
Just installed a PIX 515 with version 7.0 with a SOHO 1


sdang (MIS), Apr 15, 2007
Can someone please look at these configurations? I am completely lost now, since the fixup command and conduit commands are unavailable on the PIX.

From the router: I can ping the outside world.
From the PIX: I can ping the outside world.
From a computer: I can ping the firewall; when I ping the router I get a response from the NAT entry on the router, 172.16.0.7. I can ping the outside world.

ROUTER

User Access Verification

Password:
Password:
workx>en
Password:
workx#show run
Building configuration...

Current configuration : 2399 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname workx
!
logging queue-limit 100
enable secret 5 $1$gP63$VhbMiMVPvWOO8erFpvnnK1
enable password 7 09060B1F1017021F5A58557A
!
username CRWS_Ulags privilege 15 password 7 100A585D3246142A480B7B24170D2334734B5440505204090803
ip subnet-zero
ip name-server 68.6.16.30
ip name-server 172.16.0.13
ip dhcp excluded-address 172.16.0.7
ip dhcp excluded-address 172.16.0.2
ip dhcp excluded-address 172.16.0.3
ip dhcp excluded-address 172.16.0.13
!
!
!
!
!
!
!
!
!
interface Ethernet0
ip address 172.16.0.250 255.255.255.0
ip nat inside
no ip mroute-cache
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
ip address X.167.112.184 255.255.255.192
ip nat outside
no ip mroute-cache
duplex auto
no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static 172.16.0.7 interface Ethernet1
ip nat inside source static 172.16.0.13 X.167.112.183
ip nat inside source static 172.16.0.4 X.167.112.185
ip nat inside source static 172.16.0.3 X.167.112.187
ip classless
ip route 0.0.0.0 0.0.0.0 X.167.112.129
ip route 172.16.0.0 255.255.0.0 X.167.112.186
ip http server
no ip http secure-server
!
access-list 102 permit ip 172.16.0.0 0.0.0.255 any
no cdp run
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
password 7 15584E1A0D383E2979676472
login
length 0
!
scheduler max-task-time 5000
!
end







FIREWALL

User Access Verification

Password:
Type help or '?' for a list of available commands.
workxresearch> en
Password: ***********
workxresearch# show config
: Saved
: Written by enable_15 at 20:11:23.901 UTC Sat Apr 14 2007
!
PIX Version 7.2(2)
!
hostname workxresearch
domain-name workxresearch.com
enable password 8fSmoHmo/c94H615 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address X.167.112.186 255.255.255.192
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.0.251 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name workxresearch.com
access-list 101 extended permit tcp host 172.16.0.13 eq smtp any
access-list 101 extended permit tcp host 172.16.0.13 eq 444 any
access-list 101 extended permit tcp host 172.16.0.13 eq pptp any
access-list 101 extended permit tcp host 172.16.0.13 eq https any
access-list 101 extended permit tcp host 172.16.0.13 eq
access-list 101 extended permit gre host 172.16.0.13 any
access-list 101 extended permit tcp host 172.16.0.8 eq
access-list 101 extended permit tcp host 172.16.0.3 eq
access-list 101 extended permit tcp host 172.16.0.13 eq 3109 any
access-list 101 extended permit tcp host 172.16.0.13 eq imap4 any
access-list 101 extended permit tcp host 172.16.0.13 eq 4125 any
access-list 101 extended permit tcp host 172.16.0.13 eq 81 any
access-list 101 extended permit tcp host 172.16.0.13 eq pop3 any
access-list 101 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 172.16.0.0 255.255.0.0
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.252.0
route outside 0.0.0.0 0.0.0.0 X.167.112.184 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity hostname
telnet 172.16.0.0 255.255.252.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map class_ftp
match port tcp eq 993
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
class class_ftp
inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:781bdcb94192bad96cae2313c592c2f6
workxresearch#
 
What I meant: the computer behind the firewall cannot ping the outside world.
 
Here is my current configuration. I still cannot access the internet from computers behind the firewall. Please help; I am willing to pay someone to help.

