Pix 515 configuration help

glynncounty
Level 1

I am very confused about how to set up a Pix 515 that I just got to route traffic out a cable modem. First, let me give you a few details on my current network setup and what I am trying to accomplish with this Pix 515. Currently all my users go out through the proxy for any internet access; however, I have certain users that need to go out the cable modem instead of the proxy server. Below is an example of the current IP setup of user A:

User A:

IP   10.24.48.52    

mask 255.255.255.0

Gate  10.24.48.224   (proxy)

I want to setup User A like below:

IP    10.24.48.52

mask  255.0.0.0

gate   10.24.48.254  (pix internal address I would like to use)

My reason for 255.0.0.0 is that I would like the PIX not to allow anyone coming from the 10.24.48.0 network with a mask of 255.255.255.0 to access the cable modem. I need the average user to go through the Proxy Server for security reasons.

The cable modem that we currently have has DHCP, so I would need the external PIX address to accept a DHCP address. I also don't really understand what else I need to set up, so if I have, say, four users hitting the cable modem through the pix, how do I direct their web traffic to the correct computer (NAT?)

I will be plugging the PIX into a Cisco switch on which all ports are in VLAN 48, so hopefully a static internal address on the pix of 10.24.48.254 will keep me from having to do any routes, since all traffic will be originating from the 10.24.48.0 network.

I would greatly appreciate any help. I have been looking over the Cisco setups but none of them are what I need, not to mention my knowledge is limited on firewall appliances.

1 Reply

Jon Marshall
Hall of Fame

Glynn

Your addressing first. Your logic here is unfortunately wrong -


My reason for 255.0.0.0 is I would like the PIX not to allow anyone coming from the 10.24.48.0 network with a mask of 255.255.255.0 to access the cable modem. I need the average user to go through the Proxy Server for security reasons.


With a subnet mask of 255.0.0.0 the pix thinks its inside interface is on the 10.x.x.x network, so it will accept any 10.x.x.x address. When traffic is sent it does not include the subnet mask, so the pix, as with any device, uses its own subnet mask. A better bet may be to simply use an access-list on the inside interface of the pix to only allow the relevant addresses.

So with that in mind, here is the config using hosts 10.24.48.52/53/54 as the ones allowed through the pix:

interface ??  <-- your outside interface (the 515's ports are Ethernet, not gigabit)
 ip address dhcp setroute   <-- take the outside address from the cable modem's DHCP and install the default route it hands out

nat (inside) 1 10.24.48.0 255.255.255.0   <-- NAT id 1 ties this to the global line below
global (outside) 1 interface              <-- PAT everyone behind the DHCP-assigned outside address

object-group network allowed
 network-object host 10.24.48.52
 network-object host 10.24.48.53
 network-object host 10.24.48.54

access-list inside_out permit tcp object-group allowed any eq www

access-group inside_out in interface inside   <-- applied inbound on the inside interface so it filters traffic arriving from the LAN

Notes on the above -

1) The NAT config allows NAT for the whole subnet, but we are going to use an acl to limit who can actually go through the pix, so if you then need to add another 10.24.48.x address you only need to update the acl.

2) The config uses an object-group for the hosts. So if you need to allow another host or remove a host you simply edit the object-group and not the acl line.

3) You are right in that you don't need any routes if your pix inside interface is in the same subnet as the clients.


4) Important point. There is an implicit deny at the end of any acl, so the above acl only allows those hosts to access the internet using port 80, i.e. www. If you need https/ftp then you can either add the extra lines yourself or create a port object-group for all the ports you want to allow. If you add the lines yourself they are exactly as above except for the "eq www" at the end. For https it would obviously be "eq https", etc.

If the proxy actually uses the pix to go out to the internet then you must make sure you add the access for your proxy as well, i.e. that would mean adding the proxy address to the object-group and adding lines in the acl for all the ports the proxy uses, e.g. www/https etc.


Any queries/clarification then let me know.


Jon
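The following is an added, worked-through version of the configuration described in the reply above, not Jon's own config: it fills in both interfaces, uses a service object-group for the ports (the option mentioned in note 4) instead of one acl line per port, and includes the proxy in the allowed group for the case where the proxy also reaches the internet through the pix. It assumes PIX 7.x software, that the outside interface is Ethernet0 and the inside interface is Ethernet1, and that the proxy sits at 10.24.48.224 as in the question; those names and the choice of ports are assumptions, adjust them to the box you have.

```cisco
! Added example, not the original poster's or replier's config.
! Assumed: PIX 7.x, Ethernet0 = outside (cable modem), Ethernet1 = inside (VLAN 48).
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute          ! outside address and default route come from the cable modem's DHCP
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.24.48.254 255.255.255.0   ! the gateway the selected users point at; /24, not /8
!
! Hosts allowed to leave via the cable modem. The proxy (assumed 10.24.48.224) is listed only
! because this example assumes it also uses the pix for its own internet access; drop it otherwise.
object-group network allowed
 network-object host 10.24.48.52
 network-object host 10.24.48.53
 network-object host 10.24.48.54
 network-object host 10.24.48.224
!
! Ports those hosts may reach. Editing this group replaces adding one acl line per port.
object-group service web_ports tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
!
! One acl line covers every host/port combination in the two groups. Everything else
! from 10.24.48.0/24 hits the implicit deny at the end of the acl and is dropped.
access-list inside_out extended permit tcp object-group allowed any object-group web_ports
access-group inside_out in interface inside
!
! PAT the whole inside subnet behind the DHCP-assigned outside address (nat id 1 pairs the two lines).
nat (inside) 1 10.24.48.0 255.255.255.0
global (outside) 1 interface
```

The users you want on the cable modem keep their 255.255.255.0 mask and simply get 10.24.48.254 as their default gateway; everyone else stays pointed at the proxy, and even a user who changes their gateway by hand is stopped by the acl rather than by the mask. After changing the acl or the object-groups, `clear xlate` will drop any existing translations so the new policy applies to sessions that were already up.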
