Initial configuration of PIX525 with multiple VLANs

fieryhail
Level 1

Hello Everyone,

I'm very new at firewalling.  I have to set up a PIX to provide 2 DMZ zones with an inside VLAN for workstations.  Right now I have a 3745 router connecting to WAN via ISP's 851 ethernet.  I have 5 static IPs.  Behind the 3745 I have a Catalyst 3550 hosting 3 VLANs.  One for workstations, another for web servers and mail server and a third for CallManager.  I have 6 ethernet interfaces available on PIX.  PIX OS 8.04 and ASDM 6.  What I think I need to do is to put the PIX between the 3745 and the 3550 but I am not sure.  Perhaps the PIX needs to connect directly to the 851?  What I want to do is have the PIX act as firewall for workstations (VLAN 100, 192.168.110.0/24) and create 2 DMZs which are currently in VLANs on the 3550.  I need to be able to use 1 IP for internet access for the workstations and 3 more for webserver DMZ.  I have to be able to PAT ports from different internal IPs on subnet 192.168.10.0/28 to 3 outside IPs.  I know there must be a way to do this, I apologize for being so confusing.  Any direction would help with this.  I have searched and have found no guidance on this type of setup.  Thanks in advance.


7 Replies

Panos Kampanakis
Cisco Employee

You can achieve that on the PIX using subinterfaces and vlans.

outside vlan
      |
PIX----inside vlan
      |
   dmz vlan

You can PAT or NAT from inside to dmz, inside to outside, dmz to outside, that is not a problem.

So I would expect you to use the PIX for your vlans and have the router in front of the PIX having only the outside vlan.

I hope it helps a little.

PK

This link has a few sample configurations with switches with nice diagrams.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/examples.html

Hope you can find one that suits your requirements.

This link has sub interface configs: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1044006

-KS

I drew up a diagram which is what I would like to put together.  Hopefully someone can tell me if this is possible or if I am wrong in assuming this config IS possible.  I have 5 static IPs assigned from ISP (no more available unfortunately).  My ISP's router is xx.xx.xx.169.  The 3745 currently does PAT for the servers coming off the 3550.  The 3745 also has voice-ports for use with CallManager as well as handles a SIP trunk.  Because of this I think it needs to stay in front of the PIX.  I think the PIX also needs a static IP assigned to it to enable the use of it as a VPN server, currently the 3745 is acting as a VPN server.  The 3550 has 3 vlans, one for servers which include web and media streaming (srv1 - srv3).  They use a private IP subnet, 192.168.10.0/28.  Vlan 2 would be for ESX hosts (esx1, esx2).  IP subnet for those is 192.168.50.6/29.  The CallManager servers are on a third vlan with private subnet 172.16.0.0/16.  What I would like to do if possible since the PIX has 6 ethernet interfaces, attach a PIX interface to each vlan on the 3550 as a "separate" network.  I believe since the 3550 is Layer 3 this is possible, then have the PIX perform PAT.  The CallManagers do not need internet access, they need to be reachable by VPN from the internet.  They also need to be able to access the 3745 by inside IP to access the SIP trunk and voice-ports.  The servers (srv1-srv3) need PAT access to 2 static IPs on various ports.  80, 24, 443, plus others.  ESX do not need internet access.  The workgroup switch is a 3524 and that connects the LAN machines to the internet, it needs to be able to go outside so that all LAN machines have internet access through a single static IP.  Any help is greatly appreciated.  If someone has a better idea design-wise that can better accomplish what I am trying to do, I'd love to hear that also.  I believe I need to assign a static IP to both the PIX outside interface as well as the 3745 but I may be mistaken in this assumption.
Thanks in advance.

My other question in regards to this proposed configuration, is whether it is possible by using the layer 3 switch behind the PIX, or do I actually require a router coming off the PIX in between a routed interface on each VLAN on the 3550?  For instance, set up 3 routed interfaces on the 3550, and forward traffic from vlan 1 through routerA through the PIX and then the internet, same thing for vlan 2.  Another routed interface on 3550 connecting to routerB and then through the PIX to the internet and then the same thing again with a third router and routed interface on the 3550.  Sorry for being so confusing.  I'm just trying to figure out the best way to achieve the desired results.

Yes, your proposed topology would work out great.

You do not need an extra router to route traffic from 3550 towards the PIX as PIX will be acting as a router.

You can configure the following interfaces on your PIX:

1) Outside - connect to the 3745 router (using the public ip address, assuming the 3745 is .169, you can configure the PIX outside interface in the same subnet). PIX will be configured with default gateway pointing towards your 3745 (x.x.x.169).

2) Inside - connect to the workgroup switch (you can configure PAT to the PIX outside interface for internal users to have internet connectivity).

3) DMZ-Server - connect to the 3550 server VLAN (for the remaining 3 public ip addresses, you can statically configure the NAT for each server, all servers will have PIX DMZ-Server interface ip address as their default gateway)

4) DMZ-ESX - connect to the 3550 ESX (VLAN 2) - all ESX servers would have PIX DMZ-ESX interface as their default gateway.

5) DMZ-CM - connect to the 3550 CM VLAN - CMs will have PIX DMZ-CM interface as their default gateway.

Hope that helps.

Thank you for the reply halijenn.  I hope that somehow I can get this setup up and running..  In response to your reply.

I attached a new diagram to this post, one that displays the current topology that I am having difficulty with.  I scaled the design back for now to attempt making troubleshooting this situation easier.  I believe that all relevant information is contained within the diagram.

96.xx.xx.169 is the IP address of the c851 (ISP Router).  I removed the 3745 from the picture at this point.  The PIX connects directly to the c851.  The PIX outside is set to 96.56.78.174/29.  I set up a test vlan on the 3550 and created a DMZ (DMZ1) on PIX e1 (security-50).  One interface on the vlan is connected to PIX e1.  The other interface is connected to a server (30.2).  I want to be able to:

PAT 192.168.30.2:80 --> 96.xx.xx.172:420

PAT 192.168.30.2:81 --> 96.xx.xx.172:81

Unrestricted access from PIX, e5 --> PIX, e1 (SSH, HTTP, etc)

DNS to 192.168.30.2 (53, udp)

Since the PIX is connected on the outside interface (e0) to the ISP router (c851), I should be able to do this I think.  The c851 "contains" all my static IP addresses assigned from my ISP.

When I did this, when logged into the PIX, I can ping 30.2 fine.  When logged into the server, I can ping 30.1 (PIX) with no problem.  I can NOT ping 30.1 (PIX e1) from a workstation connected to 10.1.1.0/24 (PIX e5).  This confuses me because PIX e1 is set to security-50 and PIX e5 is set to security-100.  I thought I could reach any lower security interface from a higher but this does not appear to work.  I cannot ping PIX e1, or the server connected to that interface, from the workstation that runs ASDM (10.1.1.5), in ASDM.

At this point I am thinking that my problem may lie with ACLs perhaps.  Do you have any guidance on what kind of ACLs I would assign to enable full unrestricted access from 10.1.1.0/24 (PIX e5) to any system connected to 192.168.30.0/29 (PIX e1)?  And also to enable http to go FROM any system on 192.168.30.0/29 (PIX e1) to hosts on 10.1.1.0/24 (PIX e5).  I'm trying to take this one step at a time.  Once I can get connectivity between the two interfaces on the PIX, then I plan to establish NAT connectivity from systems on 192.168.30.0/29 out the PIX outside interface (PIX e0) using NAT.  I apologize for my confusing post.  I tried to be as precise as possible.  If any config files from PIX are needed/helpful, let me know and I'll post them.

I think once I can accomplish what I detailed in here, then I ought to be able to accomplish the rest of what I need to do.  It's just the first time getting systems behind the PIX to communicate with other systems behind the PIX and out to the Internet from behind the PIX.  Thank you again for any assistance.

1) In achieving the following requirement:

PAT 192.168.30.2:80 --> 96.xx.xx.172:420
PAT 192.168.30.2:81 --> 96.xx.xx.172:81

Since NATing is now done on the PIX, please remove the NAT statement on your c851 router.

PIX configuration:

static (DMZ1,Outside) tcp 96.56.78.172 420 192.168.30.2 80 netmask 255.255.255.255
static (DMZ1,Outside) tcp 96.56.78.172 81 192.168.30.2 81 netmask 255.255.255.255

access-list outside_in permit tcp any host 96.56.78.172 eq 420
access-list outside_in permit tcp any host 96.56.78.172 eq 81
access-group outside_in in interface outside

2) For this requirement:

Unrestricted access from PIX, e5 --> PIX, e1 (SSH, HTTP, etc)
DNS to 192.168.30.2 (53, udp)

Unrestricted access from inside network towards DMZ1 network - since this requirement will cover the above 2 lines, you do not need to configure the specifics of the above 2 lines.

PIX configuration:

static (inside,DMZ1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

access-list inside_in permit ip 10.1.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-group inside_in in interface inside

3) To answer your ping question:

You can only ping the PIX interface from the directly connected interface as follows:
To be able to ping the inside interface, you would need to ping from the inside network
To be able to ping the DMZ1 interface, you would need to ping from the DMZ1 network
You can't ping the inside interface from DMZ1 network, and vice versa (can't ping DMZ1 interface from inside network). Those are not supported on PIX.
However, you should be able to ping from DMZ1 network towards inside network and vice versa after the above "static (inside,DMZ1)" statement, and also if you have "inspect icmp" configured (check "sh run policy-map")

4) For this requirement:

Ping from DMZ1 network towards inside network, and to allow HTTP from DMZ1 network towards inside network, you would need to create access-list on DMZ1 interface.

PIX configuration:

access-list dmz1_in permit icmp any any
access-list dmz1_in permit tcp 192.168.30.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 80
access-group dmz1_in in interface DMZ1

Hope the above helps, and please kindly rate helpful posts so Cisco can match $1 for every rating for the Haiti Earthquake donation.
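A reviewer's check for the PIX lines in this answer, added here as an example; it is not part of the thread and not Cisco tooling. It parses the static, access-list and access-group lines as posted, with the documentation address 203.0.113.172 standing in for 96.xx.xx.172 and the outside interface assumed at security level 0 (the thread only gives e1 security-50 and e5 security-100). The sample keeps the dmz1_in binding line spelled `access-list` so the audit has the real mistake to find: an access-list that is defined but never applied with `access-group` permits nothing, however correct its entries are. It also checks that every port-forward static on the outside has a matching permit (and that no outside permit is left without a static behind it), flags permits wider than the stated requirement such as `icmp any any`, and encodes the security-level and interface-ping rules from point 3, which is what lets the PIX act as the router between the VLANs in the earlier answer without extra routers.

```python
"""Reviewer's audit of the PIX lines posted above: constructed example for this thread, not
Cisco tooling. 203.0.113.172 stands in for the public address; outside=security 0 is assumed."""
import re
from collections import namedtuple

# The posted lines, with the dmz1_in binding kept as 'access-list' (as typed) so the audit finds it.
SAMPLE_CONFIG = """\
static (DMZ1,Outside) tcp 203.0.113.172 420 192.168.30.2 80 netmask 255.255.255.255
static (DMZ1,Outside) tcp 203.0.113.172 81 192.168.30.2 81 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.172 eq 420
access-list outside_in permit tcp any host 203.0.113.172 eq 81
access-group outside_in in interface outside
static (inside,DMZ1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list inside_in permit ip 10.1.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-group inside_in in interface inside
access-list dmz1_in permit icmp any any
access-list dmz1_in permit tcp 192.168.30.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 80
access-list dmz1_in in interface DMZ1
"""

SECURITY_LEVELS = {"outside": 0, "dmz1": 50, "inside": 100}  # e1 security-50, e5 security-100 per thread
Static = namedtuple("Static", "real_if mapped_if proto mapped mport real rport")
Ace = namedtuple("Ace", "acl action proto src dst port")
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) (?:(?P<proto>tcp|udp) )?"
    r"(?P<mapped>\S+) (?:(?P<mport>\d+) )?(?P<real>\S+)(?: (?P<rport>\d+))? netmask")
ACL_RE = re.compile(r"^access-list (?P<acl>\S+) (?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.+)$")
GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) in interface (?P<iface>\S+)$")


def parse_ace(m):
    """Reduce 'any' / 'host A' / 'A MASK' endpoints to one token each; keep an 'eq' port if present."""
    tokens = m["rest"].split()

    def endpoint():
        kw = tokens.pop(0)
        if kw in ("any", "host"):
            return "any" if kw == "any" else tokens.pop(0)
        tokens.pop(0)  # drop the network mask
        return kw

    src, dst = endpoint(), endpoint()
    port = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return Ace(m["acl"], m["action"], m["proto"], src, dst, port)


def initiates_by_default(src_if, dst_if, levels=SECURITY_LEVELS):
    """Without an ACL a flow may only start from a higher-security interface towards a lower
    one; lower->higher (DMZ1 -> inside) needs an access-list on the ingress interface."""
    return levels[src_if.lower()] > levels[dst_if.lower()]


def can_ping_pix_interface(host_if, target_if):
    """Point 3 above: a host can only ping the PIX interface on its own segment, never a far one."""
    return host_if.lower() == target_if.lower()


def audit(config_text):
    """Return findings (strings) plus the outside exposures with their ACL coverage."""
    statics, aces, bindings, findings = [], [], {}, []
    for line in config_text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            g = m.groupdict()
            statics.append(Static(g["real_if"], g["mapped_if"], g["proto"], g["mapped"],
                                  int(g["mport"]) if g["mport"] else None, g["real"],
                                  int(g["rport"]) if g["rport"] else None))
        elif m := GROUP_RE.match(line):
            bindings[m["acl"]] = m["iface"].lower()
        elif m := ACL_RE.match(line):
            aces.append(parse_ace(m))
        elif line.startswith("access-list"):
            findings.append(f"unparsed access-list line, check the keyword (access-group?): {line}")
    # 1. an ACL that is never bound permits nothing, however correct its entries are
    for acl in sorted({a.acl for a in aces} - set(bindings)):
        findings.append(f"access-list {acl} is defined but never applied with access-group")
    # 2. every port-forward on the outside needs a permit, and every outside permit a static
    outside = [a for a in aces if bindings.get(a.acl) == "outside" and a.action == "permit"]
    exposures = []
    for s in statics:
        if s.mapped_if.lower() != "outside" or s.mport is None:
            continue
        covered = any(a.proto == s.proto and a.dst in ("any", s.mapped)
                      and a.port in (None, s.mport) for a in outside)
        exposures.append((s.mapped, s.mport, s.real, s.rport, covered))
        if not covered:
            findings.append(f"static {s.mapped}:{s.mport} -> {s.real}:{s.rport} has no outside permit")
    for a in outside:
        if a.dst != "any" and not any(s.mapped == a.dst and a.port in (None, s.mport) for s in statics):
            findings.append(f"outside permit to {a.dst} port {a.port} matches no static translation")
    # 3. permits wider than the stated requirement (the request was DMZ1 -> inside only)
    for a in aces:
        if a.action == "permit" and a.src == "any" and a.dst == "any":
            findings.append(f"{a.acl}: '{a.proto} any any' is broader than the stated requirement")
    return {"findings": findings, "exposures": exposures}


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)["findings"]:
        print("FINDING:", finding)
```

Run as a script it prints three findings for the sample: the unparsed binding line, dmz1_in defined but never applied, and the broad `icmp any any`; once the binding is corrected to `access-group` and the ICMP entry is narrowed to 192.168.30.0/24 to 10.1.1.0/24, the same audit returns nothing. To check a real box, paste the static, access-list and access-group lines from its running configuration into `SAMPLE_CONFIG`.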

Thank you very much Halijenn for your excellent assistance.  I apologize for being so convoluted and confusing.  I am confident I will continue to grow and gain a better understanding of firewalling in general.  Your help has been invaluable.  Once again, thank you.
