06-28-2012 12:43 PM - edited 03-11-2019 04:24 PM
Hello,
I need help configuring a newly reinstated PIX515E with IOS 6.3 to test the configuration of a load balancer.
I would like to setup with two Inside interfaces (or simply two interfaces) for testing. I just need it to pass traffic (basically HTTP and HTTPS) between these two interfaces without using NAT.
The older IOS is causing me some problems.
Another potential issue is that I am trying to connect to an IP on the 192.168.3.x network connected to the same switch using another IP in that network as the Interface IP (3.200). So the HTTP and HTTPS traffic needs to flow from the laptop (192.168.12.100) to the Inside-test interface (12.1), then to the Inside interface (3.200), then to the destination webserver at (3.45), which is connected to the same switch as the Inside (3.200) interface. The other issue I may have is that DNS is not working because I don't have an outside interface configured for Internet access, but trying to connect via IP address doesn't work either. I may be able to configure a second DNS server for the 192.168.12.x network for testing purposes if needed. I even tried to set the default route to the interface of the production ASA's inside interface (3.1), but that did not work either.
The office Internet connection is only available directly on the port connected to the ASA (not the PIX) which may be adding some complexity. I am not currently using the outside interface at all.
Any suggested configurations would be helpful.
Here is what I have so far:
PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 inside-test security90
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_inside_to_insidetest permit tcp 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0 eq www
access-list acl_inside_to_insidetest permit tcp 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0 eq https
access-list acl_insidetest_to_inside permit tcp 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0 eq www
access-list acl_insidetest_to_inside permit tcp 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0 eq https
pager lines 24
mtu outside 1500
mtu inside 1500
mtu inside-test 1500
no ip address outside
ip address inside 192.168.3.200 255.255.255.0
ip address inside-test 192.168.12.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
access-group acl_inside_to_insidetest in interface inside
access-group acl_insidetest_to_inside in interface inside-test
route inside 0.0.0.0 0.0.0.0 192.168.3.1 1 (tried with and without this)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Let me know if you see any glaring issues for the scenario I described above or if you have any suggested changes to accomplish my goals.
Thank you for your help.
06-28-2012 07:58 PM
You would need to configure static NAT to itself:
static (inside,inside-test) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
06-29-2012 07:17 AM
Hi Jennifer,
Thank you for the reply.
Would this accomplish the goal of NO NAT between the two interfaces? Would I need to add exemptions for traffic between the two networks or does that defeat the purpose of adding the command in the first place?
I need to make sure that there is not nat between these two interfaces for the purposes of testing the load balancers.
Should I leave the default route in or take it out?
Thank you.
06-29-2012 10:29 AM
Jennifer,
I tried your suggested config and it doesn't seem to have allowed communications between the two networks or to the Internet. Is there something else that I can try?
I also need to make sure there is no NAT. I looked at the Xlate command, but there is no detail option in this version. I looked at the sh xlate and sh xlate debug options too.
Please let me know how to verify the NAT is disabled on this version of IOS.
Sorry if I am not understanding this completely, but I just want to be sure about the NAT. An important and complicated project is based on the results of this testing.
Thank you.
06-29-2012 08:05 PM
The static NAT to itself is performing a no NAT between the 2 interfaces, it works bidirectionally.
You stated that it doesn't seem to allow communication between the 2 networks - please check your ACL on the interfaces as it is only allowing very limited access; are you trying to access something that you've configured in your ACL? Please remove the ACL for the time being for testing purposes. The static NAT command should allow communication between the 2 internal interfaces, unless you've made other changes in your config.
To access the internet, you will need to NAT/PAT it to a public IP, whether it is on the PIX itself or on other devices.
You can run "capture" on the PIX interface and you will see that the IP is not being NATed, as the "capture" is the last step just before the packet is sent on the wire.
06-29-2012 08:08 PM
And by the way, show xlate does show you the local and the global address. If both are the same addresses, that means no NAT is performed. Otherwise, if NAT is performed, it will show the real IP for the local address and the NATed IP for the global address.
07-01-2012 08:54 AM
I doubt the ACL as well. If the webserver running http/https resides on the inside interface, then the following acl needs to be corrected:
access-list acl_inside_to_insidetest permit tcp 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0 eq www
access-list acl_inside_to_insidetest permit tcp 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0 eq https
To be corrected to:
access-list acl_inside_to_insidetest permit tcp 192.168.3.0 255.255.255.0 eq www 192.168.12.0 255.255.255.0
access-list acl_inside_to_insidetest permit tcp 192.168.3.0 255.255.255.0 eq https 192.168.12.0 255.255.255.0
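The following is an added example, not a configuration posted by anyone in this thread, that ties together the identity static from the second reply, the ACL discussion from the last two replies, and the "show xlate" and "capture" checks used to confirm that nothing is translated. It assumes PIX 6.3 syntax and reuses the interface names, addresses and ACL names from the original post; the nonat ACL name, the capture names and the sample "show xlate" output are constructed for illustration. Two points the thread does not spell out: the PIX is stateful, so only the first packet of the laptop-to-webserver flow has to be permitted by the inside-test ACL (the SYN-ACK is matched against the connection table, not against the inside ACL), and the web server at 192.168.3.45 must be able to route replies for 192.168.12.0/24 back to 192.168.3.200 rather than to the production ASA at 192.168.3.1, otherwise the SYN reaches the server but the reply never comes back through the PIX (the thread does not say what the server's gateway is, so this is an assumption about the lab).

```cisco
! Added example for the thread above (PIX 6.3 syntax), not a posted config.
! inside      = security100, 192.168.3.200/24 (web server 192.168.3.45 lives here)
! inside-test = security90,  192.168.12.1/24  (test laptop 192.168.12.100)

! Identity static: 192.168.3.0/24 is reachable from inside-test with the same
! addresses on both sides. PIX 6.x needs an xlate for any flow from a lower- to
! a higher-security interface; mapped == real means no translation happens.
static (inside,inside-test) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

! Optional: also exempt inside -> inside-test flows from NAT, so hosts on
! 192.168.3.0/24 can open connections toward 192.168.12.0/24 untranslated.
! ACL name "nonat" is an assumption.
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (inside) 0 access-list nonat

! Laptop -> web server. The destination port goes after the destination
! network; return packets of the established connection need no ACL entry.
access-list acl_insidetest_to_inside permit tcp 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0 eq www
access-list acl_insidetest_to_inside permit tcp 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0 eq https
access-group acl_insidetest_to_inside in interface inside-test

! Check 1: after a test connection, global and local must be identical.
! Constructed expected shape (not output captured from a real device):
!   Global 192.168.3.45 Local 192.168.3.45
show xlate

! Check 2: the test flow should appear as a TCP connection between the
! untranslated addresses.
show conn

! Check 3: capture on both interfaces (capture is available from PIX 6.2) and
! compare IP headers; 192.168.12.100 <-> 192.168.3.45 must be unchanged on the
! inside capture. ACL and capture names are assumptions.
access-list cap_test permit tcp host 192.168.12.100 host 192.168.3.45 eq https
access-list cap_test permit tcp host 192.168.3.45 eq https host 192.168.12.100
capture cap_test_in access-list cap_test interface inside-test
capture cap_test_out access-list cap_test interface inside
show capture cap_test_in
show capture cap_out
```

If the "show capture" on inside shows the SYN leaving toward 192.168.3.45 but no SYN-ACK coming back, the problem is the server's return route, not the PIX: add a route for 192.168.12.0/24 via 192.168.3.200 on the web server (or on whatever device is its default gateway) before changing anything else in the PIX.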