topic PIX, AT&T U-Verse and static IP block problem in Network Security

PIX, AT&T U-Verse and static IP block problem

Chris Mickle — Tue, 12 Mar 2019 02:06:23 GMT

Hello,

I currently have a PIX 525 and have recently upgraded to AT&T U-Verse service. I have a static IP block and am having routing issues with the 2wire gateway that AT&T provides. After a lot of reading and calls to technical support, it seems that the problems that I am having are because the U-Verse gateway doesn't support bridged ethernet mode so I am unable to assign my static IP block to the PIX. Apparently, the 2wire gateway allows only 1 IP address per MAC address. A more detailed explanation of this problem can be found here...

http://forums.att.com/t5/Features-and-How-To/How-to-fake-bridged-mode-with-U-Verse/m-p/2859191

My question is, can I use multiple outside interfaces on the PIX, one for each IP in the block or is there another way to work around this issue?

PIX, AT&T U-Verse and static IP block problem

Chris Mickle — Wed, 03 Jul 2013 12:50:55 GMT

Ok, I did some testing on using multiple interfaces connected to the 2wire gateway. As it turns out, I can't just use one interface on the PIX for each IP address in my static block because each IP is in the same block and I get an IP address conflict message when trying to set the IP address of the other interfaces.

I could really use some assistance with this if anyone has an idea on how to work around this crappy 2wire gateway's limitations.

The bottom line is, I need to have one MAC address per IP address in the block.

Is there any way to use VLANs to accomplish this or am I going to have the same problem with conflicting addresses?

The forum post listed above mentions using HSRP to create multiple virtual MAC addresses to get around this problem. Does the PIX support this functionality, or do I need another router? If so, what router?

PIX, AT&T U-Verse and static IP block problem

Jouni Forss — Wed, 03 Jul 2013 13:44:32 GMT

Hi,

It would seem to me that there is no way to handle this with your PIX firewall. Atleast I cant think of anything.

The solution I can think of are related to ASA firewall is not very suggestable one anyway.

One solution with ASA would be to run it in multiple context mode which lets you share the same "outside" interface for each virtual firewall (Security Context) and therefore use public IP address from the same subnet on several virtual firewalls. This will also give you the freedom to manually set the mac address of the "outside" interface in each Security Context and therefore matching the ISP requirements.

But as I said there are several problems with the above setup. For one you probably are not looking into separating your LAN network to multiple different segments (which virtualizing the hardware to mutiple logical firewalls would do) so its not very good idea. Not to mention what the license cost might be just to get the supported Security Context amount (as its not supported by default) and then again you dont have an ASA at the moment ofcourse

There seems to be no way to configure the ASA so that it would actually reply to ARP requests with another MAC address other than the one configured on its interface.

I am too unfamiliar with Cisco IOS at the moment to tell you straight away if this was possible on a router. But the first place to look would probably be some Command Reference that Cisco has for all or most of its devices. I checked the ASA/PIX ones and the ARP configurations didnt seem to give options to do this.

With relation to the HSRP again, I am not that familiar with all the possibilities of Cisco IOS. I do seem to recal that the router generates the MAC address of the virtual IP address by using the HSRP group number that you use. Wether this could be used to accomplish what you want I am not sure.

I do have a few Cisco routers (1841 and 881) at home. Maybe I'll have a look at them later today and see if this could be done on them.

- Jouni

PIX, AT&T U-Verse and static IP block problem

Chris Mickle — Thu, 04 Jul 2013 14:25:09 GMT

Thanks for the response!

The PIX 525 has the capability to run 2 security contexts. Not enough to accomplish what I need of course, but it is theoretically possible I guess. Segmenting my LAN is not an issue because it is already segmented. I am (or rather was) NATing each IP in my static block to a different physical inside interface so if the PIX had more security contexts available, this would be a great solution.

In refferance to the link I posted and the section that gives an example of a workaround using HSRP, I have started to play around a little with that using GNS3. I have run into a little snafu though that maybe someone could help me with...

In the example config that was posted above, they use the router to do the NAT xlates. Is it possible for me to use the router to simply interface with AT&T's crappy RG and let the PIX handle the internal routing as before? I guess the way to do it would be to set up a static route for each one of the virtual IPs that was created using HSRP that would route all the traffic to another /29 address on the inside that the PIX could then be assigned on it's outside interface? Admittedly, this is a little over my head so forgive me if I sound like a doofus. I can post configs or any other information that would be necessary to help me with this.

