Cisco 506e

Discussion in 'Cisco' started by vollind@harneyesd.k12.or.us, Dec 8, 2004.

  1. 12.or.us

    12.or.us Guest

    Is it possible to assign 3 IP addresses on the same subnet to the
    outside of a 506e? Is it also possible to NAT 3 internal networks to
    those external IPs? For instance:

    External IP Internal IP

    159.121.228.6 - 172.16.0.0 - 172.16.0.255
    159.121.228.7 - 192.168.0.0 - 192.168.0.255
    159.121.228.8 - 10.0.0.0 - 10.0.0.255

    I am a newbie with Cisco so I need this spelled out to me completely, with
    the commands. I want to set up three different networks behind this
    506e and route each one out a different IP for the purpose of VPN
    connections etc.

    Setup for a computer would be:

    IP Address 172.16.0.3
    Subnet Mask 255.255.255.0
    Gateway 172.16.0.1

    and so on.
     
    12.or.us, Dec 8, 2004
    #1

  2. mcaissie

    mcaissie Guest

    You can create 3 global IPs, each associated with one of 3 nat rules:

    access-list acl1 permit ip 172.16.0.0 255.255.255.0 any
    access-list acl2 permit ip 192.168.0.0 255.255.255.0 any
    access-list acl3 permit ip 10.0.0.0 255.255.255.0 any

    global (outside) 1 159.121.228.6
    global (outside) 2 159.121.228.7
    global (outside) 3 159.121.228.8

    nat (inside) 1 access-list acl1
    nat (inside) 2 access-list acl2
    nat (inside) 3 access-list acl3



    <12.or.us> wrote in message
    news:...
    > Is it possible to assign 3 IP addresses on the same subnet to the
    > outside of a 506e? Is it also possible to NAT 3 internal networks to
    > those external IPs? For instance:
    >
    > External IP Internal IP
    >
    > 159.121.228.6 - 172.16.0.0 - 172.16.0.255
    > 159.121.228.7 - 192.168.0.0 - 192.168.0.255
    > 159.121.228.8 - 10.0.0.0 - 10.0.0.255
    >
    > I am a newbie with Cisco so I need this spelled out to me completely, with
    > the commands. I want to set up three different networks behind this
    > 506e and route each one out a different IP for the purpose of VPN
    > connections etc.
    >
    > Setup for a computer would be:
    >
    > IP Address 172.16.0.3
    > Subnet Mask 255.255.255.0
    > Gateway 172.16.0.1
    >
    > and so on.
    >
     
    mcaissie, Dec 8, 2004
    #2

  3. In article <>,
    <12.or.us> wrote:
    :Is it possible to assign 3 IP addresses on the same subnet to the
    :outside of a 506e? Is it also possible to NAT 3 internal networks to
    :those external IPs? For instance:

    Sorry, what was it you did not understand about my posting yesterday
    when you asked this same question with a different phrasing?

    If the method was not clear to you after reading my response, then
    instead of re-posting, you should have asked specific questions in reply.

    http://groups.google.ca/groups?selm=cp4vcf$o02$
    --
    Warning: potentially contains traces of nuts.
     
    Walter Roberson, Dec 8, 2004
    #3
  4. 12.or.us

    12.or.us Guest

    Thank you very much, this is very helpful. What are the commands for
    creating an access-list, for creating a global (outside) and for creating
    a nat (inside)? I know the PIX only at its basic level (enough to be
    dangerous).
     
    12.or.us, Dec 8, 2004
    #4
  5. In article <>,
    <12.or.us> wrote:
    :Thank you very much, this is very helpful. What are the commands for
    :creating an access-list, for creating a global (outside) and for creating
    :a nat (inside)? I know the PIX only at its basic level (enough to be
    :dangerous).

    Log in to the PIX. If you are using ssh, then you need to know that
    the default username is 'pix'. You will not be able to use ssh or
    telnet until some basic configuration has been put in place by connecting
    via the serial console. [Unless, that is, your 506E has PIX 6.2 or later:
    in that case, you will be able to connect from the inside by putting
    yourself on the 192.168.1.x network and addressing the PIX as 192.168.1.1 .]

    Once logged into the PIX, give the command enable and enter the enable
    password when prompted. There is very little you can do with the PIX
    when you are not in enable mode.

    Once you are in enable mode, to configure something, give the command
    configure terminal
    and then type in the configuration statements you want. Give the
    configuration statement exit to leave configuration mode. While you
    are in configuration mode, you will still have full access to all
    commands that you would have in enable mode. For example, while you
    are in the middle of configuring something, you can

    show access-list

    to have the access-lists displayed.

    A common access-list configuration statement would look something like

    access-list out2in permit tcp any host 69.70.71.72 eq smtp

    'out2in' is an arbitrary label that can be a number as well (and
    that doesn't mean anything special, it's just a name as far as the PIX
    is concerned.) I would generally advise against using dashes ('-') when
    you are creating arbitrary names, though, as there are two places in
    the pix configuration where the dash would be interpreted as indicating
    a range instead of as just a part of a name. More obscurely, there is
    an extended form of the 'show' command in which underscores ('_') are
    treated as single-character wildcards unless they are prefixed with a
    backslash ('\').

    To continue adding to an access-list, just type in more statements
    with the same access-list name when you are in configure mode.

    When you are finished creating an access-list and want it to be
    in effect on the outside interface, then in configure mode give
    the command access-group out2in in interface outside

    where 'out2in' is replaced by whatever ACL name you were creating.


    To create a global command, be in configure mode and type it in.
    Same with 'nat' commands. The other poster gave good examples of
    what you might want to put into 'global' and 'nat' commands for
    your situation.


    When you have finished your configuration session and you want
    the changes you just made to still be in effect when the
    PIX is next rebooted, give the command write memory from either configure
    mode or from enable mode.


    I recommend to you that you bookmark this page:

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/index.htm

    and that you start by reading the Configuration Guide, and proceed
    from there to the Command Reference.


    Note: there is also a graphical configuration interface named 'pdm'
    that is available. If it is installed [on your pix] and enabled,
    then you can connect to your pix via https://The.IP.Add.ress
    and you will get the nice GUI.
    --
    Disobey all self-referential sentences!
     
    Walter Roberson, Dec 8, 2004
    #5
  6. 12.or.us

    12.or.us Guest

    Thank you for your reply. I am still having a problem getting the other
    networks to go through the firewall. Here is what I have done so far.

    access-list acl1 permit ip 172.16.0.0 255.255.255.0 any

    global (outside) 1 159.121.228.71

    nat (inside) 1 access-list acl1

    route inside 172.16.0.0 255.255.255.0 159.121.228.71

    global (inside) 1 172.16.0.1

    Each of the commands took ok. Here is the scenario I am trying to get
    this to work with. I want to run both the 192. and the 172 networks
    into an HP switch which the 506e is plugged into. I want to be able to
    give each network a default gateway (for instance the 192. network will
    have a 192.168.0.1 gateway) the 172. network will have a 172.16.0.1
    gateway. One of the problems I am seeing is when I create a global ip
    on the pix for instance:

    global (outside) 1 159.121.228.71

    I can't ping that ip address from outside the pix. I also can't ping
    the global inside 172 ip. Either there is some configuration on the
    pix I am missing or additional equipment is needed to make this work.
    Any help would be greatly appreciated.
     
    12.or.us, Dec 9, 2004
    #6
  7. In article <>,
    <12.or.us> wrote:
    :Here is what I have done so far.

    :access-list acl1 permit ip 172.16.0.0 255.255.255.0 any

    :global (outside) 1 159.121.228.71

    :nat (inside) 1 access-list acl1

    When you are configuring to allow traffic out to 'any', you would
    normally skip going through an access list, and just code

    nat (inside) 1 172.16.0.0 255.255.255.0

    :route inside 172.16.0.0 255.255.255.0 159.121.228.71

    That seems unlikely. That would imply that 159.121.228.71 is
    the IP address of an inside router, but your global statement indicates
    that you also want all outgoing traffic mapped to appear to be
    from 159.121.228.71 . Your configuration would lead us to deduce
    that 159.121.228.71 is an address on the inside interface and that
    you must have an outside router that is either routing 159.121.228.71
    to the PIX or else that your outside router has a secondary IP
    address range that includes 159.121.228.71 and you are counting
    on proxy arp.

    My take, though, given your other configuration commands, is that
    you don't know how to configure a PIX and that one or more of your
    statements is just plain wrong.


    :global (inside) 1 172.16.0.1

    Useless. Eliminate that.


    :Each of the commands took ok. Here is the scenario I am trying to get
    :this to work with. I want to run both the 192. and the 172 networks
    :into an HP switch which the 506e is plugged into. I want to be able to
    :give each network a default gateway (for instance the 192. network will
    :have a 192.168.0.1 gateway) the 172. network will have a 172.16.0.1
    :gateway.

    The PIX will not act as multiple gateway addresses on the
    same interface. If you want multiple inside networks, you must have
    an internal router [unless *every* machine on one of the networks
    is Windows NT/2000/XP, in which case you can use an ugly hack that
    works but is decidedly not recommended.]

    : One of the problems I am seeing is when I create a global ip
    :on the pix for instance:

    :global (outside) 1 159.121.228.71

    :I can't ping that ip address from outside the pix.

    It isn't at all clear what relationship 159.121.228.71 has to
    your outside address range. That IP address appears to be a public
    IP belonging to the State of Oregon whose email address is reflected
    in your header, so I would suspect that 159.121.228.71 is a public
    IP that you want to use on your outside network -- in which case
    your 'route' statement is wrong, because your route statement
    is set up to try to send 172.16 over to that IP.

    : I also can't ping
    :the global inside 172 ip.

    You can't ping an inside interface IP from the outside. [Not unless
    you have established a VPN to the inside interface and configured
    it as a 'management interface'.]

    : Either there is some configuration on the
    :pix I am missing or additional equipment is need to make this work.

    Both I suspect.


    How many public IPs do you have? If you have only one public IP then
    your configuration needs to be slightly different than if you
    have multiple public IPs. Here's the part in common. Substitute
    appropriate values for the IP addresses and netmasks. oi<n>, ii<n>,
    om<n>, im<n> are placeholders here, as you haven't given enough
    information for us to deduce what the proper netmasks are.

    : set up the outside IP. Change oi4 and om4 to proper values.
    ip address outside 159.121.228.oi4 255.255.255.om4

    : set up the inside IP. Change ii2-ii4 and im2-im4 to proper values.
    ip address inside 192.ii2.ii3.ii4 255.im2.im3.im4

    : allow main inside network to go out. Change ii2-ii3 and im2-im4
    : to same values as for ip address outside, but ib4 should be the
    : base address of the range (usually 0 if you are doing a 192.168
    : private range, but you haven't given us enough information to know that)
    nat (inside) 1 192.ii2.ii3.ib4 255.im2.im3.im4

    : allow second inside network to go out. This at least we have enough
    : information to fully fill out.
    nat (inside) 1 172.16.0.0 255.255.255.0

    : tell the PIX how to find 172.16/24 on the inside.
    : 192.ii2.ii3.ri4 should be changed to the IP address of an inside
    : router that is on the same IP address range as your inside interface.
    route inside 172.16.0.0 255.255.255.0 192.ii2.ii3.ri4

    : allow some icmp from the outside to the inside LANs. PIX is not
    : very good at figuring out which icmp are "replies" and needs some help
    : in knowing what to let through. There is nothing special about
    : the name outside2inside, it's just an arbitrary label that needs to
    : be used consistently with the access-group command.
    access-list outside2inside permit icmp any any echo-reply
    access-list outside2inside permit icmp any any ttl-exceeded
    access-list outside2inside permit icmp any any unreachable

    : activate the outside ACL against the outside interface.
    : outside2inside is an arbitrary label as above, but everything else
    : is literal.
    access-group outside2inside in interface outside


    Now choose one of these two:


    :Single outside IP case:

    : allow all internal traffic to be sent to outside via Port Address
    : Translation (PAT) through the outside interface IP address.
    : 'interface' is a literal keyword.
    global (outside) 1 interface


    :Multiple outside IP addresses case, with 159.121.228.71 being in
    :the range of the outside IP but NOT being the same as the outside IP:
    global (outside) 1 159.121.228.71


    To repeat myself for emphasis: to have the PIX handle multiple
    internal networks, you *need* an inside router [unless you want
    to use a really ugly hack], and the internal machines should be set
    to have their gateway point to the internal router rather than the PIX.
    The internal router should then have a default route that points to
    the single 192.* inside IP of the PIX.
    --
    This is not the same .sig the second time you read it.
     
    Walter Roberson, Dec 9, 2004
    #7
  8. <12.or.us> wrote:

    > Is it possible to assign 3 IP addresses on the same
    > subnet to the ouside of a 506e?


    Sorry, that can't be done.

    > Is it also possible to nat 3 internal networks to
    > those external ip"s.


    Yes, that's pretty easy:

    global (outside) 1 159.121.228.6
    global (outside) 2 159.121.228.7
    global (outside) 3 159.121.228.8
    nat (inside) 1 172.16.0.0 255.255.255.0 0 0
    nat (inside) 2 192.168.0.0 255.255.255.0 0 0
    nat (inside) 3 10.0.0.0 255.255.255.0 0 0

    And then you need a router to the inside network in
    order to route two of the three internal networks
    to the Pix because the inside interface of the Pix
    can only have one IP assigned (well, you could try
    with VLANs, but that's another story).
     
    Jyri Korhonen, Dec 9, 2004
    #8
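    The configuration posted in #2, #7 and #8 all rests on one pairing rule: a nat (inside) statement is matched to the global (outside) statement that carries the same id, and that id is what decides which public address a given inside network leaves on. Post #7 also shows two ways the fragment in #6 goes wrong: a route inside whose next hop is one of the public global addresses, and a global placed on the inside interface. The Python below is an added example written for this page, not code from any poster or from Cisco: a small lint that parses only the command forms used in this thread (global, nat with either a network/mask or an access-list, route, access-list, access-group), builds the inside-network to outside-address map, and reports those two mistakes plus dangling nat and access-group references. The two embedded configurations are constructed for the example; the first mirrors the three-network design in #8, the second the fragment in #6 with its typos removed. It knows nothing about other PIX commands or about the ip address statements that would be needed to check masks.

```python
import ipaddress

# Constructed sample inputs for this example: the three-network design from
# post #8, and the fragment from post #6 that post #7 picks apart.
THREE_NETWORK_CFG = """\
global (outside) 1 159.121.228.6
global (outside) 2 159.121.228.7
global (outside) 3 159.121.228.8
nat (inside) 1 172.16.0.0 255.255.255.0 0 0
nat (inside) 2 192.168.0.0 255.255.255.0 0 0
nat (inside) 3 10.0.0.0 255.255.255.0 0 0
"""
BROKEN_CFG = """\
: PIX comment lines start with a colon; the parser skips them.
access-list acl1 permit ip 172.16.0.0 255.255.255.0 any
global (outside) 1 159.121.228.71
nat (inside) 1 access-list acl1
route inside 172.16.0.0 255.255.255.0 159.121.228.71
global (inside) 1 172.16.0.1
"""

def _net(addr, mask):
    """PIX writes 'address dotted-mask'; ipaddress accepts 'address/dotted-mask'."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_pix(text):
    """Parse only the PIX 6.x command forms that appear in this thread."""
    cfg = {"globals": [], "nats": [], "routes": [], "acls": {}, "groups": []}
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0][0] in ":!":                  # blank or comment line
            continue
        if t[0] == "global" and len(t) >= 4:          # global (iface) id <addr|interface>
            cfg["globals"].append({"iface": t[1].strip("()"), "id": t[2], "addr": t[3]})
        elif t[0] == "nat" and len(t) >= 5:           # nat (iface) id {access-list NAME | net mask [0 0]}
            entry = {"iface": t[1].strip("()"), "id": t[2]}
            if t[3] == "access-list":
                entry["acl"] = t[4]
            else:
                entry["net"] = _net(t[3], t[4])
            cfg["nats"].append(entry)
        elif t[0] == "route" and len(t) >= 5:         # route iface net mask gateway
            cfg["routes"].append({"iface": t[1], "net": _net(t[2], t[3]), "gw": t[4]})
        elif t[0] == "access-list" and len(t) >= 3:   # access-list NAME permit|deny ...
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group" and len(t) >= 5:  # access-group NAME in interface IFACE
            cfg["groups"].append({"acl": t[1], "iface": t[4]})
    return cfg

def _acl_sources(entries):
    """Source networks of 'permit <proto> <net> <mask> ...' entries."""
    return [_net(e[2], e[3]) for e in entries
            if len(e) >= 4 and e[0] == "permit" and e[2] not in ("any", "host")]

def nat_map(cfg):
    """{inside network: outside address} for each nat id that has an outside global."""
    by_id = {g["id"]: g["addr"] for g in cfg["globals"] if g["iface"] == "outside"}
    mapping = {}
    for n in cfg["nats"]:
        if n["id"] in by_id:
            nets = [n["net"]] if "net" in n else _acl_sources(cfg["acls"].get(n["acl"], []))
            for net in nets:
                mapping[str(net)] = by_id[n["id"]]
    return mapping

def lint(cfg):
    """Findings for the mistakes the replies in this thread point out."""
    findings = []
    outside = [g for g in cfg["globals"] if g["iface"] == "outside"]
    ids, addrs = {g["id"] for g in outside}, {g["addr"] for g in outside}
    for g in cfg["globals"]:
        if g["iface"] != "outside":
            findings.append(f"global ({g['iface']}) {g['id']}: a global pool on a non-outside "
                            "interface does nothing for inside-to-outside NAT")
    for n in cfg["nats"]:
        if n["id"] not in ids:
            findings.append(f"nat ({n['iface']}) {n['id']}: no global (outside) with that id")
        if "acl" in n and n["acl"] not in cfg["acls"]:
            findings.append(f"nat ({n['iface']}) {n['id']}: access-list {n['acl']} is not defined")
    for r in cfg["routes"]:
        if r["gw"] in addrs:
            findings.append(f"route {r['iface']} {r['net']}: next hop {r['gw']} is also a global "
                            "(outside) address; an inside route must point at an inside router")
    for grp in cfg["groups"]:
        if grp["acl"] not in cfg["acls"]:
            findings.append(f"access-group {grp['acl']}: access-list is not defined")
    return findings

if __name__ == "__main__":
    for name, text in (("post #8", THREE_NETWORK_CFG), ("post #6", BROKEN_CFG)):
        cfg = parse_pix(text)
        print(f"== {name} ==", *[f"  {k} -> {v}" for k, v in nat_map(cfg).items()],
              *[f"  WARN {f}" for f in lint(cfg)], sep="\n")
```

    Run it as a script and the first configuration prints the three inside networks each mapped to its own public address with no warnings, while the second prints the single 172.16.0.0/24 mapping followed by warnings for the global (inside) line and for the route whose next hop is the public global address. Because nat_map only pairs a nat with a global on the outside interface, a nat whose id has no outside global simply drops out of the map and shows up as a warning instead.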