Cisco Pix 525 learning experience

emaildgp1 — Mon, 11 Mar 2019 22:32:19 GMT

I decided to take the plunge and start learning a little about Cisco, the IOS, and firewall configurations.

I purchased a Cisco Pix 525 used, defaulted with Cisco Pix Security Appliance Software Version 8.0(4), unlimited license.

My plan was to work through a config and get it working as a learning platform.

I planned out a configuration as the following:

1) Comcast business class Internet through an SMC router/firewall provided by Comcast.

2) 5 Static IPs from Comcast

3) A Comcast SMC router/firewall

4) The Cisco Pix 525 (Ethernet0 connected to LAN1 on the SMC)

5) A private 192.168.1.0, 255.255.255.0 internal network

6) A PC static IP'ed with 192.168.1.19, 255.255.255.0, DNS 75.75.75.75 connected to Ethernet1 (inside)

All WAN IPs below are "representative".

The Comcast SMC firewall/router came out of the box with 1 static IP of 1.2.3.9. When Comcast upgraded me to 5 static IPs and set the SMC in "bridge" mode, they told me my IP range was 1.2.3.4-1.2.3.9/29 with a subnet of 255.255.255.248, a gateway address of 1.2.3.9, and DNS of 75.75.75.75. After the change to "bridge mode" the SMC picked up a new WAN DHCP IP of 45.45.45.45. They told me the SMC would simply pass all traffic for my static IPs to my range of 1.2.3.4 - 1.2.3.9 on the LAN ports.

I tested this by setting the PC to IP 1.2.3.4, Subnet 255.255.255.248, GW 1.2.3.9, DNS 75.75.75.75 connected directly to the Comcast SMC. Sure enough I could browse the Internet.

I have read the SANS reading room Pix 3 interface config, watched a number of youtube pix config videos, and made much progress but I have found it impossible to get the pix to pass inside network traffic to the Internet. my private network PCs cannot reach the Internet connected to Ethernet1 with the PC setup as IP 192.168.1.19, subnet 255.255.255.0, GW 192.168.1.1, DNS 75.75.75.75.

I am simply trying to setup the following:

Ethernet0 (outside) 1.2.3.4, 255.255.255.248 (eventually planning for all 5 static IPs to be managed on this interface)

Ethernet1 (inside) 192.168.1.1, 255.255.255.0

global (outside) 1 1.2.3.9 netmask 255.255.255.248

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

I have managed to connect to the PIX, run through the setup wizard, configure additional management accounts, connect with ASDM, and even get the above NAT/Route rule in place. The ASDM log shows constant "Failed to locate egress interface for UDP from INSIDE: 192.168.1.19/XXXXX to 75.75.75.75/53

So, my #1 question is what am I doing wrong on my initial setup?

Thank You

Cisco Pix 525 learning experience

cadet alain — Mon, 20 Feb 2012 09:15:30 GMT

Hi,

can you do this:

no global (outside) 1 1.2.3.9 netmask 255.255.255.248

global (outside) 1 interface

Regards.

Alain

Cisco Pix 525 learning experience

Amit Rai — Mon, 20 Feb 2012 12:41:54 GMT

also add a default route point to the outside interface as below.

route (outside) 0.0.0.0 0.0.0.0 1.2.3.9

Cisco Pix 525 learning experience

emaildgp1 — Mon, 20 Feb 2012 17:54:09 GMT

Thank You for the responses. After an hour on the phone with Comcast, it turns out the SMC router was not actually passing traffic and was still NATing. they had to reload the config twice to get it to pass the traffic.

i have the PIX working with 1.2.3.4, 255.255.255.248 on ethernet0 (WAN)

My next question is how do I configure the PIX to respond to/port forward multiple static WAN IPs to equipment inside the private network?

For example:

1) I would like 1.2.3.4 to PAT to 192.168.1.10, port 80 (web server, yes I know it is inside and not in DMZ ) )

2) I would like 1.2.3.5 to PAT to 192.168.1.15, port 25 (email server)

3) I would like 1.2.3.6 to be the VPN endpoint

Basically, how to you get the PIX to manage multiple IPs or assign an IP range on ethernet0?

thanks

topic Cisco Pix 525 learning experience in Network Security

Cisco Pix 525 learning experience

Cisco Pix 525 learning experience

Cisco Pix 525 learning experience

Cisco Pix 525 learning experience