Basic 501 Questions

johnnymc (Technical User), Aug 28, 2002
Hi,
I have never touched a Cisco device before and the guy that normally handles this stuff recently left so I'm stuck. I have been asked to install a new 501 firewall that the previous guy purchased. Here are my questions:

1. I only need to set this up between my network and the outside, right? This is my network and where I think I need to place the firewall.

Internet
|
Firewall
|
Main Router----Main network
|
Remote sites---Remote networks

I have three small remote sites with a cisco 1720 router at each site connected through a T-1 to my main 2621 router at my main location. I then have a cable modem running from my main location out to the internet. I just want to confirm this would be the proper placement.

2. The 501 can use an inside and outside ip address. I think I only need to give it an inside address right?

3. My main router is currently connected to the cable modem. If I place the 501 in between, will I need to add any commands to the 2621 router?

Any help would be greatly appreciated!!!
 
Hi -

A quick question?

What are you trying to do with the Pix?

Is this strictly a firewall, or are you going to use it for client VPNs and VPN tunneling? Do you host your own mail and web server? What do you want to block... what do you need to let in? Are the 1720 routers on frame relay? I can send you a config sheet if you need it.
 
I have most of the ports blocked with the 2621 router, so I guess the main function of the 501 would be VPN. We have an Exchange server on our main network but no web servers. I have no documentation with the 501; I think the guy who left took it with him. I have some stuff I got from the internet, but nothing really explains if I need an outside IP, what rules would govern how I select an address for the outside interface if I did put one on it, or where to place the 501 in a basic network like mine.

Any config would be greatly appreciated!
 
You should set it up this way:

Internet --->

Cable modem (DHCP and no PPPoE... right?) ---->

Pix Firewall (outside address
from cable modem, inside address is a local lan address)---->

LAN ( all your computer on the network including your Cisco 1720 routers that connect your remote offices) ---->

If your default gateway is set to your 1720 you will have to add a route to point internet traffic to your Pix... or... make your Pix the default gateway and add a route back to your 1720 for local traffic. The first suggestion is preferred because the Pix is not meant to be a router. I am assuming that your 1720s are on a private frame relay?

Does this make sense to you?

 
I think your first problem might be that you are using a Pix 501. This is limited to 10 internal users as standard (50 users with an upgrade). How many users are you going to have accessing the internet?
 
Here's how I would set it up.

Reading your original post, I am assuming that at this point in time the traffic on your entire internal LANs/WAN is routing fine and you are getting your internet connection through the 2621. So your routing table on the 2621 has the default gateway set to the interface facing the internet. This is where the PIX would be inserted, between the ISP and your 2621.

Here is a basic config from a PIX 515 running 6.2(2). This is running in a similar situation. I have the PIX connected to the ISP's DSL modem. The outside interface sets up the PPPoE connection and sets the route. The internal interface connects to a Cisco 2514 router. The default route on the 2514 is pointing to the PIX. My core router has a 192.168.1.2 address on E0 and 10.10.10.1 on E1. I hope this helps you out.

Have fun. Let me know if you need any further help.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password xxx encrypted
passwd xxx encrypted
hostname pix
domain-name xxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list in permit icmp any any echo-reply
access-list in permit icmp any any time-exceeded
access-list in permit icmp any any unreachable
access-list out permit tcp any any eq www
access-list out permit tcp any any eq pop3
access-list out permit tcp any any eq smtp
access-list out permit icmp any any echo
access-list out permit udp any any eq domain
access-list out permit tcp any any eq https
access-list out permit icmp any any
pager lines 24
logging on
logging trap errors
logging host inside 10.10.10.3
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp deny any outside
mtu outside 1492
mtu inside 1500
mtu dmz 1500
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name attack1 info action alarm
ip audit interface outside attack1
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0
access-group in in interface outside
access-group out in interface inside
access-group out in interface dmz

route inside 10.10.10.0 255.255.255.0 192.168.1.2 1
timeout xlate 0:05:00
timeout conn 0:05:00 half-closed 0:05:00 udp 0:05:00 rpc 0:05:00 h323 0:05:00 sip 0:05:00 sip_media 0:05:00
timeout uauth 0:02:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server xxx source outside prefer
vpdn group dsl request dialout pppoe
vpdn group dsl localname xxx
vpdn group dsl ppp authentication pap
vpdn username xxx password xxx
terminal width 80
pix#
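The 515 config above is for a three-interface box on PPPoE. As an added example, not posted by anyone in this thread, the following is the equivalent minimal PIX 6.x config for a two-interface 501 behind a DHCP cable modem, laid out the way the earlier replies describe: outside address from the modem, inside address on the LAN, and a route back through the 2621 to the remote-site networks. All addresses (192.168.1.0/24 for the LAN, 192.168.1.2 for the 2621, 10.1.0.0/16 for the remote sites, 192.168.1.10 for a syslog host) are assumed placeholders; the 2621 is assumed to have its default route pointed at 192.168.1.1.

```text
: Added example config for a PIX 501 (PIX OS 6.x); not from this thread.
: Lines beginning with ":" are PIX config comments.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix501
: Outside address and default route come from the cable modem (DHCP, no PPPoE),
: so no outside address has to be chosen by hand.
ip address outside dhcp setroute
: Inside address is a local LAN address; the 2621 sits on the same subnet.
ip address inside 192.168.1.1 255.255.255.0
: Hide all inside hosts behind the outside (DHCP-assigned) address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
: The remote-site networks (assumed 10.1.0.0/16) live behind the 2621's T-1s.
: Without this route the PIX would send their return traffic out the default.
route inside 10.1.0.0 255.255.0.0 192.168.1.2 1
: From the Internet, allow only ICMP replies to inside-originated traffic;
: everything else is dropped by the implicit deny.
access-list in permit icmp any any echo-reply
access-list in permit icmp any any time-exceeded
access-list in permit icmp any any unreachable
access-group in in interface outside
: Drop packets on outside whose source address routes back to inside.
ip verify reverse-path interface outside
: Send error-level events to an inside syslog host (assumed 192.168.1.10).
logging on
logging trap errors
logging host inside 192.168.1.10
```

The matching change on the 2621 is its default route: `ip route 0.0.0.0 0.0.0.0 192.168.1.1` pointing at the PIX inside address, replacing the route that previously pointed at the cable modem.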
 