04-07-2010 12:48 PM - edited 03-11-2019 10:29 AM
Could anyone help me to create a few basic rules that will allow this traffic to flow through the Cisco PIX firewall?
internal networks:
192.168.1.0/24
192.168.2.0/24
Both need to be able to search Internet websites, browse, and connect to other remote networks (ex. 10.5.1.0/24).
On the other hand, a remote network (ex. 10.5.1.0/24) needs to have access to internal network 192.168.1.0/24
Can you provide an example?
Thanks
04-08-2010 12:06 PM
Exactly,
Only that FTP uses TCP ports 20/21, depending on whether it is operating in passive or active mode.
Federico.
04-08-2010 12:41 PM
Federico,
At this time, I'm able to find hosts which are on the same subnet as the ethernet0 on the firewall. But anything beyond this point cannot be found.
The internal host(s) on subnet 146.186.174.128 cannot resolve names using a DNS server on a far network.
04-08-2010 01:01 PM
Set the DNS manually on a host to 4.2.2.2 or 8.8.8.8
Try to browse the Internet, see if it works.
Open a browser and go to 198.133.219.25
Federico.
04-08-2010 01:12 PM
Hello,
after adding 0.0.0.0 0.0.0.0 172.31.53.1 1, everything starts to work.
However, I noticed that everything from inside the firewall is being NATed, which is OK for isolated networks. I have a few external subnets that need to see the host IP address, not the external firewall address.
How can I fix this little issue?
04-08-2010 01:22 PM
If you need outside users to see the real IPs instead of the NATed ones, you just do STATIC NAT to themselves.
In other words, to reach the IP x.x.x.x from the outside, you enter the following:
static (in,out) x.x.x.x x.x.x.x
This is because x.x.x.x is a public, routable IP on the Internet. That's why I asked you if your public ranges were actually yours (you told me they were just testing addresses).
If you don't have public addresses, you should NAT.
In case you own public addresses, you can avoid NATing.
Federico.
04-08-2010 01:31 PM
Sorry to keep asking the same questions: static (in,out) x.x.x.x x.x.x.x
The first group of x.x.x.x = the external IP address of the firewall?
The second group of x.x.x.x = the internal set of IP addresses of a given network?
04-08-2010 01:36 PM
No,
static (in,out) x.x.x.x x.x.x.x
x.x.x.x is the real IP of the inside host.
Let's say that you want the 200.200.200.0/24 (network behind the Firewall) to be seen from the Internet with the same IPs (not doing NAT).
static (in,out) 200.200.200.0 200.200.200.0 netmask 255.255.255.0
The ACL applied to the outside interface should permit the inbound ports needed.
Hope it's clear.
Federico.
04-08-2010 02:21 PM
We actually have non-routable IPs that will only work through our company network. But
I'm still concerned about security and, at the same time, allowing the networks behind the firewall to be able to communicate with Active Directory.
If I use static (in,out), this will expose the network to everyone, not just the company network. How can I limit the access to this network to just within the company network?
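As an added example (not posted by anyone in this thread), here is a PIX 6.x-style configuration that puts the advice above together: an identity static for 192.168.1.0/24 so it is presented with its real addresses, the other inside subnet still hidden behind the outside interface, and an inbound ACL on the outside interface that admits only the remote company subnet 10.5.1.0/24, only to 192.168.1.0/24, and only on the ports it needs. The interface roles and the gateway 172.31.53.1 come from the thread; the ACL name and the example ports (DNS and LDAP, standing in for whatever the directory traffic actually requires) are assumptions. The static itself does not expose the network to "everyone": what reaches it from outside is decided by the access-group, and the addresses are non-routable beyond the company network anyway.

```cisco
! Added example, not from the thread. Interface names follow PIX 6.x conventions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100

! Identity static: 192.168.1.0/24 keeps its real IPs when seen from outside.
! A static takes precedence over the dynamic nat/global pair below.
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! The other inside subnet is still hidden behind the outside interface address.
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0

! Inbound policy on the outside interface: only the remote company subnet,
! only toward 192.168.1.0/24, only the ports needed. Ports 53/389 are
! placeholders; replace with the set your directory traffic requires.
access-list outside_in permit udp 10.5.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 53
access-list outside_in permit tcp 10.5.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 389
! Explicit final deny with logging so rejected inbound attempts are visible.
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! Default route toward the company network gateway (from the thread).
route outside 0.0.0.0 0.0.0.0 172.31.53.1 1
```

Because the ACL names the remote source subnet explicitly, hosts elsewhere on the outside never match a permit line and are dropped by the logged deny; inside-initiated connections to 10.5.1.0/24 continue to work through the identity static, since return traffic for an established connection is allowed by the PIX state table rather than by the inbound ACL.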