Firewall



User Access Verification

Password:
Type help or '?' for a list of available commands.
Workx> en
Password: ***********
Workx# show run
: Saved
:
PIX Version 7.2(2)
!
hostname Workx
domain-name workxresearch.com
enable password 8fSmoHmo/c94H615 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address x.0.167.112.186 255.255.255.192
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.0.251 255.255.255.0
!
passwd 8fSmoHmo/c94H615 encrypted
ftp mode passive
clock timezone PST -8
dns server-group DefaultDNS
domain-name workxresearch.com
access-list outbound extended permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list outbound extended permit tcp 172.16.0.0 255.255.255.0 any eq ftp-data
access-list 101 extended permit tcp host 172.16.0.13 eq smtp any
access-list 101 extended permit tcp host 172.16.0.13 eq 444 any
access-list 101 extended permit tcp host 172.16.0.13 eq pptp any
access-list 101 extended permit tcp host 172.16.0.13 eq https any
access-list 101 extended permit tcp host 172.16.0.13 eq
access-list 101 extended permit gre host 172.16.0.13 any
access-list 101 extended permit tcp host 172.16.0.8 eq
access-list 101 extended permit tcp host 172.16.0.3 eq
access-list 101 extended permit tcp host 172.16.0.13 eq 3109 any
access-list 101 extended permit tcp host 172.16.0.13 eq imap4 any
access-list 101 extended permit tcp host 172.16.0.13 eq 4125 any
access-list 101 extended permit tcp host 172.16.0.13 eq 81 any
access-list 101 extended permit tcp host 172.16.0.13 eq pop3 any
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 1 172.16.0.0 255.255.255.0
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.252.0
access-group 101 in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 x.167.112.184 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity hostname
telnet 172.16.0.0 255.255.252.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map class_ftp
match port tcp eq 993
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
class class_ftp
inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7c499b8eeb9f807a398ca24e6d858f9a
: end

Router



User Access Verification

Password:
Password:
workx>en
Password:
workx#show run
Building configuration...

Current configuration : 2399 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname workx
!
logging queue-limit 100
enable secret 5 $1$gP63$VhbMiMVPvWOO8erFpvnnK1
enable password 7 09060B1F1017021F5A58557A
!
username CRWS_Ulags privilege 15 password 7 100A585D3246142A480B7B24170D2334734B5440505204090803
ip subnet-zero
ip name-server 68.6.16.30
ip name-server 172.16.0.13
ip dhcp excluded-address 172.16.0.7
ip dhcp excluded-address 172.16.0.2
ip dhcp excluded-address 172.16.0.3
ip dhcp excluded-address 172.16.0.13
!
!
!
!
!
!
!
!
!
interface Ethernet0
ip address 172.16.0.250 255.255.255.0
ip nat inside
no ip mroute-cache
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
ip address X.167.112.184 255.255.255.192
ip nat outside
no ip mroute-cache
duplex auto
no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 172.16.0.13 81 interface Ethernet1 81
ip nat inside source static tcp 172.16.0.13 3389 interface Ethernet1 3389
ip nat inside source static tcp 172.16.0.13 4125 interface Ethernet1 4125
ip nat inside source static tcp 172.16.0.13 444 interface Ethernet1 444
ip nat inside source static tcp 172.16.0.13 143 interface Ethernet1 143
ip nat inside source static tcp 172.16.0.13 3109 interface Ethernet1 3109
ip nat inside source static tcp 172.16.0.13 443 interface Ethernet1 443
ip nat inside source static tcp 172.16.0.13 1723 interface Ethernet1 1723
ip nat inside source static tcp 172.16.0.13 110 interface Ethernet1 110
ip nat inside source static tcp 172.16.0.13 25 interface Ethernet1 25
ip nat inside source static tcp 172.16.0.7 80 interface Ethernet1 80
ip nat inside source static tcp 172.16.0.13 21 interface Ethernet1 21
ip nat inside source static 172.16.0.7 interface Ethernet1
ip nat inside source static 172.16.0.4 70.167.112.185
ip nat inside source static 172.16.0.3 70.167.112.187
ip classless
ip route 0.0.0.0 0.0.0.0 70.167.112.129
ip route 172.16.0.0 255.255.0.0 70.167.112.186
ip http server
no ip http secure-server
!
access-list 102 permit ip 172.16.0.0 0.0.0.255 any
no cdp run
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
password 7 15584E1A0D383E2979676472
login
length 0
!
scheduler max-task-time 5000
!
end
 
On your PIX add global (outside) 1 interface.
Do a clear xlate and try again.

