Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX Configuration / HELP!!!

Status
Not open for further replies.
AXISPNOC

AXISPNOC

IS-IT--Management
Jun 11, 2003
22
0
0
Hello all.

I would like to get your advise about the following PIX configuration.

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname pixfirewall
domain-name yourdomain.com

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol sip 5060
no fixup protocol skinny 2000
no fixup protocol rtsp 554
names
access-list from-outside-coming-in permit tcp host XXX.160.124.15 host XXX.172.10.2 eq 1645
access-list from-outside-coming-in permit tcp host XXX.160.124.15 host XXX.172.10.2 eq 1646
access-list from-outside-coming-in permit tcp host XXX.160.124.15 host XXX.172.10.3 eq 1645
access-list from-outside-coming-in permit tcp host XXX.160.124.15 host XXX.172.10.3 eq 1646
access-list from-outside-coming-in permit tcp host XXX.160.124.16 host XXX.172.10.2 eq 1645
access-list from-outside-coming-in permit tcp host XXX.160.124.16 host XXX.172.10.2 eq 1646
access-list from-outside-coming-in permit tcp host XXX.160.124.16 host XXX.172.10.3 eq 1645
access-list from-outside-coming-in permit tcp host XXX.160.124.16 host XXX.172.10.3 eq 1646
access-list from-outside-coming-in permit tcp host XXX.160.124.17 host XXX.172.10.2 eq 1645
access-list from-outside-coming-in permit tcp host XXX.160.124.17 host XXX.172.10.2 eq 1646
access-list from-outside-coming-in permit tcp host XXX.160.124.17 host XXX.172.10.3 eq 1645
access-list from-outside-coming-in permit tcp host XXX.160.124.17 host XXX.172.10.3 eq 1646
access-list from-outside-coming-in permit tcp host XXX.160.124.18 host XXX.172.10.2 eq 1645
access-list from-outside-coming-in permit tcp host XXX.160.124.18 host XXX.172.10.2 eq 1646
access-list from-outside-coming-in permit tcp host XXX.160.124.18 host XXX.172.10.3 eq 1645
access-list from-outside-coming-in permit tcp host XXX.160.124.18 host XXX.172.10.3 eq 1646
access-list from-outside-coming-in permit tcp host XXX.160.124.19 host XXX.172.10.2 eq 1645
access-list from-outside-coming-in permit tcp host XXX.160.124.19 host XXX.172.10.2 eq 1646
access-list from-outside-coming-in permit tcp host XXX.160.124.19 host XXX.172.10.3 eq 1645
access-list from-outside-coming-in permit tcp host XXX.160.124.19 host XXX.172.10.3 eq 1646
access-list from-outside-coming-in permit tcp host XXX.160.124.20 host XXX.172.10.2 eq 1645
access-list from-outside-coming-in permit tcp host XXX.160.124.20 host XXX.172.10.2 eq 1646
access-list from-outside-coming-in permit tcp host XXX.160.124.20 host XXX.172.10.3 eq 1645
access-list from-outside-coming-in permit tcp host XXX.160.124.20 host XXX.172.10.3 eq 1646
access-list from-outside-coming-in permit tcp host XXX.63.124.11 host XXX.172.10.2
access-list from-outside-coming-in permit tcp host XXX.63.124.11 host XXX.172.10.3
access-list from-outside-coming-in permit tcp any host XXX.172.10.2 eq 56
access-list from-outside-coming-in permit tcp any host XXX.172.10.3 eq 56
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside XXX.160.124.254 255.255.255.0
ip address inside XXX.172.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 XXX.172.10.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) XXX.172.10.0 XXX.172.10.0 netmask 255.255.255.0 0 0
access-group from-outside-coming-in in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.172.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 500
Cryptochecksum:6c32407d407f8f4a1ff10f0fda7d2f91
: end
[OK]

I would like to know if it will work or any suggestions before I put it in place.

Mike
 
Sort by date Sort by votes
Definite problem with your route statement using a host address on your inside network for the next hop, it needs to be an address on the outside network.

Are you trying to use Identity NAT so that the inside addresses all appear untranslated from the outside? If not then your access list/static/global statements are not correct.

Version 6.2 has an object group command that lets you group all the devices and protocols separately so that your access list commands becomes very easy to read and manage.

 
Upvote 0 Downvote
Thanks for the reply 308win. However, this is the first time that I have ever tried to configure a cisco firewall. Most of the configuration above is bits and pieces from different configuration examples. So to be honest I am not quite sure what it all means.

I want to protect the computers on the inside from the outside, however there are a couple of computers on the outside that need to be able to talk to the ones on the inside. That is what that long list of access-lists is supposed to do. I think. Maybe.

You wrote:
"Definite problem with your route statement using a host address on your inside network for the next hop, it needs to be an address on the outside network."

What exactly are you refering to? Again this is my first time so please bare with me.

You wrote:
"Are you trying to use Identity NAT so that the inside addresses all appear untranslated from the outside?"

The answer is yes. I do not want the inside addresses translated to a different IP on the outside.

Again thank you for your reply.

Mike
 
Upvote 0 Downvote
For no translation, dump the NAT, GLOBAL and STATIC statements. What you want is:
nat (inside) 0 xxx.172.xxx.xxx 255.255.255.0

"nat 0" means "do not translate". (Actually, it's "translate these inside addresses to the same addresses on the outside", but the point's the same.).

Your default route statement needs to point to the outside next hop, not the inside:
route outside 0 0 xxx.160.24.xxx

If there are other networks on the inside, you need other static routes, or enable RIP.

Try these and let us know.

 
Upvote 0 Downvote
OK I have dumped the NAT, GLOBAL and Static commands. Also added the NAT 0 and changed the route statement to the outside.

So if that is it I will implement them and let you know if it works.

Thanks for your help,
Mike
 
Upvote 0 Downvote
I guess it worked?

trying to get my CCSP
have MCSE,CCNA,A+,NET+,SECURITY+
 
Upvote 0 Downvote
Mike has been off for the last couple of days. We will not be implementing the new Firewall settings till the weekend. Thanks to all for the help, we will definitely let you know how it turns out.

Jim
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
141
Sameer258
Sameer258
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
157
intel233
intel233
tklamb
  • Locked
  • Question
ACL help
Replies
0
Views
45
tklamb
tklamb
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
56
PauS0n
PauS0n
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
35
xwray
xwray

Part and Inventory Search

Sponsor

Back
Top