How to use PIX same Router

nhuongpham
Level 1

Dear Sir/Madam,

I have network as follows:

LAN---Inside-PIX-Outside---Router---Dial-up + Internet

IP address of LAN is 192.168.10.0 255.255.255.0. In the LAN there is a host with IP address 192.168.10.2, static NAT with 210.x.x.76.

IP address of inside is 192.168.10.1

IP address of outside interface is 210.x.x.74

IP address of F0/0 on the Router is 210.x.x.73

Users can access my network from the internet or by dial-up to the modem on the Router.

Now at the router (or any host connected to the outside interface) I can PING the outside interface, I can PING 210.x.x.76 (static NAT of 192.168.10.2), but I can't PING 192.168.10.2 (or any host in the LAN).

I want users connecting by dial-up to be able to access my LAN with private IP addresses (no NAT); this means I want to use the PIX the same as a Router.

Can you help me!

Thanks very much,

PIX Version 6.3(4)
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 100basetx
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxx
passwd xxxx
hostname pix515e
domain-name libsiss.edu.vn
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any
access-list 100 permit tcp any host 210.x.x.76 eq www
access-list 100 permit tcp any host 210.x.x.76 eq smtp
access-list 100 permit tcp any host 210.x.x.76 eq ftp
access-list 100 permit tcp any host 210.x.x.76 eq pop3
access-list 100 permit tcp any host 210.x.x.76 eq ident
access-list 100 permit tcp any host 210.x.x.76 eq https
access-list 100 permit tcp any host 210.x.x.76 eq 3389
access-list 100 permit tcp any host 210.x.x.76 eq ftp-data
access-list 100 permit tcp any host 210.x.x.76 eq imap4
access-list 100 permit tcp any host 210.x.x.76 eq telnet
access-list 100 permit tcp any any eq pptp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 210.x.x.x.x.255.248
ip address inside 192.168.10.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
static (inside,outside) 210.x.x.x.x.10.2 netmask 255.x.x.255 0 0
static (dmz,outside) 210.x.x.x.168.2.11 netmask 255.x.x.255 0 0
access-group 100 in interface outside
route outside 0.0.0.x.x.x.x.245.46.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end

3 Replies

sachinraja
Level 9

Hello,

You can do two things to access the server on its private IP 192.168.10.2...

1) After connecting on router dial-up or internet, you can have a Cisco VPN client connect to the PIX; the PIX will be the VPN server. You will have an IP pool on the PIX, which is the same as the internal LAN (or different). After connecting on the VPN, your users can access the server on its private IP through the VPN.

2) You need to do a NONAT for the traffic from 192.168.10.2 to the router IP pool. This will not NAT the traffic when the guys coming from the IP pool on the dial-up router try to access the server.

nat (inside) 0 access-list nonat
access-list nonat permit ip host 192.168.10.2 210.245.46.0 255.255.255.0

The first solution is the best one and used worldwide by all, because it provides encryption and authentication of data packets. The second one is not a secure way of doing it.

Hope this helps. All the best. Rate replies if found useful.

Raj

Thanks, now I have a new problem:

At the router (or any host connected to the PIX outside interface) I can PING 192.168.1.2 or 210.x.x.76, but PCs dialing up to the Router can't PING 192.168.1.2 or 210.x.x.76, although they can PING the PIX outside interface (or any PC in this network).

Thanks & Best Regards

version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2620XM
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
username test password 0 test
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
ip cef
!
!
!
ip domain name tnu.edu.vn
no ftp-server write-enable
!
!
!
!
interface Loopback1
 ip address 1.x.x.x.255.255.0
!
interface FastEthernet0/0
 ip address 210.x.x.x55.255.255.248
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/1
 no ip address
 shutdown
!
interface Group-Async1
 ip unnumbered Loopback1
 no ip mroute-cache
 dialer in-band
 dialer idle-timeout 600
 dialer rotary-group 1
 dialer-group 1
 autodetect encapsulation ppp
 async default routing
 async dynamic address
 async mode interactive
 peer default ip address pool LocalPool
 no fair-queue
 group-range 33 48
!
interface Dialer1
 ip unnumbered Loopback1
 encapsulation ppp
 ip tcp header-compression passive
 no ip mroute-cache
 dialer in-band
 dialer-group 1
 peer default ip address pool LocalPool
 no cdp enable
 ppp authentication chap pap calin
!
ip local pool LocalPool 210.x.x.x.245.46.78
ip classless
ip route 0.0.x.x.x.0.0 Serial0/0
ip route 192.168.1.0 255.255.255.0 F0/0
ip http server
!
access-list 1 permit any
dialer-list 1 protocol ip list 1
no cdp run
!
line con 0
line 33 48
 no flush-at-activation
 modem InOut
 modem autoconfigure type usr_courier
 transport input all
 autoselect during-login
 autoselect ppp
 flowcontrol hardware
line aux 0
line vty 0 4
 password xxx
!
!
end

Hello,

You will not be able to ping .76 from the PCs since you have done a NONAT on the PIX. You can for sure ping 192.168.1.2. If you are able to ping this IP from the router, but not from the PCs (which are in the same LAN network), check the settings on the PC. Are there any personal firewalls? When you do a tracert, where does it go? Try adding a specific route for 192.168.1.2 pointing to the PIX outside...

Let us know

Raj
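The two points Raj makes above (that `nat (inside) 0 access-list nonat` lets the server answer dial-up clients on its private address, and that the same exemption is why those clients can no longer ping the .76 static address) follow from the order in which a PIX 6.3 picks a translation: NAT exemption is matched before the static. The model below is an added example written for this thread, not configuration or code from either poster or from Cisco. It parses the `static`, `nat 0` and `access-list` lines in the same syntax as the posts and predicts which source address the outside sees. The public addresses in the thread are masked as 210.x.x.x, so 203.0.113.76 is a constructed placeholder for the server's static address and 210.245.46.50 a constructed client address inside the 210.245.46.0/24 pool named in the reply; 198.51.100.9 is a constructed internet host.

```python
"""Toy model of PIX 6.3 translation choice for the thread's config.

Added example. 203.0.113.76 is a placeholder for the masked 210.x.x.76;
the nonat access-list is the one from Raj's reply. Assumes NAT exemption
(nat 0 access-list) is evaluated before static NAT, as his reply relies on.
"""
from ipaddress import ip_address, ip_network

PIX_CONFIG = """
static (inside,outside) 203.0.113.76 192.168.10.2 netmask 255.255.255.255 0 0
nat (inside) 0 access-list nonat
access-list nonat permit ip host 192.168.10.2 210.245.46.0 255.255.255.0
"""


def _parse_acl_addrs(tokens):
    """Parse '<src> <dst>', each being 'host A', 'any' or 'NET MASK'."""
    nets = []
    i = 0
    while i < len(tokens) and len(nets) < 2:
        if tokens[i] == "host":
            nets.append(ip_network(tokens[i + 1] + "/32"))
            i += 2
        elif tokens[i] == "any":
            nets.append(ip_network("0.0.0.0/0"))
            i += 1
        else:  # PIX ACLs use real netmasks, which ipaddress accepts
            nets.append(ip_network(f"{tokens[i]}/{tokens[i + 1]}"))
            i += 2
    return nets[0], nets[1]


def parse_config(text):
    """Return (statics, exempt_rules).

    statics maps inside address -> global address from 'static' lines;
    exempt_rules is the list of (src_net, dst_net) pairs of the ACL that
    'nat (inside) 0 access-list NAME' refers to.
    """
    statics, acls, nonat_name = {}, {}, None
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "static" and p[1] == "(inside,outside)":
            statics[ip_address(p[3])] = ip_address(p[2])
        elif p[:4] == ["nat", "(inside)", "0", "access-list"]:
            nonat_name = p[4]
        elif p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            acls.setdefault(p[1], []).append(_parse_acl_addrs(p[4:]))
    return statics, acls.get(nonat_name, [])


def outbound_source(statics, exempt_rules, src, dst):
    """Address an inside host appears as on the outside, or None when no
    nat/static rule covers it (this config has no nat/global pair, so a
    PIX 6.3 drops such traffic)."""
    src, dst = ip_address(src), ip_address(dst)
    for src_net, dst_net in exempt_rules:
        if src in src_net and dst in dst_net:
            return str(src)            # nat 0 wins: leaves untranslated
    if src in statics:
        return str(statics[src])       # static NAT applies
    return None


def ping_reply_source(statics, exempt_rules, client, target):
    """Source address `client` sees on the echo reply when it pings `target`
    from outside. Inbound, the static un-NATs the destination; the reply
    then goes out through the same translation choice as any packet."""
    target = ip_address(target)
    inside = next((i for i, g in statics.items() if g == target), target)
    return outbound_source(statics, exempt_rules, inside, client)


if __name__ == "__main__":
    statics, rules = parse_config(PIX_CONFIG)
    pool_pc, inet_host, server_pub = "210.245.46.50", "198.51.100.9", "203.0.113.76"
    # Dial-up PC pings the static address: reply leaves as 192.168.10.2,
    # so the PC's ping sees no answer from 203.0.113.76 (Raj's point).
    print("pool PC -> .76 reply from", ping_reply_source(statics, rules, pool_pc, server_pub))
    # Dial-up PC pings the private address directly: works, given a route.
    print("pool PC -> 192.168.10.2 reply from", ping_reply_source(statics, rules, pool_pc, "192.168.10.2"))
    # Internet host pings the static address: static applies, reply is consistent.
    print("internet -> .76 reply from", ping_reply_source(statics, rules, inet_host, server_pub))
    # Any other LAN host has no translation at all in this config.
    print("192.168.10.50 -> internet leaves as", outbound_source(statics, rules, "192.168.10.50", inet_host))
```

The model only decides which translation a packet gets; it does not check routes or the outside access-list, so a "works" result here still needs the router route toward the PIX that Raj suggests and an ACL entry that permits the traffic.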
