
external mapping for pix 1


Hungster (IS-IT--Management), joined Mar 6, 2001, 830 messages, location CA
Here is the scenario.

Currently there is a box running ClarkConnect 3.1 with a CIPE VPN to the other 2 sites; it also acts as firewall and mail server.

I am replacing it with 3 PIX 506Es. How should I assign the mail server a new external IP, since it has an external IP now, and an internal IP?
The PIX is a firewall and cannot do a straight mapping.
And is this where a DMZ comes in?

Thx
 
I thought the 506E, with only two Ethernet ports, can't do a DMZ.

 
The 506E can, with VLANs. Do it, love it and believe it.
 
Well NetworkGhost,

I believe you are an expert on setting up PIX VPNs and so on, and I don't have much experience doing it. I would love it if you could help me out, but I'm not allowed to give out an e-mail address here.

Anyway?
All I need is to set up a 3-site VPN. The main office has a mail server currently using the static IP, which I will use for outside Ethernet 0 on the PIX.

 
I will definitely help. A mail server setup is simple. The link Kiscokid gave you should suffice. As far as the site-to-site VPN setups, those should be simple also. I have a "cookie cutter config" for that.

How will your setups go? T1s with an IP range? DSL?

Give an example of your internal network ranges for each site.

Also, if you have a global address range, give examples of that and of any static translations you will have set up for mail, web, etc.

If you want a DMZ setup, give a range for those addresses also.


 
Here it is, hope I won't confuse you.

All 3 sites have DSL, which we call full rate here: direct connect, no PPPoE.
The ISP gave us 1 IP, subnet mask and gateway for each location;
then each site gets a 16-IP range.

So we use 3 ClarkConnect boxes with CIPE VPN, two remotes to the main office. The main office CC box uses that 1 IP as router/firewall/PPTP server/FTP server/webmail/POP/SMTP (mail server). Essentially it has two NICs, of course: one external for that 1 IP, say call it 10.100.100.1, and the internal is say 192.168.10.1.

And the rest of the info is:
remote office1 10.100.101.1
internal IP office1 192.168.12.0

remote office2 10.100.102.1
internal IP office2 192.168.13.0

The remote offices will be straightforward because nothing depends on them, like a mail server and so on.


 
You say at the main office you currently use your 1 IP address to port forward everything. You also now have an IP range of 16 addresses. Will you be using the range for the mail, FTP services?
 
I was wondering which way is best.
If I do move the server to one of the 16 IPs, which my friend told me I cannot do with the PIX like with a router; if I do a DMZ, I have to get another PIX with more than two Ethernet ports, or the VLAN thing you mentioned.

If I do that, then there will be more work for me: I have to change my DNS server to reflect the new IP, which has to be done on a Friday night or Saturday night.

If I can get away with just port forwarding, then it will be easier, less hassle. What do you suggest?
 
I wonder where NetworkGhost went,
still waiting for your answer if you could help me on this.

I was told the most tricky part is the access-list.
How should I do this?

Thanks
 
As long as your IP range is getting routed to the PIX I don't see the problem with putting the device in the range of the 16 IPs. You can do port forwarding, which is easy also. Just don't let your IP range go to waste :)


If you have any questions please ask. The following are examples. Read over before implementing.



static (inside,outside) tcp interface 80 192.168.0.15 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 25 192.168.0.15 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 110 192.168.0.15 110 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 192.168.0.15 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.0.15 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 192.168.0.15 ftp-data netmask 255.255.255.255 0 0

access-list acl_outside permit tcp any interface outside eq 80
access-list acl_outside permit tcp any interface outside eq 443
access-list acl_outside permit tcp any interface outside eq ftp
access-list acl_outside permit tcp any interface outside eq ftp-data
access-list acl_outside permit tcp any interface outside eq 25
access-list acl_outside permit tcp any interface outside eq 110
access-group acl_outside in interface outside


****************************************************************************************
For Site to Site VPN Tunnel


Pix A
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list 110 permit ip 192.168.10.0 255.255.255.0 192.168.102.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set cryptomapts1 esp-3des esp-md5-hmac
crypto map cryptomap1 10 ipsec-isakmp
crypto map cryptomap1 10 match address 110
crypto map cryptomap1 10 set peer x.x.x.x
crypto map cryptomap1 10 set transform-set cryptomapts1
crypto map cryptomap1 interface outside
isakmp enable outside
isakmp key sharedkey address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp keepalive 3600 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

x.x.x.x = remote PIX IP. For more than 1 tunnel, add another crypto map instance.

access-list 111 permit ip 192.168.10.0 255.255.255.0 192.168.103.0 255.255.255.0

crypto map cryptomap1 11 ipsec-isakmp
crypto map cryptomap1 11 match address 111
crypto map cryptomap1 11 set peer x.x.x.x
crypto map cryptomap1 11 set transform-set cryptomapts1
isakmp key sharedkey address x.x.x.x netmask 255.255.255.255

Pix B
access-list 110 permit ip 192.168.102.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.102.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set cryptomapts1 esp-3des esp-md5-hmac
crypto map cryptomap1 10 ipsec-isakmp
crypto map cryptomap1 10 match address 110
crypto map cryptomap1 10 set peer x.x.x.x
crypto map cryptomap1 10 set transform-set cryptomapts1
crypto map cryptomap1 interface outside
isakmp enable outside
isakmp key sharedkey address x.x.x.x netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp keepalive 3600 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

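As an added example (not NetworkGhost's config and not part of the thread), here is a small Python checker for the two places this thread calls the tricky ones: the port-forward statics against the outside access-list, and the crypto ACL / nat 0 lists on both PIXes of a site-to-site tunnel. It assumes the PIX 6.x syntax quoted above; the sample configs, the stale map name `oldmap`, and the 443/22 gaps are constructed to show what the checks catch.

```python
"""Consistency checks for PIX 6.x-style config text (added example, not from the thread; all sample text is constructed)."""
import re

# PIX service keywords resolved to port numbers (the names this thread uses).
SERVICES = {"ftp": 21, "ftp-data": 20, "smtp": 25, "pop3": 110, "www": 80,
            "https": 443, "pptp": 1723, "ssh": 22}
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACL_PORT_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) .+ eq (\S+)$")
ACL_IP_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
CMAP_MATCH_RE = re.compile(r"^crypto map (\S+) \d+ match address (\S+)")
CMAP_IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)")
NAT0_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)")

def port_num(tok):
    """Resolve a numeric port or a PIX service keyword to an int."""
    return int(tok) if tok.isdigit() else SERVICES[tok]

def parse(config):
    """Collect the facts the audits below need from one config text."""
    p = {"statics": set(), "permits": set(), "acl_names": set(), "bound": set(),
         "ip_acls": {}, "cmap_names": set(), "match_refs": [], "iface_maps": [],
         "nat0": set()}
    for line in (l.strip() for l in config.splitlines()):
        if m := STATIC_RE.match(line):
            p["statics"].add((m[3], port_num(m[5])))   # (proto, global port)
        elif m := ACL_PORT_RE.match(line):
            p["acl_names"].add(m[1])
            p["permits"].add((m[2], port_num(m[3])))
        elif m := ACL_IP_RE.match(line):
            p["ip_acls"].setdefault(m[1], set()).add((m[2], m[3], m[4], m[5]))
        elif m := ACCESS_GROUP_RE.match(line):
            p["bound"].add(m[1])
        elif m := CMAP_MATCH_RE.match(line):
            p["cmap_names"].add(m[1])
            p["match_refs"].append((m[1], m[2]))
        elif m := CMAP_IFACE_RE.match(line):
            p["iface_maps"].append(m[1])
        elif m := NAT0_RE.match(line):
            p["nat0"].add(m[2])
    return p

def audit_port_forwards(config):
    """Every static needs a permit on the outside ACL, every permit needs a
    static behind it, and the ACL must actually be bound with access-group."""
    p = parse(config)
    return {"static_without_permit": sorted(p["statics"] - p["permits"]),
            "permit_without_static": sorted(p["permits"] - p["statics"]),
            "acl_not_bound": sorted(p["acl_names"] - p["bound"])}

def audit_crypto(config):
    """Site-to-site pitfalls: interface bound to a map that holds no peer entries,
    match address naming an undefined ACL, tunnel net missing from nat 0."""
    p = parse(config)
    problems = [f"crypto map '{n}' is bound to an interface but has no entries"
                for n in p["iface_maps"] if n not in p["cmap_names"]]
    exempt = set().union(*(p["ip_acls"].get(n, set()) for n in p["nat0"]))
    for cmap, acl in p["match_refs"]:
        if acl not in p["ip_acls"]:
            problems.append(f"crypto map {cmap} matches undefined ACL {acl}")
            continue
        for src, _, dst, _ in sorted(p["ip_acls"][acl] - exempt):
            problems.append(f"tunnel {src}->{dst} (ACL {acl}) is not exempted by nat 0")
    return problems

def missing_mirror(config_a, config_b):
    """Tunnel (local, remote) pairs on A whose swapped counterpart is absent on B."""
    def pairs(cfg):
        p = parse(cfg)
        return {(e[0], e[2]) for _, acl in p["match_refs"] for e in p["ip_acls"].get(acl, ())}
    return pairs(config_a) - {(d, s) for s, d in pairs(config_b)}

# Constructed mail-server sample: 443 has a static but no permit, 22 a permit but
# no static, and the access-group line that binds the ACL is missing.
MAIL_CFG = """
static (inside,outside) tcp interface 25 192.168.0.15 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.0.15 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 192.168.0.15 443 netmask 255.255.255.255 0 0
access-list acl_outside permit tcp any interface outside eq 25
access-list acl_outside permit tcp any interface outside eq ftp
access-list acl_outside permit tcp any interface outside eq 22
"""
# Constructed site-to-site pair: A gained a second tunnel (ACL 111) without
# extending nat 0, and its interface binding names a stale map 'oldmap'.
PIX_A = """
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list 110 permit ip 192.168.10.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list 111 permit ip 192.168.10.0 255.255.255.0 192.168.103.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map cryptomap1 10 match address 110
crypto map cryptomap1 11 match address 111
crypto map oldmap interface outside
"""
PIX_B = """
access-list nonat permit ip 192.168.102.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 permit ip 192.168.102.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map cryptomap1 10 match address 110
crypto map cryptomap1 interface outside
"""
```

Running `audit_port_forwards(MAIL_CFG)` reports the 443 static the ACL silently blocks, the port 22 permit with nothing behind it, and that `acl_outside` is never applied; `audit_crypto(PIX_A)` flags the stale map name on the interface and the second tunnel's network missing from nat 0, and `missing_mirror(PIX_A, PIX_B)` shows the second tunnel has no counterpart on the far PIX.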
 
Assuming that 192.168.0.15 is the static internal IP that we are port forwarding from outside (eth0)
and need to reflect in the access-list, at the same time do I have to do a (fixup protocol ftp 21) as well?
Also, does the PIX understand the port pptp as 1723 or do I have to tell it? And the SSH port to the Linux box?

static (inside,outside) tcp interface 80 192.168.0.15 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 25 192.168.0.15 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 110 192.168.0.15 110 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 192.168.0.15 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.0.15 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 192.168.0.15 ftp-data netmask 255.255.255.255 0 0

access-list acl_outside permit tcp any interface outside eq 80
access-list acl_outside permit tcp any interface outside eq 443
access-list acl_outside permit tcp any interface outside eq ftp
access-list acl_outside permit tcp any interface outside eq ftp-data
access-list acl_outside permit tcp any interface outside eq 25
access-list acl_outside permit tcp any interface outside eq 110
 
Tell it 1723. I believe it will recognize it; if not it will just give an error. The fixup will depend on what type of FTP you are using (active or passive). It is enabled by default. I think there may be problems with the fixup and port forwards. Not 100% sure; I tried it last night on my home PIX and had issues. Haven't had the time to look at the traffic. SSH will be the same as the others, just make sure you define TCP port 22.
 