topic Re: Pix configuration in Network Security

Pix configuration

sq — Fri, 21 Feb 2020 06:19:18 GMT

I reelly need some help , I could not resolve with my self.

I am connect a Cisco 3620 Router to the Internet, and I am getting IP address.

Pix 515 is also connected to the Router in one side and to a switch on the other side:

Internet-----Router-------Pix-----LAN.

My problem is that ,my Pc could not make a connection to The internet:

I have tried NAT, Global , and access-list , and I could not solved.

Did any body show me the right site , or give me configuration which works.

Thanks.

Re: Pix configuration

rj.remien — Tue, 22 Oct 2002 22:15:28 GMT

Hi Said,

Here is basically what you need

Nat (inside) 1 0.0.0.0 0.0.0.0

Global (outside) 1 x.x.x.x (Public IP address or outside interface of Pix IP address)

Can you submit your config without private info?

Thanks,

Re: Pix configuration

sq — Tue, 22 Oct 2002 23:13:03 GMT

Hi RJ

It `s very nice to get a answer.Here are my config:

pixfirewall(config)# sh conf

: Saved

: Written by enable_15 at 02:03:12.574 UTC Tue Oct 22 2002

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

enable password ( password is removed )

passwd ( password is removed )

hostname pixfirewall

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

pager lines 24

logging on

logging buffered errors

logging trap notifications

interface ethernet0 100basetx

interface ethernet1 100basetx

interface ethernet2 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside dhcp

ip address inside 10.1.1.2 255.0.0.0

ip address intf2 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media

0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

<--- More --->

floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

dhcpd lease 3000

dhcpd ping_timeout 750

dhcpd domain chello.no

dhcpd auto_config outside

terminal width 80

Cryptochecksum:7994f8a1e6cb35e2ff6cdb2f8b0e021c

pixfirewall(config)#

Did`nt I need to apply en access-list from outside to inside of PIx???

Could you make changes in my config , so I can try yours configuration

Thanks

Said

Re: Pix configuration

gfullage — Wed, 23 Oct 2002 04:49:19 GMT

Said,

To go from a higher security interface to a lower (inside to outside), you need a nat/global pair. Add the following to your config and see how you go:

nat (inside) 1 10.0.0.0 255.0.0.0

global (outside) 1 interface

This will NAT everything on the inside to your outside interface's IP address. You should be able to get out now. You don't specifically need an access-list since the PIX will automatically allow the returning traffic back in.

If you want traffic to originate from the outside and come inot your network, then you need a static and an access-list.

PIX command reference is here: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/index.htm

Re: Pix configuration

sq — Thu, 24 Oct 2002 16:29:44 GMT

Hi Glenn Fullager.

If I understind you , if I want to trafikk from inside to inside:

nat ( inside) 1.10.0.0.0 255.0.0.0

global ( outside) 1 interface ( not ip outside ip address: )

Traffikk back is automatically allowed.

originated Traffikk from trafikk to my LAN:

static ( outside,inside ) x.x.x.x , 10.0.0.0

access-list 110 permit tcp any any eq www.

access-group 110 in interface outside.

Is that correct confiuration static and access-list.

Said

Re: Pix configuration

rj.remien — Thu, 24 Oct 2002 17:29:15 GMT

Hi Said,

To recap this post:

Add this to your config for internal users to access Internet resources:

nat (inside) 1 10.0.0.0 255.0.0.0

global (outside) 1 interface - This will translate all of your internal IP addresses using the IP address of the outside interface. Return traffic is allowed back without further configuration.

Let's say you have a web server on your inside LAN at IP - 10.1.1.10. Add this to your config to allow users from the Internet to access your web server.

Static (inside,outside) x.x.x.x 10.1.1.10 netmask 255.255.255.255 ( x.x.x.x is an IP address on your outside subnet.)

access-list 110 permit tcp any host 10.1.1.10 eq www

access-group 110 in interface outside

Hope this helps.

