router-to-firewall config

[Jpeanut]

Does anyone have a sample config for a Cisco front-end router connecting through to a firewall? I have a 2514 connected to the Internet and a PIX behind it, like this:
e0(24.x.y.z)->e1(192.168.2.1)->PIXexternal(192.168.2.2)->PIXinternal(192.168.0.1) Any help would be great. Thanks.

 

[fmonteiro]

Here is an example:
Example 2-2 Two Interfaces with NAT
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 10baset
ip address outside 209.165.201.3 255.255.255.224
ip address inside 192.168.3.0 255.255.255.0
hostname pixfirewall
arp timeout 14400
no failover
names
pager lines 24
logging buffered debugging
nat (inside) 1 0 0
global (outside) 1 209.165.201.10-209.165.201.30
global (outside) 1 209.165.201.8
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
access-list acl_out permit icmp any any
access-group acl_out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00
udp 0:02:00 rpc 0:10:00 h323 0:05:00
sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
mtu outside 1500
mtu inside 1500

Full documentation for this example, including network diagram,coule be found at the following link:

http://www.cisco.com/en/US/products...figuration_guide_chapter09186a00800eb71e.html

 

[Jpeanut]

Actually, I have the PIX config, but what I need is the router config. I'm just confused on what commands I need to allow all traffic to reach my firewall so that it can then manage the traffic. Thanks for responding.

 

[tschouten]

Looks like you would beed to be performing nat on the router, unless your ISP gave you a bunch of IP addresses. Then you could use one of the addresses on eth1 and have the pix perform all the nat'ing you need.
in you example you need to perform NAT:

here
e0(24.x.y.z)->e1(192.168.2.1)->PIXexternal(192.168.2.2)->PIXinternal(192.168.0.1)

Or you could change some addresses and perform NAT:

Here
e0(24.x.y.z)->e1(24.x.y.z)->PIXexternal(192.168.2.1)->PIXinternal(192.168.0.1)

 

[tschouten]

There are a couple of other ways to do that you don't need to change the addresses was just trying to keep things simple.

 

[sharkyj72]

jpeanut,

all you need on the router is a static route to the internal network on the firewall,

eg

ip route 192.168.0.0 255.255.255.0 192.168.2.2.

on your firewall you'll also need a route back to the 24 address

eg

ip route 24.0.0.0 255.0.0.0 192.168.2.1

That sorts out the routing. If your going to allow traffic out to the internet from hosts on your private network as stated above you'll need to setup NAT on the router.

 

[Jpeanut]

What about passing port traffic (eg. web-server, ftp server, etc) through to the firewall?

 

[sharkyj72]

Im not sure I understand what you mean.

Youre router passes all IP traffic, regardless of port using the routing table. If your NAT'ing the general rule of thumb is this,

Incoming traffic (outside to inside) - check for nat rule then pass to routing table.

Outgoing traffic - check routing table then pass to nat rule table.

If you have a connection to the internet from the router, all you should really be doing is routing to your firewall. However your config is slighty unusual. Normally I would recommend a public address range on the external pix ethernet interface eg,


router e0 (public) -> pix external (public) -> pix internal (private)

Then you would nat on the firewall and life would be a lot simpler.

However you seem to have,

router e1 (public) -> router e0 (private) -> pix external (private) -> pix internal (private)

therefore if you are going to route to your private address you must have a route entry on the route telling it how to get to 192.168 etc etc.

if you are going to pass tcp traffic to hosts on the private network you must also have a translation from your public range to your private range. eg if your web server sits on a 192.168 address, you need to statically map a free public address to it.

Suppose your isp assign you a public address block of 205.x.x.x /248

You could setup a static nat rule on the pix to map a 205 address to your web servers 192.168 address.

You would also require a route entry on the router to tell it where to find 205.x.x.x. Essentially this is on the firewall so you would route 205.x.x.x.x via your firewall interface 192.168.2.2.