Cisco PIX Config Help

Discussion in 'Cisco' started by Eric Elliston, Apr 29, 2004.

  1. Hello,

    I am going to install a pix 515E w/2 ethernet ports.

    Currently, each server has 2 ethernet ports. One has a public IP and the
    other has a private.

    When I install the pix, I want the traffic to just pass through the device
    and only allow certain ports through. I have set up several pix firewalls
    in the past, but I have always used NAT translations to an inside private IP
    address. I am trying to avoid removing all the public IP addresses from the
    server.

    Is there a way to configure a pix to filter traffic without having to use
    NAT/PAT? I want it to filter on that public IP address range. My guess is,
    it will still be the same.....but this is a HUGE cutover tonight and it's in
    a datacenter whose network I am not familiar with.

    If you could please email me the response to ,
    that would be great. I will be on the road and I can get my email on my
    blackberry.

    Thanks!

    Eric Elliston
    Eric Elliston, Apr 29, 2004
    #1

  2. In article <Pq9kc.530982$>,
    Eric Elliston <> wrote:
    :When I install the pix, I want the traffic to just pass through the device
    :and only allow certain ports through. I have set up several pix firewalls
    :in the past, but I have always used NAT translations to an inside private IP
    :address. I am trying to avoid removing all the public IP addresses from the
    :server.

    :Is there a way to configure a pix to filter traffic without having to use
    :NAT/PAT? I want it to filter on that public IP address range.

    People sometimes ask for the PIX to be a "filtering bridge", but the
    PIX cannot do that. In particular, the IP subnet of each interface must
    be distinct. Thus, you might not be able to do what you would like.

    Fortunately, there are a couple of work-arounds. You can 'static'
    addresses to themselves, and you do not need nat/global pairs for any
    address that you static that way. You can use 'nat (inside) 0' followed
    by a subnet, and no 'global' statement, if what you need is for the
    addresses to go *out* unchanged, but you do not need the outside to
    be able to start new connections to those addresses. You can use
    'nat (inside) 0 access-list ACLNAME', and no 'global' statement,
    and any traffic that matches that ACL will go out with the address
    unchanged; there will also be a side effect that any -incoming- traffic
    that matches the given ACL (with the source and destinations switched
    around) will be permitted to start new connections to the inside even
    if you have no 'static' for the destination addresses, as long as
    that incoming traffic is permitted by the ACL associated with the outside
    interface. Note, though, that proxy-arp is NOT enabled for
    the nat 0 access-list construct.


    With all these variations, you are still constrained by basic routing:
    the interfaces must have different IP ranges, and any public addresses
    must be routed by your router to the PIX outside IP (except when you
    can use proxy-arp.) In practice, this means that if you have a public
    IP range and you want to "insert the PIX in the middle", then you
    have to do one of:

    (a) use a private IP range to communicate between the router and the
    PIX. If you do this, then ensure that on the router, you set up
    NAT so that if the PIX sends out packets (such as icmp echo or
    icmp ttl-exceeded) that the PIX private address gets translated into a public
    address before ending up on the public network; or

    (b) subnet the public IP range, using one of the subnets on the outside
    interface and a different subnet of the public range for the inside
    interface; or

    (c) arrange with your ISP to have all your public IP space sent to you
    over a small (/29 is common) "carrier" address space that is distinct
    from your public IP space, so that your router can route the entire
    public address space to the PIX (the outside address of which would
    be one of the IPs in the /29). This does, though, require that the
    router itself be able to do some amount of bridging, so that the
    port the PIX is connected to can be in the same IP range as the carrier
    range.


    At our site, we went with a combination of (b) and (c): our address
    space is sent to us via a "carrier" network, and we broke one of our
    /24's into a number of fragments, one of which is shared between the
    router and the PIX. [Note that if you break your address space into
    multiple fragments that are all routed to the PIX, then you will
    probably need 'route' statements on the PIX to send the remaining
    fragments to the LAN router on your inside interface.]


    If you don't control the router (and so can't change the routings
    and subnet masks nor use a private IP range), and if you can't get
    a "carrier" network, then Yes, you'd -really- like the PIX to
    "just filter", but there is no way to configure that, so you -would-,
    under those circumstances, be forced into using private IPs and NAT.
    --
    Rome was built one paycheck at a time. -- Walter Roberson
    Walter Roberson, Apr 29, 2004
    #2
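    The following is an added configuration example illustrating the
    "static an address to itself" approach and option (b) from the post
    above; it is not from the thread or from Cisco's documentation. It
    assumes PIX 6.x syntax, a two-interface 515E, and that the site's public
    /24 is 203.0.113.0/24 (a documentation range, used here as a stand-in).
    The /24 is split: 203.0.113.0/28 is the router-to-PIX link on the
    outside, 203.0.113.16/28 is the server LAN on the inside, and a further
    fragment, 203.0.113.32/27, sits behind a LAN router at 203.0.113.20.
    Hostnames, ACL names and the permitted ports are all invented for the
    example.

```cisco
! Interfaces: two different subnets of the same public /24 (option (b))
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.240
ip address inside 203.0.113.17 255.255.255.240

! Identity translation: the inside /28 appears unchanged on the outside.
! No nat/global pair is needed for addresses covered by this static, and
! the PIX will proxy-ARP for them on the outside interface.
static (inside,outside) 203.0.113.16 203.0.113.16 netmask 255.255.255.240

! Alternative to the static (not both): nat 0 with an ACL. Matching traffic
! leaves untranslated, and the reverse direction may start connections to the
! inside if OUTSIDE_IN permits it, but the PIX will NOT proxy-ARP for these
! addresses, so the upstream router must route the /28 to 203.0.113.2.
! access-list NONAT permit ip 203.0.113.16 255.255.255.240 any
! nat (inside) 0 access-list NONAT

! Only the wanted services may be initiated from the outside; everything
! else is dropped. Replies to inside-initiated sessions are stateful.
access-list OUTSIDE_IN permit tcp any host 203.0.113.18 eq www
access-list OUTSIDE_IN permit tcp any host 203.0.113.18 eq 443
access-list OUTSIDE_IN permit tcp any host 203.0.113.19 eq smtp
access-list OUTSIDE_IN deny ip any any
access-group OUTSIDE_IN in interface outside

! Routing: default to the upstream router; the remaining fragment of the
! /24 lives behind a LAN router on the inside interface.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 203.0.113.32 255.255.255.224 203.0.113.20 1
```

    Two things to check at cutover. First, the upstream router must carry
    a route for 203.0.113.16/28 (and 203.0.113.32/27) pointing at
    203.0.113.2, or, if you rely on proxy-ARP from the static, must at
    least have those addresses as directly connected, which only works
    when the router's port and the PIX outside share the same subnet.
    Second, the servers' inside-facing default gateway has to become the
    PIX inside address (203.0.113.17); a server that keeps its old
    gateway on a now-unreachable address will answer nothing. The
    explicit `deny ip any any` at the end of OUTSIDE_IN is redundant with
    the implicit deny but makes `show access-list` hit counters show
    what is being dropped during the cutover.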

  3. Matt (Guest)

    Eric,
    Set up NAT like you normally would.
    Then use the static command to map an outside address to the machine's
    inside address.
    Once you've done that the machine will be 'naked' on the internet with
    its inside (10.x.x.x or 192.168.x.x) address.
    Then just set up access-lists for the outside IP and you'll be all set!

    ~ M

    Eric Elliston wrote:

    > Hello,
    >
    > I am going to install a pix 515E w/2 ethernet ports.
    >
    > Currently, each server has 2 ethernet ports. One has a public IP and the
    > other has a private.
    >
    > When I install the pix, I want the traffic to just pass through the device
    > and only allow certain ports through. I have set up several pix firewalls
    > in the past, but I have always used NAT translations to an inside private IP
    > address. I am trying to avoid removing all the public IP addresses from the
    > server.
    >
    > Is there a way to configure a pix to filter traffic without having to use
    > NAT/PAT? I want it to filter on that public IP address range. My guess is,
    > it will still be the same.....but this is a HUGE cutover tonight and it's in
    > a datacenter whose network I am not familiar with.
    >
    > If you could please email me the response to ,
    > that would be great. I will be on the road and I can get my email on my
    > blackberry.
    >
    > Thanks!
    >
    > Eric Elliston
    >
    >
    Matt, Apr 29, 2004
    #3
  4. In article <>,
    Matt <> wrote:
    :Set up NAT like you normally would.
    :Then use the static command to map an outside address to the machine's
    :inside address.
    :Once you've done that the machine will be 'naked' on the internet with
    :its inside (10.x.x.x or 192.168.x.x) address.
    :Then just set up access-lists for the outside IP and you'll be all set!

    Eric (the original poster) explicitly indicated he wanted to use public
    IPs inside, and not have to renumber to private (e.g., 10.x.x.x or
    192.168.x.x) address ranges.

    Your solution thus does not address his needs. He would like to use
    same IP address space on both sides of the PIX. See my posting for
    a more detailed analysis of the possibilities.
    --
    millihamlet: the average coherency of prose created by a single monkey
    typing randomly on a keyboard. Usenet postings may be rated in mHl.
    -- Walter Roberson
    Walter Roberson, Apr 29, 2004
    #4
