I am having some problems with my network. It worked one day, but when I came back the next day nothing worked. The config wasn't changed.
Anyhow, here is what I am trying to do.
I have one line coming in from the outside and I have 5 external addresses. I want only certain internal IPs to go out certain external IPs.
Example: 192.168.1.2 goes out 1.1.1.1
192.168.1.3 goes out 2.2.2.2
Here is my current router config:
ip dhcp excluded-address 172.16.4.99 172.16.4.127
ip dhcp excluded-address 172.16.4.65
!
ip dhcp pool wireless
network 172.16.4.64 255.255.255.192
default-router 172.16.4.65
!
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 172.16.4.17 255.255.255.240
!
interface FastEthernet0/0
ip address 172.16.4.33 255.255.255.240
ip access-group LAN in
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
ip address 172.16.4.65 255.255.255.192
ip access-group Wireless in
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
ip classless
ip http server
(summary of access lists)
ip access-list extended LAN
permit ip host 172.16.5.15 host 1.1.1.1
permit ip host 172.16.5.16 host 1.1.1.1
permit ip host 172.16.5.17 host 1.1.1.1
permit ip host 172.16.5.18 host 1.1.1.1
permit ip host 172.16.5.19 host 1.1.1.1
permit ip host 172.16.5.20 host 1.1.1.1
permit ip host 172.16.5.21 host 1.1.1.1
permit ip host 172.16.5.22 host 1.1.1.1
permit ip host 172.16.5.23 host 1.1.1.1
permit ip host 172.16.5.24 host 1.1.1.1
permit ip host 172.16.5.33 host 2.2.2.2
permit ip host 172.16.5.34 host 2.2.2.2
permit ip host 172.16.5.35 host 2.2.2.2
permit ip host 172.16.5.36 host 2.2.2.2
permit ip host 172.16.5.37 host 2.2.2.2
permit ip host 172.16.5.38 host 2.2.2.2
ip access-list extended Wireless
permit udp any any eq bootps
permit udp any any eq bootpc
permit ip host 172.16.4.66 host 1.1.1.1
permit ip host 172.16.4.67 host 1.1.1.1
permit ip host 172.16.4.68 host 1.1.1.1
permit ip host 172.16.4.69 host 1.1.1.1
permit ip host 172.16.4.70 host 1.1.1.1
permit ip host 172.16.4.71 host 1.1.1.1
permit ip host 172.16.4.72 host 1.1.1.1
permit ip host 172.16.4.100 host 2.2.2.2
permit ip host 172.16.4.101 host 2.2.2.2
permit ip host 172.16.4.102 host 2.2.2.2
permit ip host 172.16.4.103 host 2.2.2.2
permit ip host 172.16.4.104 host 2.2.2.2
dial-peer cor custom
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
end
The loopback is there only for testing purposes. When the network gets installed it will be changed to the s0/0 port, which is actually a WAN port. The router is a Cisco 2621.
Here is the firewall config:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 prinetwork security10
nameif ethernet3 servers security20
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 1 permit ip 172.16.4.128 255.255.255.192 172.16.5.0 255.255.255.192
pager lines 24
mtu outside 1500
mtu inside 1500
mtu prinetwork 1500
mtu servers 1500
ip address outside 172.16.4.146 255.255.255.192
ip address inside 172.16.4.193 255.255.255.192
ip address prinetwork 172.16.5.1 255.255.255.192
ip address servers 172.16.4.1 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address prinetwork
no failover ip address servers
pdm history enable
arp timeout 14400
static (prinetwork,outside) 172.16.5.0 172.16.4.128 netmask 255.255.255.192 0 0
access-group 1 in interface outside
conduit permit ip host 172.168.5.5 any
conduit permit tcp host 172.168.5.5 any
conduit permit udp host 172.168.5.5 any
conduit permit icmp host 172.168.5.5 any
rip outside passive version 1
rip outside default version 1
rip prinetwork passive version 1
rip prinetwork default version 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.5.3-172.16.5.32 prinetwork
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable prinetwork
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
One switch is manageable. I can ping the firewall port from both the switch and a host, but I can't access anything on the router or the other networks connected to the firewall.
Here is a diagram of what I am looking to do:
------------
Router
------------
| |
------- | | ----------
Wireless --- ----- Firewall ----Vpn Server
------- ---------- network 2
network 1 | |
| |
LAN#1 LAN#2
network 3 network 4
network1: just for wireless, no access to network 3
network2: needs to be accessed from the outside
network3: needs access to everything within the network
network4: needs access to only wireless and network 2
Any help would be welcome, I am currently lost.
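As an added example (not the poster's own code, and not Cisco's): a small Python model of how IOS extended ACLs such as the posted LAN and Wireless lists evaluate a packet (first matching entry wins; anything unmatched falls to the implicit deny at the end of every list), plus the host-offset translation that the posted PIX net static applies. The ACE subsets and test packets are constructed from the posted config; only the `host` and `any` address forms the config uses are modelled.

```python
import ipaddress

# Constructed subset of the poster's "LAN" and "Wireless" extended ACLs (IOS syntax).
LAN_ACL = """
permit ip host 172.16.5.15 host 1.1.1.1
permit ip host 172.16.5.33 host 2.2.2.2
"""
WIRELESS_ACL = """
permit udp any any eq bootps
permit udp any any eq bootpc
permit ip host 172.16.4.66 host 1.1.1.1
"""
PORT_NAMES = {"bootps": 67, "bootpc": 68}  # IOS port keywords used in the posted list


def _addr(tok, i):
    """Parse 'any' or 'host A.B.C.D' at position i; returns (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    raise ValueError("only the 'any' and 'host' forms are modelled here")


def parse_acl(text):
    """One ACE per line -> (action, proto, src_net, dst_net, dst_port or None)."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[0], tok[1]
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        # An 'eq' after the destination address is a destination-port match.
        dport = (PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])) if i < len(tok) and tok[i] == "eq" else None
        aces.append((action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """IOS semantics: first matching ACE wins; no match hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst, adport in aces:
        if aproto not in ("ip", proto) or s not in asrc or d not in adst:
            continue
        if adport is not None and adport != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL


def pix_static(inside_ip, real="172.16.5.0", mapped="172.16.4.128"):
    """Model the posted 'static (prinetwork,outside) 172.16.5.0 172.16.4.128 netmask /26'."""
    off = int(ipaddress.ip_address(inside_ip)) - int(ipaddress.ip_address(real))
    return str(ipaddress.ip_address(int(ipaddress.ip_address(mapped)) + off))
```

`evaluate(parse_acl(LAN_ACL), "icmp", "172.16.5.15", "172.16.4.33")` returns `"deny"` because the only permitted destinations in that list are 1.1.1.1 and 2.2.2.2, and `pix_static("172.16.5.15")` returns `"172.16.4.143"`, an address no ACE on the router names.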