Cisco 501 Configuration help.

Kunal Keshav
      09-22-2005
I am new to the CISCO IOS, need help configuring a 501 pix firewall.
This is what my network looks like.

On the lan segment I have 6 machines that need to connect to a server
of our business partner on the WAN side. The Server on the WAN has a
service running on port 6666. All the clients need to connect to the
server on this port. IP address is as follows:

Server Wan side: 192.168.13.5/24
PIX WAN : 192.168.13.6/24
PIX LAN: 192.168.230.1/24
Workstations: 192.168.230.2-.7/24

The server needs to have a one to one NAT to the Workstations
i.e 192.168.13.12= 192.168.230.2
192.168.13.13= 192.168.230.3
..........
..........
192.168.13.17= 192.168.230.7

Walter Roberson
      09-22-2005
In article <(E-Mail Removed). com>,
Kunal Keshav <(E-Mail Removed)> wrote:
:I am new to the CISCO IOS, need help configuring a 501 pix firewall.

For future reference, the PIX series run an operating system
named Finesse. Finesse's existence is nearly undocumented by Cisco,
and you don't get to talk to it directly: it's the real-time kernel
but the user interaction is a different layer that has no name that
I've ever seen.

IOS is the operating system of Cisco's routers and modern switches
and a few other devices, but not the operating system of PIX.


:This is what my network looks like.

:On the lan segment I have 6 machines that need to connect to a server
:of our business partner on the WAN side. The Server on the WAN has a
:service running on port 6666. All the clients need to connect to the
:server on this port. IP address is as follows:

:Server Wan side: 192.168.13.5/24
:PIX WAN : 192.168.13.6/24
:PIX LAN: 192.168.230.1/24
:Workstations: 192.168.230.2-.7/24

:The server needs to have a one to one NAT to the Workstations
:i.e 192.168.13.12= 192.168.230.2
: 192.168.13.13= 192.168.230.3
: ..........
: ..........
: 192.168.13.17= 192.168.230.7


You didn't post any question.


Configuration #1:

names
name 192.168.13.5 BP
name 192.168.13.12 BP_1
name 192.168.13.13 BP_2
name 192.168.13.14 BP_3
name 192.168.13.15 BP_4
name 192.168.13.16 BP_5
name 192.168.13.17 BP_6
name 192.168.230.2 WS_1
name 192.168.230.3 WS_2
name 192.168.230.4 WS_3
name 192.168.230.5 WS_4
name 192.168.230.6 WS_5
name 192.168.230.7 WS_6

object-group service BP_tcp tcp
description the TCP ports used by the business partner server
port-object eq 6666

access-list BS_acl_1 permit tcp host WS_1 host BP object-group BP_tcp
access-list BS_acl_2 permit tcp host WS_2 host BP object-group BP_tcp
access-list BS_acl_3 permit tcp host WS_3 host BP object-group BP_tcp
access-list BS_acl_4 permit tcp host WS_4 host BP object-group BP_tcp
access-list BS_acl_5 permit tcp host WS_5 host BP object-group BP_tcp
access-list BS_acl_6 permit tcp host WS_6 host BP object-group BP_tcp

static (inside,outside) BP_1 access-list BS_acl_1
static (inside,outside) BP_2 access-list BS_acl_2
static (inside,outside) BP_3 access-list BS_acl_3
static (inside,outside) BP_4 access-list BS_acl_4
static (inside,outside) BP_5 access-list BS_acl_5
static (inside,outside) BP_6 access-list BS_acl_6


Configuration #2:

names
name 192.168.13.5 BP
name 192.168.13.12 BP_1
name 192.168.13.13 BP_2
name 192.168.13.14 BP_3
name 192.168.13.15 BP_4
name 192.168.13.16 BP_5
name 192.168.13.17 BP_6
name 192.168.230.2 WS_1
name 192.168.230.3 WS_2
name 192.168.230.4 WS_3
name 192.168.230.5 WS_4
name 192.168.230.6 WS_5
name 192.168.230.7 WS_6

object-group service BP_tcp tcp
description the TCP ports used by the business partner server
port-object eq 6666

access-list BS_acl_1 permit tcp host WS_1 host BP object-group BP_tcp
access-list BS_acl_2 permit tcp host WS_2 host BP object-group BP_tcp
access-list BS_acl_3 permit tcp host WS_3 host BP object-group BP_tcp
access-list BS_acl_4 permit tcp host WS_4 host BP object-group BP_tcp
access-list BS_acl_5 permit tcp host WS_5 host BP object-group BP_tcp
access-list BS_acl_6 permit tcp host WS_6 host BP object-group BP_tcp

nat (inside) 101 access-list BS_acl_1
nat (inside) 102 access-list BS_acl_2
nat (inside) 103 access-list BS_acl_3
nat (inside) 104 access-list BS_acl_4
nat (inside) 105 access-list BS_acl_5
nat (inside) 106 access-list BS_acl_6

global (outside) 101 BP_1
global (outside) 102 BP_2
global (outside) 103 BP_3
global (outside) 104 BP_4
global (outside) 105 BP_5
global (outside) 106 BP_6


The difference between these two configurations is

a) in the first configuration, the original source port from the
workstation will arrive intact at the server

b) in the second configuration, the PIX will PAT (Port Address Translate)
the original workstation source port, but uniquely for each IP

c) in the first configuration, if the outside access-list permits, the
server would be able to initiate connections to -any- TCP port on
the workstation, as long as the server used source port 6666 when it did so

d) in the second configuration, the server would not be able to initiate
connections to the workstation.

e) in the first configuration, if the protocol should be UDP instead of TCP,
then the server will be able to send UDP replies back to the workstation
after longer than 30 seconds idleness, as long as the server used port
6666 to send the replies.

f) in the second configuration, if the protocol should be UDP instead of TCP,
then the server will be able to send UDP replies back to the workstation
[using source port 6666] only if the connection has not been idle for more
than 30 seconds; after 30 seconds, the replies would be blocked until
the inside formed a new UDP stream. [The 30 second figure is a
globally configurable parameter.]
--
Many food scientists have reported chocolate to be the single most
craved food. -- Northwestern University, 2001
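A sanity check for configurations in the shape of the two above, added here as an example that is not part of Walter's posting or of any Cisco tool: it parses the `name`, `access-list`, `nat` and `global` lines, flags a `name` whose address falls outside the subnet the thread states for it, a reference to a name or access-list that was never defined, and a `nat`/`global` id without a counterpart. The sample config and its defects are constructed.

```python
import ipaddress

# Constructed sample in the format of Configuration #2 above, with two deliberate
# defects: a mistyped WS_6 address and a nat line naming an undefined access-list.
SAMPLE = """
name 192.168.13.5 BP
name 192.168.13.12 BP_1
name 192.168.230.2 WS_1
name 192.168.203.7 WS_6
access-list BS_acl_1 permit tcp host WS_1 host BP object-group BP_tcp
access-list BS_acl_6 permit tcp host WS_6 host BP object-group BP_tcp
nat (inside) 101 access-list BS_acl_1
nat (inside) 106 access-list BS_acl_9
global (outside) 101 BP_1
"""

# Subnets the thread states: WS_* are inside workstations, BP* are partner-side.
EXPECTED = {"WS_": ipaddress.ip_network("192.168.230.0/24"),
            "BP": ipaddress.ip_network("192.168.13.0/24")}

def lint(config):
    names, acls, nat_ids, global_ids, problems = {}, set(), set(), set(), []
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "name":  # name <ip> <label>
            ip, label = ipaddress.ip_address(parts[1]), parts[2]
            names[label] = ip
            expected = EXPECTED["WS_" if label.startswith("WS_") else "BP"]
            if ip not in expected:
                problems.append(f"name {label}: {ip} is outside {expected}")
        elif parts[0] == "access-list":  # access-list <id> permit tcp host A host B ...
            acls.add(parts[1])
            for token in (parts[5], parts[7]):
                if token not in names:
                    problems.append(f"{parts[1]}: undefined name {token}")
        elif parts[0] == "nat":  # nat (inside) <id> access-list <acl>
            nat_ids.add(parts[2])
            if parts[4] not in acls:
                problems.append(f"nat {parts[2]}: unknown access-list {parts[4]}")
        elif parts[0] == "global":  # global (outside) <id> <name>
            global_ids.add(parts[2])
            if parts[3] not in names:
                problems.append(f"global {parts[2]}: undefined name {parts[3]}")
    # Every nat id needs a global with the same id, and vice versa.
    for nat_id in sorted(nat_ids ^ global_ids):
        problems.append(f"nat/global id {nat_id} has no counterpart")
    return problems
```

Run `lint()` over the real `name`/`access-list`/`nat`/`global` lines before pasting them into the PIX; an empty list means the four line types at least agree with each other.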
KK
      09-23-2005
Hey Walter,

Thanks for all the info. It will help me a lot. Can you tell me how to
modify the global config for the 30 second time out?

Walter Roberson
      09-23-2005
In article <(E-Mail Removed). com>,
KK <(E-Mail Removed)> wrote:
:Thanks for all the info. It will help me a lot. Can you tell me how to
:modify the global config for the 30 second time out?

http://www.cisco.com/univercd/cc/td/....htm#wp1026093

A mistake in my posting: the default is 2 minutes, not 30 seconds.
The minimum is 1 minute.
--
"It is important to remember that when it comes to law, computers
never make copies, only human beings make copies. Computers are given
commands, not permission. Only people can be given permission."
-- Brad Templeton