10-15-2004 08:40 AM - edited 02-20-2020 11:41 PM
Dear All,
Hi. Actually I need some help with a PIX 515E. Please refer to the scenario and design, and suggest.
Please find the following details and the attached VLAN router configuration.
# I want to set it up like:
"My LAN on CISCO 2900 switch (IP range 172.16.29.X... 25 PCs) -- VLAN Router - CISCO PIX ----ISP Public IP"
# Right now it's:
"My LAN on CISCO 2900 - VLAN Router (Outside) - ISP"
Router & PIX details:
#Router inside IP - 172.16.29.1 (Inside IP as it is very critical and can't be changed)
#Router outside IP - Which IP should I use? (I tried with 1.1.1.1 255.255.255.0)
#PIX outside IP - Which IP should I use? (My ISP IP? - I tried with 208.144.230.197, which is right now my router's outside)
#PIX inside IP - Which IP should I use? (I tried with 1.1.1.2 255.255.255.0)
#My ISP connection is direct from the ISP GW to one Cat 5 Ethernet port on my VLAN router
#I would like to permit WWW, FTP, web-based mail like Yahoo Mail etc. and messenger services
VLAN Router Config:
Current configuration : 1028 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VLANRouter
!
boot-start-marker
boot-end-marker
!
enable password gcsroot
!
no aaa new-model
ip subnet-zero
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 172.16.29.1 172.16.29.240
ip dhcp excluded-address 172.16.29.250 172.16.29.254
!
ip dhcp pool dhcppool
network 172.16.29.0 255.255.255.0
dns-server 208.144.230.1 208.144.230.2
default-router 172.16.29.1
!
!
!
!
controller E1 0/0
!
controller E1 0/1
!
!
interface FastEthernet0/0
ip address 208.144.230.197 255.255.255.224
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.29.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list 7 interface FastEthernet0/0 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 208.144.230.200
!
!
access-list 7 permit 172.16.29.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
login
!
!
!
end
Any advice is appreciated.
Regards,
Hiren Mehta.
ORG Informatics Ltd.
Bamako, MALI
AFRICA
10-15-2004 11:07 PM
Hi Hiren,
See the answers below:
#Router inside IP - 172.16.29.1 (Inside IP as it is very critical and can't be changed)
When you put the PIX in between the router and your switch, you have to set the PIX inside IP to 172.16.29.1 and change the router's inside subnet to some other pool. Do the PAT on the PIX instead of the router.
#Router outside IP - Which IP should I use? (I tried with 1.1.1.1 255.255.255.0)
Router outside IP will be the one given by the ISP. The ISP would have given a public IP for the WAN link. This cannot be changed.
#PIX outside IP - Which IP should I use? (My ISP IP? - I tried with 208.144.230.197, which is right now my router's outside)
PIX outside IP should be a global one. The ISP would have given you a LAN subnet. Use that. In this case, the router's inside interface will have an IP from this same subnet.
#PIX inside IP - Which IP should I use? (I tried with 1.1.1.2 255.255.255.0)
PIX inside should be 172.16.29.1, which will be the default gateway for all PCs. If you change this subnet, then all the PCs should have an IP address on the same subnet as decided.
#My ISP connection is direct from the ISP GW to one Cat 5 Ethernet port on my VLAN router
I did not get this. Is it on the Internet router or on the switch?
#I would like to permit WWW, FTP, web-based mail like Yahoo Mail etc. and messenger services
If all these have to be permitted from inside to outside, you need not open anything. By default all traffic from inside to outside is permitted (unless you put an access-list and deny it).
10-16-2004 03:27 AM
Dear Sachin Raja,
Thanks for your prompt and appropriate reply. Actually, you have cleared my confusion exactly as I needed, but still I have decided my PIX config with respect to the customer requirement. I will test it tonight.
See you.
10-22-2004 07:19 AM
Hi dear Sachin,
Thanks for your reply. I have removed NAT from the router and set PAT on the PIX, but I am still facing some problems:
Actually I have set "access-list permit icmp any any echo-reply", time-exceeded and unreachable, so now I am able to ping from my PIX console to my ISP GW IP, but I am still not able to access the Internet or ping from my inside network PCs to the Internet GW.
Please find the details of my network and config below, and suggest what I am missing.
I need your help badly; now it's a question of my output. Please help me ASAP.
I can't remove my border router because it has been sold to my customers earlier for my SUN servers.
Please note my Yahoo Messenger ID is barodians_us@yahoo.com. If it does not disturb you, you can come on Yahoo to chat and suggest to me online.
N/W setup:
#My router inside ip (172.16.29.1/24)--Router outside (10.1.1.1/24)--PIX inside (10.1.1.2/24)--PIX outside (208.144.230.197 255.255.255.224-ISP supplied)
#My ISP Gateway address is 208.144.230.200
#My DNS servers are 208.144.230.1 and 208.144.230.2
#VLAN Config:
boot-start-marker
boot-end-marker
no aaa new-model
ip subnet-zero
!
no ip dhcp conflict logging
ip dhcp excluded-address 172.16.29.1 172.16.29.240
ip dhcp excluded-address 172.16.29.250 172.16.29.254
!
interface FastEthernet0/0
ip address 208.144.230.197 255.255.255.224
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
access-list 7 permit 172.16.29.0 0.0.0.255
!
#PIX 515E config:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname VLANPIX
domain-name VLAN
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol http 80
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list acl_outbound permit icmp any any
access-list acl_outbound permit tcp any any eq pop3
access-list acl_outbound permit tcp any any eq smtp
access-list acl_outbound permit tcp any any eq domain
access-list acl_outbound permit udp any any eq domain
access-list acl_outbound permit tcp any any eq www
access-list acl_outbound permit tcp any any eq telnet
access-list acl_outbound permit tcp any any eq h323
access-list acl_outbound permit tcp any any eq https
access-list acl_outbound permit tcp any any eq 1863
access-list acl_outbound permit tcp any any eq ftp-data
access-list acl_outbound permit tcp any any eq ftp
access-list acl_outbound deny ip any any
access-list acl_inbound permit icmp any any
access-list acl_inbound permit tcp any any eq 1863
access-list acl_inbound permit tcp any any eq ftp
access-list acl_inbound permit tcp any any eq ftp-data
access-list acl_inbound permit tcp any any eq h323
access-list acl_inbound permit tcp any any eq pop3
access-list acl_inbound permit tcp any any eq smtp
access-list acl_inbound permit tcp any any eq www
access-list acl_inbound permit tcp any any eq domain
access-list acl_inbound permit udp any any eq domain
access-list acl_inbound deny ip any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
ip address outside 208.144.230.197 255.255.255.224
ip address inside 10.1.1.2 255.255.255.0
global (outside) 1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 208.144.230.200 1
floodguard enable
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
Thanks.
Regards,
Hiren Mehta
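The PIX config in the post above has a default route out "outside" but no route for the 172.16.29.0/24 LAN that sits behind the router on the inside side, so a reply from the Internet to an inside PC is routed back toward "outside" and never reaches the router. The Python below is an added example, not code from the thread: it models the PIX's longest-prefix route lookup over the posted `ip address` and `route` lines and shows the effect of adding an inside route; the `route inside 172.16.29.0 255.255.255.0 10.1.1.1 1` line is an assumption of this example, not something posted by either participant.

```python
import ipaddress

# Constructed input: the 'ip address' and 'route' lines copied from the
# PIX config posted above (the other lines do not affect route selection).
POSTED_PIX_LINES = """
ip address outside 208.144.230.197 255.255.255.224
ip address inside 10.1.1.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 208.144.230.200 1
"""

# Assumed fix (not from the thread): tell the PIX that the 172.16.29.0/24 LAN
# is reachable through the router at 10.1.1.1 on the inside interface.
ASSUMED_ROUTE_INSIDE = "route inside 172.16.29.0 255.255.255.0 10.1.1.1 1\n"


def parse_routes(config):
    """Build the PIX routing table as (network, interface, next_hop) tuples:
    connected subnets come from 'ip address' lines, statics from 'route' lines."""
    routes = []
    for line in config.strip().splitlines():
        parts = line.split()
        if parts[:2] == ["ip", "address"]:
            _, _, ifname, addr, mask = parts
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            routes.append((net, ifname, None))
        elif parts[0] == "route":
            _, ifname, dest, mask, gateway = parts[:5]
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, ifname, gateway))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the interface the PIX would send a packet for dst out of."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst_ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def reply_reaches_lan(routes, lan_host, lan_interface="inside"):
    """A reply arriving on 'outside' for lan_host must be routed out the interface
    the LAN is behind; the PIX does not send traffic back out the interface it came in."""
    return egress_interface(routes, lan_host) == lan_interface


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_PIX_LINES), ("with route inside", POSTED_PIX_LINES + ASSUMED_ROUTE_INSIDE)):
        table = parse_routes(cfg)
        print(label, "-> reply to 172.16.29.10 leaves via", egress_interface(table, "172.16.29.10"),
              "| reaches LAN:", reply_reaches_lan(table, "172.16.29.10"))
```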