topic Re: Cisco Pix 506 Question... in Network Security

Cisco Pix 506 Question...

adamf — Fri, 21 Feb 2020 05:58:18 GMT

Hello..

I have a Cisco Pix 506 in a small enterprise network.. (less than 100 nodes).. with 3 remote locations.. my problem is.. I'm using a wireless gateway.. and i can ONLY have 1 outside IP address.. will this affect my PIX.. ppl told me I had to have a pool of ip addresses for pix to work.. can't I trick it.. with just the one outside IP address I have! Please help me! I dont need to be fired this early.

There is no DMZ.. Just Inside ----- Outside..

Please help! 🙂

Thanks..

Re: Cisco Pix 506 Question...

danrodri — Sat, 02 Feb 2002 03:28:55 GMT

Adam,

The PIX supports PAT, which should meet your needs. A "pool" of addresses is typically used when you are doing NAT and have been assigned a range of addresses by your ISP. Keep in mind PAT can conflict with applications that require high ports.

Hope that helps.

Re: Cisco Pix 506 Question...

adamf — Sat, 02 Feb 2002 06:04:25 GMT

Well.. on our inside network we do use NAT.. does that matter? .. and .. can you tell me where to find a sample config of PAT?!

thanks a million

Re: Cisco Pix 506 Question...

bdube — Sat, 02 Feb 2002 16:19:31 GMT

There is no difference in terms of command to activate PAT or NAT (same command "NAT" apply to inside net). It's just dependent to the number of addresses apply with the global command to the outside. If you specify only one address with global, it's PAT. If you specify many adddresses with global, it's NAT.

Ben

Re: Cisco Pix 506 Question...

adamf — Sat, 02 Feb 2002 18:31:55 GMT

What about access-lists?>.. are they needed for traffic to flow in and out?.. if i dont configure any access lists.. will my inside network be able to hit the internet?

and what about when im setting up my "global" and the other command.. can't think of it right off.. it gives me an error saying it can't be the same IP address?.. thanks

Re: Cisco Pix 506 Question...

bdube — Sat, 02 Feb 2002 18:58:00 GMT

Instead of specifying an address with global command, use this one:

global (outside) 1 interface

You don't need necessarly access-list(ACL) combine with a NAT & Global pair to give access to your internal users to the Internet. NAT & Global pair are enough to give access to outside. You can use the ACL only to restrict what your users can do. In this case, apply the ACL to the inside interface. If you don't want to restrict, don't use ACL.

Ben

Re: Cisco Pix 506 Question...

adamf — Sat, 02 Feb 2002 19:01:10 GMT

I know this is alot to ask.. but can you give me a sample config of the nat/global pair?.. i thank you so much.. bless you.

adam

Re: Cisco Pix 506 Question...

exigent — Sun, 03 Feb 2002 19:08:28 GMT

Adam,

Here is all you need. This is assuming that you have 1 routeable IP address (besides your router).

192.168.1.1=Pix inside address ip (def gateway for all your internal PCs)

10.0.0.2=your 1 routeable IP address

10.0.0.1=your internet router

config t

ip add inside 192.168.1.1

ip add outside 10.0.0.2

nat 1 0 0

global (outside) 1 10.0.0.2 interface

route 0 0 10.0.0.1

write mem (to save the config)

The interface command is what activates PAT (port address translation). NAT is not available to you because do not have a pool of IP address. Just keep in mind that you are limited to about 64,000 (forget the exact #) connections. You can do a sho xlat to verify but for 100 users it should be more then enough. You can still do static mappings between ports to your 1 IP address. Just remember to refer the outside IP address in your static commands.

Make sure that the interfaces are up by doing a sho int e0 and e1 command.

Sincerely,

Alex

Re: Cisco Pix 506 Question...

adamf — Sun, 03 Feb 2002 21:19:45 GMT

i'm gettin an overlapping error..

my current def gateway is 10.137.1.200 which is a 3810 router with all the frame connetions.. i so would my pix inside def gateway change to 10.137.1.200?.. or would i change that in the routers?.. also.. isn't internet router and default gateway the same thing?.. then the routable ip is the public ip address?.

have any idea what im doing wrong

Re: Cisco Pix 506 Question...

adamf — Sun, 03 Feb 2002 21:36:37 GMT

Also...

i just found that in my routers.. and workstations.. the default gateway is 10.137.1.200.. and on my firewall/2610 router.. the gateway is 66.x.x.198.. but the outside ip address is 66.x.x.193.. does this give you something to work with?..

Re: Cisco Pix 506 Question...

bdube — Sun, 03 Feb 2002 23:53:41 GMT

Adam,

Default gateway is a concept you must apply individually to each network equipment with routing capabilities, firewalls, hosts, routers and so on. Generally, default gateway indicated the direction for trafics where there is no explicit routes configured. It's the direction of last resort.

As i understand, your 3810 is an internal router with frame connection, perhaps, for branch offices. Then the default gateway for this router should indicated the next hop to the Internet, probably the PIX interface where the 3810 is connected. Except if you have a router between the 3810 & the PIX, this time the default gateway for the 3810 is the "in-between" router. For the PIX, default gatway if the next hop to the Internet, probably the ISP's router interface directly connected with the PIX.

Regards,

Ben

Re: Cisco Pix 506 Question...

exigent — Mon, 04 Feb 2002 04:42:22 GMT

Adam,

1. The default gateway for the pix would be 66.x.x.198 ( route 0 0 66.x.x.198)

2. The def gateway for your internal side is a tricky situation depending on how routing works in your company. I suggest you call Cisco TAC for more detailed assistance since any changes made to default gateways may affect hosts being able to contact other hosts on your frame relay network.

Re: Cisco Pix 506 Question...

adamf — Mon, 04 Feb 2002 15:19:49 GMT

ALL THE INFORMATION YOU NEED!

THanks you guys!

Cisco 3810a Router - Gateway Last Resort-> 10.137.1.202

Cisco 3810b Router - Gateway Last Resort-> 10.137.1.200

Cisco 2610 Router(firewall to be replaced) - Gateway Last Resort-> 66.21.32.193

Interface Outside of 2610 firewall/router -> 66.21.32.198

Inside Lan Computer gateway -> 10.137.1.200

Wireless CSU/DSU -> 66.21.32.197