
Basic No NAT configuration 1

Status
Not open for further replies.

waldadam

IS-IT--Management
Jun 22, 2004
34
US
I'm new to the PIX and need some help getting started.

I am on a university network and my subnet has all public IP addresses. I want to drop the pix in and leave everything else as is. I want to keep all my existing public IPs as they are.

I tried giving the internal and external interfaces an IP on the same subnet and it would not allow it.

Example: university subnet 132.30.x.x my subnet 132.30.50.x (all clients) Pix external 132.30.50.10 255.255.255.0, Pix internal 132.20.50.11 255.255.255.0
No DHCP, no NAT

Thanks for any help for this newbie :)
 
Pix doesn't bridge. Pix routes, and it always NATs.

You'll need to use another network on the private side, and employ either static NAT or PAT.
 
The Pix doesn't always NAT. You can configure it not to.

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Pix always NATs, but you can use "nat 0", aka "identity nat", to translate addresses to themselves.

nat (inside) 0 <inside_ip> <inside_mask> <dest_ip> <dest_mask>

... will translate inside_ip to inside_ip where traffic is destined for dest_ip.

In this case, if waldadam doesn't want to use an actual private inside range, he could subnet his public range and use identity nat. A little cooperation would be needed from the university to get their router reconfigured, but I think that should be about it.
 
lgarner, I think I am starting to grasp your suggestion. So basically if I subnet the public range, then I can use an IP from segment 1 for the internal IP and an IP from segment 2 for the external IP?

Then using "nat 0" 132.30.50.5 would be translated to 132.30.50.5, right?

What would be the best way to do this so that I can maximize my address space?

Thanks for your help
 
Correct. But, if you need the maximum addresses I would use a private range and use public addresses on the public side.

First, it gives you all of your public addresses to use as such. No need to split the range between public and private.

Second, do you really need all 254 hosts to be visible from the Internet? Keep in mind that any number of hosts can still access the internet using PAT (or "dynamic nat"). The default action for the Pix is to allow all traffic out, and any replies back in.

If you use private addresses and only use static nat for those which have to be publicly available, like www, mail, etc, security is increased and the access-lists are simplified.

You could split your range using a /25 mask (255.255.255.128) on each side. That would give you 126 hosts on each side. I'm not sure about more creative approaches, like 3 /26 private nets and 1 /26 public since I don't think the Pix supports multiple IP addresses on an interface.
 
Luckily the university network manager is easy to work with, and this is what he suggested:

I’m thinking a much cleaner solution would be for me to assign a 132.30.52.0 /30 address (point to point kind of stuff) to the router interface facing your building. My router has one of the available addresses, your pix has the other on that interface. Then you retain all of 132.30.50.0 /24 for the other interface on your firewall and the remainder of your subnet. You don’t mess with client machines because they look at your PIX as the gateway and then you configure the PIX to default everything to the other end of the point to point. I in turn static all of 132.30.50.0 to your end of the point to point. That way nobody has to screw with NAT. What do you think?

 
That's the best solution. Then just configure the pix:

nat (inside) 0 0 0

create the access-lists and you're set.
 
So then the config should look like this?

nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 132.20.50.254 1

Thanks for your help
 
That should do it. The static outside will be whatever the university net admin gives you. From the quote that you provided, it looks like it would be:

route outside 0.0.0.0 0.0.0.0 132.30.52.x 1

... and ...

ip address outside 132.30.52.x+1 255.255.255.252


Lee.
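As an added example (it is not from this thread, and not Cisco's code), here is a small Python script that parses the "ip address" and "route" lines of a PIX 6.x-style config and checks the addressing plan the way the thread reasons about it: the two interfaces must not share a subnet (the reason the first attempt was refused), the default route's next hop must sit on the outside interface's subnet (which catches a next hop typed as 132.20.x instead of 132.30.x), and the /25 and /30 host counts behind lgarner's split-the-range idea and the university admin's point-to-point link. The config fragments are constructed for the example; the /30 endpoint addresses .1 and .2 are assumptions standing in for the "x" and "x+1" above.

```python
import ipaddress
import re

# Constructed PIX 6.x-style fragments (example data). The /30 endpoint addresses
# .1 and .2 are assumptions; the thread leaves them as "x" and "x+1".
PRODUCTION_CONFIG = """\
ip address outside 132.30.52.2 255.255.255.252
ip address inside 132.30.50.1 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 132.30.52.1 1
"""

# The first attempt in the thread: both interfaces on the same /24, which the PIX rejects.
OVERLAP_CONFIG = """\
ip address outside 132.30.50.10 255.255.255.0
ip address inside 132.30.50.11 255.255.255.0
route outside 0.0.0.0 0.0.0.0 132.30.50.254 1
"""

# A draft with a mistyped next hop (132.20.x) that lies on no interface subnet.
BAD_NEXTHOP_CONFIG = """\
ip address outside 132.30.50.110 255.255.255.0
ip address inside 132.30.74.65 255.255.255.192
route outside 0.0.0.0 0.0.0.0 132.20.50.254 1
"""

IP_LINE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_LINE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")


def parse_config(text):
    """Return ({ifname: IPv4Interface}, [(ifname, dest_network, next_hop)])."""
    interfaces, routes = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = IP_LINE.match(line)
        if m:
            name, addr, mask = m.groups()
            # ipaddress accepts a dotted-decimal mask after the slash.
            interfaces[name] = ipaddress.ip_interface(f"{addr}/{mask}")
            continue
        m = ROUTE_LINE.match(line)
        if m:
            name, dest, mask, nexthop = m.groups()
            routes.append((name, ipaddress.ip_network(f"{dest}/{mask}"),
                           ipaddress.ip_address(nexthop)))
    return interfaces, routes


def usable_hosts(cidr):
    """Host addresses available in a subnet (network and broadcast excluded)."""
    net = ipaddress.ip_network(cidr)
    return max(net.num_addresses - 2, 0)


def check_plan(text):
    """Return a list of problems; an empty list means the plan is consistent."""
    interfaces, routes = parse_config(text)
    findings = []
    names = list(interfaces)
    # The PIX refuses two interfaces on overlapping subnets, so the public /24
    # cannot simply sit on both sides of the firewall.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if interfaces[a].network.overlaps(interfaces[b].network):
                findings.append(f"overlap: {a} {interfaces[a].network} "
                                f"and {b} {interfaces[b].network}")
    # A static route's next hop must be directly reachable through the named interface.
    for name, dest, nexthop in routes:
        iface = interfaces.get(name)
        if iface is None:
            findings.append(f"route {dest} uses unknown interface {name}")
        elif nexthop not in iface.network:
            findings.append(f"route {dest}: next hop {nexthop} is not on "
                            f"{name} subnet {iface.network}")
        elif nexthop == iface.ip:
            findings.append(f"route {dest}: next hop is the {name} interface itself")
    return findings


if __name__ == "__main__":
    for label, cfg in [("production", PRODUCTION_CONFIG),
                       ("overlap", OVERLAP_CONFIG),
                       ("bad next hop", BAD_NEXTHOP_CONFIG)]:
        print(label, check_plan(cfg) or "ok")
    print("/25 split:", usable_hosts("132.30.50.0/25"), "hosts per side")
    print("/30 link:", usable_hosts("132.30.52.0/30"), "hosts")
```

Run it before pasting a plan into a live box: the production fragment comes back clean, the overlap fragment reports the shared /24, and the mistyped next hop is flagged as unreachable through "outside". The host counts confirm lgarner's arithmetic (126 per /25) and show why the admin's /30 wastes nothing (exactly the router and the PIX).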
 
THANKS!!!

I'll give it a shot and let you know how it goes.
 
Should I be able to do this with a dummy setup?

I tried using my existing address space for the external interface 132.30.50.110, and then used 132.30.74.x 255.255.255.192 as my internal space (internal interface =132.30.74.65). While I know it isn't routed outside of the building, I figured I would still be able to ping my existing 132.30.50.x machines from the inside 132.30.74.x. I also couldn't ping the external interface from the PIX itself.

I wanted to try a dummy config before I brought the network down again. I'm sure you know how end users like having their connections interrupted :).

Thanks.


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password xxxx encrypted
passwd xxxx encrypted
hostname pfmf
domain-name xxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 132.30.50.110 255.255.255.0
ip address inside 132.30.74.65 255.255.255.192
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm location 132.30.50.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 dns 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 132.30.50.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 134.30.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum: xxxxx
: end
pfmf(config)#
 
Looks like it should work. What routes do your "outside" computers use to get to your "inside" ones? If they only have the school's router as the default, you'll need to add static routes to them so they can see the inside ones.

Not being able to ping the outside Pix interface is normal. When you ping you can enable "debug icmp trace" on the Pix to see what's happening.
 
I made an error in post above.

With the above config I can ping everything on my 132.30.50.x network (including the external interface) from the PIX itself, but I can't from my machine on the inside of the pix.

I think I am close, but there must be something I am overlooking.

Thanks

Adam
 
So when I go to the live configuration and have all my 132.30.50.x network behind the firewall, will I need to worry about the static routes? Internally they will all look at the PIX for the gateway. We are going to have machines that need to be accessed from the internet.

Thanks for all your help. I really do appreciate it.

>> What routes do your "outside" computers use to get to your "inside" ones? If they only have the school's router as the default, you'll need to add static routes to them so they can see the inside ones.
 
No. As I read your config, your test setup had some computers on the inside (132.30.74) network and some on the outside (132.30.50) of the Pix. In this case, your outside computers would have a default route of the school router and would need static routes back to your inside network.

In production, using the /30 mask that your administrator mentioned, there will be no computers between the Pix and the school router. Therefore you just need to set your computers' default route to be the Pix and the Pix's default route to be the school router. Your school admin will handle the routing back from the school router to your pix.

Lee.
 
Works like a charm!! Thanks for all your help!
 