Cisco PIX501 Config Help

richard.stoneman@gmail.com
03-15-2006
Hi,

I have a Pix 501 which I am trying to configure in the following
environment:

1) Router (10.215.112.33) connected to the internet
2) LAN A (10.215.112.32 / 27)
3) LAN B (10.212.35.0 / 24)
4) Cisco Pix501 (Inside=10.212.35.2, Outside=10.215.112.35)

From LAN A I can ping the Cisco Pix on 10.215.112.35.
From LAN B I can ping the Cisco Pix on 10.212.35.2.


I need to be able to do the following:

1) From LAN B I need to be able to access devices on LAN A (such as
10.215.112.33).

2) I need statically assigned NAT (I think!) so that traffic for
10.215.112.34 always goes to 10.212.35.60

Here is my current config:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password sxoDUvFgNGNRIZl3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname cf-pixfirewall
domain-name xxxxxxxx.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.215.112.35 255.255.255.224
ip address inside 10.212.35.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.212.35.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:a44671637db93e8fb6c3294cbcb3518d
: end
[OK]

mcaissie
03-15-2006
> 1) From LAN B I need to be able to access devices on LAN A (such as
> 10.215.112.33).

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

These two lines will configure the PIX to NAT all traffic coming from the
inside with the outside interface address.
This will allow normal internet access for the inside users.

> 2) I need statically assigned NAT (I think!) so that traffic for
> 10.215.112.34 always goes to 10.212.35.60

static (inside,outside) 10.215.112.34 10.212.35.60 netmask 255.255.255.255 0 0

access-list acl-out permit ip any host 10.215.112.34
access-group acl-out in interface outside

The first line will make the inside host 10.212.35.60 visible on the
outside at 10.215.112.34.
But you also need to give access permissions with the two other lines, since
the traffic needs to go from a less secure to a more secure zone. This is
done with the access-list and the access-group commands. My example allows
all IP, but you could be more granular. For example,
access-list acl-out permit tcp any host 10.215.112.34 eq 80 would give
only http access.


richard.stoneman@gmail.com
03-15-2006

mcaissie wrote:
> > 1) From LAN B I need to be able to access devices on LAN A (such as
> > 10.215.112.33).

>
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> global (outside) 1 interface
>
> This 2 lines will configure the PIX to nat all traffic coming from the
> inside with the outside interface address.
> This will allow normal internet access for the inside users.
>


Thank you - I have added these two lines.

I can successfully ping LAN A (eg 10.215.112.33) from the PIX but NOT
from a client on the inside of the pix (10.212.35.20). I have noticed
that I do not have any static routes set up for the internal and
external interfaces on the pix - is this an issue?

mcaissie
03-15-2006

There are no routing issues; those subnets are directly connected. But I
think that icmp is denied by default on the outside, even for the replies.
So you can add the following lines in your acl_out and give it a try

access-list acl-out permit icmp any any echo-reply
access-list acl-out permit icmp any any source-quench
access-list acl-out permit icmp any any unreachable
access-list acl-out permit icmp any any time-exceeded

richard.stoneman@gmail.com
03-15-2006

Still no joy! From the clients on the inside I can't access anything on
the outside.

Here's my config now in case you can see anything else I've missed:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password sxoDUvFgNGNRIZl3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname cf-pixfirewall
domain-name xxxxxxxxx.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit tcp any any
access-list acl-out permit icmp any any echo-reply
access-list acl-out permit icmp any any source-quench
access-list acl-out permit icmp any any unreachable
access-list acl-out permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.215.112.35 255.255.255.224
ip address inside 10.212.35.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.212.35.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:9dc4bc6c12225487786f091c4809b551
: end

Walter Roberson
03-16-2006
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:

>Still no joy! From the clients on the inside I cant access anything on
>the outside.


>PIX Version 6.3(5)


Thanks, that previous config was too messy to parse.

>access-list inside_access_in permit tcp any any


>access-list acl-out permit icmp any any echo-reply
>access-list acl-out permit icmp any any source-quench
>access-list acl-out permit icmp any any unreachable
>access-list acl-out permit icmp any any time-exceeded


You don't use that ACL, acl-out.

>global (outside) 1 interface
>nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>access-group inside_access_in in interface inside


You allow all tcp access out, but you don't allow even one
system to do DNS (UDP).
richard.stoneman@gmail.com
03-16-2006

How can I allow all traffic out? Is there a single command to do this?
I still can't get to anything externally from the internal clients but
I can from the PIX. To be honest, I'm only using the Pix for
NAT...security isn't an issue in this environment.

Walter Roberson
03-17-2006
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:

>Walter Roberson wrote:
>> In article <(E-Mail Removed) .com>,
>> <(E-Mail Removed)> wrote:


>> >PIX Version 6.3(5)


>> >access-list inside_access_in permit tcp any any


>> >access-group inside_access_in in interface inside


>How can I allow all traffic out? Is there a single command to do this?


Use
no access-group inside_access_in in interface inside
to deactivate the access-group.

If there is no access-group for the inside interface, all connections
are permitted outwards, provided that there is a translation for it.
Your nat/ global pair provides the translation.
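As an added example, not from the thread (the lint rules are mine; the config lines are copied from the posts above), a small Python checker that flags the three problems the replies uncovered: acl-out defined but never applied, the inside ACL permitting only TCP so DNS over UDP/53 fails, and a static with no inbound ACL on outside. The FIXED text keeps the inside access-group and adds the UDP/53 permit, the tighter alternative to dropping the access-group entirely as the last reply suggests.

```python
# Added lint for the gaps the replies found: an ACL never bound with access-group,
# an inside ACL with no UDP/53 permit (no DNS), a static with no inbound outside ACL.
import re
# Relevant lines of the last config posted above (constructed input).
POSTED = """
access-list inside_access_in permit tcp any any
access-list acl-out permit icmp any any echo-reply
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
"""
# Same policy with the fixes from the replies applied (constructed).
FIXED = """
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any eq 53
access-list acl-out permit tcp any host 10.215.112.34 eq 80
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.215.112.34 10.212.35.60 netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
access-group acl-out in interface outside
"""

def parse(config):
    """Collect ACL entries, access-group bindings and static (real, mapped) pairs."""
    acls, bound, statics = {}, {}, []
    for line in config.strip().splitlines():
        if m := re.match(r"access-list (\S+) (permit|deny) (\S+) ?(.*)", line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound[m[2]] = m[1]  # interface -> ACL name
        elif m := re.match(r"static \((\S+),(\S+)\)", line):
            statics.append((m[1], m[2]))
    return acls, bound, statics

def permits_dns(entries):
    """True if some permit entry lets UDP/53 (or all IP) through."""
    for action, proto, rest in entries:
        udp_ok = proto == "udp" and ("eq 53" in rest or "eq domain" in rest or " eq " not in rest)
        if action == "permit" and (proto == "ip" or udp_ok):
            return True
    return False

def lint(config):
    """Return human-readable findings; an empty list means the checks pass."""
    acls, bound, statics = parse(config)
    findings = [f"ACL {n} is defined but never applied" for n in acls if n not in bound.values()]
    if "inside" in bound and not permits_dns(acls.get(bound["inside"], [])):
        findings.append("inside ACL blocks UDP/53: clients cannot resolve DNS")
    findings += [f"static maps to {m} but no access-group on {m}" for _, m in statics if m not in bound]
    return findings
```

Running lint(POSTED) reports the two findings Walter pointed out, while lint(FIXED) returns an empty list.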