PIX 515E Config - Will this work as expected?


enacht (Technical User, CH), Jun 3, 2003
Hello Experts

The following is my PIX 515E configuration. As I had problems before getting the PIX to work when I wanted to put it in place, and lost many work hours through that, I'm kindly asking you to take a look at the config and tell me if this will work the way I expect, or if I'm far off from the right solution.

From the DMZ to the outside I don't want NAT/PAT, but I want to use public IPs on the DMZ.
The access lists currently permit any host to access HTTP (port 80) and SSH (port 22) on any host on the DMZ.

The outside network is a /30 transfer network, xxx.xxx.222.184/30

The DMZ network:
xxx.xxx.222.226/27

The INSIDE Network:
192.168.0.0/24

Thanks in advance for your time and your valued input.

Emanuel
emanuel@xconnect.ch

Code:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
hostname pix
domain-name test.org
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name xxx.xxx.222.229 jabber.test
name xxx.xxx.222.228 rodan.test
name xxx.xxx.222.227 ftp.test
name xxx.xxx.222.239 musik.cust
name xxx.xxx.222.238 teleboy.test
name xxx.xxx.222.237 tv.test
name xxx.xxx.222.236 media.test
name xxx.xxx.222.235 gateway.test
name xxx.xxx.222.234 backoffice
name xxx.xxx.222.233 test.org
name xxx.xxx.222.232 jabber.dnc
name xxx.xxx.222.231 platon.clubgirl
name xxx.xxx.222.230 grendel.test
name xxx.xxx.222.246 wap1.machine.ch
name xxx.xxx.222.245 platon2.test
name xxx.xxx.222.244 platon.test
name xxx.xxx.222.243 cine.cust
name xxx.xxx.222.242 tv.cust
name xxx.xxx.222.241 kino.cust
name xxx.xxx.222.240 games.cust
name xxx.xxx.222.252 floating
name xxx.xxx.222.251 grendel2.test
name xxx.xxx.222.250 src.kino
name xxx.xxx.222.249 src.machine
name xxx.xxx.222.248 mate.test.ch
name xxx.xxx.222.247 wap.machine
name xxx.xxx.222.253 floating2
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq 22
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside xxx.xxx.222.186 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip address DMZ xxx.xxx.222.226 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 192.168.0.3 255.255.255.255 inside
pdm location ftp.test 255.255.255.255 DMZ
pdm location rodan.test 255.255.255.255 DMZ
pdm location jabber.test 255.255.255.255 DMZ
pdm location grendel.test 255.255.255.255 DMZ
pdm location platon.clubgirl 255.255.255.255 DMZ
pdm location jabber.dnc 255.255.255.255 DMZ
pdm location test.ch 255.255.255.255 DMZ
pdm location backoffice 255.255.255.255 DMZ
pdm location gateway.test 255.255.255.255 DMZ
pdm location media.test 255.255.255.255 DMZ
pdm location tv.test 255.255.255.255 DMZ
pdm location teleboy.test 255.255.255.255 DMZ
pdm location musik.cust 255.255.255.255 DMZ
pdm location games.cust 255.255.255.255 DMZ
pdm location kino.cust 255.255.255.255 DMZ
pdm location tv.cust 255.255.255.255 DMZ
pdm location cine.cust 255.255.255.255 DMZ
pdm location platon.test 255.255.255.255 DMZ
pdm location platon2.test 255.255.255.255 DMZ
pdm location wap1.machine.ch 255.255.255.255 DMZ
pdm location wap.cinemachine 255.255.255.255 DMZ
pdm location mate.test.ch 255.255.255.255 DMZ
pdm location src.machine 255.255.255.255 DMZ
pdm location src.kino 255.255.255.255 DMZ
pdm location grendel2.test 255.255.255.255 DMZ
pdm location floating 255.255.255.255 DMZ
pdm location floating2 255.255.255.255 DMZ
pdm history enable
arp timeout 14400
global (DMZ) 1 ftp.test-floating2
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.222.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
 
You will need to make some changes before this will work:

1) Since you are using private IPs on the inside of your firewall (192.168.0.0), your nat 0 statement will not work (nat 0 disables NAT) for Internet access. Change it to the following:
nat 1 (inside) 0 0

2) In addition to the NAT command, you also need to use a global command to allow inside traffic to access the Internet. Here's the command, using the firewall's IP address as the "public" IP:
global (outside) 1 interface

3) For access to the DMZ hosts from the OUTSIDE, you must have static statements as well as access-lists. Since you are using publicly routable IPs, you effectively don't use NAT, but must still have the static for each host. Here is an example:
static (DMZ,outside) ftp.test ftp.test netmask 255.255.255.255 0 0

4) Your outside_access_in access-list is not applied to any interface. You need to apply it to the outside interface with the following command:
access-group outside_access_in in interface outside

5) Your statement reading "global (DMZ) 1 ftp.test-floating2" should be OK as long as that address isn't assigned to a host in the DMZ. I don't think it is, but was just checking.

6) Since you are using publicly routable IPs on your DMZ, the "nat (DMZ) 0 0.0.0.0 0.0.0.0" statement will work, but keep in mind that any statics you define will take precedence over this statement.

That's at least a start.
 
Thanks a lot, tbisset, for your valued answer.

please allow me to add some comments to your proposed changes:

1 - I think the correct command (or at least the command that the pix accepted) is:
nat (inside) 1 0 0 - it didn't accept nat 1 (inside) 0 0

2 - I've done that, but it gave me a warning which reads:
Warning: Start and End addresses overlap with broadcast address.
what exactly does this mean in this situation, and what kind of problems arise through this?

3 - all static entries added according to your example

4 - added as well

5 - since all addresses from ftp.test-floating2 were IPs used on the DMZ interface, I have removed this statement from the config.

6 - I've used all available IPs on the DMZ interface, thus the "nat (DMZ) 0 0.0.0.0 0.0.0.0" statement has been removed from the config as well, to make sure no redundant statements are in the config.


I hope the config will now work as expected (allow traffic from outside-any to DMZ-any for HTTP and SSH for now, and from DMZ-any to outside-any).

Thank you very much again for your help on this topic!

Code:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
hostname pix
domain-name test.ch
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name xxx.xxx.222.229 jabber.test
name xxx.xxx.222.228 rodan.test
name xxx.xxx.222.227 ftp.test
name xxx.xxx.222.239 musik.cust
name xxx.xxx.222.238 teleboy.test
name xxx.xxx.222.237 tv.test
name xxx.xxx.222.236 media.test
name xxx.xxx.222.235 gateway.test
name xxx.xxx.222.234 backoffice
name xxx.xxx.222.233 test.ch
name xxx.xxx.222.232 jabber.dnc
name xxx.xxx.222.231 platon.clubgirl
name xxx.xxx.222.230 grendel.test
name xxx.xxx.222.246 wap1.machine.ch
name xxx.xxx.222.245 platon2.test
name xxx.xxx.222.244 platon.test
name xxx.xxx.222.243 cine.cust
name xxx.xxx.222.242 tv.cust
name xxx.xxx.222.241 kino.cust
name xxx.xxx.222.240 games.cust
name xxx.xxx.222.252 floating
name xxx.xxx.222.251 grendel2.test
name xxx.xxx.222.250 src.kino
name xxx.xxx.222.249 src.machine
name xxx.xxx.222.248 mate.test.ch
name xxx.xxx.222.247 wap.cinemachine
name xxx.xxx.222.253 floating2
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq 22
access-list DMZ_access_in permit tcp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside xxx.xxx.222.186 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip address DMZ xxx.xxx.222.226 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 192.168.0.3 255.255.255.255 inside
pdm location ftp.test 255.255.255.255 DMZ
pdm location rodan.test 255.255.255.255 DMZ
pdm location jabber.test 255.255.255.255 DMZ
pdm location grendel.test 255.255.255.255 DMZ
pdm location platon.clubgirl 255.255.255.255 DMZ
pdm location jabber.dnc 255.255.255.255 DMZ
pdm location test.ch 255.255.255.255 DMZ
pdm location backoffice 255.255.255.255 DMZ
pdm location gateway.test 255.255.255.255 DMZ
pdm location media.test 255.255.255.255 DMZ
pdm location tv.test 255.255.255.255 DMZ
pdm location teleboy.test 255.255.255.255 DMZ
pdm location musik.cust 255.255.255.255 DMZ
pdm location games.cust 255.255.255.255 DMZ
pdm location kino.cust 255.255.255.255 DMZ
pdm location tv.cust 255.255.255.255 DMZ
pdm location cine.cust 255.255.255.255 DMZ
pdm location platon.test 255.255.255.255 DMZ
pdm location platon2.test 255.255.255.255 DMZ
pdm location wap1.machine.ch 255.255.255.255 DMZ
pdm location wap.cinemachine 255.255.255.255 DMZ
pdm location mate.test.ch 255.255.255.255 DMZ
pdm location src.machine 255.255.255.255 DMZ
pdm location src.kino 255.255.255.255 DMZ
pdm location grendel2.test 255.255.255.255 DMZ
pdm location floating 255.255.255.255 DMZ
pdm location floating2 255.255.255.255 DMZ
pdm location office2 255.255.255.255 outside
pdm location office 255.255.255.255 outside
pdm location office3 255.255.255.255 outside
pdm location office4 255.255.255.255 outside
pdm location office5 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) jabber.test jabber.test netmask 255.255.255.255 0 0
static (DMZ,outside) rodan.test rodan.test netmask 255.255.255.255 0 0
static (DMZ,outside) ftp.test ftp.test netmask 255.255.255.255 0 0
static (DMZ,outside) musik.cust musik.cust netmask 255.255.255.255 0 0
static (DMZ,outside) teleboy.test teleboy.test netmask 255.255.255.255 0 0
static (DMZ,outside) tv.test tv.test netmask 255.255.255.255 0 0
static (DMZ,outside) media.test media.test netmask 255.255.255.255 0 0
static (DMZ,outside) gateway.test gateway.test netmask 255.255.255.255 0 0
static (DMZ,outside) backoffice backoffice netmask 255.255.255.255 0 0
static (DMZ,outside) test.ch test.ch netmask 255.255.255.255 0 0
static (DMZ,outside) jabber.dnc jabber.dnc netmask 255.255.255.255 0 0
static (DMZ,outside) platon.clubgirl platon.clubgirl netmask 255.255.255.255 0 0
static (DMZ,outside) grendel.test grendel.test netmask 255.255.255.255 0 0
static (DMZ,outside) wap1.machine.ch wap1.machine.ch netmask 255.255.255.255 0 0
static (DMZ,outside) platon2.test platon2.test netmask 255.255.255.255 0 0
static (DMZ,outside) platon.test platon.test netmask 255.255.255.255 0 0
static (DMZ,outside) cine.cust cine.cust netmask 255.255.255.255 0 0
static (DMZ,outside) tv.cust tv.cust netmask 255.255.255.255 0 0
static (DMZ,outside) kino.cust kino.cust netmask 255.255.255.255 0 0
static (DMZ,outside) games.cust games.cust netmask 255.255.255.255 0 0
static (DMZ,outside) floating floating netmask 255.255.255.255 0 0
static (DMZ,outside) grendel2.test grendel2.test netmask 255.255.255.255 0 0
static (DMZ,outside) src.kino src.kino netmask 255.255.255.255 0 0
static (DMZ,outside) src.machine src.machine netmask 255.255.255.255 0 0
static (DMZ,outside) mate.test.ch mate.test.ch netmask 255.255.255.255 0 0
static (DMZ,outside) wap.cinemachine wap.cinemachine netmask 255.255.255.255 0 0
static (DMZ,outside) floating2 floating2 netmask 255.255.255.255 0 0
static (inside,outside) interface 192.168.0.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxx.xxx.222.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5

Emanuel
emanuel@xconnect.ch

--
the router thought it was a printer
 
Oops! Sorry about the transposed NAT (inside) command. The one you typed in is correct.

As for the "Warning: Start and End addresses overlap with broadcast address" message, I've gotten that in the past as well (though admittedly, I'm not entirely sure why). The addresses you have set are fine and legal, so I wouldn't expect any issues.
 
Those kind of mistakes happen to the best of the best :)


I'm wondering about one thing: will the configuration as it is right now allow communication between the hosts on the DMZ, or will this be blocked by the firewall?

It's most probably a silly question which only the current 30°C in the office makes me ask.

Emanuel

--
the router thought it was a printer
 
If you mean communication from one DMZ host to another DMZ host, that will work fine. This is because that traffic would never be destined for the firewall in the first place, as it is local to that segment.

One other thing: For the INSIDE hosts to access the DMZ hosts, you will need to add a global:
global (DMZ) 1 interface
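The following is an added illustration for this thread, not Cisco code and not something any poster wrote. It models the PIX 6.x lookups that tbisset's points 1 to 4 and 6, Emanuel's final config, and the inside-to-DMZ remark just above all turn on: a flow from a higher-security interface to a lower one needs an xlate (a static, which works in both directions, or a nat id that has a global pool on the destination interface), a flow from a lower-security interface to a higher one needs a static for the destination plus a permit in the access-list bound to the arriving interface, and an access-list that is never applied with access-group does nothing. Assumptions: the masked xxx.xxx.222.x addresses are replaced with the RFC 5737 range 198.51.100.x, raw addresses stand in for the `name` aliases, the DMZ statics are cut down to a single host, and `global (DMZ) 1 interface` is deliberately left out of the constructed config so the inside-to-DMZ case shows why it is needed. Only the statement shapes that appear in the posted configs are parsed.

```python
"""PIX 6.x translation/ACL lookup model for this thread (added illustration, not
Cisco code): nat/global pools, identity statics, access-group binding, security levels."""
import ipaddress

# Constructed stand-in for the final posted config: 198.51.100.x (RFC 5737) replaces
# the masked xxx.xxx.222.x, raw addresses replace the "name" aliases, the DMZ statics
# are cut to one host, and "global (DMZ) 1 interface" is deliberately absent.
CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
ip address outside 198.51.100.186 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip address DMZ 198.51.100.226 255.255.255.224
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq 22
access-list DMZ_access_in permit tcp any any
access-list unused_acl permit tcp any any eq 25
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 198.51.100.227 198.51.100.227 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
"""
PORT_NAMES = {"www": 80, "http": 80, "ssh": 22, "ftp": 21, "smtp": 25}

def parse(text):
    cfg = {"level": {}, "addr": {}, "acl": {}, "bound": {}, "global": {}, "nat": {}, "static": []}
    for line in text.strip().split("\n"):
        t = line.split()
        if t[0] == "nameif":                 # nameif HW IFC securityN
            cfg["level"][t[2]] = int(t[3][len("security"):])
        elif t[:2] == ["ip", "address"]:     # ip address IFC A.B.C.D MASK
            cfg["addr"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "access-list":          # access-list NAME permit tcp any any [eq PORT]
            port = (PORT_NAMES.get(t[7]) or int(t[7])) if len(t) > 7 else None
            cfg["acl"].setdefault(t[1], []).append((t[2] == "permit", port))
        elif t[0] == "access-group":         # access-group NAME in interface IFC
            cfg["bound"][t[4]] = t[1]
        elif t[0] == "global":               # global (IFC) ID interface|A-B
            cfg["global"].setdefault(int(t[2]), {})[t[1].strip("()")] = t[3]
        elif t[0] == "nat":                  # nat (IFC) ID NET MASK ...  (one id per interface)
            cfg["nat"][t[1].strip("()")] = int(t[2])
        elif t[0] == "static":               # static (REAL,MAPPED) mapped_ip real_ip ...
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            cfg["static"].append((real_ifc, mapped_ifc, t[3], t[2]))
    return cfg

def acl_verdict(cfg, ifc, dport):
    """True/False from the ACL bound inbound on ifc; None when none is bound."""
    name = cfg["bound"].get(ifc)
    if name is None:
        return None
    for permit, port in cfg["acl"][name]:
        if port in (None, dport):
            return permit
    return False                             # implicit deny at the end of every ACL

def evaluate(cfg, src_ifc, src, dst_ifc, dst, dport):
    """(allowed, why) for a new TCP connection src -> dst:dport across the PIX."""
    if cfg["level"][src_ifc] > cfg["level"][dst_ifc]:
        # Higher -> lower: the source needs an xlate on dst_ifc (static, or nat id + global there).
        st = next((s for s in cfg["static"] if s[:2] == (src_ifc, dst_ifc) and s[2] == src), None)
        nat_id = cfg["nat"].get(src_ifc)
        if st:
            why = f"static {src}->{st[3]}"
        elif nat_id is None:
            return False, f"no nat or static for {src} on {src_ifc}: no xlate"
        elif nat_id == 0:                    # identity NAT: address passes unchanged
            if dst_ifc == "outside" and ipaddress.ip_address(src).is_private:
                return False, f"nat 0 sends private {src} unchanged to the Internet"
            why = f"nat 0 identity {src}"
        elif dst_ifc not in cfg["global"].get(nat_id, {}):
            return False, f"nat id {nat_id} has no global pool on {dst_ifc}: no xlate"
        else:
            pool = cfg["global"][nat_id][dst_ifc]
            mapped = cfg["addr"][dst_ifc].ip if pool == "interface" else pool
            why = f"PAT {src}->{mapped}"
        if acl_verdict(cfg, src_ifc, dport) is False:
            return False, f"denied by the ACL bound to {src_ifc}"
        return True, why                     # no ACL on the higher side: outbound allowed
    # Lower -> higher: the destination needs a static and the ACL on src_ifc must permit it.
    st = next((s for s in cfg["static"] if s[:2] == (dst_ifc, src_ifc) and s[3] == dst), None)
    if st is None:
        return False, f"no static ({dst_ifc},{src_ifc}) for {dst}: no xlate"
    if acl_verdict(cfg, src_ifc, dport) is not True:
        return False, f"port {dport} not permitted by the ACL bound to {src_ifc}"
    return True, f"static {dst}->{st[2]}, ACL permit"

def unbound_acls(cfg):
    """ACLs written with access-list but never applied with access-group (fix 4)."""
    return sorted(set(cfg["acl"]) - set(cfg["bound"].values()))

if __name__ == "__main__":
    cfg = parse(CONFIG)
    for flow in [("inside", "192.168.0.2", "DMZ", "198.51.100.227", 22),
                 ("outside", "203.0.113.9", "DMZ", "198.51.100.227", 22)]:
        print(flow, evaluate(cfg, *flow))
```

Run as-is, the inside-to-DMZ flow fails with "no global pool on DMZ" and passes once `global (DMZ) 1 interface` is appended to the constructed config; swapping `nat (inside) 1` for `nat (inside) 0` reproduces point 1 (the private source goes out untranslated), and a DMZ host without its own static has no outbound path at all once `nat (DMZ) 0` is gone, which is why removing it in point 6 only works because every DMZ host got a static. Two caveats the model makes visible: `outside_access_in` matches on port alone, so SSH on every statically mapped DMZ host is reachable from any Internet address, and binding `DMZ_access_in` replaces the default outbound permit with a list that ends in an implicit deny, so DMZ hosts lose anything not listed (UDP 53 for DNS, ICMP). Unrelated to translation but visible in the posted config, `snmp-server community public` keeps the default community string; the model does not check for it.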
 
Yup, that's what I thought (about communication between two DMZ hosts). But the AC in the office died today so I couldn't think straight anymore for the moment :)

Thanks for the remark about INSIDE<->DMZ, was scratching my head about it :)

Tomorrow I'll get the lab setup ready to test those things out.

Thanks again for your time, I really appreciate it!

Emanuel


--
the router thought it was a printer
 
Just to let you know,

thanks to your help and tips, the firewall is working flawlessly in the laboratory setup. The next thing to do is to get it into the production environment.

Emanuel


--
the router thought it was a printer
 