Newbie needing help

Discussion in 'Cisco' started by dances, Jan 1, 2004.

  1. dances

    dances Guest

    Hi, can someone help me please? I have been set the task of configuring a
    firewall at the company I work for because they are too tight to get a Cisco
    engineer in.
    I have read as much as I can on the set-up and think I have the basics. The
    problem, however, is that our ISP router has an outside address of 00.00.00.216 and
    the gateway is 00.00.00.222; the addresses in between are the ones we can use. My
    question is which address I would use for the firewall. At the moment our
    Exchange 2000 is using the 217 address and an internal address, so do I give
    the outside address of the firewall the 217? Or is there a way to use all of
    the address range from 217 to 221?
    I know this is easy stuff for someone who knows what they are doing. Thanks
    for any help in advance.
     
    dances, Jan 1, 2004
    #1

  2. Mike

    Mike Guest

    dances wrote:
    > Hi can someone help me please, I have been set the task to configure a
    > firewall at the company I work for because they are too tight to get a Cisco
    > engineer in.
    > I have read as much as I can on the set up and think I have the basics, the
    > problem is however our ISP router has a outside address of 00.00.00.216 and
    > the gateway is 00.00.00.222 the address between are the ones we can use, my
    > question is which address would I use for the firewall, at the moment our
    > exchange 2000 is using the 217 address,and a internal address, so do I give
    > the outside address of the firewall the 217? or is there a way to use all
    > the address range from 217 to 221?
    > I know this is easy stuff for someone who knows what they are doing. Thanks
    > for any help in advance.
    >
    >

    You might want to double-check those addresses. 00.00.00.xx is not a
    valid IP address. Also, can you provide the subnet mask? Then we can
    go from there.

    Thanks!

    -Mike
     
    Mike, Jan 1, 2004
    #2

  3. Walter Roberson

    Walter Roberson Guest

    In article <voWIb.253$>,
    dances <> wrote:
    :Hi can someone help me please, I have been set the task to configure a
    :firewall at the company I work for because they are too tight to get a Cisco
    :engineer in.
    :I have read as much as I can on the set up and think I have the basics, the
    :problem is however our ISP router has a outside address of 00.00.00.216 and
    :the gateway is 00.00.00.222 the address between are the ones we can use, my
    :question is which address would I use for the firewall, at the moment our
    :exchange 2000 is using the 217 address,and a internal address, so do I give
    :the outside address of the firewall the 217? or is there a way to use all
    :the address range from 217 to 221?

    Are you doing peering with your Exchange server? If you are, you are
    going to have some difficulties with the configuration.

    If you are not doing peering with the Exchange server, then you
    can make the PIX outside address any of the addresses from 218 to 221.
    Once you have done that, it is easiest to use private IP addresses
    internally (i.e., you would renumber your Exchange server internally).
    To allow the exchange server to be reached from outside, you would
    then configure a static address translation. For example, if the new
    internal IP address was 10.0.0.217 you would configure

    names
    name 10.0.0.217 ExchangePrivate
    name 0.0.0.217 ExchangePublic

    static (inside,outside) ExchangePublic ExchangePrivate netmask 255.255.255.255

    You would then create an access-list that permitted the Exchange traffic
    and you would apply that access list to the outside interface:

    access-list out2in permit tcp any host ExchangePublic eq smtp
    access-list out2in permit tcp any host ExchangePublic eq https
    access-group out2in in interface outside


    If you are peering with the Exchange server, then if you are using
    NetBIOS as part of the peering [I don't know about Active Directory]
    then you will find that the other end will have problems reaching you
    because the other end will learn the private IP address through NetBIOS
    and try to contact that private address instead of the public address.
    This is an issue any time NetBIOS information is being shared between
    sites, including for NT Domain Login purposes. You either have to use
    a VPN between the sites so that the private IP addresses become
    internally routable, or else you have to use fixed static IP addresses
    internally.

    If you are faced with the above situation, or if there are other good
    reasons why you cannot renumber your systems to private IP addresses,
    then you have a configuration challenge. The PIX can NEVER be configured
    to have the same IP subnet on different interfaces, and the PIX cannot
    be configured as a transparent bridge (just filtering the data as it
    goes by.) If you must use public IP addresses internally, then
    you have to arrange so that your inside interface is not on the
    same public IP subnet as your outside interface is. You either need
    to use more than one public IP subnet (probably not an immediate
    option for you) or else you have to "cheat" a bit by putting in
    an inside router carefully configured with a good understanding
    of how routers find hosts.
    --
    csh is bad drugs.
     
    Walter Roberson, Jan 1, 2004
    #3
  4. dances

    dances Guest

    Sorry, I was just hiding the real address as we don't have a firewall yet
    (hehe), but the subnet mask is 255.255.255.248, and let's say the outside
    address is 214.42.167.216.
    "Mike" <> wrote in message
    news:...
    > You might want to double-check those addresses. 00.00.00.xx is not a
    > valid IP address. Also, can you provide the subnet mask? Then we can
    > go from there.
    >
    > Thanks!
    >
    > -Mike
    >
     
    dances, Jan 1, 2004
    #4
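    Putting Walter's recipe together with the numbers dances gives in the post above (a
    255.255.255.248 mask, which is a /29, and 214.42.167.216 as the example block address),
    the following is an added example that is not code from the thread or from Cisco. It does
    the address bookkeeping behind the original question: which of .217 to .221 the PIX outside
    interface can take, whether a proposed static for Exchange collides with it, and whether
    the inside network overlaps the outside block (which a PIX will not accept). It then emits
    the PIX 6.x lines in the form Walter quoted. The inside address 10.0.0.217, the inside
    network 10.0.0.0/24, the choice of .218 for the outside interface, and the `nat`/`global`
    PAT lines for ordinary outbound traffic are all assumptions added here, not from the thread.

```python
"""Plan a Cisco PIX 6.x outside addressing scheme for a small ISP block.

Added example, not code from the thread. PIX 6.x command forms follow the
static / access-list / access-group lines quoted in Walter's post; the
nat/global PAT pair and the inside addresses are assumptions made here.
"""
import ipaddress

# Constructed from the thread's "let's say" numbers: a /29 whose ISP gateway is .222.
ISP_BLOCK = ipaddress.ip_network("214.42.167.216/29")
ISP_GATEWAY = ipaddress.ip_address("214.42.167.222")

# Hypothetical hosts to publish; inside addresses are RFC 1918 (renumbered, as Walter suggests).
PUBLISHED_HOSTS = {
    "Exchange": {"inside": "10.0.0.217", "public": "214.42.167.217", "ports": ("smtp", "https")},
}


def usable_public_addresses(block, gateway):
    """Addresses the customer may assign: every host address in the block except the
    ISP gateway. For a /29 that is six hosts minus one, the .217-.221 range dances asked about."""
    if gateway not in block:
        raise ValueError(f"gateway {gateway} is not inside {block}")
    return [a for a in block.hosts() if a != gateway]


def inside_overlaps_outside(block, inside_net):
    """A PIX will not accept the same subnet on two interfaces, so the inside
    network must not overlap the public block sitting on the outside interface."""
    return block.overlaps(ipaddress.ip_network(inside_net, strict=False))


def plan_pix_config(block, gateway, outside_ip, inside_net, hosts):
    """Return {'config': [PIX 6.x lines], 'spare': [public addresses still unused]}.

    Raises ValueError for the mistakes the thread is about: an outside IP or a
    static that is not a usable address in the block, two uses of one public
    address, or an inside subnet that overlaps the outside one."""
    outside_ip = ipaddress.ip_address(outside_ip)
    usable = usable_public_addresses(block, gateway)
    if outside_ip not in usable:
        raise ValueError(f"{outside_ip} is not a usable address in {block}")
    if inside_overlaps_outside(block, inside_net):
        raise ValueError(f"inside network {inside_net} overlaps outside block {block}")

    taken = {outside_ip}
    config = [
        f"ip address outside {outside_ip} {block.netmask}",
        f"route outside 0.0.0.0 0.0.0.0 {gateway} 1",
        # Assumed: ordinary inside hosts PAT out through the outside interface address.
        "nat (inside) 1 0.0.0.0 0.0.0.0 0 0",
        "global (outside) 1 interface",
        "names",
    ]
    acl = []
    for name, h in hosts.items():
        public = ipaddress.ip_address(h["public"])
        if public not in usable:
            raise ValueError(f"{name}: {public} is not a usable address in {block}")
        if public in taken:
            raise ValueError(f"{name}: {public} already used by the outside interface or another static")
        taken.add(public)
        config += [
            f"name {h['inside']} {name}Private",
            f"name {public} {name}Public",
            # One-to-one static: mapped (outside) address first, real (inside) address second;
            # the trailing "0 0" are the max-connections and embryonic limits (0 = unlimited).
            f"static (inside,outside) {name}Public {name}Private netmask 255.255.255.255 0 0",
        ]
        # Open only the published services; PIX 6.x needs the 'host' keyword for a single address.
        acl += [f"access-list out2in permit tcp any host {name}Public eq {port}" for port in h["ports"]]
    config += acl + ["access-group out2in in interface outside"]
    spare = [str(a) for a in usable if a not in taken]
    return {"config": config, "spare": spare}


if __name__ == "__main__":
    result = plan_pix_config(ISP_BLOCK, ISP_GATEWAY, "214.42.167.218", "10.0.0.0/24", PUBLISHED_HOSTS)
    print("\n".join(result["config"]))
    print("spare public addresses:", ", ".join(result["spare"]))
```

    Run as-is it prints a configuration with .218 on the outside interface, Exchange published
    on .217, and .219-.221 reported as spare, so all five addresses are usable: one for the
    PIX itself and up to four more as one-to-one statics. Asking for .217 as the outside address
    while Exchange keeps .217 as its public address is rejected, which is the answer to "do I
    give the outside address of the firewall the 217?" when the server is to keep that address.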
  5. dances

    dances Guest

    Thanks, Walter.
    I'll let you know how I go on; back to work Monday.
    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bt1j9f$b0s$...
     
    dances, Jan 2, 2004
    #5
