topic Re: PIX 515E configuration help require in Network Security

PIX 515E configuration help require

hiruannaofit — Fri, 21 Feb 2020 07:41:16 GMT

Dear All,

Hi.Actually I need some help for PIX 515E.Pls. refer the scenario,design & suggest?

Pls. find the following details and attached VLAN Router configuration.

# I want to set like

"My LAN on CISCO 2900 switch (IP range 172.16.29.X... 25 PCs) -- VLAN Router - CISCO PIX ----ISP Public IP"

# Right now it's

"My LAN on CISCO 2900 - VLAN Router (Outside) - ISP"

Router & PIX details:

#Router inside ip - 172.16.29.1 (Inside IP as it is very critical which can't be changed)

#Router outside ip - Which ip should I use? (I tried with 1.1.1.1 255.255.255.0)

#PIX outside ip - Which ip should I use? (My ISP IP? - I tried with 208.144.230.197 which is right now my router's outside)

#PIX inside ip - Which ip should I use? (I tried with 1.1.1.2 255.255.255.0)

#My ISP connection is direct from ISP GW to one ethernet cat 5 on my VLAN router

#I would like to permit www,FTP,web based mail like Yahoomail..etc.. & messenger services

VLAN Router Config:

Current configuration : 1028 bytes

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname VLANRouter

boot-start-marker

boot-end-marker

enable password gcsroot

no aaa new-model

ip subnet-zero

no ip dhcp conflict logging

ip dhcp excluded-address 172.16.29.1 172.16.29.240

ip dhcp excluded-address 172.16.29.250 172.16.29.254

ip dhcp pool dhcppool

network 172.16.29.0 255.255.255.0

dns-server 208.144.230.1 208.144.230.2

default-router 172.16.29.1

controller E1 0/0

controller E1 0/1

interface FastEthernet0/0

ip address 208.144.230.197 255.255.255.224

ip nat outside

duplex auto

speed auto

interface FastEthernet0/1

ip address 172.16.29.1 255.255.255.0

ip nat inside

duplex auto

speed auto

ip nat inside source list 7 interface FastEthernet0/0 overload

ip http server

ip classless

ip route 0.0.0.0 0.0.0.0 208.144.230.200

access-list 7 permit 172.16.29.0 0.0.0.255

line con 0

line aux 0

line vty 0 4

end

Any advice is appreciated.

Regards,

Hiren Mehta.

ORG Informatics Ltd.

Bamako, MALI

AFRICA

Re: PIX 515E configuration help require

sachinraja — Sat, 16 Oct 2004 06:07:58 GMT

Hi hiren,

See the answers below:

#Router inside ip - 172.16.29.1 (Inside IP as it is very critical which can't be changed)

When you put the PIX inbetween the router and your switch, you have to put the PIX inside IP as 172.16.29.1 and change the router's inside subnet to someother pool. Do the PAT on the PIX, instead of the router.

#Router outside ip - Which ip should I use? (I tried with 1.1.1.1 255.255.255.0)

Router outside IP will be the one given by the ISP.. The ISP would have given a public IP for the WAN link. This cannot be changed.

#PIX outside ip - Which ip should I use? (My ISP IP? - I tried with 208.144.230.197 which is right now my router's outside)

PIX outside IP should be a global one. ISP would have given you a LAN subnet. Use that. In this case, the router's inside interface will have an IP from this same subnet..

#PIX inside ip - Which ip should I use? (I tried with 1.1.1.2 255.255.255.0)

PIX inside should be 172.16.29.1 , which will be the default gateway for all PCs. If you change this subnet, then all the PCs should have an IP address on the same subnet as decided.

#My ISP connection is direct from ISP GW to one ethernet cat 5 on my VLAN router

did not get this.. is it on the internet router or on the switch ??

#I would like to permit www,FTP,web based mail like Yahoomail..etc.. & messenger services

If all these have to be permitted from inside to outside, you need not open anything.. by default all traffic from inside to outside is permitted (unless u put an access-list and deny )...

