Cisco 501 Configuration help.

Discussion in 'Cisco' started by Kunal Keshav, Sep 22, 2005.

  1. Kunal Keshav

    Kunal Keshav Guest

    I am new to the CISCO IOS, need help configuring a 501 pix firewall.
    This is what my network looks like.

    On the lan segment I have 6 machines that need to connect to a server
    of our business partner on the WAN side. The Server on the WAN has a
    service running on port 6666. All the clients need to connect to the
    server on this port. IP address is as follows:

    Server Wan side: 192.168.13.5/24
    PIX WAN : 192.168.13.6/24
    PIX LAN: 192.168.230.1/24
    Workstations: 192.168.230.2-.7/24

    The server needs to have a one-to-one NAT to the Workstations
    i.e. 192.168.13.12= 192.168.230.2
    192.168.13.13= 192.168.230.3
    ..........
    ..........
    192.168.13.17= 192.168.230.7
     
    Kunal Keshav, Sep 22, 2005
    #1

  2. In article <>,
    Kunal Keshav <> wrote:
    :I am new to the CISCO IOS, need help configuring a 501 pix firewall.

    For future reference, the PIX series run an operating system
    named Finesse. Finesse's existence is nearly undocumented by Cisco,
    and you don't get to talk to it directly: it's the real-time kernel
    but the user interaction is a different layer that has no name that
    I've ever seen.

    IOS is the operating system of Cisco's routers and modern switches
    and a few other devices, but not the operating system of PIX.


    :This is what my network looks like.

    :On the lan segment I have 6 machines that need to connect to a server
    :of our business partner on the WAN side. The Server on the WAN has a
    :service running on port 6666. All the clients need to connect to the
    :server on this port. IP address is as follows:

    :Server Wan side: 192.168.13.5/24
    :PIX WAN : 192.168.13.6/24
    :PIX LAN: 192.168.230.1/24
    :Workstations: 192.168.230.2-.7/24

    :The server needs to have a one to one NAT to the Workstations
    :i.e 192.168.13.12= 192.168.230.2
    : 192.168.13.13= 192.168.230.3
    : ..........
    : ..........
    : 192.168.13.17= 192.168.230.7


    You didn't post any question ;-)


    Configuration #1:

    names
    name 192.168.13.5 BP
    name 192.168.13.12 BP_1
    name 192.168.13.13 BP_2
    name 192.168.13.14 BP_3
    name 192.168.13.15 BP_4
    name 192.168.13.16 BP_5
    name 192.168.13.17 BP_6
    name 192.168.230.2 WS_1
    name 192.168.230.3 WS_2
    name 192.168.230.4 WS_3
    name 192.168.230.5 WS_4
    name 192.168.230.6 WS_5
    name 192.168.230.7 WS_6

    object-group service BP_tcp tcp
    description the TCP ports used by the business partner server
    port-object eq 6666

    access-list BS_acl_1 permit tcp host WS_1 host BP object-group BP_tcp
    access-list BS_acl_2 permit tcp host WS_2 host BP object-group BP_tcp
    access-list BS_acl_3 permit tcp host WS_3 host BP object-group BP_tcp
    access-list BS_acl_4 permit tcp host WS_4 host BP object-group BP_tcp
    access-list BS_acl_5 permit tcp host WS_5 host BP object-group BP_tcp
    access-list BS_acl_6 permit tcp host WS_6 host BP object-group BP_tcp

    static (inside,outside) BP_1 access-list BS_acl_1
    static (inside,outside) BP_2 access-list BS_acl_2
    static (inside,outside) BP_3 access-list BS_acl_3
    static (inside,outside) BP_4 access-list BS_acl_4
    static (inside,outside) BP_5 access-list BS_acl_5
    static (inside,outside) BP_6 access-list BS_acl_6


    Configuration #2:

    names
    name 192.168.13.5 BP
    name 192.168.13.12 BP_1
    name 192.168.13.13 BP_2
    name 192.168.13.14 BP_3
    name 192.168.13.15 BP_4
    name 192.168.13.16 BP_5
    name 192.168.13.17 BP_6
    name 192.168.230.2 WS_1
    name 192.168.230.3 WS_2
    name 192.168.230.4 WS_3
    name 192.168.230.5 WS_4
    name 192.168.230.6 WS_5
    name 192.168.230.7 WS_6

    object-group service BP_tcp tcp
    description the TCP ports used by the business partner server
    port-object eq 6666

    access-list BS_acl_1 permit tcp host WS_1 host BP object-group BP_tcp
    access-list BS_acl_2 permit tcp host WS_2 host BP object-group BP_tcp
    access-list BS_acl_3 permit tcp host WS_3 host BP object-group BP_tcp
    access-list BS_acl_4 permit tcp host WS_4 host BP object-group BP_tcp
    access-list BS_acl_5 permit tcp host WS_5 host BP object-group BP_tcp
    access-list BS_acl_6 permit tcp host WS_6 host BP object-group BP_tcp

    nat (inside) 101 access-list BS_acl_1
    nat (inside) 102 access-list BS_acl_2
    nat (inside) 103 access-list BS_acl_3
    nat (inside) 104 access-list BS_acl_4
    nat (inside) 105 access-list BS_acl_5
    nat (inside) 106 access-list BS_acl_6

    global (outside) 101 BP_1
    global (outside) 102 BP_2
    global (outside) 103 BP_3
    global (outside) 104 BP_4
    global (outside) 105 BP_5
    global (outside) 106 BP_6


    The difference between these two configurations is

    a) in the first configuration, the original source port from the
    workstation will arrive intact at the server

    b) in the second configuration, the PIX will PAT (Port Address Translate)
    the original workstation source port, but uniquely for each IP

    c) in the first configuration, if the outside access-list permits, the
    server would be able to initiate connections to -any- TCP port on
    the workstation, as long as the server used source port 6666 when it did so

    d) in the second configuration, the server would not be able to initiate
    connections to the workstation.

    e) in the first configuration, if the protocol should be UDP instead of TCP,
    then the server will be able to send UDP replies back to the workstation
    after longer than 30 seconds of idleness, as long as the server used port
    6666 to send the replies.

    f) in the second configuration, if the protocol should be UDP instead of TCP,
    then the server will be able to send UDP replies back to the workstation
    [using source port 6666] only if the connection has not been idle for more
    than 30 seconds; after 30 seconds, the replies would be blocked until
    the inside formed a new UDP stream. [The 30 second figure is a
    globally configurable parameter.]
    --
    Many food scientists have reported chocolate to be the single most
    craved food. -- Northwestern University, 2001
     
    Walter Roberson, Sep 22, 2005
    #2
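As an added example (not part of the thread, and not Cisco or PIX code), here is the kind of sanity check a reviewer would run over a names / access-list / static block like the ones above before pasting it into a firewall: it confirms that every WS_n name falls inside the LAN subnet and every BP name inside the WAN subnet, and that each static maps a distinct global address to a distinct inside host. The subnet constants come from the question; the WS_/BP_ naming convention, the regular expressions and the sample block are assumptions for this illustration. The sample is a constructed, cut-down copy of the mapping with two deliberate slips (one mistyped octet and one global address reused) so the checker has something to report.

```python
"""Reviewer's sanity check for a PIX 6.x names / access-list / static block.

Constructed example, not from the thread and not Cisco code. It parses the
three line types used in the configurations above and reports anything that
would silently break the one-to-one mapping.
"""
import ipaddress
import re

# Assumed address plan (from the question) and naming convention (WS_ / BP_).
INSIDE_NET = ipaddress.ip_network("192.168.230.0/24")
OUTSIDE_NET = ipaddress.ip_network("192.168.13.0/24")

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp host (\S+) host (\S+)")
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) access-list (\S+)$")

# Constructed sample: a cut-down copy of the mapping with two deliberate
# slips, one mistyped octet on WS_6 and BP_1 reused by a second static.
SAMPLE_CONFIG = """\
names
name 192.168.13.5 BP
name 192.168.13.12 BP_1
name 192.168.13.13 BP_2
name 192.168.13.17 BP_6
name 192.168.230.2 WS_1
name 192.168.230.3 WS_2
name 192.168.203.7 WS_6
object-group service BP_tcp tcp
port-object eq 6666
access-list BS_acl_1 permit tcp host WS_1 host BP object-group BP_tcp
access-list BS_acl_2 permit tcp host WS_2 host BP object-group BP_tcp
access-list BS_acl_6 permit tcp host WS_6 host BP object-group BP_tcp
static (inside,outside) BP_1 access-list BS_acl_1
static (inside,outside) BP_2 access-list BS_acl_2
static (inside,outside) BP_1 access-list BS_acl_6
"""

# The same block with both slips corrected, for comparison.
CLEAN_CONFIG = SAMPLE_CONFIG.replace("192.168.203.7", "192.168.230.7").replace(
    "BP_1 access-list BS_acl_6", "BP_6 access-list BS_acl_6")


def parse(config):
    """Collect name -> address, acl -> (inside host, destination), and statics."""
    names, acls, statics = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = ipaddress.ip_address(m.group(1))
        elif m := ACL_RE.match(line):
            acls[m.group(1)] = (m.group(2), m.group(3))
        elif m := STATIC_RE.match(line):
            statics.append((m.group(1), m.group(2)))
    return names, acls, statics


def check(config):
    """Return a list of findings; an empty list means the block looks consistent."""
    names, acls, statics = parse(config)
    findings = []
    for label, addr in names.items():
        if label.startswith("WS_") and addr not in INSIDE_NET:
            findings.append(f"{label} {addr} is not in inside net {INSIDE_NET}")
        if label.startswith("BP") and addr not in OUTSIDE_NET:
            findings.append(f"{label} {addr} is not in outside net {OUTSIDE_NET}")
    global_to_inside, inside_to_global = {}, {}
    for global_name, acl in statics:
        if acl not in acls:
            findings.append(f"static {global_name} references undefined {acl}")
            continue
        inside_host = acls[acl][0]
        for label in (global_name, inside_host):
            if label not in names:
                findings.append(f"{label} is used but never defined with 'name'")
        prev = global_to_inside.setdefault(global_name, inside_host)
        if prev != inside_host:
            findings.append(f"global {global_name} maps to both {prev} and {inside_host}")
        prev = inside_to_global.setdefault(inside_host, global_name)
        if prev != global_name:
            findings.append(f"inside host {inside_host} maps to both {prev} and {global_name}")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it on the sample and it reports the out-of-subnet WS_6 address and the doubled BP_1; run it on the corrected copy and it reports nothing. An address typo of this kind is easy to miss by eye because the static lines themselves look right, so the check is worth keeping next to any hand-written mapping table.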

  3. Kunal  Keshav

    KK Guest

    Hey Walter,

    Thanks for all the info. It will help me a lot. Can you tell me how to
    modify the global config for the 30 second time out?
     
    KK, Sep 23, 2005
    #3
  4. In article <>,
    KK <> wrote:
    :Thanks for all the info. It will help me a lot. Can you tell me how to
    :modify the global config for the 30 second time out?

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1026093

    A mistake in my posting: the default is 2 minutes, not 30 seconds.
    The minimum is 1 minute.
    --
    "It is important to remember that when it comes to law, computers
    never make copies, only human beings make copies. Computers are given
    commands, not permission. Only people can be given permission."
    -- Brad Templeton
     
    Walter Roberson, Sep 23, 2005
    #4
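As an added example (not part of the thread, and not PIX code), here is a small Python model of the translation behaviour Walter describes in points a) to f) of his first reply, with the UDP idle default taken as the 2 minutes he corrects it to in the follow-up. It keeps a toy translation table for each of the two configurations and replays the same traffic against both: a workstation connecting to the partner server, the server replying, the server trying to open a brand-new connection to a mapped address, and a UDP reply arriving after the idle timeout. The address subset, the single shared PAT port counter, the treatment of the outside access-list as the only gate for static inbound traffic, and the omission of TCP idle timeouts are simplifying assumptions of this illustration.

```python
"""Model of the two PIX configurations from the reply above.

Constructed example, not PIX code: a toy translation table that shows how a
policy static (configuration #1) and policy nat/global PAT (configuration #2)
differ for source ports, server-initiated connections and the UDP idle timeout.
"""

STATIC = "static"       # configuration #1: static (inside,outside) + access-list
POLICY_PAT = "pat"      # configuration #2: nat/global pairs, one global IP each

# Constructed subset of the thread's WS_n -> BP_n mapping.
MAPPING = {"192.168.230.2": "192.168.13.12", "192.168.230.3": "192.168.13.13"}
INVERSE = {glob: inside for inside, glob in MAPPING.items()}
SERVER, SERVER_PORT = "192.168.13.5", 6666
UDP_IDLE_TIMEOUT = 120   # seconds; the corrected default from the follow-up post


class Pix:
    def __init__(self, mode, outside_acl_permits_inbound):
        self.mode = mode
        self.outside_acl_permits_inbound = outside_acl_permits_inbound
        self.conns = {}            # (global_ip, global_port) -> [inside_ip, inside_port, last_seen]
        self.next_pat_port = 1024  # simplification: one shared PAT port counter

    def outbound(self, now, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Workstation -> server. Returns the (ip, port) the server sees, or
        None when the policy access-list does not match (no translation)."""
        if src_ip not in MAPPING or dst_ip != SERVER or dst_port != SERVER_PORT:
            return None
        global_ip = MAPPING[src_ip]
        if self.mode == STATIC:
            global_port = src_port             # a) original source port kept
        else:
            global_port = self.next_pat_port   # b) PAT assigns a new port
            self.next_pat_port += 1
        self.conns[(global_ip, global_port)] = [src_ip, src_port, now]
        return global_ip, global_port

    def inbound(self, now, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Server -> workstation. Returns (inside_ip, inside_port) if delivered,
        else None. TCP idle timeouts are left out of the model."""
        key = (dst_ip, dst_port)
        conn = self.conns.get(key)
        if conn is not None:
            if proto == "udp" and now - conn[2] > UDP_IDLE_TIMEOUT:
                del self.conns[key]            # idle UDP entry has expired
            else:
                conn[2] = now
                return conn[0], conn[1]
        if self.mode == POLICY_PAT:
            return None                        # d) / f): no entry, nothing to untranslate
        # Static: the translation is permanent, so a packet from the server's
        # port 6666 to a mapped address still matches the policy; the outside
        # access-list is the only remaining gate (c / e). Model assumption.
        if (src_ip == SERVER and src_port == SERVER_PORT and dst_ip in INVERSE
                and self.outside_acl_permits_inbound):
            return INVERSE[dst_ip], dst_port
        return None


def run_scenarios(mode, outside_acl_permits_inbound=True):
    """Replay the situations a) to f) against one configuration."""
    pix = Pix(mode, outside_acl_permits_inbound)
    seen = pix.outbound(0, "192.168.230.2", 40000, SERVER, SERVER_PORT)
    udp = pix.outbound(10, "192.168.230.3", 5000, SERVER, SERVER_PORT, proto="udp")
    return {
        "server_sees_port": seen[1],
        "tcp_reply": pix.inbound(1, SERVER, SERVER_PORT, *seen),
        "server_initiated": pix.inbound(2, SERVER, SERVER_PORT, "192.168.13.13", 1234),
        "udp_reply_in_time": pix.inbound(70, SERVER, SERVER_PORT, *udp, proto="udp"),
        "udp_reply_late": pix.inbound(70 + UDP_IDLE_TIMEOUT + 1, SERVER, SERVER_PORT,
                                      *udp, proto="udp"),
    }


if __name__ == "__main__":
    for mode in (STATIC, POLICY_PAT):
        print(mode, run_scenarios(mode))
```

Running it shows the trade-off in one screen: the static configuration keeps the workstation's source port and, whenever the outside access-list allows it, lets the server open connections to any port on the workstation and deliver late UDP replies; the nat/global configuration rewrites the source port and delivers inbound traffic only while a live entry exists, so the server cannot reach the workstation on its own initiative. Which one is right depends on whether the partner server ever needs to call back; if it does not, the second configuration leaves less exposed.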
