PIX 515E Configuration Help...

Discussion in 'Cisco' started by jsandlin0803, Dec 10, 2005.

  1. jsandlin0803

    jsandlin0803 Guest

    Hey
    I need help setting up my PIX 515E. I have installed ASDM and can get
    into the config. I need help with either routing or NAT, or both.

    I have 2 LANs and a Cisco Router connected. I need to know how to pass
    all internet traffic from each LAN to the router for internet access. I
    have not set any NAT pools or static routes, because I am unsure on
    how to do this.

    The lan and wan specs are below


    lan1: 192.168.0.0/24
    lan2: 192.168.1.0/24
    internet nic: 162.40.148.2 (cisco router is 162.40.148.1)


    Please help on getting these on the Internet. Also, i will have remote
    users, but the wizard should take care of that.


    Thanks in advance


    Jason S.
    jsandlin0803, Dec 10, 2005
    #1

  2. DoubleD4

    DoubleD4 Guest

    I'm assuming that your setup looks something like the following.
    Correct me if it does not. Bear in mind that the PIX will not route
    traffic back out the same interface that it came in on like other
    devices will.


    192.168.1.1 162.40.148.2 -----> Router 162.40.148.1
    e1 e0
    | |
    192.168.0.1 e0--Router PIX
    | |
    | e1
    Switch --------------- 192.168.0.5


    If so, you'll want to do this on your router that is connecting the two
    internal networks:

    ip route 0.0.0.0 0.0.0.0 192.168.0.5


    Then on the PIX you'll want to do the following:

    ip address inside 192.168.0.5 255.255.255.0
    ip address outside 162.40.148.2 255.255.255.248 (or whatever the
    external mask is)
    route outside 0.0.0.0 0.0.0.0 162.40.148.1
    route inside 192.168.1.0 255.255.255.0 192.168.0.1
    nat (inside) 1 0.0.0.0 0.0.0.0
    global (outside) 1 interface
    DoubleD4, Dec 10, 2005
    #2

  3. jsandlin0803

    jsandlin0803 Guest

    The diagram is a little confusing. I have 2 switches. On the first is
    the 192.168.0.0/24 subnet. That one is connected to e0 (192.168.0.1).
    The second switch is the 192.168.1.1/24 subnet connected to e1
    (192.168.1.1). The Cisco Router is connected to e3 (162.40.148.2), and
    the router's address is 162.40.148.1. I need to get internet access
    for both networks of the PIX. Both networks are in the same building,
    just 2 different businesses.

    Thanks
    Jason S.
    jsandlin0803, Dec 11, 2005
    #3
  4. DoubleD4

    DoubleD4 Guest

    I agree, I suppose the diagram did not work out like I had hoped. So
    when you are referencing e0, e1, and e3, are you talking about the
    interfaces on the PIX itself? How many routers do you have, 1 or 2? I
    assume that the Cisco Router you are talking about is the internet
    router attached to the external interface of the PIX, correct? And
    what is acting as the default gateway assigned to the client computers,
    the PIX, or a router behind the PIX?

    Sorry for so many questions, just trying to get a mental picture of
    your setup.
    DoubleD4, Dec 11, 2005
    #4
  5. jsandlin0803

    jsandlin0803 Guest

    Is there a specific ethernet port for the internet router? I have only
    one router for the internet. It is in ethernet 3 of the PIX. I am
    referring to the PIX interfaces when I say e0, e1, and e3. The default
    gateway is the IP address of the associated PIX interface. For Lan1,
    the gateway is 192.168.0.1 and Lan2 is 192.168.1.1.


    Thanks for your help.
    Jason
    jsandlin0803, Dec 11, 2005
    #5
  6. DoubleD4

    DoubleD4 Guest

    In that case, it will get a little hairy as far as how the PIX does
    security on its interfaces. I think (I may be wrong) that if the PIX
    has more than two interfaces, it will treat the third as a DMZ
    interface by default. Would it be possible for you to post the
    configuration "sh run" of your PIX? If I looked at the config, I
    should be able to point you in the right direction fairly quickly.
    DoubleD4, Dec 11, 2005
    #6
  7. In article <>,
    jsandlin0803 <> wrote:
    >I need help setting up my PIX 515E. I have installed ASDM and can get
    >into the config. I need help with either routing or NAT, or both.


    >I have 2 LANs and a Cisco Router connected. I need to know how to pass
    >all internet traffic from each LAN to the router for internet access. I
    >have not set any NAT pools or static routes, because I am unsure on
    >how to do this.


    >The lan and wan specs are below
    >lan1: 192.168.0.0/24
    >lan2: 192.168.1.0/24
    >internet nic: 162.40.148.2 (cisco router is 162.40.148.1)


    Your reference to asdm indicates you have PIX 7.0. I have not
    studied the 7.0 syntax, so I can't give you the exact commands.

    In PIX 6.x, what you want would be quite simple:

    nat (inside) 1 192.168.0.0 255.255.255.0
    nat (dmz) 1 192.168.1.0 255.255.255.0
    global (outside) 1 interface

    That would be all there would be to it for your configuration
    that you set out in your discussion with DV.

    This configuration would send all traffic, from both lans, out
    through the same single IP address, 162.40.148.2. If you want
    the traffic separated, say with the second lan mapping to 162.40.148.3,
    then you would use

    nat (inside) 1 192.168.0.0 255.255.255.0
    nat (dmz) 2 192.168.1.0 255.255.255.0
    global (outside) 1 interface
    global (outside) 2 162.40.148.2

    This would PAT both lans, but with different IPs.

    If you happened to want the inside traffic to use one-to-one nat
    as long as IPs were available, and you wanted the traffic separate,
    then you could use, for example:

    nat (inside) 1 192.168.0.0 255.255.255.0
    nat (dmz) 2 192.168.1.0 255.255.255.0
    global (outside) 1 162.40.148.3-162.40.148.205
    global (outside) 1 162.40.148.206
    global (outside) 2 162.40.148.207-162.40.148.253
    global (outside) 2 162.40.148.254


    You would not need to add any route commands or static commands or any
    access-lists for what you indicated.

    If, though, you want to restrict lan1 from being able to talk to
    lan2, then you would add (PIX 6.x syntax)

    access-list in2out deny ip any 192.168.1.0 255.255.255.0
    access-list in2out permit ip 192.168.0.0 255.255.255.0 any

    access-group in2out in interface inside

    You would not need to do anything to prevent lan2 from talking to lan1.

    If you do want lan2 to be able to talk to lan1, then you would
    need additional configuration, the details of which would depend
    on whether you want wide access or just access to specific hosts.

    If you want the outside world to be able to connect to servers
    on either of the lans (except through the VPNs) then you would
    have additional configuration work.
    --
    Prototypes are supertypes of their clones. -- maplesoft
    Walter Roberson, Dec 11, 2005
    #7
  8. jsandlin0803

    jsandlin0803 Guest

    I have done what you said, and i still cannot get internet access.

    I added
    nat (inside) 1 192.168.0.0 255.255.255.0
    nat (inside2) 1 192.168.1.0 255.255.255.0
    global (outside) 1 interface


    I still cannot connect. I also tried using the startup wizard to start
    fresh, but I still can't connect. All that I have done is run the
    startup wizard, used PAT for the outside interface (e0), and have lan1
    in e1 and lan2 in e2.

    I may add that the lan2 is not a dmz, but a network like lan1, except a
    different subnet.


    Please help. I need to get connected asap.

    Thanks
    Jason
    jsandlin0803, Dec 11, 2005
    #8
  9. DoubleD4

    DoubleD4 Guest

    Did you add the "route outside 0.0.0.0 0.0.0.0 162.40.148.1" command?
    Do all your interfaces have the correct IPs assigned to them? Would it
    be possible to post your config?
    DoubleD4, Dec 11, 2005
    #9
  10. jsandlin0803

    jsandlin0803 Guest

    I know how to capture the text correctly on a router, but not sure on
    the PIX. When I use terminal length 0, it is not a valid entry.

    I need the command so that it will not say <more>.


    Thanks
    Jason
    jsandlin0803, Dec 11, 2005
    #10
  11. DoubleD4

    DoubleD4 Guest

    Can't you just hit space bar all the way to the end and then copy all
    the text?
    DoubleD4, Dec 12, 2005
    #11
  12. jsandlin0803

    jsandlin0803 Guest

    I added the command you said, and here is my running config. I cannot
    try and see if it connects right now, but see if this looks right.

    Thanks
    Jason



    pixfirewall# sh run
    : Saved
    :
    PIX Version 7.0(4)
    !
    hostname pixfirewall
    domain-name default.domain
    enable password /r9ayOm.CUP8NGkt encrypted
    names
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 162.40.148.2 255.255.255.248
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet2
    nameif inside2
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    !
    interface Ethernet3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    !
    http-map test
    strict-http action allow log
    !
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu inside2 1500
    no failover
    asdm image flash:/asdm-504.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 10 0.0.0.0 0.0.0.0
    nat (inside2) 2 192.168.0.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 162.40.148.1 1
    route inside2 192.168.0.0 255.255.255.0 192.168.0.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.0.0 255.255.255.0 inside2
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 15
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 inside
    dhcpd lease 3600
    dhcpd ping_timeout 50
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    Cryptochecksum:b81536603c19f6ff29ccbd845352592e
    : end
    jsandlin0803, Dec 12, 2005
    #12
  13. DoubleD4

    DoubleD4 Guest

    Delete all these commands:

    global (outside) 10 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 10 0.0.0.0 0.0.0.0
    nat (inside2) 2 192.168.0.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 162.40.148.1 1
    route inside2 192.168.0.0 255.255.255.0 192.168.0.1 1

    and enter them like this:

    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside2) 1 192.168.0.0 255.255.255.0
    global (outside) 1 interface
    route outside 0.0.0.0 0.0.0.0 162.40.148.1

    It should work after you do that.
    DoubleD4, Dec 12, 2005
    #13
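    An added check, not from any poster in the thread, that mechanically applies the rule behind posts #7 and #13: a nat statement only translates traffic when a global on the outside carries the same id, and a route's next hop must never be one of the PIX's own interface addresses. The two sample configs are constructed excerpts of the config in post #12 and the corrected lines in post #13; the line syntax assumed is the PIX 6.x/7.0 form shown in the thread.

```python
import re
# Constructed excerpt of the running config posted above (post #12): only the
# nameif / ip address / nat / global / route lines the checks below look at.
BROKEN = """\
nameif outside
ip address 162.40.148.2 255.255.255.248
nameif inside
ip address 192.168.1.1 255.255.255.0
nameif inside2
ip address 192.168.0.1 255.255.255.0
global (outside) 10 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
nat (inside2) 2 192.168.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 162.40.148.1 1
route inside2 192.168.0.0 255.255.255.0 192.168.0.1 1
"""
# Same interfaces, with the nat/global/route lines suggested in post #13.
FIXED = BROKEN.split("global", 1)[0] + """\
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside2) 1 192.168.0.0 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 162.40.148.1
"""
NAT = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL = re.compile(r"^global \((\S+)\) (\d+) ")
ROUTE = re.compile(r"^route (\S+) \S+ \S+ (\S+)")

def lint_nat(config: str) -> list[str]:
    own_ips, nat_ids, global_ids, findings, ifname = {}, {}, set(), [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("nameif "):
            ifname = line.split()[1]             # interface currently being defined
        elif line.startswith("ip address ") and ifname:
            own_ips[line.split()[2]] = ifname    # the PIX's own interface addresses
        elif m := NAT.match(line):
            nat_ids.setdefault(m.group(2), []).append(m.group(1))
        elif m := GLOBAL.match(line):
            global_ids.add(m.group(2))
        elif m := ROUTE.match(line):
            via, gw = m.groups()
            if gw in own_ips:  # a next hop must be a neighbour, never the PIX itself
                findings.append(f"route via {via}: next hop {gw} is the PIX's own {own_ips[gw]} address")
    # nat id 0 means no translation and needs no global; any other id only translates when a global carries the same id
    for nid, ifaces in nat_ids.items():
        if nid != "0" and nid not in global_ids:
            findings.append(f"nat id {nid} on {','.join(ifaces)}: no global with that id, nothing is translated")
    for gid in sorted(global_ids - set(nat_ids)):
        findings.append(f"global id {gid}: no nat statement references it")
    return findings
```

Run against the post #12 excerpt it reports the two nat ids without a global and the route pointing at the PIX's own inside2 address; against the post #13 lines it reports nothing.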
  14. jsandlin0803

    jsandlin0803 Guest

    Thanks for all of your help. I will put these in and try it out when I
    get back to work. I will let you guys know if it works or not.

    Thanks again

    Jason
    jsandlin0803, Dec 12, 2005
    #14
  15. jsandlin0803

    jsandlin0803 Guest

    While we are at it, can you suggest a way to set up VPN users to access
    the 192.168.0.0/24 network? I will use the wizard. Which interface do I
    choose and all that? Can I use the Microsoft VPN connection software?
    What will I need to do to enable Remote Desktop to this network?

    Thanks
    Jason
    jsandlin0803, Dec 12, 2005
    #15
