Newb, Help me to configure my pix to route this...

jquintard
Level 1

Hi,

I have a PIX connected to a switch (Inside interface) and to a router (Outside interface).

On the switch, I have some servers. Each server has an Ethernet interface with a public IP address (on the network 80.64.226.1/24; the first address is my router). The servers have just one public port (tcp/80) and can be used to navigate on the internet with a browser.

Could you give me a simple configuration for my PIX with this information?

Thanks a lot!

Jerome

9 Replies

pkhatri
Level 11

Try this:

access-list 110 permit tcp any 80.64.226.0 255.255.255.0 eq www

!

static (inside,outside) 80.64.226.0 80.64.226.0 netmask 255.255.255.0 0 0

!

access-group 110 in interface outside

Hope that helps - pls rate the post if it does.

Paresh

Hi Paresh, thanks for your response.

So the configuration below is possible?

access-list 110 permit tcp any host 80.64.226.10 eq www

static (inside,outside) 80.64.226.10 80.64.226.10 netmask 255.255.255.255 0 0

access-group 110 in interface outside

It's good news for me! All the PIX docs/tutorials give this default configuration:

static (inside,outside) 80.64.226.10 192.168.1.10 dns netmask 255.255.255.255 0 0

So, for 3 months I have set a private IP on all my servers and assigned a public IP with a static route on the PIX. This is not a good solution because, in my case, my DNS server is behind the inside interface.

I have two other little questions:

- In this example, the static route transfers packets from 80.64.226.10 on the outside interface to 80.64.226.10 on the inside interface. So, is there a way to create this static route automatically for all my servers (note I have more than 100 servers), or must I add a static route for each new server?

- The outside interface of my router has a public IP. My servers have public IPs. What must I set on the inside interface? A private IP like 192.168.1.1??? But does this IP have any utility?? No?

Thanks for your help!

Jérôme

You should be able to use:

static (inside,outside) 80.64.226.0 192.168.1.0 dns netmask 255.255.255.0 0 0

(not totally sure about this - try it out)

The inside interface of your PIX should have an IP in the same range as your servers, i.e. 80.64.226.x. It's used only for traffic generated by the PIX and not much else... but it's gotta be on the same subnet.

Pls remember to rate posts that help.

Paresh

> static (inside,outside) 80.64.226.0 192.168.1.0 dns netmask 255.255.255.0 0 0

This is your response to which question? :):)

> The inside interface of your PIX should have an IP in the same range as your servers i.e 80.64.226.x.

But in my case, I have 3 ranges (80.64.226.1/24, 81.62.104.224/24 and 213.251.124.224/24); what must I set?

Thanks!

Jérôme

That was a response to this question:

- In this example, the static route transfers packets from 80.64.226.10 on the outside interface to 80.64.226.10 on the inside interface. So, is there a way to create this static route automatically for all my servers (note I have more than 100 servers), or must I add a static route for each new server?

Instead of specifying all server addresses manually, you can just use a single static statement, as such:

static (inside,outside) 80.64.226.0 80.64.226.0 netmask 255.255.255.0 0 0

Now, you are saying that you have multiple public ranges. Are all of these connected to a LAN switch with different VLANs for each, or are they all sitting on the same broadcast segment?

Paresh

> static (inside,outside) 80.64.226.0 80.64.226.0 netmask 255.255.255.0 0 0

OK! Is it possible to block all traffic to this network and add permit rules for specific addresses/ports?

> Now, you are saying that you have multiple public ranges. Are all of

On the same broadcast segment.

Jérôme

Answer to question 1:

When doing this, the access-list will be used to limit your traffic to specific ports. The static mapping will apply a blanket mapping for all ports. I find this simpler so that you don't have to keep adding to your static mappings if you need to change ports in the future. You can use static mappings with ports if you want to do port translation, though.. for example, translate incoming port 80 to port 8080.

As to your issue of having multiple broadcast segments: there is another thread in the Firewalling forum where this was discussed. Someone claimed to have configured that by using an address from one of the ranges as the PIX inside address. Then, they got all the servers to point to this address as the default gateway, regardless of which network they belonged to. I'm still a bit skeptical about this approach though...

A better option is to use a L3 switch so that you can create a VLAN per public network and then use inter-VLAN routing to get them to communicate with each other and the PIX. What sort of switch are you using?

Paresh
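The two halves Paresh describes above, a blanket identity static for the whole /24 plus an outside ACL that permits only HTTP, combined into one complete PIX 6.x configuration. This is an added example, not Paresh's or Jerome's actual configuration and not taken from any Cisco document. It assumes PIX 6.3 syntax, that ethernet0 is the outside and ethernet1 the inside interface, that the router/PIX link sits on its own transit subnet (the thread does not say how that link is addressed; 192.0.2.0/30 is a constructed documentation-range placeholder, with the router routing 80.64.226.0/24 towards the PIX), and that the PIX inside address is 80.64.226.2 (constructed; it is the servers' default gateway).

```text
! Added example (PIX 6.3 syntax), not from the thread.
! Assumed: ethernet0 = outside, ethernet1 = inside,
! transit link 192.0.2.0/30 (constructed), PIX inside 80.64.226.2 (constructed).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.252
ip address inside 80.64.226.2 255.255.255.0
! Default route towards the router on the transit link (constructed address).
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Identity static for the whole /24: the servers keep their public addresses,
! nothing is translated, and no per-server line is needed when a server is added.
! The same static also supplies the outbound xlate, so the servers can browse.
static (inside,outside) 80.64.226.0 80.64.226.0 netmask 255.255.255.0 0 0
!
! Inbound policy on the outside interface. The ACL is evaluated before the
! static is consulted, so only tcp/80 ever reaches a server; everything else
! hits the explicit deny (which also logs, so refused attempts are visible)
! rather than relying only on the implicit deny at the end of the list.
access-list 110 permit tcp any 80.64.226.0 255.255.255.0 eq www
access-list 110 deny ip any any log
access-group 110 in interface outside
!
! Port-translation variant Paresh mentions (incoming 80 -> 8080 on one host).
! Shown commented out: the network static above already covers .10, so use
! one or the other for that host, never both.
! static (inside,outside) tcp 80.64.226.10 www 80.64.226.10 8080 netmask 255.255.255.255 0 0
```

The ACL references the addresses as seen from the outside (the global side of the static), which with identity NAT are the same as the servers' real addresses. When a new port must be exposed for a single server, add one `permit` line above the `deny` for that host and port; the static never needs to change.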

> The static mapping will apply a blanket mapping for all ports.

Yes, but it's dangerous...

> What sort of switch are you using?

An L3... 5 Catalyst 2950EI uplinked. But can you explain how to do it? I have never used inter-VLAN routing.

But, in my case, is this the best solution for you?

Jérôme

>> Yes, but it's dangerous... I don't want to leave SSH public...

Not really... the ACL will drop that even before you get to the static mapping point. Remember that the only thing that the 'static' statement is doing is providing NAT mappings for inbound traffic. So it should be safe to do so.

Unfortunately, the 2950EI switch does not support IP routing, so that is not an option for you. Yet another alternative is to still create VLANs on the switch for each public network and then create VLAN interfaces on the PIX... you will then have three inside-facing interfaces on the PIX, and on each of them you can assign an address from the appropriate public network. However, the availability of this feature depends on the type of PIX and the licence you have; can you post the output of 'sh ver' from your PIX?

One more alternative is to place another router between the PIX and the switch to do inter-vlan routing...

Hope that helps - pls do rate the post if it does.

Paresh
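What the "VLANs on the switch, VLAN interfaces on the PIX" alternative from Paresh's last reply looks like when written out. This is an added example, not Paresh's or Jerome's configuration and not from any Cisco document. It assumes a PIX running 6.3 whose platform and licence allow logical VLAN interfaces (exactly what the 'sh ver' request is meant to confirm), that ethernet1 is the trunk port towards the 2950, that the outside interface and the outside ACL are already configured as in the earlier replies, and that VLAN numbers 10/20/30, the trunk port Fa0/24 and the PIX addresses (.2 in each range) are constructed. The thread writes the second and third ranges as x.x.x.224/24; the example treats them as the /24 networks 81.62.104.0 and 213.251.124.0, which is an assumption to adjust if they are really smaller blocks.

```text
! Added example (PIX 6.3 logical VLAN interfaces), not from the thread.
! Requires VLAN support on the PIX model/licence; verify with 'sh ver' first.
! Assumed: ethernet1 trunks to the 2950; VLAN 10/20/30 and all .2 addresses are constructed.
interface ethernet1 100full
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
interface ethernet1 vlan30 logical
! Each server network gets its own inside-facing interface. PIX 6.x needs
! distinct security levels, so the three are stepped 100/90/80.
nameif ethernet1 inside security100
nameif vlan20 servers2 security90
nameif vlan30 servers3 security80
ip address inside 80.64.226.2 255.255.255.0
ip address servers2 81.62.104.2 255.255.255.0
ip address servers3 213.251.124.2 255.255.255.0
!
! One identity static per network towards the outside, as in the single-network case.
static (inside,outside) 80.64.226.0 80.64.226.0 netmask 255.255.255.0 0 0
static (servers2,outside) 81.62.104.0 81.62.104.0 netmask 255.255.255.0 0 0
static (servers3,outside) 213.251.124.0 213.251.124.0 netmask 255.255.255.0 0 0
!
! A single inbound ACL on outside still decides what reaches any of the three.
access-list 110 permit tcp any 80.64.226.0 255.255.255.0 eq www
access-list 110 permit tcp any 81.62.104.0 255.255.255.0 eq www
access-list 110 permit tcp any 213.251.124.0 255.255.255.0 eq www
access-list 110 deny ip any any log
access-group 110 in interface outside
!
! Catalyst 2950 side of the trunk (constructed port number). The native VLAN
! must match the one marked 'physical' on the PIX.
! interface FastEthernet0/24
!  switchport mode trunk
!  switchport trunk native vlan 10
!  switchport trunk allowed vlan 10,20,30
```

Each server then uses the PIX address in its own range as default gateway, and traffic between the three server networks crosses the PIX, where it is subject to the security levels and would need its own statics and ACLs if the networks must talk to each other.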
