Cisco PIX501 Config Help

Discussion in 'Cisco' started by richard.stoneman@gmail.com, Mar 15, 2006.

  1. Guest

    Hi,

    I have a Pix 501 which I am trying to configure in the following
    environment:

    1) Router (10.215.112.33) connected to the internet
    2) LAN A (10.215.112.32 / 27)
    3) LAN B (10.212.35.0 / 24)
    4) Cisco Pix501 (Inside=10.212.35.2, Outside=10.215.112.35)

    From LAN A I can ping the Cisco Pix on 10.215.112.35.
    From LAN B I can ping the Cisco Pix on 10.212.35.2.


    I need to be able to do the following:

    1) From LAN B I need to be able to access devices on LAN A (such as
    10.215.112.33).

    2) I need statically assigned NAT (I think!) so that traffic for
    10.215.112.34 always goes to 10.212.35.60

    Here is my current config:

    Building configuration...e <if_name> <audit_name>
    : Saved
    :
    PIX Version 6.3(5)

    interface ethernet0 auto_number> disable
    interface ethernet1 100full
    show|cl
    nameif ethernet0 outside security0ace <interface>]
    nameif ethernet1 inside security100
    show ip [addre
    enable password sxoDUvFgNGNRIZl3 encrypted

    passwd 2KFQnbNIdI.2KYOU encryptedwall(config)# ip address inside 1
    hostname cf-pixfirewall
    domain-name xxxxxxxx.local
    Interface address
    fixup protocol dns maximum-length 512

    fixup protocol ftp 21wall(config)# no dhcp
    fixup protocol h323 h225 1720
    Ambiguous com
    fixup protocol h323 ras 1718-1719
    fixup protocol sip udp 5060sip2>]
    fixup protocol skinny 2000cpd wins <winsip1> [<winsi
    fixup protocol smtp 25

    fixup protocol sqlnet 1521length>
    fixup protocol tftp 69 dhcpd ping_timeout <t
    names>
    pager lines 24
    mtu outside 1500 domain <domain_
    mtu inside 1500
    ip address outside 10.215.112.35 255.255.255.224ng> | hex <hex_string>
    |
    ip address inside 10.212.35.2 255.255.255.0 ip <address_1>
    [<address_2>]}
    ip audit info action alarm

    ip audit attack action alarm
    pdm logging informational 100v_ifc_name>
    pdm history enable show dhcpd
    arp timeout 14400s]
    global (outside) 1 interfaceixfirewall(con
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.212.35.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:a44671637db93e8fb6c3294cbcb3518d
    : end
    [OK]
     
    , Mar 15, 2006
    #1

  2. mcaissie Guest

    > 1) From LAN B I need to be able to access devices on LAN A (such as
    > 10.215.112.33).


    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    global (outside) 1 interface

    These 2 lines will configure the PIX to NAT all traffic coming from the
    inside with the outside interface address.
    This will allow normal internet access for the inside users.

    > 2) I need statically assigned NAT (I think!) so that traffic for
    > 10.215.112.34 always goes to 10.212.35.60


    static (inside,outside) 10.215.112.34 10.212.35.60 netmask 255.255.255.255 0
    0

    access-list acl-out permit ip any host 10.215.112.34
    access-group acl-out in interface outside

    The first line will make the inside host 10.212.35.60 visible on the
    outside at 10.215.112.34.
    But you also need to give access permissions with the 2 other lines, since
    the traffic needs to go from a less secure to a more secure zone. This is
    done with the access-list and the access-group commands. My example allows
    all IP, but you could be more granular. For example
    access-list acl-out permit tcp any host 10.215.112.34 eq 80 would give
    only HTTP access.


     
    mcaissie, Mar 15, 2006
    #2

  3. Guest

    mcaissie wrote:
    > > 1) From LAN B I need to be able to access devices on LAN A (such as
    > > 10.215.112.33).

    >
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > global (outside) 1 interface
    >
    > This 2 lines will configure the PIX to nat all traffic coming from the
    > inside with the outside interface address.
    > This will allow normal internet access for the inside users.
    >


    Thank you - I have added these two lines.

    I can successfully ping LAN A (eg 10.215.112.33) from the PIX but NOT
    from a client on the inside of the pix (10.212.35.20). I have noticed
    that I do not have any static routes set up for the internal and
    external interfaces on the pix - is this an issue?
     
    , Mar 15, 2006
    #3
  4. mcaissie Guest

    <> wrote in message
    news:...
    >
    > mcaissie wrote:
    >> > 1) From LAN B I need to be able to access devices on LAN A (such as
    >> > 10.215.112.33).

    >>
    >> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    >> global (outside) 1 interface
    >>
    >> This 2 lines will configure the PIX to nat all traffic coming from the
    >> inside with the outside interface address.
    >> This will allow normal internet access for the inside users.
    >>

    >
    > Thank you - I have added these two lines.
    >
    > I can successfully ping LAN A (eg 10.215.112.33) from the PIX but NOT
    > from a client on the inside of the pix (10.212.35.20). I have noticed
    > that I do not have any static routes set up for the internal and
    > external interfaces on the pix - is this an issue?
    >


    There are no routing issues; those subnets are directly connected. But I
    think that ICMP is denied by default on the outside, even for the replies.
    So you can add the following lines in your acl-out and give it a try:

    access-list acl-out permit icmp any any echo-reply
    access-list acl-out permit icmp any any source-quench
    access-list acl-out permit icmp any any unreachable
    access-list acl-out permit icmp any any time-exceeded
     
    mcaissie, Mar 15, 2006
    #4
  5. Guest


    > There are no routing issues; those subnets are directly connected. But I
    > think that ICMP is denied by default on the outside, even for the replies.
    > So you can add the following lines in your acl-out and give it a try:
    >
    > access-list acl-out permit icmp any any echo-reply
    > access-list acl-out permit icmp any any source-quench
    > access-list acl-out permit icmp any any unreachable
    > access-list acl-out permit icmp any any time-exceeded


    Still no joy! From the clients on the inside I can't access anything on
    the outside.

    Here's my config now in case you can see anything else I've missed:

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password sxoDUvFgNGNRIZl3 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname cf-pixfirewall
    domain-name xxxxxxxxx.local
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_access_in permit tcp any any
    access-list acl-out permit icmp any any echo-reply
    access-list acl-out permit icmp any any source-quench
    access-list acl-out permit icmp any any unreachable
    access-list acl-out permit icmp any any time-exceeded
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 10.215.112.35 255.255.255.224
    ip address inside 10.212.35.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group inside_access_in in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.212.35.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:9dc4bc6c12225487786f091c4809b551
    : end
     
    , Mar 15, 2006
    #5
  6. In article <>,
    <> wrote:

    >Still no joy! From the clients on the inside I can't access anything on
    >the outside.


    >PIX Version 6.3(5)


    Thanks, that previous config was too messy to parse.

    >access-list inside_access_in permit tcp any any


    >access-list acl-out permit icmp any any echo-reply
    >access-list acl-out permit icmp any any source-quench
    >access-list acl-out permit icmp any any unreachable
    >access-list acl-out permit icmp any any time-exceeded


    You don't use that ACL, acl-out .

    >global (outside) 1 interface
    >nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    >access-group inside_access_in in interface inside


    You allow all tcp access out, but you don't allow even one
    system to do DNS (UDP).
     
    Walter Roberson, Mar 16, 2006
    #6
  7. Guest

    Walter Roberson wrote:
    > In article <>,
    > <> wrote:
    >
    > >Still no joy! From the clients on the inside I can't access anything on
    > >the outside.

    >
    > >PIX Version 6.3(5)

    >
    > Thanks, that previous config was too messy to parse.
    >
    > >access-list inside_access_in permit tcp any any

    >
    > >access-list acl-out permit icmp any any echo-reply
    > >access-list acl-out permit icmp any any source-quench
    > >access-list acl-out permit icmp any any unreachable
    > >access-list acl-out permit icmp any any time-exceeded

    >
    > You don't use that ACL, acl-out .
    >
    > >global (outside) 1 interface
    > >nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > >access-group inside_access_in in interface inside

    >
    > You allow all tcp access out, but you don't allow even one
    > system to do DNS (UDP).


    How can I allow all traffic out? Is there a single command to do this?
    I still can't get to anything externally from the internal clients but
    I can from the PIX. To be honest, I'm only using the Pix for
    NAT...security isn't an issue in this environment.
     
    , Mar 16, 2006
    #7
  8. In article <>,
    <> wrote:

    >Walter Roberson wrote:
    >> In article <>,
    >> <> wrote:


    >> >PIX Version 6.3(5)


    >> >access-list inside_access_in permit tcp any any


    >> >access-group inside_access_in in interface inside


    >How can I allow all traffic out? Is there a single command to do this?


    Use
    no access-group inside_access_in in interface inside
    to deactivate the access-group .

    If there is no access-group for the inside interface, all connections
    are permitted outwards, provided that there is a translation for it.
    Your nat/ global pair provides the translation.
     
    Walter Roberson, Mar 17, 2006
    #8
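The two rules the thread converges on can be checked mechanically: the PIX only forwards inside-to-outside traffic that has a translation (mcaissie's nat/global pair or static, post #2), an access-group bound to the inside interface replaces the default "higher-to-lower security is permitted" behaviour with that ACL's implicit deny (Walter Roberson's DNS/UDP point in posts #6 and #8), and outside-to-inside traffic needs both a static and an explicit permit on the outside ACL. The following Python model is an added example, not code from the thread or from Cisco; it parses a constructed config assembled from the lines posted above (the nat/global pair, the static for 10.215.112.34, the `inside_access_in` and `acl-out` ACLs) and decides whether a given flow would pass. The client 10.212.35.20 comes from post #3; the outside source 10.215.112.40 and the `lint` checks (unused ACL, default SNMP community) are assumptions added for illustration. The model covers only the subset of PIX 6.3 syntax that appears in the thread and ignores stateful inspection, xlate timeouts and ICMP replies.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample config: the lines suggested in the thread, combined so
# that both the outbound and the inbound (static) cases can be exercised.
SAMPLE_CONFIG = """
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
static (inside,outside) 10.215.112.34 10.212.35.60 netmask 255.255.255.255 0 0
access-list inside_access_in permit tcp any any
access-list acl-out permit icmp any any echo-reply
access-list acl-out permit tcp any host 10.215.112.34 eq 80
access-group inside_access_in in interface inside
access-group acl-out in interface outside
snmp-server community public
"""
# Walter Roberson's fix from post #8: drop the access-group on the inside interface.
CONFIG_WITHOUT_INSIDE_ACL = SAMPLE_CONFIG.replace(
    "access-group inside_access_in in interface inside\n", "")

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]        # tcp/udp "eq <port>"; None means any port
    icmp_type: Optional[str]   # e.g. "echo-reply"; None means any type

@dataclass
class Config:
    acls: dict = field(default_factory=dict)      # name -> [Ace], in order
    groups: dict = field(default_factory=dict)    # interface -> ACL name
    nat: list = field(default_factory=list)       # (interface, nat id, network)
    globals_: set = field(default_factory=set)    # (interface, nat id)
    statics: list = field(default_factory=list)   # (mapped/outside ip, real/inside ip)
    snmp_communities: list = field(default_factory=list)

def _addr(tokens, i):
    """Parse 'any' | 'host X' | 'X MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_config(text):
    """Extract the NAT, static, ACL and access-group statements this model understands."""
    cfg = Config()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":            # access-list NAME permit PROTO SRC DST [eq P | icmp-type]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            icmp = t[i] if i < len(t) and t[3] == "icmp" else None
            cfg.acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, port, icmp))
        elif t[0] == "access-group":         # access-group NAME in interface IFACE
            cfg.groups[t[4]] = t[1]
        elif t[0] == "nat":                  # nat (IFACE) ID ADDR MASK ...
            cfg.nat.append((t[1].strip("()"), t[2],
                            ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "global":               # global (IFACE) ID interface
            cfg.globals_.add((t[1].strip("()"), t[2]))
        elif t[0] == "static":               # static (inside,outside) MAPPED REAL netmask ...
            cfg.statics.append((ipaddress.ip_address(t[2]), ipaddress.ip_address(t[3])))
        elif t[:2] == ["snmp-server", "community"]:
            cfg.snmp_communities.append(t[2])
    return cfg

def acl_permits(cfg, acl_name, proto, src, dst, port=None, icmp_type=None):
    """First matching entry wins; no match hits the implicit deny at the end of the ACL."""
    for ace in cfg.acls.get(acl_name, []):
        if ace.proto not in ("ip", proto) or src not in ace.src or dst not in ace.dst:
            continue
        if ace.port is not None and ace.port != port:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action == "permit"
    return False

def has_translation(cfg, inside_ip):
    """An inside host needs an xlate: a static for it, or a nat (inside) pool with a global (outside)."""
    if any(real == inside_ip for _mapped, real in cfg.statics):
        return True
    return any(inside_ip in net and ("outside", nat_id) in cfg.globals_
               for iface, nat_id, net in cfg.nat if iface == "inside")

def outbound_allowed(cfg, proto, src, dst, port=None):
    """Inside (security100) to outside (security0): translation first, then the inside ACL if any."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not has_translation(cfg, src):
        return False, "no nat/global or static translation for the source"
    acl = cfg.groups.get("inside")
    if acl is None:
        return True, "no access-group on inside: higher-to-lower security is permitted"
    if acl_permits(cfg, acl, proto, src, dst, port):
        return True, f"permitted by {acl}"
    return False, f"dropped by the implicit deny of {acl}"

def inbound_allowed(cfg, proto, src, mapped_dst, port=None):
    """Outside to inside: needs a static AND an explicit permit on the outside ACL (mapped address)."""
    src, mapped_dst = ipaddress.ip_address(src), ipaddress.ip_address(mapped_dst)
    real = next((r for m, r in cfg.statics if m == mapped_dst), None)
    if real is None:
        return False, "no static maps that outside address"
    acl = cfg.groups.get("outside")
    if acl is None or not acl_permits(cfg, acl, proto, src, mapped_dst, port):
        return False, "lower-to-higher security requires an explicit permit"
    return True, f"translated to {real}, permitted by {acl}"

def lint(cfg):
    """Findings of the kind raised in the thread: an ACL nobody applies, and the default SNMP community."""
    findings = [f"ACL {name} is defined but not applied with access-group"
                for name in cfg.acls if name not in cfg.groups.values()]
    if "public" in cfg.snmp_communities:
        findings.append("snmp-server community 'public' is the well-known default")
    return findings

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(outbound_allowed(cfg, "tcp", "10.212.35.20", "10.215.112.33", 80))
    print(outbound_allowed(cfg, "udp", "10.212.35.20", "10.215.112.33", 53))  # DNS is dropped
    print(outbound_allowed(parse_config(CONFIG_WITHOUT_INSIDE_ACL), "udp",
                           "10.212.35.20", "10.215.112.33", 53))
    print(inbound_allowed(cfg, "tcp", "10.215.112.40", "10.215.112.34", 80))
    print(lint(cfg))
```

Run as-is to see the tcp-only inside ACL pass a web connection but drop the client's DNS lookup, and the same lookup pass once the access-group is removed; `lint` on the post #5 config (where `acl-out` has no access-group) reports the unused ACL that Walter Roberson pointed out, and flags the `public` SNMP community that both posted configs still carry.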
