Velocity Reviews - Computer Hardware Reviews

I have a new ISP and need to change the PIX--Help!

Dylan
09-02-2004
I need to change the rules on the PIX 515 for our new ISP.

We use NAT for outside services to get to our internal web servers. The firewall forwards services from different public IPs to the internal ones. The part I'm confused about is how the firewall listens on multiple IPs. I checked our current rules and the global is the following.

global (outside) 1 interface

No range, so how does it know to listen on these other IPs?

What is the best practice for an ISP migration?
Change IP address of adapter.
Edit rule set with new IPs.
Done?


Below is a copy of our current config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password (censored) encrypted
passwd (censored) encrypted
hostname 515
domain-name x.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging buffered notifications
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.74 255.255.255.248
ip address inside 10.1.1.254 255.255.255.0
ip address dmz 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.1.1.130 www netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1200 10.1.1.130 1200 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1201 10.1.1.130 1201 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1202 10.1.1.130 1202 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1203 10.1.1.130 1203 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1204 10.1.1.130 1204 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1205 10.1.1.130 1205 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1206 10.1.1.130 1206 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.76 smtp 10.1.1.4 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.76 www 10.1.1.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.76 pop3 10.1.1.5 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.76 3389 10.1.1.5 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.76 33333 10.1.1.4 33333 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.76 https 10.1.1.5 https netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.77 10.1.1.7 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.x.75 10.0.0.1 netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
conduit permit icmp any any echo-reply
conduit permit esp host x.x.x.75 any
conduit permit udp host x.x.x.75 eq isakmp any
conduit permit udp host x.x.x.75 eq 10000 any
conduit permit udp host x.x.x.75 eq 4500 any
conduit permit tcp host x.x.x.76 eq smtp any
conduit permit tcp host x.x.x.76 eq www any
conduit permit tcp host x.x.x.76 eq pop3 any
conduit permit tcp host x.x.x.77 eq www any
conduit permit icmp any any
conduit permit udp host 10.1.1.7 eq 1433 any
conduit permit tcp host 10.1.1.7 eq 1433 any
conduit permit udp host x.x.x.77 eq 1433 any
conduit permit tcp host x.x.x.77 eq 20000 any
conduit permit tcp host x.x.x.77 eq 20002 any
conduit permit tcp host x.x.x.77 eq 20004 any
conduit permit tcp host x.x.x.77 eq 20006 any
conduit permit tcp host x.x.x.77 eq 20008 any
conduit permit tcp host x.x.x.77 eq 20010 any
conduit permit tcp host x.x.x.77 eq 20012 any
conduit permit tcp host x.x.x.77 eq 20014 any
conduit permit tcp host x.x.x.77 eq 20016 any
conduit permit tcp host x.x.x.77 eq 20018 any
conduit permit tcp host x.x.x.77 eq 20020 any
conduit permit tcp host x.x.x.77 eq 20022 any
conduit permit tcp host x.x.x.77 eq 20024 any
conduit permit tcp host x.x.x.77 eq 20026 any
conduit permit tcp host x.x.x.77 eq 20028 any
conduit permit tcp host x.x.x.77 eq 20030 any
conduit permit tcp host x.x.x.77 gt 1023 any
conduit permit udp host x.x.x.77 gt 1023 any
conduit permit udp interface outside eq 1200 any
conduit permit udp interface outside eq 1201 any
conduit permit udp interface outside eq 1202 any
conduit permit udp interface outside eq 1203 any
conduit permit udp interface outside eq 1204 any
conduit permit udp interface outside eq 1205 any
conduit permit udp interface outside eq 1206 any
conduit permit tcp host x.x.x.76 eq 3389 any
conduit permit tcp host x.x.x.76 eq 33333 any
conduit permit tcp host x.x.x.76 eq https any
route outside 0.0.0.0 0.0.0.0 x.x.x.73 1
route inside 192.168.130.0 255.255.255.0 10.1.1.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
console timeout 0
terminal width 80

: end

Chris
09-02-2004

"Dylan" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> I need to change the rules on the PIX 515 for our new ISP.
>
> We use NAT for outside services to get to our internal web servers.
> The firewall forwards services from different public IPs to the internal
> ones. The part I'm confused about is how the firewall listens on
> multiple IPs. I checked our current rules and the global is the
> following.
>
> global (outside) 1 interface
>
> No range, so how does it know to listen on these other IPs?
>
> What is the best practice for an ISP migration?
> Change IP address of adapter.
> Edit rule set with new IPs.
> Done?


It's done using:

static (inside,outside) tcp x.x.x.76 smtp 10.1.1.4 smtp netmask 255.255.255.255 0 0

And then allowing this traffic in using conduits or ACLs, etc.


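As an added example (not from the thread or from Cisco), a small Python helper that applies Chris's point to Dylan's config: it lists the outside addresses the PIX answers for (the interface address plus each explicit global address named in a static, which is why `global (outside) 1 interface` needs no range), rewrites the public addresses for a hypothetical new ISP block, and flags conduit lines worth rechecking before cut-over. The config excerpt is constructed from the posted config and the 203.0.113.x addresses are assumed placeholders.

```python
import ipaddress
# Constructed excerpt of the PIX 6.3 config posted above (x.x.x.N = old ISP addresses).
OLD_CONFIG = """\
ip address outside x.x.x.74 255.255.255.248
global (outside) 1 interface
static (inside,outside) tcp interface www 10.1.1.130 www netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.77 10.1.1.7 netmask 255.255.255.255 0 0
conduit permit tcp host x.x.x.76 eq smtp any
conduit permit udp host 10.1.1.7 eq 1433 any
conduit permit tcp host x.x.x.77 gt 1023 any
route outside 0.0.0.0 0.0.0.0 x.x.x.73 1""".splitlines()
# Hypothetical new ISP block (203.0.113.0/29 is documentation space): old -> new.
NEW_ISP = {"x.x.x.73": "203.0.113.73", "x.x.x.74": "203.0.113.74",
           "x.x.x.76": "203.0.113.76", "x.x.x.77": "203.0.113.77"}

def rewrite_public_addrs(lines, mapping):
    """Swap public addresses whole-token only, so x.x.x.7 can never clobber x.x.x.76."""
    return [" ".join(mapping.get(t, t) for t in line.split()) for line in lines]

def outside_addrs(lines):
    """Addresses the PIX answers (proxy-ARPs) for on the outside wire: the interface
    address plus each explicit global address in a static. 'global' needs no range."""
    iface = next(l.split()[3] for l in lines if l.startswith("ip address outside"))
    addrs = {iface}
    for line in lines:
        tok = line.split()
        if tok[:1] == ["static"] and tok[1].endswith(",outside)"):
            # port form: static (i,o) tcp GLOBAL gport ...; plain form: static (i,o) GLOBAL ...
            glob = tok[3] if tok[2] in ("tcp", "udp") else tok[2]
            addrs.add(iface if glob == "interface" else glob)
    return addrs

def _is_private(addr):
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:  # the poster's x.x.x.N placeholders are not parseable
        return False

def review_findings(lines):
    """Conduit lines to re-check before cut-over, as (line, reason) pairs."""
    out = []
    for line in lines:
        tok = line.split()
        if tok[:2] != ["conduit", "permit"]:
            continue
        if "host" in tok and _is_private(tok[tok.index("host") + 1]):
            out.append((line, "names the inside address; a conduit matches the global address"))
        if "gt" in tok:
            out.append((line, "opens an unbounded high-port range to any source"))
    return out
```

Run `review_findings` on the full posted config as well: the conduits that name 10.1.1.7 directly never match inbound traffic, because a conduit is written against the translated (global) address from the static, not the inside one.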