Thanks.

PIX, AT&T U-Verse and static IP block problem

Jouni Forss — Thu, 04 Jul 2013 14:42:36 GMT

Hi,

I havent had time to check with my own routers yet.

I also managed to completely miss your link for some reason

It would seem to me if I understood correctly that you could actually use the Router in front of PIX to do NAT for the Internet connections.

PIX could then essentially be used so that it wouldnt have any NAT between interfaces either. So the only place where NAT would be performed is the Router.

I personally like to have the firewall at the edge of the network but in your situation it does seem a bit hard to achieve.

If you use the Router in front of the PIX, this is how I imagine the setup would be (wihtout knowing the actual setup at the moment)

Router has WAN interface which is configured with HSRP and all the virtual IP/MAC pairs which are needed for your NAT purposes
Router is configured with default Dynamic PAT rule (and any additional PAT rules) for the actual real LAN/DMZ networks behind the PIX
Router has the default route towards the ISP and static routes for all the LAN/DMZ networks towards the PIX "outside" interface which can be changed to a private subnet that only acts as a link network between the router and the PIX
PIX will be configured (probably depending on software level) without any NAT. I am abit rusty on the old PIX firewall (for example I had forgotten that PIX actually supported Multiple Context as I have never used PIX in that way). You either have to disable "nat-control" and have no NAT configurations on the PIX or configure NAT0 for all the traffic through the PIX.
PIX will have a default route towards the Router
PIX would still be able to control traffic entering through the WAN Router but naturally the destination IP address of the "outside" interface ACL would have changed to the real IP rather than the public IP address as the NAT is done in front of the PIX

I will try to test this today. Good thing I work for my own ISP so I will be able to confirm the multiple MAC addresses on my router WAN interface

I will let you know how it went.

Hope this helped

- Jouni

PIX, AT&T U-Verse and static IP block problem

Chris Mickle — Thu, 04 Jul 2013 15:14:46 GMT

This is what I had in mind actually. One of the posters on that thread suggests the following....

---

I must point out that the end setup is still not quite like it should be -- which would be to insert a static route into the RG and actually run the static IPs behind the Cisco. This method requires the 1-to-1 static NAT configuration on the Cisco, although in practice, that generally works perfectly for 99% of protocols, including esoteric setups like VPN.

---

If I understand this corectly, I could run the statics behind the router. Then I could still use the PIX for NAT as before.

Does that sound like a viable option and if so, how would one go about it? I am a lot more farmiliar with PIX IOS than router IOS so maybe between the two of us, we could get it figured out. 🙂

Re: PIX, AT&T U-Verse and static IP block problem

Jouni Forss — Thu, 04 Jul 2013 15:47:18 GMT

Hi,

Did some simple test with my Cisco 1841 router.

Basically my setup is

Bridged ASDL modem
Switch (because router only has 2 ports which arent enough for my test setups)
Cisco Router 1841

The WAN interface on the router is configure like this (changed IP/MAC configurations naturally)

interface FastEthernet0/1.300

description ROUTER WAN

encapsulation dot1Q 300

ip address 1.1.1.250 255.255.255.248

ip access-group ROUTER-WAN-IN in

ip nat outside

ip virtual-reassembly

standby version 2

standby 251 ip 1.1.1.251

standby 251 timers 254 255

standby 251 preempt

standby 251 mac-address 0000.0000.000c

standby 252 ip 1.1.1.252

standby 252 timers 254 255

standby 252 preempt

standby 252 mac-address 0000.0000.000d

standby 253 ip 1.1.1.253

standby 253 timers 254 255

standby 253 preempt

standby 253 mac-address 0000.0000.000e

ip nat inside source static 10.0.0.100 1.1.1.251

ip nat inside source static 10.0.0.200 1.1.1.252

View from the ISP Core

Internet 1.1.1.252 1 0000.0000.000d ARPA GigabitEthernetx/yy.1999

Internet 1.1.1.251 0 0000.0000.000c ARPA GigabitEthernetx/yy.1999

Internet 1.1.1.253 0 0000.0000.000e ARPA GigabitEthernetx/yy.1999

Also tested connectivity and it seems fine.

- Jouni

Re: PIX, AT&T U-Verse and static IP block problem

Jouni Forss — Thu, 04 Jul 2013 16:00:15 GMT

Hi,

I am not totally sure about the setup in the discussion you linked.

