04-18-2005 02:23 AM - edited 02-21-2020 12:05 AM
Dear All,
I got one problem with new Cisco PIX515E with 2 Fast Ethernet. Let me explain about my scenario:
LAN->Switch->PIX515E->Internet(DSL)
-LAN: Private IP (192.168.1.0/24)
-Switch: Private IP (192.168.1.253/24)
-PIX515E: (outside)registered ip address: xxx.xxx.xxx.xxx & (inside)private ip address: 192.168.1.254/24
With the above scenario, I have 500 users behind my PIX and all those 500 users need to access the internet, mail, and ftp.
I've already configured with the PDM v3.0 with IOS v.6.3(4) but it is not working.
So can anybody help me by explaining step-by-step about this above issue?
Thank you in advance,
Sothearith Chanty.
04-18-2005 03:15 AM
Sothearith,
Can you post your current pix config please, make sure to take out any sensitive info.
Jay
04-18-2005 06:29 PM
Hi Jay,
Thank you for your help, here is my pix config.
===============================================
PIX Version 6.3(4)
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx encrypted
passwd xxxx encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.yyy xxx.xxx.xxx.xxx
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
timeout xlate
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxx
: end
===============================================
Actually, I got only one registered ip address and it is now already assigned to the outside interface of my pix.
Thank you,
Sothearith Chanty.
04-18-2005 07:38 PM
Hi,
What is missing here is the translation configuration. Use "nat" command to tell the pix what private ip addresses should be translated to access the internet; and the "global" command to specify the public ip address used for translation. In this case the pix outside ip address will be used for translation. Configure:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
# here, any inside ip address (0.0.0.0 0.0.0.0) is translated to the public ip address of the outside interface.
Also, you need a default route. Configure:
route outside 0.0.0.0 0.0.0.0 x.x.x.x
where x.x.x.x is the ip address of the dsl router.
Please let us know if that helped or if you have questions.
Regards,
Mustafa
04-18-2005 11:35 PM
Sothearith,
As per Mustafa's post, you need the 'nat' and 'global' statements plus the route outside command.
If you only have the one public IP address and need to allow SMTP or other service access to the inside interface you can do so as follows:
(in config mode)
> access-list smtp permit tcp any host
> access-group smtp in interface outside
> static (inside,outside) tcp interface smtp
Save with : write mem and also issue command: clear xlate
NOTE: That public ip address for smtp should correspond to your mail MX record ip address!!
Hope this helps and please rate post if it does.
Jay
04-19-2005 01:13 AM
Hi All,
Thanks all of you, but I'm thinking that you are confused by my explanation; let me explain again about my scenario:
-I got only one registered ip address which is provided by my local ISP.
-The connection from my office to my ISP is using ADSL (connected to the phone line with an ADSL modem, and from that ADSL modem there is one UTP port which I can connect with a cross-cable to Fast Ethernet 0 (outside) of my Cisco PIX 515E)
-Fast Ethernet 1 (inside) of my Cisco PIX 515E is connected to my LAN's switch and all my internal users are connected to this switch too.
-I have no routing device
-Here is my registered ip address configuration which has to be assigned to the outside interface of my current Cisco PIX (Fast Ethernet0):
IP: 203.144.66.144/26
Default Gateway: 203.144.66.129 (server of my ISP)
DNS1: 203.144.65.2
DNS2: 210.80.58.66
-The inside ip address of Cisco PIX 515E (Fast Ethernet 1) will be assigned the private network address:
IP: 192.168.0.1/24
With the above configuration I have to allow the internal clients access to internet, mail and ftp.
I'm new to managing this cisco pix, I've only read some books and then I started configuring it. I'm very serious about this work, because I must get it done otherwise it will be a big problem for me.
Please help me if you can.
Thank you again.
Sothearith Chanty.
04-19-2005 03:07 AM
Hi Sothearith,
The configs above should work with your requirements. Have you tried configuring:
pix(config)#nat (inside) 1 0.0.0.0 0.0.0.0
pix(config)#global (outside) 1 interface
pix(config)#route outside 0.0.0.0 0.0.0.0 x.x.66.129 <-- replace this ip with the ISP default gateway
This config allows internet access for all local hosts on 192.168.0.1/24, using a single public ip address.
Moreover, as per Jay's suggestion above, you can add smtp, web, and http servers all utilizing the same single public ip address.
Does that help at all?
04-19-2005 04:07 AM
Hey,
start by changing:
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
to:
interface ethernet0 auto
interface ethernet1 auto
By default the interfaces are shutdown.
Then do what everyone else has been telling you to do, namely:
global (outside) 1
netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x <= IP of your dsl device.
The global outside can also be implemented like mhussein put it a while back.
---
pdm is fairly straight forward. To access it from your network, try the following commands:
http server enable
http 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
then access https://192.168.1.254
That should work for the PDM. In fact it's probably working but you're not using (ssl) https to access it.
Have fun.
**J.G
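The replies above amount to a short checklist for a PIX 6.x that has no Internet access: interfaces left in their default "shutdown" state, no "nat (inside)" / "global (outside)" pair, no default route, and PDM reachable only from the hosts listed in "http ... inside". The following script is an added example (not from the thread or from Cisco) that runs those checks over a PIX 6.3 config. The sample config is constructed from the lines posted in this thread (the public addresses are the ones the poster gave later), and the parser is a deliberately simple tokenizer, not Cisco's own config grammar.

```python
import ipaddress
from typing import List

# Constructed sample: the relevant lines of the PIX 6.3(4) config posted in the
# thread, before the fixes suggested by the other posters were applied.
SAMPLE_CONFIG = """\
PIX Version 6.3(4)
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.144.66.144 255.255.255.192
ip address inside 192.168.1.254 255.255.255.0
http server enable
http 192.168.1.5 255.255.255.255 inside
"""

# The same config after applying the thread's advice (also constructed here).
FIXED_CONFIG = SAMPLE_CONFIG.replace(" shutdown", "") + """\
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 203.144.66.129 1
"""


def parse_config(text: str) -> List[List[str]]:
    """Split a PIX config into token lists, skipping blank lines and ':'/'!' comments."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((":", "!")):
            continue
        lines.append(line.split())
    return lines


def audit_pix_nat(text: str) -> List[str]:
    """Return findings that explain why inside hosts cannot reach the Internet."""
    cfg = parse_config(text)
    findings = []

    # 1. PIX 6.x interfaces are shut down by default ("interface ethernetN auto shutdown").
    for tok in cfg:
        if tok[0] == "interface" and len(tok) > 1 and "shutdown" in tok:
            findings.append(f"{tok[1]} is administratively shut down")

    # 2. Every nat (inside) id needs a matching global (outside) id (pool or 'interface').
    nat_ids = {tok[2] for tok in cfg
               if len(tok) > 2 and tok[0] == "nat" and tok[1] == "(inside)"}
    global_ids = {tok[2] for tok in cfg
                  if len(tok) > 2 and tok[0] == "global" and tok[1] == "(outside)"}
    if not nat_ids:
        findings.append("no 'nat (inside)' statement: inside hosts are never translated")
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nid} has no matching 'global (outside) {nid}'")

    # 3. A default route pointing at the ISP gateway is required.
    has_default = any(tok[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"] for tok in cfg)
    if not has_default:
        findings.append("no default route ('route outside 0.0.0.0 0.0.0.0 <gateway>')")
    return findings


def pdm_access_allowed(text: str, client_ip: str) -> bool:
    """True if client_ip is covered by an 'http <net> <mask> inside' entry and the
    HTTP server is enabled, i.e. PDM over https is reachable from that host."""
    cfg = parse_config(text)
    if ["http", "server", "enable"] not in cfg:
        return False
    client = ipaddress.ip_address(client_ip)
    for tok in cfg:
        if tok[0] == "http" and len(tok) == 4 and tok[3] == "inside":
            # ipaddress accepts the dotted netmask form used by the PIX ('net/mask').
            net = ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False)
            if client in net:
                return True
    return False


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name} config:")
        for f in audit_pix_nat(cfg) or ["no findings"]:
            print("  -", f)
    print("PDM from 192.168.1.5 :", pdm_access_allowed(SAMPLE_CONFIG, "192.168.1.5"))
    print("PDM from 192.168.1.10:", pdm_access_allowed(SAMPLE_CONFIG, "192.168.1.10"))
```

Run against the posted config the audit reports both shut-down interfaces, the missing nat statement and the missing default route; against the corrected config it reports nothing. The PDM check shows why only 192.168.1.5 could open https://192.168.1.254 with the original "http 192.168.1.5 255.255.255.255 inside" line, and why widening it to the /24 (as J.G suggests) lets any inside host in, which is a trade-off worth making deliberately rather than by default.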