Re: PIX 515E configuration help require

hiruannaofit — Sat, 16 Oct 2004 10:27:44 GMT

Dear Sachin Raja,

Thanks for ur prompt and appropriate reply.Actually u have cleared my confusion exactly I needed but still I have decided my PIX config. with respect to customer requirement. I will test it tonight.

See u.

Re: PIX 515E configuration help require

hiruannaofit — Fri, 22 Oct 2004 14:19:24 GMT

Hi dear sachin,

Thanks for ur reply I have removed my NAT from router and set PAT on PIX but still I am facing some problem :

Actually I have set "access-list permit icmp any any echo-reply" time-exceeded & unreachable.......so now I am able to ping from my PIX console to my ISP GW ip...but still I am not able to access internet or ping from my inside n/w PCs to internet GW.

Pls. find the below details of my n/w and config.and suggest where am I missing?

I need ur help badly, now it's a question of my output....please help me ASAP.

I can't remove my border router because it has been sold to my customers earlier for my SUN servers.

Pls. note my yahoo messenger ID is barodians_us@yahoo.com If u are not disturb u can come on yahoo for chatting to suggest me online.

N/W setup:

#My router inside ip (172.16.29.1/24)--Router outside (10.1.1.1/24)--PIX inside (10.1.1.2/24)--PIX outside (208.144.230.197 255.255.255.224-ISP supplied)

#My ISP Gateway address is 208.144.230.200

#My DNS servers are 208.144.230.1 and 208.144.230.2

#VLAN Config:

boot-start-marker

boot-end-marker

no aaa new-model

ip subnet-zero

no ip dhcp conflict logging

ip dhcp excluded-address 172.16.29.1 172.16.29.240

ip dhcp excluded-address 172.16.29.250 172.16.29.254

interface FastEthernet0/0

ip address 208.144.230.197 255.255.255.224

duplex auto

speed auto

interface FastEthernet0/1

ip address 10.1.1.1 255.255.255.0

duplex auto

speed auto

ip http server

ip classless

ip route 0.0.0.0 0.0.0.0 10.1.1.2

access-list 7 permit 172.16.29.0 0.0.0.255

#PIX 515E config:

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname VLANPIX

domain-name VLAN

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol http 80

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

access-list acl_outbound permit icmp any any

access-list acl_outbound permit tcp any any eq pop3

access-list acl_outbound permit tcp any any eq smtp

access-list acl_outbound permit tcp any any eq domain

access-list acl_outbound permit udp any any eq domain

access-list acl_outbound permit tcp any any eq www

access-list acl_outbound permit tcp any any eq telnet

access-list acl_outbound permit tcp any any eq h323

access-list acl_outbound permit tcp any any eq https

access-list acl_outbound permit tcp any any eq 1863

access-list acl_outbound permit tcp any any eq ftp-data

access-list acl_outbound permit tcp any any eq ftp

access-list acl_outbound deny ip any any

access-list acl_inbound permit icmp any any

access-list acl_inbound permit tcp any any eq 1863

access-list acl_inbound permit tcp any any eq ftp

access-list acl_inbound permit tcp any any eq ftp-data

access-list acl_inbound permit tcp any any eq h323

access-list acl_inbound permit tcp any any eq pop3

access-list acl_inbound permit tcp any any eq smtp

access-list acl_inbound permit tcp any any eq www

access-list acl_inbound permit tcp any any eq domain

access-list acl_inbound permit udp any any eq domain

access-list acl_inbound deny ip any any

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any time-exceeded

access-list 100 permit icmp any any unreachable

ip address outside 208.144.230.197 255.255.255.224

ip address inside 10.1.1.2 255.255.255.0

global (outside) 1

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl_inbound in interface outside

access-group acl_outbound in interface inside

route outside 0.0.0.0 0.0.0.0 208.144.230.200 1

floodguard enable

telnet 10.1.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

Thanks.

Regards,

Hiren Mehta