topic Pix 515 2 "inside" networks in Network Security

Pix 515 2 "inside" networks

david.kordyban — Mon, 11 Mar 2019 20:56:33 GMT

I have a pix 515 with 4 port nic installed. I have outside setup with public ip inside setup up with private ip of one of my inside subnets and eth2 on ex card setup with different private subnet on our network. I need to be able to access internet from both private subnets throught the same outside ip. Seems like it should be simple enough to just copy the nat rule for the first network which is working. Do I need to change security levels on nic?

Thanks for your time

Pix 515 2 "inside" networks

varrao — Fri, 08 Jul 2011 13:17:03 GMT

Hi David,

Yes you need not do much, just let me explain you by an example:

you have 3 interafce, lets say, inside, outside and dmz:

since inside is highere security zone for you, security level would be 100

outside is less secure, level should be 0

dmz is mid-security zone so level could be 50, although you can change it to 100 as well, thats your requirement.

for internet access:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

nat (dmz) 1 0.0.0.0 0.0.0.0

thats it, both the inside and dmz woudl take the public ip on outside interafce and should be able to access the internet.

Hope this helps

Thanks,

Varun

Pix 515 2 "inside" networks

p.mcgowan — Fri, 08 Jul 2011 13:17:41 GMT

as long as the security level on your second inside interface is higher than the outside interface you should be fine

Pix 515 2 "inside" networks

david.kordyban — Fri, 08 Jul 2011 17:42:57 GMT

Thank you Varun

after checking I am still having trouble. I have internet when plugging into "server" nic on the pix. I then clear xlate , and clear arp , change ip info on pc nic, plug into courthouse and sheriff and I get no where, cant even ping pix ip for that subnet can you see anything wrong with config:

PIX-GW# show run

: Saved

PIX Version 8.0(4)

hostname PIX-GW

domain-name garrettcounty.org

enable password 2Vnffa/98HkYTtlJ encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0

nameif outside

security-level 0

ip address 167.*.#.% 255.255.255.0

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.100.20 255.255.255.0

interface Ethernet2

nameif Sheriffs

security-level 99

ip address 192.168.104.3 255.255.255.0

interface Ethernet3

nameif Courthouse

security-level 98

ip address 192.168.102.50 255.255.255.0

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

interface Ethernet5

shutdown

no nameif

no security-level

no ip address

ftp mode passive

dns server-group DefaultDNS

domain-name dn.local

pager lines 24

mtu inside 1500

mtu Sheriffs 1500

mtu Courthouse 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-613.bin

no asdm history enable

arp timeout 14400

global (outside) 101 interface

nat (inside) 101 0.0.0.0 0.0.0.0

nat (Sheriffs) 101 0.0.0.0 0.0.0.0

nat (Courthouse) 101 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 167.*.*.*.*

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.100.0 255.255.255.0 inside

http 192.168.100.88 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

Cryptochecksum:1b03067e1a9f17d1ae0e08c72c1d9a80

: end

Pix 515 2 "inside" networks

varrao — Fri, 08 Jul 2011 18:53:59 GMT

Hi david,

Plz provide me the captures when you plug the internet to the sherrif and courthouse interface, here is how to take them:

access-list cap permit ip host any

access-list cap permit ip any host

capture caps access-list cap interface sherrif

capture capo access-list cap interface outside

Try connecting to internet after that, and collect the output of "show capture caps" and show capture capo"

Moreover kindly give me the output of the packet-tracer:

packet-tracer input sherrif tcp 2345 1.1.1.1 80 detailed

And plz collect the logs for the time of the issue as well, this shoudl be enough to troubleshoot on the ASA.

Hope this helps

Thanks,

Varun

Pix 515 2 "inside" networks

david.kordyban — Sat, 09 Jul 2011 12:35:31 GMT

Hi I put the capture commands in and plugged in to sheriff and it started working. Maybe I had be ether cables

Anyway I really appreciate the help consider it solved

Pix 515 2 "inside" networks

varrao — Sat, 09 Jul 2011 13:53:22 GMT

Hi David,

That is good, all the best

Varun