Cisco PIX Config Help

Eric Elliston
04-29-2004
Hello,

I am going to install a pix 515E w/2 ethernet ports.

Currently, each server has 2 ethernet ports. One has a public IP and the
other has a private.

When I install the pix, I want the traffic to just pass through the device
and only allow certain ports through. I have set up several pix firewalls
in the past, but I have always used NAT translations to an inside private IP
address. I am trying to avoid removing all the public IP addresses from the
server.

Is there a way to configure a pix to filter traffic without having to use
NAT/PAT? I want it to filter on that public IP address range. My guess is,
it will still be the same.....but this is a HUGE cutover tonight and it's in
a datacenter whose network I am not familiar with.

IF you could please email me the response to (E-Mail Removed),
that would be great. I will be on the road and I can get my email on my
blackberry.

Thanks!

Eric Elliston


Walter Roberson
04-29-2004
In article <Pq9kc.530982$(E-Mail Removed) >,
Eric Elliston <(E-Mail Removed)> wrote:
:When I install the pix, I want the traffic to just pass through the device
:and only allow certain ports through. I have set up several pix firewalls
:in the past, but I have always used NAT translations to an inside private IP
:address. I am trying to avoid removing all the public IP addresses from the
:server.

:Is there a way to configure a pix to filter traffic without having to use
:NAT/PAT? I want it to filter on that public IP address range.

People sometimes ask for the PIX to be a "filtering bridge", but the
PIX cannot do that. In particular, the IP subnet of each interface must
be distinct. Thus, you might not be able to do what you would like.

Fortunately, there are a couple of work-arounds. You can 'static'
addresses to themselves, and you do not need nat/global pairs for any
address that you static that way. You can use 'nat (inside) 0' followed
by a subnet, and no 'global' statement, if what you need is for the
addresses to go *out* unchanged, but you do not need the outside to
be able to start new connections to those addresses. You can use
'nat (inside) 0 access-list ACLNAME', and no 'global' statement,
and any traffic that matches that ACL will go out with the address
unchanged; there will also be a side effect that any -incoming- traffic
that matches the given ACL (with the source and destinations switched
around) will be permitted to start new connections to the inside even
if you have no 'static' for the destination addresses, as long as
that incoming traffic is permitted by the ACL associated with the outside
interface. Note, though, that proxy-arp is NOT enabled for
the nat 0 access-list construct.


With all these variations, you are still constrained by basic routing:
the interfaces must have different IP ranges, and any public addresses
must be routed by your router to the PIX outside IP (except when you
can use proxy-arp.) In practice, this means that if you have a public
IP range and you want to "insert the PIX in the middle", then you
have to do one of:

(a) use a private IP range to communicate between the router and the
PIX. If you do this, then ensure that on the router, you set up
NAT so that if the PIX sends out packets (such as icmp echo or
icmp ttl-exceeded) that the PIX private address gets translated into a public
address before ending up on the public network; or

(b) subnet the public IP range, using one of the subnets on the outside
interface and a different subnet of the public range for the inside
interface; or

(c) arrange with your ISP to have all your public IP space sent to you
over a small (/29 is common) "carrier" address space that is distinct
from your public IP space, so that your router can route the entire
public address space to the PIX (the outside address of which would
be one of the IPs in the /29). This does, though, require that the
router itself be able to do some amount of bridging, so that the
port the PIX is connected to can be in the same IP range as the carrier
range.


At our site, we went with a combination of (b) and (c): our address
space is sent to us via a "carrier" network, and we broke one of our
/24's into a number of fragments, one of which is shared between the
router and the PIX. [Note that if you break your address space into
multiple fragments that are all routed to the PIX, then you will
probably need 'route' statements on the PIX to send the remaining
fragments to LAN router on your inside interface.]


If you don't control the router (and so can't change the routings
and subnet masks nor use a private IP range), and if you can't get
a "carrier" network, then Yes, you'd -really- like the PIX to
"just filter", but there is no way to configure that, so you -would-,
under those circumstances, be forced into using private IPs and NAT.
--
Rome was built one paycheck at a time. -- Walter Roberson
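A constructed PIX 6.x configuration fragment, added here as an illustration and not taken from the thread, showing option (b) above together with both NAT-free variants (the identity `static` and the `nat (inside) 0 access-list` form). The addresses come from the 203.0.113.0/24 documentation range, the upstream router is assumed to sit at 203.0.113.129 and to route 203.0.113.0/25 to the PIX outside address, and the servers are assumed to use 203.0.113.1 as their default gateway.

```cisco
: Constructed example. The public /24 is split: 203.0.113.128/29 is the
: router-to-PIX link, 203.0.113.0/25 stays inside with the servers keeping
: their public IPs. The router must route 203.0.113.0/25 to 203.0.113.130.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.130 255.255.255.248
ip address inside 203.0.113.1 255.255.255.128
route outside 0.0.0.0 0.0.0.0 203.0.113.129 1

: Variant 1: identity static (address mapped to itself). No nat/global
: pair is needed, and the outside may open connections to this host,
: subject to the ACL bound to the outside interface.
static (inside,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255 0 0

: Variant 2: nat 0 access-list for a different block of hosts (do not
: overlap it with the static above). Matching traffic leaves unchanged;
: incoming traffic matching the reversed ACL may start connections inward
: without a static, but the PIX will not proxy-arp for these addresses.
access-list NONAT permit ip 203.0.113.64 255.255.255.192 any
nat (inside) 0 access-list NONAT

: Only the wanted ports are admitted from outside; everything else is
: dropped by the implicit deny at the end of the list.
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq https
access-list OUTSIDE_IN permit tcp any host 203.0.113.70 eq smtp
access-group OUTSIDE_IN in interface outside
```

Both variants still depend on the routing constraint from the post: the inside and outside interfaces carry distinct subnets, and the router must send the inside block to the PIX outside address.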

Matt
04-29-2004
Eric,
Set up NAT like you normally would.
Then use the static command to map an outside address to the machine's
inside address.
Once you've done that the machine will be 'naked' on the internet with
its inside (10.x.x.x or 192.168.x.x) address.
Then just set up access-lists for the outside IP and you'll be all set!

~ M

Eric Elliston wrote:

> Hello,
>
> I am going to install a pix 515E w/2 ethernet ports.
>
> Currently, each server has 2 ethernet ports. One has a public IP and the
> other has a private.
>
> When I install the pix, I want the traffic to just pass through the device
> and only allow certain ports through. I have set up several pix firewalls
> in the past, but I have always used NAT translations to an inside private IP
> address. I am trying to avoid removing all the public IP addresses from the
> server.
>
> Is there a way to configure a pix to filter traffic without having to use
> NAT/PAT? I want it to filter on that public IP address range. My guess is,
> it will still be the same.....but this is a HUGE cutover tonight and it's in
> a datacenter whose network I am not familiar with.
>
> IF you could please email me the response to (E-Mail Removed),
> that would be great. I will be on the road and I can get my email on my
> blackberry.
>
> Thanks!
>
> Eric Elliston
>
>

Walter Roberson
04-29-2004
In article <(E-Mail Removed)>,
Matt <(E-Mail Removed)> wrote:
:Set up NAT like you normally would.
:Then use the static command to map an outside address to the machine's
:inside address.
:Once you've done that the machine will be 'naked' on the internet with
:its inside (10.x.x.x or 192.168.x.x) address.
:Then just set up access-lists for the outside IP and you'll be all set!

Eric (the original poster) explicitly indicated he wanted to use public
IPs inside, and not have to renumber to private (e.g., 10.x.x.x or
192.168.x.x) address ranges.

Your solution thus does not address his needs. He would like to use the
same IP address space on both sides of the PIX. See my posting for
a more detailed analysis of the possibilities.
--
millihamlet: the average coherency of prose created by a single monkey
typing randomly on a keyboard. Usenet postings may be rated in mHl.
-- Walter Roberson