03-04-2004 07:24 AM - edited 02-20-2020 11:16 PM
Trying to install a 501 on a small business network that is hosted by another company. They currently have it set up with 172.17.xxx.xxx for their internal LAN and have it routed(?) to be 216.201.xxx.xxx on the outside.
I set the inside address to the LAN gateway and the outside interface to the public router IP? correct?
03-04-2004 07:37 AM
randy
the inside IP shall be the LAN PCs gateway and if u have a router after the outside interface , the interface ip of the router connecting to your outside interface will be your Next Hop address, for static routing.
Shukky
03-04-2004 08:31 AM
How do I add the DNS servers to the equation. it looks like it either cannot find them or cannot get them through the firewall ??
03-04-2004 09:28 AM
access-list acl_inside permit udp any any eq 53
where acl_inside is the access list on the LAN side of the pix.
03-04-2004 10:27 AM
Well, i am TOTALLY clueless now. Nothing is working right, so I must be doing something terribly wrong.
I DO NOT have access to the router configurations upstream of me, or of the router within our LAN, all I have is a sheet of paper with this info.....
Local Area Network IP 172.17.2.0 255.255.255.0
Ethernet/Gatway IP 172.17.2.1
Usable IP range 172.17.2.2-172.17.2.254
PUBLIC ip addresses
Network IP 216.201.xxx.32 255.255.255.248
Router Public IP 216.201.xxx.33
Usable IPs 216.201.xxx.34-38
Domain Name Servers
66.196.216.10
66.196.212.10
Here is my PIX setup...what have I done wrong ?
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname pixfirewall
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl permit udp any any eq domain
access-list acl permit tcp any any
access-list acl permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 216.201.xxx.33 255.255.255.248
ip address inside 172.17.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 216.201.xxx.34-216.201.xxx.38 netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl in interface inside
conduit permit tcp any any
conduit permit icmp any any
conduit permit ip any any
conduit permit icmp any any echo-reply
route outside 0.0.0.0 0.0.0.0 216.201.xxx.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 172.17.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 66.196.216.10
terminal width 80
03-04-2004 03:59 PM
I see 1 major problem. The PIX outside interface is 216.201.xxx.33 and you have a default route of "route outside 0.0.0.0 0.0.0.0 216.201.xxx.33 1". This will not work because it is the same interface of the PIX. The default route should point to the device connected on the other end of the outside interface of the PIX, for example the router.
route outside 0.0.0.0 0.0.0.0 216.201.xxx.32 1 should be the PIX's default route to its next hop.
You don't need the dhcpd dns 66.196.216.10
And these statements are basically opening up this firewall:
access-list acl permit udp any any eq domain
access-list acl permit tcp any any
access-list acl permit ip any any
access-group acl in interface inside
This is allowed as soon as you apply the basic commands.. NAT, GLOBAL etc...
conduit permit tcp any any
conduit permit ip any any
These are opening up the pix to the world.
The default configuration of the PIX firewall is NOTHING IN AND NOTHING OUT. You allow inside connections thru the PIX with the NAT, GLOBAL, IP Adderss, Interface Auto etc... But the permit statements you have is allowing all IP all TCP traffic from the outside to the inside networks.
let me know if this helps. I'll watch for your reply.
Curt
03-09-2004 08:57 AM
Should the PIX's outside interface be THE SAME AS the router ip which the PIX is connected to ????
03-09-2004 09:25 AM
03-09-2004 09:37 AM
Thank you, I am trying it now
03-09-2004 11:31 AM
We got it working! Thanks. We also had to have the ISP provider remove NAT from the router.
03-10-2004 12:12 AM
Hi Randy,
I am glad that it worked, can you please rate the post, as this will help others who may be experiencing the same problem.
Thanks - Jay.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide