Basic network problem/question: PIX 506E

Discussion in 'Cisco' started by John Scholvin, Feb 9, 2005.

  1. I'm setting up a pix 506E to do firewall, NAT, and VPN for my office.
    I am trying to work in stages, getting the network functional in this order:

    Stage 1) Basic inside to outside services: http, ssh, etc. from inside out.
    Stage 2) Incoming services: http, https, and ssh from the outside to
    the right place inside.
    Stage 3) VPN. People working at home can work as if they are in the office.

    Here is the network:

    internet
    |
    perimeter router w/DSL (cisco 2801)
    |
    PIX 506E
    |
    internal network

We have 5 static IPs from SBC: xx.xx.xx.98 thru xx.xx.xx.102.

    I got a basic configuration for stage 1 working this way:

    router outside IP: xx.xx.xx.102
    router inside IP: xx.xx.xx.98
    PIX outside IP: xx.xx.xx.99
    PIX inside IP: 192.168.0.1

First problem: I don't want to burn 2 of my public IP addresses on the
little subnet between the router and the PIX. I originally used
192.168.200.1 and 192.168.200.2 but I had problems getting things
working. From the PIX, I could not ping any outside internet addresses
that way. With the public IPs, I can.

    So, just working on stage 1 for the moment: what do I need to do,
    either in the router or the PIX, so I can use private IP
    numbers on the network between the router and the PIX?

    Here is the PIX configuration:

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ******** encrypted
    passwd ******** encrypted
    hostname pixfw
    domain-name ********.***
    clock timezone CT -6
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group icmp-type icmp_traffic
    icmp-object echo-reply
    icmp-object source-quench
    icmp-object unreachable
    icmp-object time-exceeded
    access-list PERMIT_IN permit icmp any any object-group icmp_traffic
    pager lines 68
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside xx.xx.xx.98 255.255.255.0
    ip address inside 192.168.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 xx.xx.xx.98
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    terminal width 80
    Cryptochecksum:*****

    --
    John Scholvin -- -- an E7b5#9 man in an F major world
     
    John Scholvin, Feb 9, 2005
    #1

  2. John Scholvin

    RC Guest

    I haven't been checking this group all that often lately so if you reply and
    don't hear back, well what can I say, you get what you pay for.

Problem one. Your router config. Your outside address should be on a
separate subnet than your inside. The 5 IPs you mention don't fit into a
subnet; there should be more or less than 5.

    You can use any private subnet between the router and pix just make sure the
    default gateway on the pix is the IP on the inside of the router, that there
    is a route in the router for your public subnet pointing to the IP on the
    "outside" of the pix, and that the NAT on the pix is using your public
    subnet. This all comes back to your subnet problem.

    A typical system would look like this (I'm making up all the IP addresses).

    DSL interface on the router has an address of 222.222.222.1 with a mask of
    255.255.255.252 (the router at the other end of the T1 would be
    222.222.222.2)

    You can set the router's default gateway as either the DSL interface or
    222.222.222.2 I like to use the far end address but that's just me. The
    router already knows that this subnet is on the DSL interface since it is
    directly connected.

Assume that your public subnet is 125.125.125.0/29 or 125.125.125.0 through
125.125.125.8. The 0 and 8 are your network and broadcast addresses and you
can't use them; this leaves you with 6 usable IPs.

Set your router ethernet port with an IP of 10.10.10.1 255.255.255.252.

    Put a static route in the router so that 125.125.125.0/29 goes to 10.10.10.2
    (the "outside" address of the PIX).

The PIX will have:
    outside 10.10.10.2 255.255.255.252
    inside 192.168.1.1 255.255.255.0
    default gateway 10.10.10.1

    You can now use your entire public subnet for NAT/PAT within the PIX.

The config gets a little easier if you don't mind using a public IP on the
router ethernet and the PIX outside. In this case the router ethernet would
be 125.125.125.1 255.255.255.248 and you don't need a static route in the
router since the subnet is now directly connected. The PIX would be:
    outside 125.125.125.2 255.255.255.248
    inside 192.168.1.1 255.255.255.0
    default gateway 125.125.125.1

    Thus concluding today's class of IP 101.


     
    RC, Feb 9, 2005
    #2
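As an added worked example (not code from RC or the original poster), the Python below checks RC's router/PIX design for consistency and renders the IOS and PIX 6.3 lines that implement it; the addresses are RC's made-up ones, plus 192.0.2.96/29 as a constructed stand-in for the poster's masked /29.

```python
import ipaddress

# Constructed design following RC's reply: the ISP /29 stays behind the PIX for NAT,
# the router-to-PIX link is a private /30, and the router gets a static route for the
# /29 via the PIX outside address. Addresses are RC's made-up ones, not the poster's.
RC_DESIGN = {
    "public_block": "125.125.125.0/29",
    "transit_link": "10.10.10.0/30",
    "router_eth": "10.10.10.1",        # router ethernet facing the PIX
    "pix_outside": "10.10.10.2",       # PIX outside interface
    "pix_default_gw": "10.10.10.1",    # PIX 'route outside 0.0.0.0 0.0.0.0 <gw>'
    "router_static_route": ("125.125.125.0/29", "10.10.10.2"),  # IOS 'ip route'
    "inside_net": "192.168.1.0/24",
}

def usable_hosts(cidr):
    """Host addresses of a block minus network and broadcast; a /29 yields 6."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]

def check_design(d):
    """Return the problems found in design d; an empty list means it is consistent."""
    public = ipaddress.ip_network(d["public_block"])
    transit = ipaddress.ip_network(d["transit_link"])
    inside = ipaddress.ip_network(d["inside_net"])
    router_eth = ipaddress.ip_address(d["router_eth"])
    pix_outside = ipaddress.ip_address(d["pix_outside"])
    pix_gw = ipaddress.ip_address(d["pix_default_gw"])
    route_net = ipaddress.ip_network(d["router_static_route"][0])
    route_nh = ipaddress.ip_address(d["router_static_route"][1])
    problems = []
    if router_eth not in transit or pix_outside not in transit:
        problems.append("router ethernet and PIX outside are not on the same transit link")
    if pix_gw != router_eth:
        problems.append("PIX default gateway is not the router's ethernet address")
    if route_net != public or route_nh != pix_outside:
        problems.append("router static route for the public block must point at the PIX outside")
    if public.overlaps(transit) or public.overlaps(inside) or transit.overlaps(inside):
        problems.append("public block, transit link and inside network must not overlap")
    return problems

def render_config(d):
    """IOS and PIX 6.3 lines implementing d (PIX syntax as in the poster's own config)."""
    public = ipaddress.ip_network(d["public_block"])
    transit = ipaddress.ip_network(d["transit_link"])
    inside = ipaddress.ip_network(d["inside_net"])
    hosts = usable_hosts(d["public_block"])
    return {
        "router": [f"ip route {public.network_address} {public.netmask} {d['router_static_route'][1]}"],
        "pix": [
            f"ip address outside {d['pix_outside']} {transit.netmask}",
            f"route outside 0.0.0.0 0.0.0.0 {d['pix_default_gw']} 1",
            f"global (outside) 1 {hosts[0]}-{hosts[-1]}",  # whole public block for NAT/PAT
            f"nat (inside) 1 {inside.network_address} {inside.netmask} 0 0",
        ],
    }
```

Calling `usable_hosts("192.0.2.96/29")` shows the six addresses .97 through .102 that a /29 actually leaves usable, and `render_config(RC_DESIGN)` prints the router and PIX lines for RC's private-transit variant.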

  3. In article <1107984895.bf2a73e17b6024859dfea8d6387d55ad@teranews>,
    RC <> wrote:
    >Problem one. Your router config. Your outside address should be on a
    >separate subnet then your inside. The 5 IPs you mention don't fit into a
    >subnet, there should be more or less then 5.


    OK. I misstated the case.

What I think I have with my SBC DSL is a /29 block: xx.xx.xx.96 through
.103. I know the .96 and the .103 are unusable by me (network & broadcast).
So I think I get .97 through .102, a total of 6 addresses.

    But that is in fact all I "get" from SBC. There is no specific public
    address for the DSL on a different subnet.

    Googling around a bit, it sounds like this is the way SBC does business for
    this kind of account:

    http://www.broadbandreports.com/faq/10245

    It looks like I have to play some kind of game with the DSL interface on the
    router to deal with this. So now I'm really confused. The way I had it set
    up, it seemed to work. From the router, I could ping the rest of the world,
    and from the rest of the world, I could ping the 3 public IP addresses I was
    using on the router and pix.

    Any advice?


    --
    John Scholvin -- -- an E7b5#9 man in an F major world
     
    John Scholvin, Feb 9, 2005
    #3
  4. John Scholvin

    Guest

What function besides PPPoE is the 2801 performing?

The PIX 506E supports PPPoE.
     
    , Feb 10, 2005
    #4
  5. In article <>,
    <> wrote:
    >What function beside PPPOE is the 2801 performing?


    Physical ADSL interface via WIC-1ADSL.


    --
    John Scholvin -- -- an E7b5#9 man in an F major world
     
    John Scholvin, Feb 10, 2005
    #5
  6. John Scholvin

    Guest

You might see if you can configure the 2801 in bridging mode; i.e., the
PIX would be configured as a PPPoE client and outbound traffic would be
bridged thru the 2821.

Your other option would be to get an external ADSL modem and connect it
directly to the PIX outside interface.
     
    , Feb 10, 2005
    #6
  7. John Scholvin

    complanet Guest

     
    complanet, Feb 11, 2005
    #7