PIX 515E Configuration Help...
DComTalk.com Forum Index DComTalk.com
Discussion of VoIP, VPN, Video Conferencen, DSL and other data commucations.
 
jsandlin0803 (Guest)
Posted: Sun Dec 11, 2005 12:03 am    Post subject: PIX 515E Configuration Help...

Hey,
I need help setting up my PIX 515E. I have installed ASDM and can get
into the config. I need help with either routing or NAT, or both.

I have 2 LANs and a Cisco router connected. I need to know how to pass
all internet traffic from each LAN to the router for internet access. I
have not set any NAT pools or static routes, because I am unsure of
how to do this.

The LAN and WAN specs are below:

lan1: 192.168.0.0/24
lan2: 192.168.1.0/24
internet nic: 162.40.148.2 (Cisco router is 162.40.148.1)

Please help on getting these on the Internet. Also, I will have remote
users, but the wizard should take care of that.

Thanks in advance

Jason S.

DoubleD4 (Guest)
Posted: Sun Dec 11, 2005 3:21 am    Post subject: Re: PIX 515E Configuration Help...

I'm assuming that your setup looks something like the following.
Correct me if it does not. Bear in mind that the PIX will not route
traffic back out the same interface that it came in on like other
devices will.

192.168.1.1 162.40.148.2 -----> Router 162.40.148.1
e1 e0
| |
192.168.0.1 e0--Router PIX
| |
| e1
Switch --------------- 192.168.0.5


If so, you'll want to do this on your router that is connecting the two
internal networks:

ip route 0.0.0.0 0.0.0.0 192.168.0.5


Then on the PIX you'll want to do the following:

ip address inside 192.168.0.5 255.255.255.0
ip address outside 162.40.148.2 255.255.255.248 (or whatever the
external mask is)
route outside 0.0.0.0 0.0.0.0 162.40.148.1
route inside 192.168.1.0 255.255.255.0 192.168.0.1
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

Walter Roberson (Guest)
Posted: Sun Dec 11, 2005 5:09 am    Post subject: Re: PIX 515E Configuration Help...

In article <1134237812.029014.6540@g43g2000cwa.googlegroups.com>,
jsandlin0803 <jason.sandlin@wymtnews.com> wrote:
Quote:
I need help setting up my PIX 515E. I have installed ASDM and can get
into the config. I need help with either routing or NAT, or both.

I have 2 LANs and a Cisco router connected. I need to know how to pass
all internet traffic from each LAN to the router for internet access. I
have not set any NAT pools or static routes, because I am unsure of
how to do this.

The lan and wan specs are below
lan1: 192.168.0.0/24
lan2: 192.168.1.0/24
internet nic: 162.40.148.2 (cisco router is 162.40.148.1)

Your reference to asdm indicates you have PIX 7.0. I have not
studied the 7.0 syntax, so I can't give you the exact commands.

In PIX 6.x, what you want would be quite simple:

nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

That would be all there would be to it for your configuration
that you set out in your discussion with DV.

This configuration would send all traffic, from both LANs, out
through the same single IP address, 162.40.148.2. If you want
the traffic separated, say with the second LAN mapping to 162.40.148.3,
then you would use

nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 2 192.168.1.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 162.40.148.2

This would PAT both LANs, but with different IPs.

If you happened to want the inside traffic to use one-to-one NAT
as long as IPs were available, and you wanted the traffic separate,
then you could use, for example:

nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 2 192.168.1.0 255.255.255.0
global (outside) 1 162.40.148.3-162.40.148.205
global (outside) 1 162.40.148.206
global (outside) 2 162.40.148.207-162.40.148.253
global (outside) 2 162.40.148.254


You would not need to add any route commands or static commands or any
access-lists for what you indicated.

If, though, you want to restrict lan1 from being able to talk to
lan2, then you would add (PIX 6.x syntax)

access-list in2out deny ip any 192.168.1.0 255.255.255.0
access-list in2out permit ip 192.168.0.0 255.255.255.0 any

access-group in2out in interface inside

You would not need to do anything to prevent lan2 from talking to lan1.

If you do want lan2 to be able to talk to lan1, then you would
need additional configuration, the details of which would depend
on whether you want wide access or just access to specific hosts.

If you want the outside world to be able to connect to servers
on either of the lans (except through the VPNs) then you would
have additional configuration work.
--
Prototypes are supertypes of their clones. -- maplesoft

jsandlin0803 (Guest)
Posted: Sun Dec 11, 2005 8:18 am    Post subject: Re: PIX 515E Configuration Help...

The diagram is a little confusing. I have 2 switches. On the first is
the 192.168.0.0/24 subnet. That one is connected to e0 (192.168.0.1).
The second switch is the 192.168.1.0/24 subnet connected to e1
(192.168.1.1). The Cisco router is connected to e3 (162.40.148.2), and
the router's address is 162.40.148.1. I need to get internet access
for both networks on the PIX. Both networks are in the same building,
just 2 different businesses.

Thanks
Jason S.

DoubleD4 (Guest)
Posted: Sun Dec 11, 2005 8:33 am    Post subject: Re: PIX 515E Configuration Help...

I agree, I suppose the diagram did not work out like I had hoped. So
when you are referencing e0, e1, and e3, are you talking about the
interfaces on the PIX itself? How many routers do you have, 1 or 2? I
assume that the Cisco Router you are talking about is the internet
router attached to the external interface of the PIX, correct? And
what is acting as the default gateway assigned to the client computers,
the PIX, or a router behind the PIX?

Sorry for so many questions, just trying to get a mental picture of
your setup.

DoubleD4 (Guest)
Posted: Sun Dec 11, 2005 9:21 am    Post subject: Re: PIX 515E Configuration Help...

In that case, it will get a little hairy as far as how the PIX does
security on its interfaces. I think (I may be wrong) that if the PIX
has more than two interfaces, it will treat the third as a DMZ
interface by default. Would it be possible for you to post the
configuration "sh run" of your PIX? If I looked at the config, I
should be able to point you in the right direction fairly quickly.

jsandlin0803 (Guest)
Posted: Sun Dec 11, 2005 9:21 am    Post subject: Re: PIX 515E Configuration Help...

Is there a specific Ethernet port for the internet router? I have only
one router for the internet. It is in Ethernet 3 of the PIX. I am
referring to the PIX interfaces when I say e0, e1, and e3. The default
gateway is the IP address of the associated PIX interface. For LAN1,
the gateway is 192.168.0.1 and for LAN2 it is 192.168.1.1.

Thanks for your help.
Jason

jsandlin0803 (Guest)
Posted: Mon Dec 12, 2005 4:12 am    Post subject: Re: PIX 515E Configuration Help...

I have done what you said, and I still cannot get internet access.

I added
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside2) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

I still cannot connect. I also tried using the startup wizard to start
fresh, but I still can't connect. All that I have done is run the
startup wizard, used PAT for the outside interface (e0), and put LAN1
on e1 and LAN2 on e2.

I may add that LAN2 is not a DMZ, but a network like LAN1, except on a
different subnet.

Please help. I need to get connected ASAP.

Thanks
Jason

DoubleD4 (Guest)
Posted: Mon Dec 12, 2005 5:05 am    Post subject: Re: PIX 515E Configuration Help...

Did you add the "route outside 0.0.0.0 0.0.0.0 162.40.148.1" command?
Do all your interfaces have the correct IPs assigned to them? Would it
be possible to post your config?

jsandlin0803 (Guest)
Posted: Mon Dec 12, 2005 5:54 am    Post subject: Re: PIX 515E Configuration Help...

I know how to capture the text correctly on a router, but I'm not sure
on the PIX. When I use terminal length 0, it is not a valid entry.

I need the command so that it will not say <more>.

Thanks
Jason

DoubleD4 (Guest)
Posted: Mon Dec 12, 2005 6:03 am    Post subject: Re: PIX 515E Configuration Help...

Can't you just hit space bar all the way to the end and then copy all
the text?

jsandlin0803 (Guest)
Posted: Mon Dec 12, 2005 6:13 am    Post subject: Re: PIX 515E Configuration Help...

I added the command you said, and here is my running config. I cannot
try and see if it connects right now, but see if this looks right.

Thanks
Jason



pixfirewall# sh run
: Saved
:
PIX Version 7.0(4)
!
hostname pixfirewall
domain-name default.domain
enable password /r9ayOm.CUP8NGkt encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 162.40.148.2 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 nameif inside2
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
!
http-map test
 strict-http action allow log
!
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu inside2 1500
no failover
asdm image flash:/asdm-504.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
nat (inside2) 2 192.168.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 162.40.148.1 1
route inside2 192.168.0.0 255.255.255.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside2
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:b81536603c19f6ff29ccbd845352592e
: end

DoubleD4 (Guest)
Posted: Mon Dec 12, 2005 7:01 am    Post subject: Re: PIX 515E Configuration Help...

Delete all these commands:

global (outside) 10 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
nat (inside2) 2 192.168.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 162.40.148.1 1
route inside2 192.168.0.0 255.255.255.0 192.168.0.1 1

and enter them like this:

nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside2) 1 192.168.0.0 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 162.40.148.1

It should work after you do that.
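The nat/global id pairing that Walter Roberson explains above and the mismatch DoubleD4 corrects in this post (nat ids 1 and 2 with only a global 10 defined, plus a route for a network the PIX is directly connected to) are exactly the kind of thing a small config linter catches before anyone spends a day staring at ASDM. The following Python is an added example written for this page; it is not Cisco's code and not anything the posters ran. It parses only the nat, global, route and interface-address statements of a PIX 6.x/7.0 running-config, and the two sample configs embedded in it are constructed from the lines posted in this thread (the posted statements, and the corrected ones from this reply).

```python
"""Sanity-check the nat/global/route statements of a PIX 6.x/7.0 config.

Added example for this thread, not Cisco's code. It understands only:
    interface <if> / nameif <name> / ip address <ip> <mask>   (7.0 form)
    ip address <name> <ip> <mask>                             (6.x form)
    nat (<name>) <id> <net> <mask> ...
    global (<name>) <id> interface | <ip> | <ip>-<ip>
    route <name> <net> <mask> <gateway> [metric]
"""
from collections import defaultdict


def parse(config):
    """Collect nat, global and route statements plus each named interface's address."""
    st = {"nat": [], "global": defaultdict(list), "route": [], "if_addr": {}}
    in_block, if_name = False, None  # are we inside a 7.0 "interface" block, and its nameif
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            in_block, if_name = False, None  # "!" terminates an interface block
            continue
        tok = line.split()
        if tok[0] == "interface":
            in_block, if_name = True, None
        elif tok[0] == "nameif" and in_block and len(tok) == 2:
            if_name = tok[1]
        elif tok[:2] == ["ip", "address"]:
            if in_block and if_name and len(tok) == 4:
                st["if_addr"][if_name] = tok[2]      # 7.0: ip address <ip> <mask>
            elif not in_block and len(tok) == 5:
                st["if_addr"][tok[2]] = tok[3]       # 6.x: ip address <name> <ip> <mask>
        elif tok[0] == "nat" and len(tok) >= 5:
            st["nat"].append((tok[1].strip("()"), int(tok[2]), tok[3], tok[4]))
        elif tok[0] == "global" and len(tok) >= 4:
            st["global"][int(tok[2])].append((tok[1].strip("()"), tok[3]))
        elif tok[0] == "route" and len(tok) >= 5:
            st["route"].append((tok[1], tok[2], tok[3], tok[4]))
    return st


def check(config):
    """Return human-readable findings; an empty list means the dynamic-NAT basics line up."""
    st = parse(config)
    findings, nat_ids = [], set()
    for ifc, nid, net, mask in st["nat"]:
        nat_ids.add(nid)
        # nat id 0 means "do not translate"; every other id must be paired with a global pool
        if nid != 0 and nid not in st["global"]:
            findings.append(f"nat ({ifc}) {nid} {net} {mask}: no 'global' statement with id "
                            f"{nid}, so hosts in {net} get no translation and no internet access")
    for gid in st["global"]:
        if gid not in nat_ids:
            findings.append(f"global id {gid}: pool is defined but no 'nat' statement uses it")
    if not any(net == "0.0.0.0" and mask == "0.0.0.0" for _, net, mask, _ in st["route"]):
        findings.append("no default route: add 'route <outside-if> 0.0.0.0 0.0.0.0 <next-hop>'")
    own = set(st["if_addr"].values())
    for ifc, net, mask, gw in st["route"]:
        if gw in own:
            findings.append(f"route {ifc} {net} {mask} {gw}: next hop is one of the PIX's own "
                            f"interface addresses; a directly connected network needs no route")
    return findings


# Constructed from the config posted in the thread (interface blocks only).
INTERFACES = """\
interface Ethernet0
 nameif outside
 ip address 162.40.148.2 255.255.255.248
!
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 nameif inside2
 ip address 192.168.0.1 255.255.255.0
!
"""

# The nat/global/route lines as posted: ids 1 and 2 have no global, and the inside2 route is bogus.
POSTED_CONFIG = INTERFACES + """\
global (outside) 10 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
nat (inside2) 2 192.168.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 162.40.148.1 1
route inside2 192.168.0.0 255.255.255.0 192.168.0.1 1
"""

# The corrected statements from the reply: one nat id on both inside interfaces, one global pool.
FIXED_CONFIG = INTERFACES + """\
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside2) 1 192.168.0.0 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 162.40.148.1
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        found = check(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run stand-alone it reports three findings for the posted statements (nat id 1 and nat id 2 unpaired, and the inside2 route pointing at the PIX's own address) and none for the corrected set. The checker deliberately ignores statics, access-lists and policy NAT, so a clean result means only that dynamic translation and the default route are wired up, not that the firewall policy between the two LANs is what you want.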

jsandlin0803 (Guest)
Posted: Mon Dec 12, 2005 7:15 am    Post subject: Re: PIX 515E Configuration Help...

Thanks for all of your help. I will put these in and try it out when I
get back to work. I will let you guys know if it works or not.

Thanks again

Jason

jsandlin0803 (Guest)
Posted: Tue Dec 13, 2005 3:17 am    Post subject: Re: PIX 515E Configuration Help...

While we are at it, can you suggest a way to set up VPN users to access
the 192.168.0.0/24 network? I will use the wizard. Which interface do I
choose, and all that? Can I use the Microsoft VPN connection software?
What will I need to do to enable Remote Desktop to this network?

Thanks
Jason