
PIX-515 Setup

currancchs (Level 1)

I have an older PIX firewall, a PIX-515 running PDM Version 3.0(4) and PIX Version 6.3(5). I am trying to integrate it into a small business network (~15 users). The business has a Comcast business gateway with 1 static address that is used for a PBX/VoIP telephone server/system (through a consumer router, which handles DHCP, that feeds a 24-port Netgear switch into which the phone server and phones are plugged). I do not intend to use the firewall on that network, though.

The gateway is also currently plugged into an Extreme Networks 24-port switch into which a server and user PCs are plugged, with the server, which runs SBS 2011, handling DHCP/RWA/PPTP VPN duties. All computers on this "data" network, including the Comcast gateway, are assigned 192.168.254.xxx addresses.

 

I would like to put the PIX firewall between the Comcast gateway and the data switch to secure this network. Unfortunately, I have not had much success. Although I was able to get the firewall to handle outgoing traffic just fine (users could access web pages, email, etc.), I was unable to allow incoming connections from the internet to reach the server (the business needs PPTP VPN and RWA functionality to be available to remote users). I was eventually able to allow incoming connections from the outside interface to the inside interface by allowing any host/network on the outside to reach any host/network on the inside and allowing any type of connection, although this, I believe, makes the firewall pretty much useless. Even with any/any host/network allowed, specifying https/443 and/or PPTP/1723 as the allowed communication types on the source and/or destination ports prevents the connection.

I have the gateway set up to port forward incoming requests on ports 443 and 1723 to an address (192.168.252.2; the firewall outside IP is 192.168.252.253 and the gateway is 192.168.252.254) and then tried to translate that address to 192.168.254.2 on the inside interface. I also tried to place the firewall into the DMZ of the gateway (no bridged mode is available on this gateway), and either way does appear to work, but I believe that my access list rules prevent any connection when they should seemingly be allowing it, due to the omission of a source/destination port/protocol in favor of "any" allowing the connection to occur.

 

I do have access to PDM (using a virtual machine running XP/IE8/ancient Java), in case that is helpful. I also have telnet access working.

I have tried PAT and NAT with no real difference.

 

I have attached the results of a "write t" command for reference, but please keep in mind that I have placed the server between two internal networks for testing purposes (192.168.253.xxx is my test "outside" network).

Any recommendations would be greatly appreciated. Thanks for reading!
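
As an added illustration (this is not part of the original post or its attached config), here is a minimal PIX 6.3 configuration for the topology described above: gateway 192.168.252.254, PIX outside 192.168.252.253, the gateway forwarding to 192.168.252.2, and the SBS server at 192.168.254.2 behind the inside interface. The inside interface address 192.168.254.1 and the access-list name outside_in are assumptions, not values from the post. Two points this is meant to show: on PIX 6.x the access-list applied to the outside interface must name the translated (global) address 192.168.252.2, not the real inside address 192.168.254.2; and the source port must be left as any, because a client's source port is ephemeral, so a rule that matches source port 443 or 1723 will never match real traffic.

```cisco
! Added example for PIX 6.3, not the poster's running config.
! Interface names, security levels and the inside address 192.168.254.1
! are assumed; the other addresses are the ones given in the post.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.252.253 255.255.255.0
ip address inside 192.168.254.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.252.254 1

! Outbound: PAT all inside hosts to the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Inbound: one-to-one static so the address the gateway forwards to
! (192.168.252.2) maps to the SBS server (192.168.254.2).
! The PIX proxy-ARPs for 192.168.252.2 on the outside segment,
! so that address must not be in use by any other device there.
static (inside,outside) 192.168.252.2 192.168.254.2 netmask 255.255.255.255 0 0

! Inbound filter on the outside interface. Destination is the
! translated (global) address, source port is left as "any".
! PPTP needs TCP 1723 for control plus GRE (IP protocol 47) for data.
access-list outside_in permit tcp any host 192.168.252.2 eq 443
access-list outside_in permit tcp any host 192.168.252.2 eq 1723
access-list outside_in permit gre any host 192.168.252.2
access-group outside_in in interface outside

! Optional: PPTP inspection, useful when the client sits behind PAT.
fixup protocol pptp 1723
```

Two caveats for the upstream side. A TCP port-forward rule for 1723 on the Comcast gateway carries only the PPTP control channel; GRE has no port number, so a per-port forward cannot pass it, whereas the gateway's DMZ-host option (which the post says was also tried) passes all protocols to the DMZ address. After applying the config, "show xlate" should list the static entry for 192.168.252.2/192.168.254.2, and "show arp" on the gateway (or "show arp" on the PIX for the outside segment) should resolve 192.168.252.2 to the PIX outside MAC; if another device answers for that address the forwarded packets never reach the PIX.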

2 Replies

Florin Barhala (Level 6)
Hello,

It's been a while since I dealt with PIX config, but yours seems alright.
Can you share the output of
show xlate
show run full | sysopt or show run all | sysopt

If | is not supported, then go for show run full and search for the default proxy ARP configuration.
Additional things to check:
1. Make sure 192.168.253.2 is NOT taken by another device. Very important check step.
2. Make sure that the NPS server uses the PIX as its default gateway so DNAT traffic returns via the PIX and not another device.

Hello and thank you for your suggestions!

I have attached a document that provides the information that you requested, mostly in the form of screenshots with (relatively) concise explanations of relevance.

Regarding an NPS server, we do not have an NPS server on our network, to my knowledge, but our primary server, an SBS 2011 box on the inside interface, was set to use the firewall as its default gateway.

 

I also double-checked and confirmed that 192.168.253.2 is not in use on that network (nor is 192.168.252.2 in use on the non-test/actual network).

For now, I'd just be happy to get translation working between my two local subnets! I'm sure that I'm missing something fairly obvious, but I have been staring at this for too long now to recognize precisely what that something might be.

Thanks again for reaching out to me! Let me know if there is anything else I can provide that might facilitate the troubleshooting.