Delete these lines:
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.252.0
access-group outbound in interface inside
***This access list won't allow DNS resolution. By default everything is allowed out, so unless you need to restrict it, don't.

Your 101 ACL is backwards; try this one instead -
access-list outside-in extended permit tcp any host x.0.167.112.186 eq smtp
access-list outside-in extended permit tcp any host x.0.167.112.186 eq 444
access-list outside-in extended permit tcp any host x.0.167.112.186 eq pptp
access-list outside-in extended permit tcp any host x.0.167.112.186 eq https
access-list outside-in extended permit tcp any host x.0.167.112.186 eq www
access-list outside-in extended permit gre any host x.0.167.112.186
access-list outside-in extended permit tcp any host x.0.167.112.186 eq www
access-list outside-in extended permit tcp any host x.0.167.112.186 eq 3109
access-list outside-in extended permit tcp any host x.0.167.112.186 eq imap4
access-list outside-in extended permit tcp any host x.0.167.112.186 eq 4125
access-list outside-in extended permit tcp any host x.0.167.112.186 eq 81
access-list outside-in extended permit tcp any host x.0.167.112.186 eq pop3
access-list outside-in extended permit icmp any any source-quench
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit icmp any any echo-reply
access-group outside-in in interface outside

Now you will need a static for each service that you want to host on the inside -
static (inside,outside) tcp interface [port#] 172.16.0.Y [port#] netmask 255.255.255.255

Now for icmp messages and error inspection -
policy-map global_policy
class inspection_default
inspect icmp error



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
OK, here is an update to my configuration. Can someone take a look at it and tell me if it should work? I am able to get internet access going out now, pointing to the firewall. I just want to make sure incoming traffic will be OK before I change the DNS entries.



ROUTER

Password:
workx>en
Password:
workx#show config
Using 2352 out of 131072 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname workx
!
logging queue-limit 100
enable secret 5 $1$gP63$VhbMiMVPvWOO8erFpvnnK1
enable password 7 09060B1F1017021F5A58557A
!
username CRWS_Ulags privilege 15 password 7 100A585D3246142A480B7B24170D2334734B5440505204090803
ip subnet-zero
ip name-server 68.6.16.30
ip name-server 172.16.0.13
ip dhcp excluded-address 172.16.0.7
ip dhcp excluded-address 172.16.0.2
ip dhcp excluded-address 172.16.0.3
ip dhcp excluded-address 172.16.0.13
!
!
interface Ethernet0
ip address 172.16.0.250 255.255.255.0
ip nat inside
no ip mroute-cache
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
ip address X.167.112.184 255.255.255.192
ip nat outside
no ip mroute-cache
duplex auto
no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static 172.16.0.7 interface Ethernet1
ip nat inside source static 172.16.0.4 X.167.112.185
ip nat inside source static 172.16.0.3 X.167.112.187
ip nat inside source static 172.16.0.13 X.167.112.183
ip classless
ip route 0.0.0.0 0.0.0.0 X.167.112.129
ip http server
no ip http secure-server
!
access-list 102 permit ip 172.16.0.0 0.0.0.255 any
no cdp run
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
password 7 15584E1A0D383E2979676472
login
length 0
!
scheduler max-task-time 5000
!
end