If I am totally mistaken the suggestiong was that the public subnet assigned to you would actually be routed towards the ISP device behind another device (Router) which in turn would have a direct link to the PIX which again would handle the NAT as usual towards the router.

So the setup would be

ISP Router with link network and default route towards ISP
ISP Router with link network to your Router and a static route for the public subnet towards the PIX
Your router with default route towards the ISP Router
Your router with a LAN interface configured with the public subnet that is directly connected to the PIX outside
Your PIX that is connected to the LAN interface of your Router
Your PIX with the NAT configured using the public subnet as usual

I guess the key idea in the above would be to have the ISP Router route the public subnet further so the multiple public IP vs. single MAC address wouldnt be an issue. Because that ISP Router would forward the traffic to another router and would not ARP for the MAC address of the public IP address.

Again, as i said, I am not sure if I understood the situation correctly but the above is what I got by quickly browsing the texts. I have no idea what kind of device the ISP Router is. Seems it has severe limitations that you would take for granted in any other router.

- Jouni

Re: PIX, AT&T U-Verse and static IP block problem

Chris Mickle — Thu, 04 Jul 2013 16:44:36 GMT

Yes. That sounds like what I am trying to accomplish. Where I get hung up is how exactly to configure the router to route the traffic to the PIX and then NAT from there.

Could a double NAT be done were the router would NAT the public addresses to another /29 on the inside that could then be configured on the PIX outside interface and segmented from there?

Re: PIX, AT&T U-Verse and static IP block problem

Jouni Forss — Thu, 04 Jul 2013 17:28:23 GMT

Hi,

Well, if I have understood correctly the ISP has provided you with ISP Router which has the limitation that each public IP address used behind its LAN interface must have a different MAC address. And to avoid hitting this restrictions there have been 2 possinble solutions suggested.

Option 1

One would be to use a Cisco router which WAN interface towards the ISP Router would be using the HSRP configured virtual IP address along with MAC address to enable using different MAC addresses for each public IP addresses. It would also have the Static NAT statements configured directly on your Cisco Router while PIX wouldnt be doing any kind of NAT.

Option 2

If the above isnt possible I understood that another possibility would be to configure the actual ISP Router so that you configure a link network between it and the Cisco Router which could be any private network you want. You would then route the public subnet towards your Cisco Router IP address on the link subnet. Your Cisco Router would in turn have the public subnet configured on its LAN interface which is connected to the PIX. The PIX would then be configured like usual with Static NAT and Dynamic PAT and so on.

Your Cisco Router would not have any NAT configurations nor would be ISP Router. I presume the ISP has provided the ISP Router so that they have static routing only. In other words ISP routes the public subnet towards the ISP Routers WAN IP address. The ISP Router then would usually have the public subnet directly on its LAN interface. And naturally also a default route towards the ISP core.

Option 3

It would might even be possible that the ISP Router would have a link network between it and the PIX directly. The ISP Router would then have a route for the public subnet 1.1.1.0/29 towards the PIX interface IP address. The idea here is basically that the ISP Router would not see the public subnet as directly connected so it wouldnt ARP for the MAC address either. Since it has a route it would simply route the traffic towards the PIX. Even though the PIX would have a private link network between it and the ISP Router it could still use NAT IP address which are not configured on any of its interfaces. This is quite normal especially when a user/customer has multiple public subnets on the edge of his/her Cisco firewall.

Here is a picture of what I presume the 3 setups would look like. Had to resort to an online site to draw this as I am not on my work computer. (Click to enlarge)

So essentially

Option 1

ISP Core has a route for public subnet 1.1.1.0/29 pointing towards ISP Router
ISP Router has the public subnet 1.1.1.0/29 directly connected to its LAN interface
Cisco Router is directly connected to the ISP Router with the 1.1.1.0/29 subnet
HSRP is used on the Cisco Router to overcome the limitation of ISP Router with regards to requiring unique MAC per IP address
Cisco Router does Static NAT between the 1.1.1.0/29 subnets public IP address and local IP address behind the PIX (whatever that local IP address might be)
Cisco Router and PIX will have a private link network between them and appropriate routes forwarding traffic correctly between them

Option 2

ISP Core has a route for public subnet 1.1.1.0/29 pointing towards ISP Router
ISP Router and Cisco Router will have a link network between them
ISP Router will route the public subnet 1.1.1.0/29 towards the Cisco Router
Cisco Router will have the public subnet 1.1.1.0/29 directly on its LAN interface
PIX will have the public subnet 1.1.1.0/29 directly on its WAN interface and NAT configured as usual

Option 3

ISP Core has a route for public subnet 1.1.1.0/29 pointing towards ISP Router
ISP Router and PIX will have a private subnet between them
ISP Router will have a route for the public subnet 1.1.1.0/29 pointing towards the PIX link network interface IP address
PIX will have Dynamic PAT and Static NAT statements using the public subnet 1.1.1.0/29 IP addresses directly.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question and/or rate helpfull answers.

