allow one private IP to pass to outside interface on PIX

Discussion in 'Cisco' started by Brian Bergin, Jan 12, 2005.

  1. Brian Bergin

    Brian Bergin Guest

    Our ISP uses Westel DSL modems and in order to update the firmware I have to go
    to 192.168.1.254 and do it from there. I'm guessing the PIX by default doesn't
    allow private IPs to pass outside so the only way I can access it is to take a
    laptop to it and plug directly into the router which kicks everyone else out.
    So what I want to be able to do is pass traffic for that one IP address out to
    the outside interface, which directly connects to the DSL modem. Is that
    possible?

    Thanks...
    Brian Bergin

    I can be reached via e-mail at
    cisco_dot_news_at_comcept_dot_net.

    Please post replies to the group so all may benefit.

    NOTICE: Use of this information is contingent upon acceptance of Paragraph 17 of Terabyte's Terms and conditions located at http://terabyte.net/terms.htm#postings.
     
    Brian Bergin, Jan 12, 2005
    #1

  2. Rod Dorman

    Rod Dorman Guest

    In article <>,
    Brian Bergin <> wrote:
    >Our ISP uses Westel DSL modems and in order to update the firmware I
    >have to go to 192.168.1.254 and do it from there. I'm guessing the
    >PIX by default doesn't allow private IPs to pass outside so the only
    >way I can access it is to take a laptop to it and plug directly into
    >the router which kicks everyone else out.


    How often do you do this that it would be considered a problem?
    Besides, doesn't updating the firmware knock them off anyway?

    --
    -- Rod --
    rodd(at)polylogics(dot)com
     
    Rod Dorman, Jan 12, 2005
    #2

  3. Brian Bergin

    Brian Bergin Guest

    (Rod Dorman) wrote:

    |
    |How often do you do this that it would be considered a problem?
    |Besides, doesn't updating the firmware knock them off anyway?

    For a few secs while I upgrade it, but where the modem is there are no PCs at the
    other end of the building. It's a convenience thing. If it's not possible
    that's one thing; if it is, I just want the ability.

    Thanks...
    Brian Bergin

    I can be reached via e-mail at
    cisco_dot_news_at_comcept_dot_net.

    Please post replies to the group so all may benefit.

     
    Brian Bergin, Jan 12, 2005
    #3
  4. In article <>,
    Brian Bergin <> wrote:
    :Our ISP uses Westel DSL modems and in order to update the firmware I have to go
    :to 192.168.1.254 and do it from there. I'm guessing the PIX by default doesn't
    :allow private IPs to pass outside

    No, the PIX doesn't care about such matters. As far as it is concerned,
    the RFC 1918 IP ranges are just plain IP ranges, to be handled
    according to your policy nat and access-lists.

    :So what I want to be able to do is pass traffic for that one IP address out to
    :the outside interface, which directly connects to the DSL modem. Is that
    :possible?

    Sure. As long as 192.168.1.* is not your inside IP range,
    the PIX will allow you to go out to 192.168.1.* by default;
    you would have to specifically block it to prevent it.
    --
    This signature intentionally left... Oh, darn!
     
    Walter Roberson, Jan 12, 2005
    #4
  5. Brian Bergin

    Brian Bergin Guest

    -cnrc.gc.ca (Walter Roberson) wrote:

    |In article <>,
    |Brian Bergin <> wrote:
    |:Our ISP uses Westel DSL modems and in order to update the firmware I have to go
    |:to 192.168.1.254 and do it from there. I'm guessing the PIX by default doesn't
    |:allow private IPs to pass outside
    |
    |No, the PIX doesn't care about such matters. As far as it is concerned,
    |the RFC 1918 IP ranges are just plain IP ranges, to be handled
    |according to your policy nat and access-lists.
    |
    |:So what I want to be able to do is pass traffic for that one IP address out to
    |:the outside interface, which directly connects to the DSL modem. Is that
    |:possible?
    |
    |Sure. As long as 192.168.1.* is not your inside IP range,
    |the PIX will allow you to go out to 192.168.1.* by default;
    |you would have to specifically block it to prevent it.

    I don't, then, understand why this doesn't work. My inside range is
    192.168.2.0/24 and I still can't get to it unless I plug into the modem on the
    outside of the PIX. Here's my config if that helps:


    PIX Version 6.3(4)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password XXXXXXXXXXXXXXX encrypted
    passwd XXXXXXXXXXXXXXXXX encrypted
    hostname pix501
    domain-name local.name
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol http 8181
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no names
    access-list outside_acl permit tcp any any eq 8181
    access-list outside_acl permit tcp any any eq 3389
    access-list outside_acl permit icmp any any echo-reply
    access-list outside_acl permit icmp any any unreachable
    access-list outside_acl permit icmp any any time-exceeded
    access-list outside_acl permit tcp any any eq pptp
    access-list outside_acl permit gre any any
    pager lines 24
    logging on
    logging trap notifications
    logging facility 23
    logging host inside 192.168.2.9
    icmp deny any outside
    mtu outside 1492
    mtu inside 1492
    ip address outside pppoe setroute
    ip address inside 192.168.2.1 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action alarm drop reset
    ip audit attack action alarm drop reset
    pdm location 192.168.2.9 255.255.255.255 inside
    pdm location 192.168.2.101 255.255.255.255 inside
    pdm logging notifications 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.2.0 255.255.255.0 0 0
    static (inside,outside) tcp interface 3389 192.168.2.9 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8181 192.168.2.9 8181 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pptp 192.168.2.101 pptp netmask 255.255.255.255 0 0
    access-group outside_acl in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp server 192.5.41.41 source outside
    ntp server 192.5.41.40 source outside prefer
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community XXXXXXXXXXXXXXXXXXX
    no snmp-server enable traps
    floodguard enable
    fragment chain 1
    service resetinbound
    telnet 192.168.2.9 255.255.255.255 inside
    telnet 192.168.2.101 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname XXXXXXXXXXXXXXXXXXXXXXXXx
    vpdn group pppoe_group ppp authentication pap
    vpdn username XXXXXXXXXXXXXXXXXXXXXXX password XXXXXXXXXXXXXXXXXXXXXXXXx
    dhcpd auto_config outside
    terminal width 80
    : end
    [OK]
    pix501(config)#


    Thanks...
    Brian Bergin

    I can be reached via e-mail at
    cisco_dot_news_at_comcept_dot_net.

    Please post replies to the group so all may benefit.

     
    Brian Bergin, Jan 13, 2005
    #5
  6. In article <>,
    Brian Bergin <> wrote:
    :-cnrc.gc.ca (Walter Roberson) wrote:

    :|In article <>,
    :|Brian Bergin <> wrote:
    :|:Our ISP uses Westel DSL modems and in order to update the firmware I have to go
    :|:to 192.168.1.254 and do it from there. I'm guessing the PIX by default doesn't
    :|:allow private IPs to pass outside

    :|No, the PIX doesn't care about such matters.

    :I don't, then, understand why this doesn't work. My inside range is
    :192.168.2.0/24 and I still can't get to it unless I plug into the modem on the
    :outside of the PIX. Here's my config if that helps:

    :PIX Version 6.3(4)

    :ip address outside pppoe setroute
    :ip address inside 192.168.2.1 255.255.255.0

    There is nothing in your configuration that would block
    traffic to 192.168.1.* as a destination.

    I note, though, that your PIX is getting its IP address via
    pppoe. When you plug the laptop directly into the DSL modem
    for the purposes of transferring data from the firmware
    update site at 192.168.1.254, then is that laptop set up to
    use pppoe?

    My postulation is that the laptop is -not- set to use pppoe,
    and that you can get to the 192.168.1.254 site if you have
    pppoe turned off but that you can't get there if you
    have pppoe turned on. If that happens to be true, then
    you have a spot of trouble in that there is no "policy pppoe"
    on the PIX.
    --
    Admit it -- you peeked ahead to find out how this message ends!
     
    Walter Roberson, Jan 13, 2005
    #6
  7. none

    none Guest

    On Wed, 12 Jan 2005 12:01:44 -0500, Brian Bergin wrote:

    > Our ISP uses Westel DSL modems and in order to update the firmware I have to go
    > to 192.168.1.254 and do it from there. I'm guessing the PIX by default doesn't
    > allow private IPs to pass outside so the only way I can access it is to take a
    > laptop to it and plug directly into the router which kicks everyone else out.
    > So what I want to be able to do is pass traffic for that one IP address out to
    > the outside interface, which directly connects to the DSL modem. Is that
    > possible?
    >
    > Thanks...
    > Brian Bergin
    >
    > I can be reached via e-mail at
    > cisco_dot_news_at_comcept_dot_net.
    >
    > Please post replies to the group so all may benefit.
    >


    I have a very similar setup - your PIX is probably not getting an address
    in the 192.168.1.x range - it probably gets a public address via PPPoE -
    think of the PPPoE as a Point-to-Point tunnel to the ISP's PPPoE server.

    Static NAT would be the way to go on the PIX but I'm not sure that you can
    do any static NAT when using PPPoE on the outside interface. I use an old
    2514 router for management access to the outside router - it is parallel
    to my PIX - it has some access lists on it so I can access the outside
    router but not allow anything else in.


    |----------+--------------| ISP ADSL
               |
        outside router
               |
    |----------+--------+-----| Outside Ethernet
               |        |
              PIX      2514
               |        |
    |----------+--------+-----| Inside Ethernet


    None
     
    none, Jan 13, 2005
    #7
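Walter's and none's replies above both come down to where the PIX sends a packet for 192.168.1.254 once nothing in the config denies it: the outside interface has no Ethernet address of its own, so the default route installed by "setroute" carries the packet into the PPPoE session to the ISP, never onto the modem's LAN side. The following is an added example of mine, not code from the thread or from Cisco: a small evaluator for the subset of the posted PIX 6.3 config that decides a flow (security levels, outside_acl and its access-group, and the pppoe address mode). The config excerpt is constructed from the posted one, and the verdict strings and the interface-selection rule are this model's assumptions, not PIX output.

```python
from ipaddress import ip_address, ip_network, IPv4Network

# Constructed excerpt of the PIX 6.3(4) config posted in the thread; only the
# lines this model reads (passwords, statics and PPPoE credentials omitted).
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_acl permit tcp any any eq 8181
access-list outside_acl permit tcp any any eq 3389
ip address outside pppoe setroute
ip address inside 192.168.2.1 255.255.255.0
access-group outside_acl in interface outside
"""

def parse_pix(text):
    cfg = {"security": {}, "acl": {}, "bind": {}, "addr": {}}
    for line in text.strip().splitlines():
        w = line.split()
        if w[0] == "nameif":              # interface name -> security level
            cfg["security"][w[2]] = int(w[3].replace("security", ""))
        elif w[0] == "access-list":       # (action, protocol, dest port or None)
            port = int(w[-1]) if w[-2] == "eq" else None
            cfg["acl"].setdefault(w[1], []).append((w[2], w[3], port))
        elif w[0] == "access-group":      # ACL applied inbound on an interface
            cfg["bind"][w[4]] = w[1]
        elif w[:2] == ["ip", "address"]:  # connected network, or PPPoE + setroute
            cfg["addr"][w[2]] = "pppoe" if w[3] == "pppoe" else ip_network(f"{w[3]}/{w[4]}", strict=False)
    return cfg

def iface_for(cfg, addr):
    # A connected network wins; anything else follows the 'setroute' default via the PPPoE session.
    for name, net in cfg["addr"].items():
        if isinstance(net, IPv4Network) and addr in net:
            return name
    return next(n for n, v in cfg["addr"].items() if v == "pppoe")

def evaluate(cfg, src, dst, proto, dport=None):
    """Return (forwarded, egress interface, reason) for one flow."""
    src, dst = ip_address(src), ip_address(dst)
    ingress, egress = iface_for(cfg, src), iface_for(cfg, dst)
    acl = cfg["bind"].get(ingress)
    if acl is not None:  # a bound ACL replaces the security-level rule: first match, implicit deny
        hit = next((a for a, p, d in cfg["acl"][acl] if p in (proto, "ip") and d in (None, dport)), "deny")
        if hit != "permit":
            return False, egress, f"dropped by {acl}"
    elif cfg["security"][ingress] <= cfg["security"][egress]:
        return False, egress, "lower-to-higher security with no access-group"
    if cfg["addr"][egress] == "pppoe":  # the 192.168.1.254 case from the thread
        return True, egress, "encapsulated in the PPPoE session to the ISP"
    return True, egress, "sent on the directly connected Ethernet segment"
```

Running evaluate() for 192.168.2.9 to 192.168.1.254 returns a permit, with the egress reason showing the packet leaving inside the PPPoE session rather than on the modem's Ethernet segment, which is exactly why the laptop with a 192.168.1.x address works and the PIX does not.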
  8. Brian Bergin

    Brian Bergin Guest

    -cnrc.gc.ca (Walter Roberson) wrote:

    |There is nothing in your configuration that would block
    |traffic to 192.168.1.* as a destination.
    |
    |I note, though, that your PIX is getting its IP address via
    |pppoe. When you plug the laptop directly into the DSL modem
    |for the purposes of transferring data from the firmware
    |update site at 192.168.1.254, then is that laptop set up to
    |use pppoe?
    |
    |My postulation is that the laptop is -not- set to use pppoe,
    |and that you can get to the 192.168.1.254 site if you have
    |pppoe turned off but that you can't get there if you
    |have pppoe turned on. If that happens to be true, then
    |you have a spot of trouble in that there is no "policy pppoe"
    |on the PIX.

    Correct, the laptop is not set up for PPPoE and I just put a 192.168.1.0/24
    IP on the laptop to access the modem. Is there a "policy pppoe" that I can put
    in place or am I just out of luck?

    Thanks...
    Brian Bergin

    I can be reached via e-mail at
    cisco_dot_news_at_comcept_dot_net.

    Please post replies to the group so all may benefit.

     
    Brian Bergin, Jan 13, 2005
    #8
  9. In article <>,
    Brian Bergin <> wrote:
    :Correct, the laptop is not set up for PPPoE and I just put a 192.168.1.0/24
    :IP on the laptop to access the modem. Is there a "policy pppoe" that I can put
    :in place or am I just out of luck?

    Quoting myself:

    :|If that happens to be true, then
    :|you have a spot of trouble in that there is no "policy pppoe"
    :|on the PIX.
    --
    "Meme" is self-referential; memes exist if and only if the "meme" meme
    exists. "Meme" is thus logically a meta-meme; but until the existance
    of meta-memes is more widely recognized, "meta-meme" is not a meme.
    -- A Child's Garden Of Memes
     
    Walter Roberson, Jan 13, 2005
    #9