allow one private IP to pass to outside interface on PIX

Brian Bergin, 01-12-2005
Our ISP uses Westel DSL modems and in order to update the firmware I have to go
to 192.168.1.254 and do it from there. I'm guessing the PIX by default doesn't
allow private IPs to pass outside so the only way I can access it is to take a
laptop to it and plug directly into the router which kicks everyone else out.
So what I want to be able to do is pass traffic for that one IP address out to
the outside interface, which directly connects to the DSL modem. Is that
possible?

Thanks...
Brian Bergin

I can be reached via e-mail at
cisco_dot_news_at_comcept_dot_net.

Please post replies to the group so all may benefit.

NOTICE: Use of this information is contingent upon acceptance of Paragraph 17 of Terabyte's Terms and conditions located at http://terabyte.net/terms.htm#postings.
Rod Dorman, 01-12-2005
Brian Bergin wrote:
>Our ISP uses Westel DSL modems and in order to update the firmware I
>have to go to 192.168.1.254 and do it from there. I'm guessing the
>PIX by default doesn't allow private IPs to pass outside so the only
>way I can access it is to take a laptop to it and plug directly into
>the router which kicks everyone else out.


How often do you do this that it would be considered a problem?
Besides, doesn't updating the firmware knock them off anyway?

--
-- Rod --
rodd(at)polylogics(dot)com
Brian Bergin, 01-12-2005
Rod Dorman wrote:

|
|How often do you do this that it would be considered a problem?
|Besides, doesn't updating the firmware knock them off anyway?

For a few secs while I upgrade it, but where the modem is there are no PCs at the
other end of the building. It's a convenience thing. If it's not possible
that's one thing; if it is, I just want the ability.

Thanks...
Brian Bergin

Walter Roberson, 01-12-2005
Brian Bergin wrote:
:Our ISP uses Westel DSL modems and in order to update the firmware I have to go
:to 192.168.1.254 and do it from there. I'm guessing the PIX by default doesn't
:allow private IPs to pass outside

No, the PIX doesn't care about such matters. As far as it is concerned,
the RFC 1918 IP ranges are just plain IP ranges, to be handled
according to your policy nat and access-lists.

:So what I want to be able to do is pass traffic for that one IP address out to
:the outside interface, which directly connects to the DSL modem. Is that
:possible?

Sure. As long as 192.168.1.* is not your inside IP range,
the PIX will allow you to go out to 192.168.1.* by default;
you would have to specifically block it to prevent it.
--
This signature intentionally left... Oh, darn!
Brian Bergin, 01-13-2005
Walter Roberson wrote:

|Brian Bergin wrote:
|:Our ISP uses Westel DSL modems and in order to update the firmware I have to go
|:to 192.168.1.254 and do it from there. I'm guessing the PIX by default doesn't
|:allow private IPs to pass outside
|
|No, the PIX doesn't care about such matters. As far as it is concerned,
|the RFC 1918 IP ranges are just plain IP ranges, to be handled
|according to your policy nat and access-lists.
|
|:So what I want to be able to do is pass traffic for that one IP address out to
|:the outside interface, which directly connects to the DSL modem. Is that
|:possible?
|
|Sure. As long as 192.168.1.* is not your inside IP range,
|the PIX will allow you to go out to 192.168.1.* by default;
|you would have to specifically block it to prevent it.

I don't, then, understand why this doesn't work. My inside range is
192.168.2.0/24 and I still can't get to it unless I plug into the modem on the
outside of the PIX. Here's my config if that helps:


PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
hostname pix501
domain-name local.name
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 8181
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list outside_acl permit tcp any any eq 8181
access-list outside_acl permit tcp any any eq 3389
access-list outside_acl permit icmp any any echo-reply
access-list outside_acl permit icmp any any unreachable
access-list outside_acl permit icmp any any time-exceeded
access-list outside_acl permit tcp any any eq pptp
access-list outside_acl permit gre any any
pager lines 24
logging on
logging trap notifications
logging facility 23
logging host inside 192.168.2.9
icmp deny any outside
mtu outside 1492
mtu inside 1492
ip address outside pppoe setroute
ip address inside 192.168.2.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
pdm location 192.168.2.9 255.255.255.255 inside
pdm location 192.168.2.101 255.255.255.255 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
static (inside,outside) tcp interface 3389 192.168.2.9 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8181 192.168.2.9 8181 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.2.101 pptp netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 192.5.41.41 source outside
ntp server 192.5.41.40 source outside prefer
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXXXXXXXXXXXXXX
no snmp-server enable traps
floodguard enable
fragment chain 1
service resetinbound
telnet 192.168.2.9 255.255.255.255 inside
telnet 192.168.2.101 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname XXXXXXXXXXXXXXXXXXXXXXXXx
vpdn group pppoe_group ppp authentication pap
vpdn username XXXXXXXXXXXXXXXXXXXXXXX password XXXXXXXXXXXXXXXXXXXXXXXXx
dhcpd auto_config outside
terminal width 80
: end
[OK]
pix501(config)#


Thanks...
Brian Bergin

Walter Roberson, 01-13-2005
Brian Bergin wrote:
:Walter Roberson wrote:

Brian Bergin wrote:
:Our ISP uses Westel DSL modems and in order to update the firmware I have to go
:to 192.168.1.254 and do it from there. I'm guessing the PIX by default doesn't
:allow private IPs to pass outside

No, the PIX doesn't care about such matters.

:I don't, then, understand why this doesn't work. My inside range is
:192.168.2.0/24 and I still can't get to it unless I plug into the modem on the
:outside of the PIX. Here's my config if that helps:

:PIX Version 6.3(4)

:ip address outside pppoe setroute
:ip address inside 192.168.2.1 255.255.255.0

There is nothing in your configuration that would block
traffic to 192.168.1.* as a destination.

I note, though, that your PIX is getting its IP address via
pppoe. When you plug the laptop directly into the DSL modem
for the purposes of transferring data from the firmware
update site at 192.168.1.254, then is that laptop set up to
use pppoe?

My postulation is that the laptop is -not- set to use pppoe,
and that you can get to the 192.168.1.254 site if you have
pppoe turned off but that you can't get there if you
have pppoe turned on. If that happens to be true, then
you have a spot of trouble in that there is no "policy pppoe"
on the PIX.
--
Admit it -- you peeked ahead to find out how this message ends!
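Walter's reasoning (nothing in the config blocks the destination; the real obstacle is that the outside interface speaks PPPoE) can be checked mechanically against the posted configuration. The script below is an added example, not code from the thread or from Cisco. It parses a constructed excerpt modelled on the PIX 6.3 config Brian posted (only nameif, access-list, access-group, nat, global and ip address outside are understood; static, fixup and the rest are ignored) and reports, for a flow from 192.168.2.9 to 192.168.1.254, whether an ACL blocks it, which global pool translates it, and whether the outside interface is PPPoE, in which case every egress frame is tunnelled to the ISP's access concentrator and the modem's LAN-side management address never sees it as plain Ethernet. The rule that outbound traffic is allowed from a higher- to a lower-security interface unless an ACL is bound on the ingress interface is PIX 6.x behaviour; the simplified ACL matcher (first match, implicit deny, port names kept as text) is this example's own.

```python
"""Static check of a PIX 6.x configuration for one outbound flow.

Added example, not code from the thread. Understands only the commands
that decide the fate of an inside-to-outside flow; everything else in a
real config (static, fixup, logging, ...) is ignored.
"""
import ipaddress

# Constructed excerpt modelled on the config posted in the thread.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_acl permit tcp any any eq 8181
access-list outside_acl permit tcp any any eq 3389
access-list outside_acl permit icmp any any echo-reply
ip address outside pppoe setroute
ip address inside 192.168.2.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
access-group outside_acl in interface outside
"""


def _addr(tokens):
    """Consume one ACL address term: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Pull security levels, ACLs, ACL bindings, nat/global pairs and the
    outside addressing mode out of a PIX 6.x running-config."""
    cfg = {"security": {}, "acls": {}, "bound": {}, "nat": [], "global": {},
           "outside_mode": None}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":                 # nameif ethernet1 inside security100
            cfg["security"][t[2]] = int(t[3][len("security"):])
        elif t[0] == "access-list":          # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            name, action, proto = t[1], t[2], t[3]
            src, rest = _addr(t[4:])
            dst, rest = _addr(rest)
            port = rest[1] if rest[:1] == ["eq"] else None   # kept as text: 'pptp' stays 'pptp'
            cfg["acls"].setdefault(name, []).append((action, proto, src, dst, port))
        elif t[0] == "access-group":         # access-group NAME in interface IFACE
            cfg["bound"][t[4]] = t[1]
        elif t[0] == "nat":                  # nat (inside) 1 NET MASK 0 0
            cfg["nat"].append((t[1].strip("()"), t[2],
                               ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "global":               # global (outside) 1 interface|A.B.C.D
            cfg["global"][t[2]] = t[3]
        elif t[:3] == ["ip", "address", "outside"]:
            cfg["outside_mode"] = "pppoe" if t[3] == "pppoe" else "static"
    return cfg


def acl_permits(cfg, in_iface, out_iface, proto, src, dst, dport):
    """PIX 6.x rule: with no ACL bound to the ingress interface, traffic is
    allowed only from a higher- to a lower-security interface. With an ACL
    bound, it is first match with an implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    name = cfg["bound"].get(in_iface)
    if name is None:
        return cfg["security"][in_iface] > cfg["security"][out_iface]
    for action, p, s, d, port in cfg["acls"].get(name, []):
        if p not in (proto, "ip") or src not in s or dst not in d:
            continue
        if port is not None and port != str(dport):
            continue
        return action == "permit"
    return False


def evaluate_flow(cfg, src, dst, proto="tcp", dport=80,
                  in_iface="inside", out_iface="outside"):
    """Report ACL verdict, NAT pool and egress framing for one flow."""
    nat_id = next((nid for iface, nid, net in cfg["nat"]
                   if iface == in_iface and ipaddress.ip_address(src) in net), None)
    return {
        "acl_permits": acl_permits(cfg, in_iface, out_iface, proto, src, dst, dport),
        "nat": cfg["global"].get(nat_id, "none"),
        # PPPoE on the outside interface means every egress packet is tunnelled
        # to the ISP; the modem's LAN-side address is not on that path.
        "egress": "pppoe" if cfg["outside_mode"] == "pppoe" else "ethernet",
    }


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(evaluate_flow(cfg, "192.168.2.9", "192.168.1.254"))
    # -> {'acl_permits': True, 'nat': 'interface', 'egress': 'pppoe'}
```

The verdict for the thread's flow is "permitted, PAT to the outside interface address, sent over PPPoE": exactly the case where the ACL and NAT look fine but the packet still cannot reach a bare-Ethernet address on the modem side. The same acl_permits function applied to the outside interface shows the inbound ACL doing its job (3389 and 8181 allowed, anything else denied), which is the check worth keeping when editing outside_acl.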
none, 01-13-2005
On Wed, 12 Jan 2005 12:01:44 -0500, Brian Bergin wrote:

> Our ISP uses Westel DSL modems and in order to update the firmware I have to go
> to 192.168.1.254 and do it from there. I'm guessing the PIX by default doesn't
> allow private IPs to pass outside so the only way I can access it is to take a
> laptop to it and plug directly into the router which kicks everyone else out.
> So what I want to be able to do is pass traffic for that one IP address out to
> the outside interface, which directly connects to the DSL modem. Is that
> possible?
>
> Thanks...
> Brian Bergin
>
> I can be reached via e-mail at
> cisco_dot_news_at_comcept_dot_net.
>
> Please post replies to the group so all may benefit.
>


I have a very similar setup - your PIX is probably not getting an address
in the 192.168.1.x range - it probably gets a public address via PPPoE -
think of the PPPoE as a Point-to-Point tunnel to the ISP's PPPoE server.

Static NAT would be the way to go on the PIX but I'm not sure that you can
do any static NAT when using PPPoE on the outside interface. I use an old
2514 router for management access to the outside router - it is parallel
to my PIX - it has some access lists on it so I can access the outside
router but not allow anything else in.


|----------+--------------| ISP ADSL
|
outside router
|
|----------+--------+-----| Outside Ethernet
| |
PIX 2514
| |
|----------+--------+-----| Inside Ethernet


None


Brian Bergin, 01-13-2005
Walter Roberson wrote:

|There is nothing in your configuration that would block
|traffic to 192.168.1.* as a destination.
|
|I note, though, that your PIX is getting its IP address via
|pppoe. When you plug the laptop directly into the DSL modem
|for the purposes of transferring data from the firmware
|update site at 192.168.1.254, then is that laptop set up to
|use pppoe?
|
|My postulation is that the laptop is -not- set to use pppoe,
|and that you can get to the 192.168.1.254 site if you have
|pppoe turned off but that you can't get there if you
|have pppoe turned on. If that happens to be true, then
|you have a spot of trouble in that there is no "policy pppoe"
|on the PIX.

Correct, the laptop is not set up for PPPoE; I just put a 192.168.1.0/24
IP on the laptop to access the modem. Is there a "policy pppoe" that I can put
in place or am I just out of luck?

Thanks...
Brian Bergin

Walter Roberson, 01-13-2005
Brian Bergin wrote:
:Correct, the laptop is not set up for PPPoE; I just put a 192.168.1.0/24
:IP on the laptop to access the modem. Is there a "policy pppoe" that I can put
:in place or am I just out of luck?

Quoting myself:

If that happens to be true, then
you have a spot of trouble in that there is no "policy pppoe"
on the PIX.
--
"Meme" is self-referential; memes exist if and only if the "meme" meme
exists. "Meme" is thus logically a meta-meme; but until the existence
of meta-memes is more widely recognized, "meta-meme" is not a meme.
-- A Child's Garden Of Memes