how to setup pix 501 between public IP addresses network and the world

[Guest_imported]

Hola, gurus!

I have a network consisting of three servers with public IP addresses. I want to put a pix 501 between the servers and the rest of the world. I want to preserve the public IP addresses on the servers and use the pix as a "transparent" firewall.

I have read the documentation, the command reference, the postings on several forums and I drowned in them :-(

Any help will be mostly appretiated! If possible, please give commands which I should issue to the pix.

Thanks in advance!

 

[mheianna]

This are some command that you must use :

First enter in configuration mode using the "configuration terminal" :

Example :
pix#configuration terminal
PIX(config)#

Enable the interfaces :
interface ethernet0 10baset (outisde interface)
interface ethernet1 10baset (inside interface)

Set the ip address :
ip address outside 64.116.225.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0

This command is used to set the ip address that all the host will use when send traffic to the internet.

global (outside) 1 64.116.225.2

in this command all the host that have any ip address will pass traffic to the internet. You can specify a network ex:192.168.1.0 255.255.255.0 :
nat (inside) 1 0.0.0.0 0.0.0.0

this is used like a Default gateway in a host. The 64.116.225.1 is the ISP's router.
route outside 0.0.0.0 0.0.0.0 64.116.225.1 1

this command enable to this particular host in your inside LAN to telnet the firewall.
telnet 192.168.1.2 255.255.255.255 inside

this command create a static association betwen a Public and Private Address. All the traffic that comes from the internet to 64.116.225.2 will be translated to 192.168.1.3
static (inside, outside) 64.116.225.2 192.168.1.3

this command open different types of traffic to your inside host. In this example, the

http://www service

is open. The default is " deny all traffic "
conduit permit ip host 64.116.225.2 eq 80 host 192.168.1.3 eq 80

Those are the basics commands, download this PDF from Cisco web site to learn more advanced commands.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/config.htm

regards

 

[Guest_imported]

Thanks a lot for the help! Only, doesn't this solution suppose change of IP addresses (from public to private) ?

 

[yizhar]

HI.

It is not a good idea and I have never tried to place a pix without changing neighbor ip addressing in some way.
Using the same ip subnet on both sides is not recommended or possible.

Either reconfigure the servers or the ISP router with a different ip address.
For example, you can acquire a range of 8 addresses or more (plan for future use) from your ISP, then use the ip address which is currently used by your router Ethernet interface and give it to the pix inside interface, and at the same time reconfigure ISP router Ethernet interface and pix outside interface with addresses from the new range.
This will require tight cooperation with ISP of course.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar