09-11-2003 05:35 AM - edited 02-20-2020 10:59 PM
I'm attempting to set up a PIX to firewall for devices on a valid IP subnet. This is a 506e, with only two interfaces.
I'm having trouble finding a config example, and wondering if that's because this isn't a supported configuration.
Any pointers?
Thanks,
Daryl
09-11-2003 01:33 PM
Hi there,
What you want to achieve is possible and quite easy to configure. There is no restriction in terms of having no public address at your inside interface. Although you do not want to do any translation you still may need a static command.
The minimal config you need would not be nat 0, like some may think, and this works, but only if the PIX does not have to do proxy-ARP for IP addresses behind the PIX. If the PIX does need to proxy-ARP for these addresses you should configure it this way:
static (inside,outside) 111.111.111.208 111.111.111.208 netmask 255.255.255.240
If you use this command and remove the nat (inside) 0 command it will work fine also. The main difference is that with the static command in place the PIX does proxy-ARP for the IP addresses behind your PIX and when using nat 0 commands it doesn't.
In case you do not need proxy-ARP you could do it with nat 0, but then you need nat 0 on both interfaces at your PIX, so, you would need:
nat (inside) 0 & nat (outside) 0
Determine if you need proxy-ARP at your edge router:
Is there a route (with the correct next hop) at your edge router pointing to 111.111.111.208/28 or does your router think this is a connected network?
If your router thinks it is a directly connected subnet for some reason (this reason could be that this router is not an ip-classless router) then the router does want to send packets to the MAC address and does an ARP request. In that case the PIX does need to proxy-ARP.
Doing proxy-ARP is no problem at all for the PIX, because if you use my first way of configuring as described earlier, then the PIX does proxy-ARP for all addresses within the static command.
Don't know if this solves your problem, but this could very well be the case.
Otherwise, you could post your config here (remember to remove passwords first then) and we can take a look into it.
Another thing got to my mind just now. It could also be the case that your edge router has an ARP table which still contains mappings for the IP addresses which now reside behind your firewall. In that case you would have to do a clear ARP at your edge router.
Hope this helps.
Kind regards,
Leo
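Leo's first option written out for Daryl's topology (edge router 111.111.111.193/29, PIX E0 111.111.111.194/29, PIX E1 111.111.111.209/28), as an added example rather than a config taken from any post in this thread; the access-list name outside_in and the served host 111.111.111.210 are assumptions, and comment lines use the colon prefix of a saved PIX config.

```text
: Added example, not from any post in this thread. PIX 506E, PIX 6.x syntax.
: Edge router 111.111.111.193/29 -- E0 111.111.111.194/29 | PIX | E1 111.111.111.209/28
: Protected hosts live in 111.111.111.208/28 with valid (public) addresses.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 111.111.111.194 255.255.255.248
ip address inside 111.111.111.209 255.255.255.240
: Default route towards the edge router; the PIX only forwards, it does not
: run a routing protocol here.
route outside 0.0.0.0 0.0.0.0 111.111.111.193 1
: Leo's first option: an identity static for the whole inside /28. No address
: is rewritten, but the PIX now answers ARP on the outside interface for every
: address in the static, so the edge router reaches the hosts even if it
: believes the /28 is directly connected (or still has stale ARP entries).
static (inside,outside) 111.111.111.208 111.111.111.208 netmask 255.255.255.240
: A static does not by itself admit inbound traffic: the outside interface
: still drops anything not explicitly permitted. Open only what the protected
: hosts actually serve (assumption: one web server at 111.111.111.210).
access-list outside_in permit tcp any host 111.111.111.210 eq www
access-group outside_in in interface outside
: Inside half of Leo's nat 0 alternative, only when the edge router has a real
: route for the /28 and no proxy-ARP is needed; it replaces the static above:
:   nat (inside) 0 111.111.111.208 255.255.255.240
```

Leo's two checks on the edge router map to IOS commands: `show ip route 111.111.111.208` shows whether the /28 is reached via a next hop or believed connected, and `clear arp-cache` flushes stale ARP entries for hosts that moved behind the PIX.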
09-11-2003 06:09 AM
nat 0 = no nat. Read up on the nat command
09-11-2003 06:13 AM
I'm well aware that nat 0 = no nat.
Are you saying that you have a working configuration as I described, or are you just posting something obvious?
09-11-2003 06:13 AM
Hello Daryl -
Here are examples to get you going..
**FORGOT TO ADD THIS URL - YOUR ANSWER**
and a lot more examples can be found here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
Hope this helps - Jay
09-11-2003 06:21 AM
I probably wasn't as clear as I should have been in my first post. What I'm looking to do is have valid IP blocks on both interfaces.
Configuring no nat between the subnets, specifying allow ip any any from inside to outside, and pointing an "inside" machine at the inside address of the PIX as a default gateway doesn't pass any traffic. I know a PIX can't really route, so I'm confused as to how to make this work, or if it's even possible.
09-11-2003 07:14 AM
The PIX is a routing firewall. It doesn't offer the routing functionality of an IOS device, but it cannot act as a bridging firewall. Installing a PIX generally means segmentation of your network somewhere, as it routes.
09-11-2003 07:42 AM
OK, that's pretty much what I thought...I'm just being a bit too general in my statements.
What I have is:
Edge Router interface (111.111.111.193/29)----(111.111.111.194/29)PIX E0--PIX E1(111.111.111.209/28)
With the hosts to be protected on the E1 interface.
09-12-2003 09:54 AM
A combination of Layer 0 problems (stupid engineer - me) and not knowing if what I was trying was possible made me not continue on beating my head against the wall. Based on your message I was able to get things working as expected.
Thank you very much for the help,
Daryl
09-14-2003 07:34 AM
Good to hear it is all okay then.
Kind regards,
Leo