Need test configuration help with PIX515E

RandallMing
Level 1

Hello,

I need help configuring a newly reinstated PIX515E with IOS 6.3 to test the configuration of a load balancer.

I would like to setup with two Inside interfaces (or simply two interfaces) for testing. I just need it to pass traffic (basically HTTP and HTTPS) between these two interfaces without using NAT.

The older IOS is causing me some problems.

Another potential issue is that I am trying to connect to an IP on the 192.168.3.x network connected to the same switch using another IP in that network as the Interface IP (3.200). So the HTTP and HTTPS traffic needs to flow from the laptop (192.168.12.100) to the Inside-test interface (12.1) then to the Inside interface (3.200) then to the destination webserver at (3.45) which is connected to the same switch as the Inside (3.200) interface. The other issue I may have is that DNS is not working because I don't have an outside interface configured for Internet access, but trying to connect via IP address doesn't work either. I may be able to configure a second DNS server for the 192.168.12.X network for testing purposes if needed. I even tried to set the default route to the Interface of the production ASA's inside interface (3.1), but that did not work either.

The office Internet connection is only available directly on the port connected to the ASA (not the PIX) which may be adding some complexity. I am not currently using the outside interface at all.

Any suggested configurations would be helpful.

Here is what I have so far:

PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 inside-test security90
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_inside_to_insidetest permit tcp 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0 eq www
access-list acl_inside_to_insidetest permit tcp 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0 eq https
access-list acl_insidetest_to_inside permit tcp 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0 eq www
access-list acl_insidetest_to_inside permit tcp 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0 eq https
pager lines 24
mtu outside 1500
mtu inside 1500
mtu inside-test 1500
no ip address outside
ip address inside 192.168.3.200 255.255.255.0
ip address inside-test 192.168.12.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
access-group acl_inside_to_insidetest in interface inside
access-group acl_insidetest_to_inside in interface inside-test
route inside 0.0.0.0 0.0.0.0 192.168.3.1 1 (tried with and without this)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Let me know if you see any glaring issues for the scenario I described above or if you have any suggested changes to accomplish my goals.

Thank you for your help.

6 Replies

Jennifer Halim
Cisco Employee

You would need to configure static NAT to itself:

static (inside,inside-test) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

Hi Jennifer,

Thank you for the reply.

Would this accomplish the goal of NO NAT between the two interfaces? Would I need to add exemptions for traffic between the two networks or does that defeat the purpose of adding the command in the first place?

I need to make sure that there is no NAT between these two interfaces for the purposes of testing the load balancers.

Should I leave the default route in or take it out?

Thank you.

Jennifer,

I tried your suggested config and it doesn't seem to have allowed communications between the two networks or to the Internet. Is there something else that I can try?

I also need to make sure there is no NAT. I looked at the xlate command, but there is no detail option in this version. I looked at the sh xlate and sh xlate debug options too.

Please let me know how to verify the NAT is disabled on this version of IOS.

Sorry if I am not understanding this completely, but I just want to be sure about the NAT. An important and complicated project is based on the results of this testing.

Thank you.

The static NAT to itself is performing a no NAT between the 2 interfaces, it works bidirectionally.

You stated that it doesn't seem to allow communication between the 2 networks - pls check your ACL on the interfaces as it is only allowing very limited access, are you trying to access something that you've configured in your ACL? Please remove the ACL for the time being for testing purposes. The static NAT command should allow communication between the 2 internal interfaces, unless you've made other changes in your config.

To access the internet, you will need to NAT/PAT it to a public IP, whether it is on the PIX itself or on other devices.

You can run "capture" on the PIX interface and you will see that the IP is not being NATed, as the "capture" is the last step just before the packet is sent on the wire.

And btw, show xlate does show you the local and the global address. If both are the same addresses, that means no NAT is performed. Otherwise, if NAT is performed, it will show the real IP for the local address, and the NATed IP for the global address.

Gautam Bhagwandas
Cisco Employee

I doubt the ACL as well. If the webserver running http/https resides on the inside interface, then the following acl needs to be corrected:

access-list acl_inside_to_insidetest permit tcp 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0 eq www

access-list acl_inside_to_insidetest permit tcp 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0 eq https

To be corrected to:

access-list acl_inside_to_insidetest permit tcp 192.168.3.0 255.255.255.0 eq www 192.168.12.0 255.255.255.0

access-list acl_inside_to_insidetest permit tcp 192.168.3.0 255.255.255.0 eq https 192.168.12.0 255.255.255.0
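As an added illustration of the ACL point above (example code written for this edit, not from the thread, from Cisco, or from the device in question), the small matcher below evaluates the first packet of a TCP flow against the inbound ACL bound to its ingress interface, using the access-list and access-group lines posted in the question. It only understands the src mask [eq port] dst mask [eq port] shape seen on this page; the laptop and webserver addresses come from the question and the ephemeral port is constructed.

```python
import ipaddress
import re

# Constructed sample (added example, not the device's running config): the ACL
# and access-group lines posted above, verbatim, so the check runs offline.
PIX_CONFIG = """
access-list acl_inside_to_insidetest permit tcp 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0 eq www
access-list acl_inside_to_insidetest permit tcp 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0 eq https
access-list acl_insidetest_to_inside permit tcp 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0 eq www
access-list acl_insidetest_to_inside permit tcp 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0 eq https
access-group acl_inside_to_insidetest in interface inside
access-group acl_insidetest_to_inside in interface inside-test
"""
# The correction suggested above: the port operator moves from destination to source.
CORRECTED_CONFIG = re.sub(r"(192\.168\.3\.0 255\.255\.255\.0) (192\.168\.12\.0 255\.255\.255\.0) (eq \S+)",
                          r"\1 \3 \2", PIX_CONFIG)

PORT_NAMES = {"www": 80, "https": 443}
ACE_RE = re.compile(r"access-list (\S+) (permit|deny) tcp (\S+) (\S+)"
                    r"(?: eq (\S+))? (\S+) (\S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)$")

def _port(tok):
    if tok is None:
        return None                       # no operator: any port matches
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_config(text):
    acls, bindings = {}, {}
    for line in text.strip().splitlines():
        m = ACE_RE.match(line)
        if m:
            name, action, src, smask, sport, dst, dmask, dport = m.groups()
            acls.setdefault(name, []).append((
                action == "permit", ipaddress.ip_network(f"{src}/{smask}"),
                _port(sport), ipaddress.ip_network(f"{dst}/{dmask}"), _port(dport)))
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings[m.group(2)] = m.group(1)   # interface -> inbound ACL name
    return acls, bindings

def first_packet_permitted(cfg, ingress, src, sport, dst, dport):
    """Match a flow's first packet against the ingress ACL (later packets ride the connection entry)."""
    acls, bindings = cfg
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, snet, sp, dnet, dp in acls[bindings[ingress]]:   # KeyError if no ACL is bound
        if s in snet and d in dnet and sp in (None, sport) and dp in (None, dport):
            return permit                 # first matching ACE wins
    return False                          # implicit deny at the end of every ACL
```

With the posted ACLs, the laptop's HTTPS request arriving on inside-test is permitted, but a webserver-sourced packet arriving on inside with source port 80 is not; after the correction it is.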
