNS from Outside to VM. These will come from the internal DNS and SMTP servers and go outside.

Jay, I would like traffic to go to specific DNS and Mail Servers as I will be hosting 1 of my own DNS servers and 1 front-end sendmail box, these should go to the static translations.

At some point however I will be hosting a front-end Exchange cluster in the DMZ that needs to talk to the back-end cluster in the VM. This will be segregated further by an ISA firewall for RPC inspection.

New Member

Re: please help.....PIX515 / 7.1 with 4 networks setup

I'm afraid the above config has not worked. After applying it I cannot browse the Internet or DNS lookup from inside, cannot connect to anything in the VM network.

Even without any rules and just the implicits I cannot browse the Internet or do DNS lookups from the VM network either. Surely that is wrong as I can from the inside network.

New Member

Re: please help.....PIX515 / 7.1 with 4 networks setup

Chicco,

Can you please post a sanitized copy of your config?

New Member

Re: please help.....PIX515 / 7.1 with 4 networks setup

Hi mgaysek.

Below is a copy of my config. The weird thing is that I am able to ping hosts on the vm from inside and vice versa, yet I can't do anything else. For example I have a test IIS server running on 10.0.2.15 and yet when I try to browse it times out. The syslog says:

Aug 21 2006 22:19:25 106015: Deny TCP (no connection) from 10.0.1.51/3952 to 10.0.2.15/80 flags RST on interface inside

----------------------------------------------

PIX Version 7.1(1)
!
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 8X.XXX.XXX.72 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.1.251 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 security-level 99
 no ip address
!
<--- More --->
 shutdown
 no nameif
 security-level 90
 no ip address
!
interface Ethernet4
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet5
 nameif vm
 security-level 90
 ip address 10.0.2.251 255.255.255.0
!
access-list inside_in extended permit ip any 10.0.2.0 255.255.255.0
access-list vm_in extended permit ip any 10.0.1.0 255.255.255.0
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
mtu vm 1500
mtu dmz 1500
no failover
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (vm) 1 0.0.0.0 0.0.0.0
static (inside,vm) 10.0.1.0 10.0.1.0 netmask 255.255.255.0
static (vm,inside) 10.0.2.0 10.0.2.0 netmask 255.255.255.0
access-group inside_in in interface inside
access-group vm_in in interface vm
route outside 0.0.0.0 0.0.0.0 8X.XXX.XXX.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
: end
pixfirewall(config)#

New Member

Re: please help.....PIX515 / 7.1 with 4 networks setup

Chicco,

Get rid of both your static statements.

Put in

global (vm) 1 interface

just as a test.

You will need to do a clear xlate before testing.

In addition you do not need the access list applied to your inside interface, unless you want to restrict traffic leaving the inside interface.

Try this and let me know how you make out.

New Member

Re: please help.....PIX515 / 7.1 with 4 networks setup

Thanks mgaysek, I will give this a try tonight.

Silver

Re: please help.....PIX515 / 7.1 with 4 networks setup

Can you make a modified list of what you would like the firewall to do? I will redo the config from last week to reflect the changes... Thanks.

New Member

Re: please help.....PIX515 / 7.1 with 4 networks setup

Hey.

I've not had time to do the above change yet.

jwalker.

Inside and VM are both trusted networks, they are my two internal networks, so I would like all traffic to flow between them without restrictions. DMZ will host a DNS and a mail server.

Essentially what I need to do is:

Allow all traffic from inside to vm

Allow all traffic from vm to inside

Allow all traffic from inside to outside

Allow all traffic from vm to outside

Allow DNS traffic into DMZ (specific host)

Allow SMTP traffic into DMZ (specific host)
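
One way to express the requirements listed above (and in the original post) in PIX 7.x syntax, following the nat/global, static and ACL outline given earlier in the thread. This is an added example, not a config posted by anyone in the thread; the Ethernet numbers, the outside mask and the DMZ host addresses 172.16.1.10 (mail) and 172.16.1.11 (DNS) are assumed placeholders. Note that 88.96.164.72 is the outside interface's own address, so it cannot be used as a whole-address static; only the SMTP port is published on it.

```cisco
interface Ethernet0
 nameif outside
 security-level 0
 ip address 88.96.164.72 255.255.255.248
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.1.251 255.255.255.0
interface Ethernet4
 nameif dmz
 security-level 50
 ip address 172.16.1.251 255.255.255.0
interface Ethernet5
 nameif vm
 security-level 99
 ip address 10.0.2.251 255.255.255.0
!
! Outbound: inside and vm are PATed behind the outside interface address
nat (inside) 1 10.0.1.0 255.255.255.0
nat (vm) 1 10.0.2.0 255.255.255.0
global (outside) 1 interface
!
! Identity statics: with nat-control on, every flow across the box needs a
! translation. A static is bidirectional, so one per interface pair is enough.
static (inside,vm) 10.0.1.0 10.0.1.0 netmask 255.255.255.0
static (inside,dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.0
static (vm,dmz) 10.0.2.0 10.0.2.0 netmask 255.255.255.0
!
! Published DMZ hosts (assumed addresses). 88.96.164.72 is the interface
! address itself, so only TCP/25 is published on it with a port static.
static (dmz,outside) tcp interface smtp 172.16.1.10 smtp netmask 255.255.255.255
static (dmz,outside) 88.96.164.73 172.16.1.11 netmask 255.255.255.255
!
! Inbound from the Internet: only SMTP to the mail host and DNS to the DNS host
access-list outside_in extended permit tcp any host 88.96.164.72 eq smtp
access-list outside_in extended permit udp any host 88.96.164.73 eq domain
access-list outside_in extended permit tcp any host 88.96.164.73 eq domain
access-group outside_in in interface outside
!
! DMZ: mail host may relay to inside and send mail out, DNS host may query out.
! Once this ACL is applied, anything else sourced from the DMZ is dropped.
access-list dmz_in extended permit tcp host 172.16.1.10 10.0.1.0 255.255.255.0 eq smtp
access-list dmz_in extended permit tcp host 172.16.1.10 any eq smtp
access-list dmz_in extended permit udp host 172.16.1.11 any eq domain
access-group dmz_in in interface dmz
!
! vm (99) is below inside (100), so vm-to-inside needs an explicit permit
access-list vm_in extended permit ip 10.0.2.0 255.255.255.0 any
access-group vm_in in interface vm
```

No ACL is applied to the inside interface, since inside is the highest security level and everything outbound from it is allowed by default; after changing the statics, run clear xlate so stale translations do not mask the new rules.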

New Member

Re: please help.....PIX515 / 7.1 with 4 networks setup

Hey all.

Sorry I've been away on vacation. Any chance of someone doing a config for me pls, still have issues! :)

Thanks,

Chicco

Silver

Re: please help.....PIX515 / 7.1 with 4 networks setup

Post your current config and I will revise based on your requirements...

Jay

New Member

Re: please help.....PIX515 / 7.1 with 4 networks setup

Hi.

I currently have the PIX in a very basic config and yet I am still having issues. For the time being I have only configured inside, VM, and outside.

Yet from the VM network I cannot browse to the Internet. I only have the default acl on there (any, any, interface (vm - outbound), IP).

I get the error "10001: No route to 10.0.2.21 from 193.0.14.129"

This should surely work as 10.0.2.0/24 is directly connected???

New Member

Re: please help.....PIX515 / 7.1 with 4 networks setup

Here is my config and my show route:

PIX Version 7.1(1)
!
hostname corp-fw-01
domain-name xxxxxxxxxxxxxxxxx.com
enable password xxxxxxxxxxxxx encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 83.xxx.xxx.93 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.1.251 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 security-level 99
 no ip address
!
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet5
 nameif vm
 security-level 90
 ip address 10.0.2.251 255.255.255.0
!
passwd xxxxxxxxxxxx encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name XxxxxxxxxxxxxX.com
pager lines 24
logging enable
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (vm) 1 0.0.0.0 0.0.0.0
static (inside,vm) 10.0.1.0 10.0.1.0 netmask 255.255.255.0
static (vm,inside) 10.0.2.0 10.0.2.0 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 83.xxx.xxx.94 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect dns maximum-length 1000
!
service-policy global_policy global
Cryptochecksum:4208af3b5c14fd24f0df5f8ccabd8e72
: end
corp-fw-01(config)#

And a show route.

S 0.0.0.0 0.0.0.0 [1/0] via 83.xxx.xxx.93, outside
C 10.0.1.0 255.255.255.0 is directly connected, inside
C 10.0.2.0 255.255.255.0 is directly connected, vm
C 83.xxx.xxx.80 255.255.255.240 is directly connected, outside

New Member

Re: please help.....PIX515 / 7.1 with 4 networks setup

Hey Chicco,

I do not see anything majorly wrong. You do not need this static translation: static (vm,inside) 10.0.2.0 10.0.2.0 netmask 255.255.255.0

Think of it as you are translating a site on the internet. You generally do not do that or need to.

Also, I do not see any ACLs for your vm dmz. It has been a while since I have looked at this so I may have forgotten something.

What things are currently not working?