Re: Pix configuration

sampathsr — Fri, 25 Oct 2002 00:35:27 GMT

Hi:

Hope the config worked. If it did'nt still work try replacing this:

ip address outside dhcp

with

ip address outside x.x.x.x y.y.y.y

Best regards / Sampath

Sampathsr@yahoo.com

Re: Pix configuration

sq — Fri, 25 Oct 2002 21:36:42 GMT

Hei RJ REMIEN

It`s works when I use only PIx , directed connected to Internet like this :

Internet----Pix--------LAN

config # ip address outside dhcp.

config#nat 1 0 0

config #global 1 interface ( Outside interface is PAT )

config#route 0.0.0.0 0.0.0.0 x.x.x.x ( x.x.x.x is default gateway of ISP)

But when I connect like this:

Internet----Router----PIX------LAN

I could not use this configuration:

config#nat 1 0 0

config #global 1 interface ( outside interface is 192.168.1.70 )

config#route 0.0.0.0 0.0.0.0 x.x.x.x ( x.x.x.x is default gateway of ISP)

Interne Ip address of Router and outside ip address of PIx are working is 192.168.1.0

Is that because my outside interface ( PIX ) have a non routable ip address , so my LAN could not connect to Internet ????

It`s have nothing to with global:

config#global 1 interface

config#global 1 192.168.1.70

Thanks

Said

Re: Pix configuration

rj.remien — Sun, 27 Oct 2002 03:33:35 GMT

Hi Said,

If you can connect directly to the Internet with your PIX, what are you using as the bridging device to translate your line to Ethernet? (e.g. DSL line - you would need a DSL modem/router to bridge the phone line to ethernet.) Is your network at a colocation facility.? You would be able to directly connect your PIX in that situation. If that is the case, you do not even need your router.

In regards to your question about the outside PIX interface being an RFC 1918 address, you are correct about needing it to be a valid public IP address.

2 questions:

1. When you connect directly to the Internet with the PIX, is the outside interface of the PIX 192.168.1.70? If it is, your ISP should be doing some natting. If not, it will probably work but you are not supposed to route any 192.168.x.x address on the Internet and a lot of sites will block your traffic.

2. How is your network connected to the ISP - T1,DSL, ISDN?

Thanks,

Re: Pix configuration

sq — Tue, 29 Oct 2002 18:41:18 GMT

Hei RJ REMIEN

I am sorry for this late, I was out of Internet.

With you help I have managed to to configure my PIX and Router correctly.

Internet---Router---PIX---LAN and everything is well done. But Outside users cannnot make a connection with my LAN.

Is that I need to configure my Pix with static ,and conduit or I have to use access-list ??

Answering to your question , I am using Cable , 700/250 dow/uplo.

Said

Re: Pix configuration

tahirk — Wed, 30 Oct 2002 05:34:21 GMT

Dear Fellow

In order to make your inside servers accessible to the outside network for a specific traffic you have to make use of both static commands and access lists.

Static command will statically map the inside address with the corresponding outside ip Address and that is called as static nating.

Acccess lists will allow only specific traffic to hit your server, so that outside world can have only http communication (for example) with your inside webserver and nothing else.

Regards

Tahir Khan

Network Engineer

Sigma Systems International.

Re: Pix configuration

girish_g — Thu, 31 Oct 2002 04:59:01 GMT

HI ,

Kindly have a look at the caveats for cisco PIX 515.

If you have a pc which has a mac address starting with 00 -08 pix cannot communicate with it. This is a unresolved caveat

Give it a shot

your requirements are relatively simple

I hope you have put a access-group command to bind the access list to the interface

-girish.gopalrao

Re: Pix configuration

gfullage — Thu, 31 Oct 2002 05:04:23 GMT

This bug (CSCdt47829) is fixed in the following minimum versions:

6.1(4), 6.0(4) and 6.2(1)