Hello
There are two networks, A (172.22.1.0) and B (172.20.0.0), which are connected through an MPLS VPN.
The A network has Internet, but the B network has no Internet.
The A network could use the Internet services of the B network when the firewall was a Linux router, but
its disks were fried. At the moment in network B I have only two environments: a Cisco 3550 (172.20.100.150) and a PIX 515 (172.20.1.83).
I am sending you the PIX configuration and the Cisco 3550 configuration.
I am sure that the MPLS is correct because the MPLS service provider switched the routes from the Linux server to 172.20.100.150.
HELP:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security20
enable password itbXTRwSFw95LSqL encrypted
passwd itbXTRwSFw95LSqL encrypted
hostname pixfirewall
domain-name std.lt
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol http 83
names
name 172.21.1.83 pix_inside
name 193.219.11.41 pix_outside
name 193.219.11.62 defgw
access-list 201 deny tcp any any eq 135
pager lines 24
logging on
logging timestamp
logging standby
logging monitor debugging
logging buffered notifications
logging trap debugging
logging history warnings
logging host dmz1 172.20.1.85
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
icmp permit any outside
icmp permit any inside
icmp permit any dmz1
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
ip address outside 255.255.255.128
ip address inside pix_inside 255.255.0.0
ip address dmz1 172.20.1.83 255.255.0.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz1
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
arp timeout 14400
global (outside) 201 netmask 255.255.255.255
global (outside) 101 netmask 255.255.255.255
global (dmz1) 101 172.20.254.254 netmask 255.255.255.255
global (dmz1) 202 172.22.1.0
nat (inside) 101 172.21.0.0 255.255.0.0 0 0
nat (dmz1) 202 172.22.1.0 255.255.255.0 0 0
nat (dmz1) 201 172.20.0.0 255.255.0.0 0 0
static (inside,dmz1) 172.20.4.26 172.21.4.26 netmask 255.255.255.255 0 0
static (inside,dmz1) 172.20.22.90 172.21.1.90 netmask 255.255.255.255 0 0
static (inside,dmz1) 172.20.33.33 172.21.33.33 netmask 255.255.255.255 0 0
static (inside,outside) 172.21.33.33 netmask 255.255.255.255 0 0
static (inside,dmz1) 172.20.22.55 172.21.1.55 netmask 255.255.255.255 0 0
static (inside,dmz1) 172.20.22.101 172.21.1.109 netmask 255.255.255.255 0 0
static (inside,dmz1) 172.20.22.40 172.21.1.40 netmask 255.255.255.255 0 0
static (inside,dmz1) 172.20.22.98 172.20.16.98 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp 172.20.0.0 255.255.0.0 172.22.0.0 255.255.0.0
conduit permit udp 172.20.0.0 255.255.0.0 172.22.0.0 255.255.0.0
conduit permit udp host 172.21.1.55 172.20.0.0 255.255.0.0
conduit permit tcp host 172.21.1.55 172.20.0.0 255.255.0.0
conduit permit tcp host 172.21.1.59 172.20.0.0 255.255.0.0
conduit permit udp host 172.21.1.59 172.20.0.0 255.255.0.0
conduit permit udp host 172.21.1.56 172.20.0.0 255.255.0.0
conduit permit tcp host 172.21.1.56 172.20.0.0 255.255.0.0
conduit permit tcp host 172.20.22.55 172.22.0.0 255.255.0.0
conduit permit tcp host 172.20.1.50 172.20.0.0 255.255.0.0
conduit permit udp host 172.20.33.33 eq domain 172.20.0.0 255.255.0.0
conduit permit tcp host 172.20.33.33 eq domain 172.20.0.0 255.255.0.0
conduit permit tcp host 172.20.33.33 eq 255.255.0.0
conduit permit tcp host 172.20.22.55 eq smtp 172.20.0.0 255.255.0.0
conduit permit tcp host 172.20.1.20 172.20.0.0 255.255.0.0
conduit permit tcp host 172.20.22.40 eq sqlnet 172.22.0.0 255.255.0.0
conduit permit udp host 172.20.22.90 eq domain 172.22.0.0 255.255.0.0
conduit permit tcp host 172.20.22.90 eq domain 172.22.0.0 255.255.0.0
conduit permit tcp host 172.20.27.17 eq 8888 172.20.0.0 255.255.0.0
conduit permit tcp host 172.20.33.33 eq ftp 172.20.0.0 255.255.0.0
conduit permit tcp host 172.21.2.1 range 1 65535 host 172.20.1.49
conduit permit tcp
conduit permit tcp host 172.20.1.48 eq 172.22.0.0
conduit permit tcp host 172.20.1.48 eq ftp host 172.22.1.1
conduit permit tcp host 172.20.1.48 eq ftp host 172.22.0.0
conduit permit tcp host 172.20.1.90 172.22.0.0 255.255.0.0
conduit permit tcp host 172.20.1.39 eq sqlnet any
conduit permit tcp host 172.20.22.40 172.22.0.0 255.255.0.0
conduit permit tcp host 172.21.1.40 172.20.0.0 255.255.0.0
conduit permit tcp host 172.20.22.40 eq sqlnet 172.20.0.0 255.255.0.0
conduit permit udp host 172.21.1.40 172.20.0.0 255.255.0.0
conduit permit tcp host 172.20.1.224 eq ftp any
outbound 101 permit 172.21.0.0 255.255.0.0 0 icmp
outbound 101 permit 172.21.0.0 255.255.0.0 21 tcp
outbound 101 permit 172.21.0.0 255.255.0.0 22 tcp
outbound 101 permit 172.21.0.0 255.255.0.0 25 tcp
outbound 101 permit 172.21.0.0 255.255.0.0 53 tcp
outbound 101 permit 172.21.0.0 255.255.0.0 53 udp
outbound 101 permit 172.21.0.0 255.255.0.0 80 tcp
outbound 101 permit 172.21.0.0 255.255.0.0 443 tcp
outbound 101 permit 172.21.0.0 255.255.0.0 139 tcp
outbound 101 permit 172.21.0.0 255.255.0.0 445 tcp
outbound 101 permit 172.21.0.0 255.255.0.0 119 tcp
outbound 101 permit 172.21.0.0 255.255.0.0 1024-65535 tcp
outbound 101 permit 172.21.0.0 255.255.0.0 23 tcp
outbound 101 permit 172.21.0.0 255.255.0.0 110 tcp
outbound 201 deny 172.20.0.0 255.255.0.0 0 tcp
outbound 201 permit 172.20.0.0 255.255.0.0 0 icmp
outbound 201 permit 172.20.0.0 255.255.0.0 21 tcp
outbound 201 permit 172.20.0.0 255.255.0.0 22 tcp
outbound 201 permit 172.20.0.0 255.255.0.0 25 tcp
outbound 201 permit 172.20.0.0 255.255.0.0 53 tcp
outbound 201 permit 172.20.0.0 255.255.0.0 53 udp
outbound 201 permit 172.20.0.0 255.255.0.0 80 tcp
outbound 201 permit 172.20.0.0 255.255.0.0 137 udp
outbound 201 permit 172.20.0.0 255.255.0.0 443 tcp
outbound 201 permit 172.20.0.0 255.255.0.0 512 udp
outbound 201 permit 172.20.0.0 255.255.0.0 512 tcp
outbound 201 permit 172.20.0.0 255.255.0.0 1024-65535 tcp
outbound 201 permit 172.20.0.0 255.255.0.0 119 tcp
outbound 201 permit 172.20.0.0 255.255.0.0 110 tcp
outbound 201 permit 172.20.0.0 255.255.0.0 109 tcp
outbound 201 permit 172.20.0.0 255.255.0.0 23 tcp
outbound 201 permit 172.20.0.0 255.255.0.0 264 tcp
outbound 201 permit 172.20.0.0 255.255.0.0 8765 tcp
outbound 201 deny 172.20.0.0 255.255.0.0 135 tcp
outbound 201 deny 172.20.0.0 255.255.0.0 135 udp
outbound 201 deny 172.20.0.0 255.255.0.0 69 udp
outbound 201 deny 172.20.0.0 255.255.0.0 4444 tcp
outbound 201 permit 193.219.10.18 255.255.255.255 0 ip
outbound 201 permit 195.182.67.141 255.255.255.255 500 udp
outbound 202 permit 172.22.1.0 255.255.255.0 0 tcp
outbound 202 permit 172.22.1.0 255.255.255.0 80 tcp
outbound 202 permit 172.22.1.0 255.255.255.0 1024-65535 tcp
outbound 202 permit 172.22.1.0 255.255.255.0 53 ip
apply (inside) 101 outgoing_src
apply (dmz1) 202 outgoing_src
apply (dmz1) 201 outgoing_src
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 213.190.43.129 1
route dmz1 172.22.1.0 255.255.255.0 172.20.1.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.21.2.1 255.255.255.255 inside
http 172.20.1.111 255.255.255.255 dmz1
http 172.20.1.227 255.255.255.255 dmz1
snmp-server host outside 195.12.164.61
snmp-server host outside 195.12.164.62
no snmp-server location
snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt route dnat
auth-prompt prompt session
telnet 172.21.77.78 255.255.255.255 inside
telnet 172.21.2.1 255.255.255.255 inside
telnet 255.255.255.255 inside
telnet 172.20.77.77 255.255.255.255 dmz1
telnet 172.20.1.111 255.255.255.255 dmz1
telnet 172.20.1.223 255.255.255.255 dmz1
telnet 255.255.255.255 dmz1
telnet 172.20.1.226 255.255.255.255 dmz1
telnet timeout 20
ssh 172.20.1.226 255.255.255.255 dmz1
ssh timeout 5
terminal width 80
Cryptochecksum:4909c68f4f3eebe87162a046c5c5ebf2
pixfirewall(config)# show ip route
System IP Addresses:
ip address outside 255.255.255.128
ip address inside pix_inside 255.255.0.0
ip address dmz1 172.20.1.83 255.255.0.0
Current IP Addresses:
ip address inside pix_inside 255.255.0.0
ip address dmz1 172.20.1.83 255.255.0.0
pixfirewall(config)# show route
outside 0.0.0.0 0.0.0.0 213.190.43.129 1 OTHER static
dmz1 172.20.0.0 255.255.0.0 172.20.1.83 1 CONNECT static
inside 172.21.0.0 255.255.0.0 pix_inside 1 CONNECT static
dmz1 172.22.1.0 255.255.255.0 172.20.1.89 1 OTHER static
THANK YOU VERY MUCH FOR YOUR PATIENCE
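Added example (not part of the post above, and not Cisco code): a small checker for the PIX 6.x nat/global pairing in the pasted configuration. On PIX 6.x, hosts matched by nat (X) N only get a translation towards a lower-security interface Y if a global (Y) N exists (statics aside, which this check ignores), so the script parses the nameif, nat and global lines and reports nat ids with no global on the egress interface, globals whose address token is missing from the paste, and globals defined on the same interface as their nat. The embedded config excerpt is constructed from the lines in the post.

```python
import re

# Constructed excerpt of the nameif/global/nat lines as pasted in the post
# (the address tokens missing from the paste are left missing on purpose).
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security20
global (outside) 201 netmask 255.255.255.255
global (outside) 101 netmask 255.255.255.255
global (dmz1) 101 172.20.254.254 netmask 255.255.255.255
global (dmz1) 202 172.22.1.0
nat (inside) 101 172.21.0.0 255.255.0.0 0 0
nat (dmz1) 202 172.22.1.0 255.255.255.0 0 0
nat (dmz1) 201 172.20.0.0 255.255.0.0 0 0
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)(?:\s+(\S+))?")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:-\d{1,3}(?:\.\d{1,3}){3})?$")


def check_nat_pairs(config):
    """Pair each nat (iface) id with the global ids on lower-security interfaces."""
    security, nats, globals_ = {}, [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAMEIF_RE.match(line):
            security[m.group(1)] = int(m.group(2))
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
        elif m := GLOBAL_RE.match(line):
            addr = m.group(3)
            # "global (outside) 201 netmask ..." has lost its address token, so
            # anything that is not an IPv4 address or range is recorded as None.
            ok = addr is not None and IPV4_RE.match(addr) is not None
            globals_[(m.group(1), int(m.group(2)))] = addr if ok else None
    findings = {"missing_global": [], "global_without_address": [],
                "global_on_source_iface": []}
    for (iface, nat_id), addr in sorted(globals_.items()):
        if addr is None:
            findings["global_without_address"].append((iface, nat_id))
    for src, nat_id, net, mask in nats:
        if (src, nat_id) in globals_:  # never used: a global on the nat's own side
            findings["global_on_source_iface"].append((src, nat_id))
        for dst, level in sorted(security.items()):
            if level >= security.get(src, 0):
                continue  # same or higher security: nat/global do not apply
            if (dst, nat_id) not in globals_:
                findings["missing_global"].append((src, nat_id, f"{net} {mask}", dst))
    return findings


if __name__ == "__main__":
    for kind, items in check_nat_pairs(PIX_CONFIG).items():
        for item in items:
            print(kind, *item)
```

Run against the pasted lines it reports that nat (dmz1) 202, the 172.22.1.0/24 network arriving over the MPLS side, has no global (outside) 202 at all, while its only global sits on dmz1 itself.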