Need Guidance on pix 515 setup 1

Status
Not open for further replies.

backupbob

Technical User
Aug 1, 2003
29
US
I just started a new job and one thing that needs to be done is to set up the 515E UR PIX that they have. It is just sitting off of the DMZ on the router right now running the extra (which is the extranet that has its own interface on the PIX). I have a pretty good idea what I am going to do but thought I would get some guidance, or better thoughts on how I should implement the PIX into this network with the router (Cisco 2621). I thought about hooking up the PIX outside to the interface FastEthernet0/0 of the router.
Thanks for the help.

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 extra security50
enable password ######## encrypted
passwd ####### encrypted
hostname pix
domain-name ############
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list extra permit ip xx4.xxx.217.0 255.255.255.0 x2.xx.10.0 255.255.255.0
access-list extra permit ip xx4.xxx.216.0 255.255.255.0 x2.xx.10.0 255.255.255.0
access-list extra permit ip xx4.xxx.218.0 255.255.255.0 x2.xx.10.0 255.255.255.0
access-list extra permit ip xx9.xxx.0.0 255.255.0.0 x2.xx.10.0 255.255.255.0
access-list extra permit ip host xx5.xxx.193.100 x2.xx.10.0 255.255.255.0
pager lines 24
logging on
logging monitor debugging
interface ethernet0 10baset
interface ethernet1 100full
interface ethernet2 10baset
mtu outside 1500
mtu inside 1500
mtu extra 1500
ip address outside x4.xx.xx.131 255.255.255.xxx
ip address inside 10.100.0.250 255.255.0.0
ip address extra x2.xx.10.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside x4.xx.xx.133
failover ip address inside 10.100.0.251
failover ip address extra 0.0.0.0
pdm location 10.100.0.24 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,extra) x2.xx.10.41 10.100.0.41 netmask 255.255.255.255 0 0
static (inside,extra) x2.xx.10.60 10.100.0.60 netmask 255.255.255.255 0 0
static (inside,extra) x2.xx.10.61 10.100.0.61 netmask 255.255.255.255 0 0
static (inside,extra) x2.xx.10.62 10.100.0.62 netmask 255.255.255.255 0 0
static (inside,extra) x2.xx.10.63 10.100.0.63 netmask 255.255.255.255 0 0
static (inside,extra) x2.xx.10.68 10.100.0.68 netmask 255.255.255.255 0 0
static (inside,extra) x2.xx.10.5 10.100.5.5 netmask 255.255.255.255 0 0
static (inside,extra) x2.xx.10.65 10.100.0.65 netmask 255.255.255.255 0 0
static (inside,extra) x2.xx.10.66 10.100.0.66 netmask 255.255.255.255 0 0
access-group extra in interface extra
route outside 0.0.0.0 0.0.0.0 x4.xx.xx.129 1
route extra xx9.xxx.0.0 255.255.0.0 x2.xx.10.1 1
route extra xx4.xxx.156.14 255.255.255.255 x2.xx.10.1 1
route extra xx4.xxx.216.0 255.255.255.0 x2.xx.10.1 1
route extra xx4.xxx.217.0 255.255.255.0 x2.xx.10.1 1
route extra xx4.xxx.218.0 255.255.255.0 x2.xx.10.1 1
route extra xx5.xxx.193.100 255.255.255.255 x2.xx.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.100.0.0 255.255.0.0 inside
snmp-server host inside 10.100.0.40
snmp-server location ############
snmp-server contact #####################
snmp-server community watchdog
snmp-server enable traps
tftp-server inside 10.100.0.16 cisco/pix
floodguard enable
no sysopt route dnat
terminal width 80
Cryptochecksum:#######################


This is the 2621 router config

Using 2414 out of 29688 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname internet
!
enable password ###########
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
!
!
!
interface FastEthernet0/0
ip address 10.100.0.254 255.255.0.0
ip access-group 1 in
ip access-group 1 out
no ip directed-broadcast
ip nat inside
speed auto
full-duplex
!
interface Serial0/0
ip address x4.xx.xx.138 255.255.255.xxx
ip access-group 1 in
ip access-group 1 out
no ip directed-broadcast
ip nat outside
no ip mroute-cache
no fair-queue
!
interface FastEthernet0/1
ip address x4.xx.xx.129 255.255.255.xxx
ip access-group 101 in
ip access-group 1 out
no ip directed-broadcast
speed auto
full-duplex
!
ip default-gateway x4.xx.xx.137
ip nat inside source list 7 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 x4.xx.xx.137
ip route xxx.16.1.0 255.255.255.0 10.100.23.150
ip route xxx.168.1.0 255.255.255.0 10.100.0.111
ip route xxx.168.10.0 255.255.255.0 10.100.0.111
ip route xxx.168.20.0 255.255.255.0 10.100.0.111
ip route xxx.168.30.0 255.255.255.0 10.100.0.111
ip route xxx.168.40.0 255.255.255.0 10.100.10.2
ip route xxx.153.216.0 255.255.255.0 10.100.0.250
ip route xxx.166.193.100 255.255.255.255 10.100.0.250
no ip http server
!
access-list 1 permit any
access-list 2 permit x4.xx.xx.28
access-list 2 permit 10.100.0.0 0.0.255.255
access-list 7 permit 10.100.0.0 0.0.255.255
access-list 7 permit xxx.168.40.0 0.0.0.255
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any any eq smtp
access-list 101 permit udp any any eq domain
access-list 101 permit udp any any eq tftp
access-list 101 permit tcp 10.100.0.0 0.0.255.255 any eq telnet
access-list 101 permit tcp host x4.xx.xx.28 host x4.xx.xx.129 eq telnet
access-list 101 permit udp host x4.xx.xx.28 host x4.xx.xx.129 eq tftp
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq pop3
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
snmp-server engineID local #####################
snmp-server community ####################
!
line con 0
transport input none
line aux 0
line vty 0 4
access-class 2 in
password ###########
login
!
no scheduler allocate
end
 
Hi.

Some general tips:
You will need to reconfigure both the router and the pix.
The design should be simple, with no loops, like this:

ISP
|
2621 router
|
PIX - extranet router - extranet
|
Internal LAN

You will need to remove all NAT configuration from the router and reconfigure it with standard simple ip routing.

You will need to remove access rules from the router (you can later add some basic anti-spoof rules but in general the pix should be the only or the main device applying network policy).

> static (inside,extra) ...
Instead of all those static lines, you can use this instead:
access-list nonatinside permit ip 10.100.0.0 255.255.0.0 xx4.xxx.0.0 255.255.0.0
nat (inside) 0 access-list nonatinside
* OR this instead:
static (inside,extra) 10.100.0.0 10.100.0.0 netmask 255.255.255.0

> route extra xx4.xxx.156.14 ...
Instead of multiple route commands, you can use:
route extra xx4.xxx.0.0 ...



Yizhar Hurwitz
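The reply above replaces a list of one-per-host statics with a single identity-NAT rule and a list of one-per-prefix routes with one summary route. Both substitutions are only safe if the replacement actually covers every address the old lines did, and a summary route can also pull in prefixes nobody intended to send toward the extranet. The script below is an added example, not code from this thread or from Cisco: it parses PIX 6.x `static` and `route` lines, computes the smallest summary route for an interface (refusing when the routes point at different gateways), and reports which inside hosts a proposed `nat (inside) 0 access-list` source network would miss. The sample config is constructed in the style of the original post using RFC 5737 documentation addresses, not the masked real addresses above.

```python
"""Check whether consolidated PIX rules cover the per-host/per-prefix rules they replace.

Added example, not from the thread: parses PIX 6.x 'static' and 'route' lines
and checks (a) that one summary route covers every per-prefix route on an
interface and (b) that a proposed identity-NAT (nat 0) source network covers
every inside host the statics currently translate.
"""
import ipaddress
import re

# Constructed sample in the style of the poster's config. Addresses are
# documentation ranges (RFC 5737), not the real ones masked in the thread.
SAMPLE_CONFIG = """\
static (inside,extra) 192.0.2.41 10.100.0.41 netmask 255.255.255.255 0 0
static (inside,extra) 192.0.2.60 10.100.0.60 netmask 255.255.255.255 0 0
static (inside,extra) 192.0.2.5 10.100.5.5 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.129 1
route extra 198.51.0.0 255.255.0.0 192.0.2.1 1
route extra 198.51.156.14 255.255.255.255 192.0.2.1 1
route extra 198.51.216.0 255.255.255.0 192.0.2.1 1
route extra 198.51.217.0 255.255.255.0 192.0.2.1 1
"""

# PIX 6.x syntax: static (high_if,low_if) mapped real netmask mask [max_conns [em_limit]]
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
# PIX 6.x syntax: route if_name dest mask gateway metric
ROUTE_RE = re.compile(r"^route (\w+) (\S+) (\S+) (\S+) (\d+)$")


def parse_statics(config):
    """Return (mapped_net, real_net) pairs, one per 'static' line."""
    pairs = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            _high, _low, mapped, real, mask = m.groups()
            pairs.append((ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
                          ipaddress.ip_network(f"{real}/{mask}", strict=False)))
    return pairs


def parse_routes(config, iface):
    """Return (destination_net, gateway) pairs for 'route' lines on one interface."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m and m.group(1) == iface:
            _if, dest, mask, gateway, _metric = m.groups()
            routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), gateway))
    return routes


def summarize_routes(routes):
    """Smallest single prefix covering every destination; requires one common gateway.

    Widening the prefix can also include addresses none of the original routes
    named, so compare the result with what the extranet side really owns
    before installing it.
    """
    gateways = {gw for _, gw in routes}
    if len(gateways) != 1:
        raise ValueError(f"routes point at several gateways {sorted(gateways)}; "
                         "one summary route cannot replace them")
    nets = [net for net, _ in routes]
    summary = nets[0]
    # supernet() widens one bit at a time; it stops at 0.0.0.0/0, which covers everything.
    while not all(net.subnet_of(summary) for net in nets):
        summary = summary.supernet()
    return summary, gateways.pop()


def uncovered_static_hosts(nonat_source, statics):
    """Inside networks from the statics that a 'nat (inside) 0 access-list' source would miss.

    With identity NAT those hosts are no longer translated, so they appear on the
    extra interface under their real inside addresses rather than the mapped ones.
    """
    nonat = ipaddress.ip_network(nonat_source)
    return [real for _, real in statics if not real.subnet_of(nonat)]


if __name__ == "__main__":
    statics = parse_statics(SAMPLE_CONFIG)
    summary, gw = summarize_routes(parse_routes(SAMPLE_CONFIG, "extra"))
    print(f"route extra {summary.network_address} {summary.netmask} {gw} 1")
    for candidate in ("10.100.0.0/16", "10.100.0.0/24"):
        missed = uncovered_static_hosts(candidate, statics)
        print(candidate, "misses:", [str(n) for n in missed] or "nothing")
```

Run it against a copy of the real PIX config (paste the `static` and `route` lines into `SAMPLE_CONFIG`) before cutting over: a `/24` in the nonat ACL would silently drop the `10.100.5.5` static in the sample, and the summary route check makes the widening explicit so the extranet router's routing table can be compared against it.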
 
Thank you for the info, that helps out a lot. I had one more question: all the computers on the network point to

interface FastEthernet0/0
ip address 10.100.0.254 255.255.0.0

on the router. Would I set the PIX inside address to this IP, so I would not have to change the end nodes?

Thanks
 