Naturally ask more if needed

- Jouni

PIX, AT&T U-Verse and static IP block problem

Chris Mickle — Mon, 08 Jul 2013 15:14:48 GMT

OK!

I played around with this a little this morning after taking some much needed time off this weekend.

I created the following environment in GNS3 and it seemed to work properly when I connected it to actual computers.

Here are the configs for both the router and the PIX...

---- R1 -----

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

hostname R1

ip subnet-zero

no ip domain-lookup

ip domain-name lab.local

call rsvp-sync

interface FastEthernet0/0

ip address xxx.xxx.xxx.221 255.255.255.248

ip nat outside

duplex auto

speed auto

standby timers 254 255

standby preempt

standby 1 ip xxx.xxx.xxx.217

standby 1 mac-address 0000.0000.1217

standby 2 ip xxx.xxx.xxx.218

standby 2 mac-address 0000.0000.1218

standby 3 ip xxx.xxx.xxx.219

standby 3 mac-address 0000.0000.1219

standby 4 ip xxx.xxx.xxx.220

standby 4 mac-address 0000.0000.1220

lan-name wan

interface FastEthernet1/0

ip address 10.0.0.6 255.255.255.248

ip nat inside

duplex auto

speed auto

lan-name lan

ip default-gateway xxx.xxx.xxx.222

ip nat inside source list acl-inet interface FastEthernet0/0 overload

ip nat inside source static 10.0.0.1 xxx.xxx.xxx.217

ip nat inside source static 10.0.0.2 xxx.xxx.xxx.218

ip nat inside source static 10.0.0.3 xxx.xxx.xxx.219

ip nat inside source static 10.0.0.4 xxx.xxx.xxx.220

ip nat inside source static 10.0.0.5 xxx.xxx.xxx.221

ip classless

ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.222

no ip http server

ip access-list standard acl-inet

permit 0.0.0.0 255.255.255.248

dial-peer cor custom

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

end

----- PIX -----

pixfirewall# sh run

: Saved

PIX Version 8.0(2)

hostname pixfirewall

enable password 8Ry2YjIyt7RRXU24 encrypted

names

interface Ethernet0

nameif outside

security-level 0

ip address 10.0.0.1 255.255.255.248

interface Ethernet1

nameif domain

security-level 100

ip address 192.168.0.1 255.255.255.0

interface Ethernet2

nameif ftp

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Ethernet3

shutdown

no nameif

no security-level

no ip address

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

pager lines 24

mtu outside 1500

mtu domain 1500

mtu ftp 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (outside) 2 10.0.0.2

nat (domain) 1 192.168.0.0 255.255.255.0

nat (ftp) 2 192.168.1.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 10.0.0.6 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

prompt hostname context

Cryptochecksum:75144c5d561af8bde29c401317e76ba2

: end

pixfirewall#

The problem is that it was almost too easy LOL.

Can you look over the configs and give me your opinion?

Thanks

Re: PIX, AT&T U-Verse and static IP block problem

Jouni Forss — Mon, 08 Jul 2013 15:37:06 GMT

Hi,

If you are going to use the HSRP configuration to give each public IP address their own MAC address then I dont see much point in doing extra NAT configurations on the PIX firewall itself. It will only add complexity to the setup.

If you didnt configure any NAT configurations on the PIX then you could simply do NAT for the real IP addresses of the hosts directly on the router. Naturally you could still use ACLs on the PIX firewall to control which traffic can enter through the "outside" interface of the PIX. Naturally you would need such ACL on the routers interface facing Internet also.

I dont know if I can comment much on the setup. If you are going to setup this on some production environment then I would suggest configuring the router with the mentioned ACLs and restricting management connections etc.

I would imagine the same would apply to the firewall configurations. Naturally the firewall NAT configurations is something you can do either the way you mentioned above or you can remove the NAT configurations on the firewall and add the necesary routing on the Router and do all the LAN to WAN NATing on the router.

With regards to the routers Dynamic PAT configuration...

I think you have misstyped the Dynamic PAT ACL on the router

ip access-list standard acl-inet

permit 0.0.0.0 255.255.255.248

It should be

ip access-list standard acl-inet

permit 10.0.0.0 0.0.0.7

Because we are using wildcard mask on the Cisco IOS while on Cisco firewalls we use the normal network mask.

If you have found any of the information helpfull so far, please do remember to rate the answers or mark any replys as correct if you have felt that they have answered your question.

- Jouni

Re: PIX, AT&T U-Verse and static IP block problem

Chris Mickle — Sat, 13 Jul 2013 13:34:42 GMT

Ok. I felt confident enough with my brief testing to go ahead and acquire a 2811 and try this on real hardware. I got the router last night and configured it. Everything seems to be working great! I fumbled a bit with the configuration of the new router. My PIX knowledge didn't completely translate into router IOS, but I think I have a good configuration. Here are the final configs.

First, the AT&T RG...

(IP addresses have been erased for security)

This page allows you to configure your static block....

This page is where your supposed to configure your LAN devices to use your static IPs...

After configuring HSRP on FA0/0 on the 2811, I was able to configure each unique MAC address with an IP in the RG. Note that the last address (.221) is the actual interface FA0/0 on the 2811. The other 4 are the MACs setup with HSRP.

Now for the 2811 config...

---------------------------------------------------------------------------------

Building configuration...

Current configuration : 1617 bytes
!
! NVRAM config last updated at 00:11:24 EDT Sat Jul 13 2013
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
!
!
ip cef
!
!
ip domain name xxxxxxx
!
!
!
!
interface FastEthernet0/0
ip address xxx.xxx.xxx.221 255.255.255.248
ip nat outside
duplex auto
speed auto
standby timers 254 255
standby preempt
standby 1 ip xxx.xxx.xxx.217
standby 1 mac-address 0000.0000.0217
standby 2 ip xxx.xxx.xxx.218
standby 2 mac-address 0000.0000.0218
standby 3 ip xxx.xxx.xxx.219
standby 3 mac-address 0000.0000.0219
standby 4 ip xxx.xxx.xxx.220
standby 4 mac-address 0000.0000.0220
!
interface FastEthernet0/1
ip address 10.0.0.6 255.255.255.248
ip nat inside
duplex full
speed auto
no mop enabled
!
ip default-gateway xxx.xxx.xxx.222
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.222
!
no ip http server
ip nat inside source list acl-inet interface FastEthernet0/0 overload
ip nat inside source static 10.0.0.1 xxx.xxx.xxx.217
ip nat inside source static 10.0.0.2 xxx.xxx.xxx.218
ip nat inside source static 10.0.0.3 xxx.xxx.xxx.219
ip nat inside source static 10.0.0.4 xxx.xxx.xxx.220
ip nat inside source static 10.0.0.5 xxx.xxx.xxx.221
!
ip access-list standard acl-inet
permit 10.0.0.0 0.0.0.7
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxxxxxxxxxxxxxx
login
!
scheduler allocate 20000 1000
!
end

-------------------------------------------------------------------------------------

As you can see, what I basically did was use NAT to translate my public IP block into another segmented /29 address. It should be more clear why I did this when you see the PIX config.

PIX 525 Config....

--------------------------------------------------------------------------------------

: Saved

PIX Version 8.0(2)

hostname pixfirewall

enable password xxxxxxxxxxxxxxxxx encrypted

names

interface Ethernet0

nameif outside

security-level 0

ip address 10.0.0.1 255.255.255.248

ospf cost 10

interface Ethernet1

nameif domain

security-level 100

ip address 192.168.0.1 255.255.255.0

ospf cost 10

interface Ethernet2

nameif ftp

security-level 60

ip address 192.168.1.1 255.255.255.0

ospf cost 10

interface Ethernet3

nameif vmhost

security-level 80

ip address 192.168.2.1 255.255.255.0

ospf cost 10

interface Ethernet4

nameif vm

security-level 50

ip address 192.168.3.1 255.255.255.0

ospf cost 10

interface Ethernet5

speed 10

nameif public

security-level 40

ip address 192.168.4.1 255.255.255.0

passwd xxxxxxxxxxxxxxxxxxx encrypted

time-range IPBlocked

absolute end 01:12 28 October 2010

periodic daily 0:00 to 23:59

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

access-list 101 extended permit tcp any host 10.0.0.1 eq www

access-list 101 extended permit tcp any host 10.0.0.1 eq https

access-list 101 extended permit tcp any host 10.0.0.1 eq pop3

access-list 101 extended permit tcp any host 10.0.0.1 eq smtp

access-list 101 extended permit tcp any host 10.0.0.1 eq 587

access-list 101 extended permit tcp any host 10.0.0.1 eq 5000

access-list 101 extended permit tcp any host 10.0.0.2 eq www

access-list 101 extended permit tcp any host 10.0.0.2 eq ftp

access-list 301 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 301 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu domain 1500

