Re: How to use PIX with NAT in a DMZ Scenario

Discussion in 'Cisco' started by Trond Hindenes, Jul 22, 2003.

  1. Hi, thanks for the input

    I finally got it working; below is my entire config. Hopefully some
    other guy won't have to pull his hair out for months before getting it
    right, like I did :-|

    (IP addresses and passwords masked)

    Building configuration...
    : Saved
    :
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    enable password aaa
    passwd aaa
    hostname pix
    domain-name
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 216.198.33.228 DMZ01-OSL
    name 216.198.33.229 DMZ02-OSL_EXT
    name 216.40.230.4 alpha_kazaa_com
    name 213.248.107.10 kazaa_server
    name 216.198.33.234 ADMIN02_DMZ
    name 216.198.33.230 web03-osl
    name 216.198.33.231 CSG1_DMZ
    name 216.198.33.232 CSG2_DMZ
    object-group service UDPNormal udp
    port-object eq dnsix
    port-object eq domain
    port-object eq rip
    object-group service HTTP_HTTPS tcp
    port-object eq https
    port-object eq www
    object-group service utg_tcp tcp
    port-object eq ldap
    port-object eq ftp-data
    port-object eq 3389
    port-object eq ftp
    port-object eq www
    port-object eq imap4
    port-object eq pop3
    port-object eq smtp
    port-object eq nntp
    port-object eq https
    port-object eq telnet
    port-object eq pptp
    port-object eq citrix-ica
    port-object eq 7202
    port-object eq domain
    port-object eq 1551
    object-group service utg_udp udp
    port-object eq domain
    port-object eq time
    port-object eq ntp
    object-group service vpn_udp udp
    port-object eq isakmp
    port-object eq 10000
    access-list outside_access_in permit tcp any host web03-osl object-group HTTP_HTTPS
    access-list outside_access_in permit tcp any host CSG2_DMZ object-group HTTP_HTTPS
    access-list outside_access_in permit tcp 10.61.6.0 255.255.255.0 any
    access-list outside_access_in deny ip any any
    access-list DMZ_access_in permit ip any 10.61.6.0 255.255.255.0
    access-list DMZ_access_in permit ip any any
    access-list DMZ_access_in deny tcp any any
    access-list DMZ_access_in deny udp any any
    access-list nonat permit ip 10.61.6.0 255.255.255.0 10.61.6.0 255.255.255.0
    access-list inside_access_in permit tcp any any object-group utg_tcp
    access-list inside_access_in permit ip any host ADMIN02_DMZ
    access-list inside_access_in permit udp any any object-group utg_udp
    access-list inside_access_in deny udp any eq 1214 any
    access-list inside_access_in deny tcp any eq 1214 any
    access-list inside_access_in deny ip host kazaa_server any
    access-list inside_access_in deny tcp any host alpha_kazaa_com
    access-list inside_access_in deny tcp any host kazaa_server
    access-list inside_access_in permit ip any host Dynal_VPN
    access-list inside_access_in permit udp any host DKM_VPN object-group vpn_udp
    access-list inside_access_in permit tcp any host Neomail eq 2095
    access-list inside_access_in permit tcp any Cloudmark_subn_1 255.255.255.0 eq 2703
    access-list inside_access_in permit tcp any host KLINK_Server1
    access-list inside_access_in permit tcp any host KLINK_Server2
    pager lines 24
    logging on
    logging timestamp
    logging trap informational
    logging history alerts
    logging host inside 10.1.1.63
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 216.198.32.124 255.255.255.248
    ip address inside 10.61.6.1 255.255.255.128
    ip address DMZ 216.198.33.226 255.255.255.240
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name citp attack action alarm drop
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 10.61.6.110-10.61.6.125
    pdm location 10.61.6.0 255.255.255.0 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0
    static (inside,DMZ) 10.61.6.0 10.61.6.0 netmask 255.255.255.0 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group DMZ_access_in in interface DMZ
    route outside 0.0.0.0 0.0.0.0 216.198.32.121 1
    route inside 10.61.6.0 255.255.255.0 10.61.6.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server dc01-osl protocol radius
    aaa-server dc01-osl (inside) host 10.61.6.11 columbus timeout 5
    aaa-server dc02-osl protocol radius
    aaa-server dc02-osl (inside) host 10.61.6.11 abrakadabra timeout 5
    aaa-server RSA protocol radius
    aaa-server RSA (inside) host 10.1.1.40 abrakadabra timeout 5
    http server enable
    http 10.61.6.0 255.255.255.0 inside
    snmp-server host inside 10.1.1.63
    snmp-server location Oslo
    no snmp-server contact
    snmp-server community columbus_oslo
    snmp-server enable traps
    tftp-server inside 10.1.1.134 pixconfig240103
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set normalset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 30 set transform-set normalset
    crypto map newmap 20 ipsec-isakmp dynamic dynmap
    crypto map newmap client authentication dc02-osl
    crypto map newmap interface outside
    isakmp enable outside
    isakmp key ******** address 196.119.27.147 netmask 255.255.255.255 no-xauth
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication rsa-sig
    isakmp policy 20 encryption des
    isakmp policy 20 hash sha
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 86400
    vpngroup vpn3000 split-dns columbus.no
    vpngroup vpn3000 idle-time 1800
    vpngroup vpn3000 password ********
    telnet 10.61.6.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe 128 required
    vpdn group 1 client configuration address local ippool
    vpdn group 1 client configuration dns 10.61.6.11
    vpdn group 1 client configuration wins 10.61.6.11
    vpdn group 1 client authentication aaa dc02-osl
    vpdn group 1 pptp echo 60
    vpdn enable outside
    terminal width 80
    Cryptochecksum:7518717db80485776ad86d31ffff652f
     
    Trond Hindenes, Jul 22, 2003
    #1
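An ACL audit for a config like the one in this post, added here as an example (it is not the poster's code and not a Cisco tool): it parses the outside and DMZ access-lists into ordered entries, flags the `permit ip any any` on DMZ_access_in, and reports the two deny entries below it as unreachable because an earlier entry already matches every packet they would. The sample ACL text is constructed from the posted entries with the wrapped lines rejoined; only the entry forms used in the post are modelled, and hosts from the `names` table are kept as strings since they cannot be resolved offline.

```python
import ipaddress
# Constructed sample: outside and DMZ access-lists from the posted PIX 6.3 config,
# with the wrapped "object-group" continuation lines rejoined onto their entries.
PIX_ACLS = """
access-list outside_access_in permit tcp any host web03-osl object-group HTTP_HTTPS
access-list outside_access_in permit tcp 10.61.6.0 255.255.255.0 any
access-list outside_access_in deny ip any any
access-list DMZ_access_in permit ip any 10.61.6.0 255.255.255.0
access-list DMZ_access_in permit ip any any
access-list DMZ_access_in deny tcp any any
access-list DMZ_access_in deny udp any any
"""

def _addr(t):  # one PIX address spec -> (spec, remaining tokens); 'any' -> None, nets -> IPv4Network
    if t[0] == "any":
        return None, t[1:]
    try:
        return ipaddress.ip_network(t[1] if t[0] == "host" else f"{t[0]}/{t[1]}"), t[2:]
    except ValueError:  # symbolic host from the PIX 'names' table; kept as a plain string
        return t[1], t[2:]

def parse_acls(text):  # group 'access-list NAME action proto src dst [ports]' by NAME, in order
    acls = {}
    for t in (line.split() for line in text.strip().splitlines()):
        if t[:1] == ["access-list"]:
            src, rest = _addr(t[4:])  # source-port qualifiers before the dst are not modelled
            dst, rest = _addr(rest)
            acls.setdefault(t[1], []).append(
                {"action": t[2], "proto": t[3], "src": src, "dst": dst, "ports": tuple(rest)})
    return acls

def _addr_covers(a, b):  # does spec a match every address that spec b matches?
    if a is None or a == b:
        return True
    return all(isinstance(x, ipaddress.IPv4Network) for x in (a, b)) and b.subnet_of(a)

def covers(a, b):  # entry a is evaluated first and matches everything entry b would match
    return (a["proto"] in ("ip", b["proto"]) and _addr_covers(a["src"], b["src"])
            and _addr_covers(a["dst"], b["dst"]) and (not a["ports"] or a["ports"] == b["ports"]))

def audit(text):  # blanket permits, plus entries that an earlier entry makes unreachable
    findings = []
    for name, entries in parse_acls(text).items():
        for i, e in enumerate(entries):
            if (e["action"], e["proto"], e["src"], e["dst"]) == ("permit", "ip", None, None):
                findings.append((name, i, "permit ip any any: interface is effectively unfiltered"))
            shadow = next((j for j in range(i) if covers(entries[j], e)), None)
            if shadow is not None:
                findings.append((name, i, f"shadowed by entry {shadow}: never matches"))
    return findings
```

Because `static (inside,DMZ) 10.61.6.0 10.61.6.0` presents the inside network to the DMZ unchanged, the blanket permit on DMZ_access_in is what lets any DMZ host open connections into 10.61.6.0/24; the audit makes that visible before the config is deployed.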