mtu ftp 1500

mtu vmhost 1500

mtu vm 1500

mtu public 1500

ip verify reverse-path interface outside

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (outside) 2 10.0.0.2

global (outside) 3 10.0.0.3

global (outside) 4 10.0.0.4

global (outside) 5 10.0.0.5

nat (domain) 0 access-list 301

nat (domain) 1 192.168.0.0 255.255.255.0

nat (ftp) 2 192.168.1.0 255.255.255.0

nat (vmhost) 3 192.168.2.0 255.255.255.0

nat (vm) 4 192.168.3.0 255.255.255.0

nat (public) 5 192.168.4.0 255.255.255.0

static (domain,outside) tcp interface smtp 192.168.0.3 smtp netmask 255.255.255.255

static (domain,outside) tcp interface 5000 192.168.0.10 5000 netmask 255.255.255.255

static (domain,outside) tcp interface https 192.168.0.3 https netmask 255.255.255.255

static (domain,outside) tcp interface pop3 192.168.0.3 pop3 netmask 255.255.255.255

static (domain,outside) tcp interface 587 192.168.0.3 587 netmask 255.255.255.255

static (domain,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255

static (ftp,outside) tcp 10.0.0.2 www 192.168.1.2 www netmask 255.255.255.255

static (ftp,outside) tcp 10.0.0.2 ftp 192.168.1.2 ftp netmask 255.255.255.255

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 10.0.0.6 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.0.0 255.255.255.0 domain

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet 192.168.0.0 255.255.255.0 domain

telnet timeout 5

ssh 192.168.0.0 255.255.255.0 domain

ssh timeout 30

console timeout 0

dhcpd dns 68.94.156.1

dhcpd address 192.168.4.10-192.168.4.50 public

dhcpd enable public

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.255.0

threat-detection scanning-threat shun except ip-address 192.168.1.0 255.255.255.0

threat-detection scanning-threat shun except ip-address 192.168.2.0 255.255.255.0

threat-detection scanning-threat shun except ip-address 192.168.3.0 255.255.255.0

threat-detection scanning-threat shun except ip-address 192.168.4.0 255.255.255.0

threat-detection statistics

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

service-policy global_policy global

ntp server 207.46.197.32 source outside prefer

prompt hostname context

Cryptochecksum:4f63a0448cae6f4efd994004e49b06f1

: end

--------------------------------------------------------------------------------------

My goal here was to keep my internal network unchanged with the end result being that each one of my public IPs is ultimately routed to a different physical network on the inside.

As I said before, everything is working beautifully right now and I could probably go on like this for ever. I still wonder though if there isn't a better way to configure the 2811 rather than using NAT. Could I create static routes in the 2811 to basically bridge the RG and the PIX. I read a bit about transparent bridge mode, but I didn't understand it enough to determine weather it would be applicable to what I am trying to accomplish.

Again, thanks a lot for all your help!

Re: PIX, AT&T U-Verse and static IP block problem

Chris Mickle — Sat, 13 Jul 2013 13:42:37 GMT

One more little thing. As I have indicated, I am new to router IOS and I wanted to make sure that my router config is secure. I would only like to allow consol access; no telnet or SSH, but it is unclear to me whether this is the case with my current config.

PIX, AT&T U-Verse and static IP block problem

Jouni Forss — Sat, 13 Jul 2013 13:53:47 GMT

Hi,

You might want to apply atleast ACLs on to the "vty 0 4"

Something like

ip acces-list standard ROUTER-MGMT

permit 10.0.0.0 0.0.0.7

deny any

line vty 0 4

access-class ROUTER-MGMT in

Which should enable you to take management connections from behind the Router from the PIX NAT IP addresses but nowhere else.

You might also want to add some ACL to the WAN interface of the router to limit traffic which can enter. Even though you are still doing Dynamic PAT on the PIX side, so even if the connections came through the Router they would still get blocked on the PIX side.

Please do remember to mark a reply as the correct answer if you have felt that it has answered your question and/or mark helpfull answers-

- Jouni