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

FIREWALL


Workx# show config
: Saved
: Written by enable_15 at 09:33:28.274 PST Mon Apr 16 2007
!
PIX Version 7.2(2)
!
hostname Workx
domain-name workxresearch.com
enable password 8fSmoHmo/c94H615 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address X.167.112.186 255.255.255.192
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.0.251 255.255.255.0
!
passwd 8fSmoHmo/c94H615 encrypted
ftp mode passive
clock timezone PST -8
dns server-group DefaultDNS
domain-name workxresearch.com
access-list outbound extended permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list outbound extended permit tcp 172.16.0.0 255.255.255.0 any eq ftp-data
access-list 101 extended permit tcp host 172.16.0.13 eq smtp any
access-list 101 extended permit tcp host 172.16.0.13 eq 444 any
access-list 101 extended permit tcp host 172.16.0.13 eq pptp any
access-list 101 extended permit tcp host 172.16.0.13 eq https any
access-list 101 extended permit tcp host 172.16.0.13 eq
access-list 101 extended permit gre host 172.16.0.13 any
access-list 101 extended permit tcp host 172.16.0.8 eq
access-list 101 extended permit tcp host 172.16.0.3 eq
access-list 101 extended permit tcp host 172.16.0.13 eq 3109 any
access-list 101 extended permit tcp host 172.16.0.13 eq imap4 any
access-list 101 extended permit tcp host 172.16.0.13 eq 4125 any
access-list 101 extended permit tcp host 172.16.0.13 eq 81 any
access-list 101 extended permit tcp host 172.16.0.13 eq pop3 any
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.255.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 X.167.112.184 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity hostname
telnet 172.16.0.0 255.255.252.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map class_ftp
match port tcp eq 993
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
class class_ftp
inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:975eb4f88a46d97c93636c90ad18de32
 
Inbound traffic to services inside the PIX will not work due to your ACL and missing statics. You will need to allow the service to enter the PIX's outside interface with the ACL and then have it NATed to the proper inside server with the statics.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Could you please provide an example of what my firewall and router should look like? This would be really appreciated. I am not used to the ACL. I am used to the conduit command, but since they changed it in 7.0 I am confused.

Thanks
 
access-list outside-in extended permit tcp any host x.0.167.112.186 eq smtp
access-list outside-in extended permit tcp any host x.0.167.112.186 eq 444
access-list outside-in extended permit tcp any host x.0.167.112.186 eq pptp
access-list outside-in extended permit tcp any host x.0.167.112.186 eq https
access-list outside-in extended permit tcp any host x.0.167.112.186 eq www
access-list outside-in extended permit gre any host x.0.167.112.186
access-list outside-in extended permit tcp any host x.0.167.112.186 eq www
access-list outside-in extended permit tcp any host x.0.167.112.186 eq 3109
access-list outside-in extended permit tcp any host x.0.167.112.186 eq imap4
access-list outside-in extended permit tcp any host x.0.167.112.186 eq 4125
access-list outside-in extended permit tcp any host x.0.167.112.186 eq 81
access-list outside-in extended permit tcp any host x.0.167.112.186 eq pop3
access-list outside-in extended permit icmp any any source-quench
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit icmp any any echo-reply
access-group outside-in in interface outside

static (inside,outside) tcp interface smtp 172.16.0.Y smtp netmask 255.255.255.255
static (inside,outside) tcp interface 444 172.16.0.Y 444 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 172.16.0.Y pptp netmask 255.255.255.255
static (inside,outside) tcp interface https 172.16.0.Y https netmask 255.255.255.255
static (inside,outside) tcp x.0.167.112.186 255.255.255.0
static (inside,outside) tcp interface 3109 172.16.0.Y 3109 netmask 255.255.255.255
static (inside,outside) tcp interface imap4 172.16.0.Y imap4 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 172.16.0.Y 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 81 172.16.0.Y 81 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 172.16.0.Y pop3 netmask 255.255.255.255

where Y is the internal server address


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I am confused now. So do I not need my router to do my NAT entries? I currently have these NAT entries in my router. Or am I just bypassing the router altogether?

ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static 172.16.0.7 interface Ethernet1
ip nat inside source static 172.16.0.4 X.167.112.185
ip nat inside source static 172.16.0.3 X.167.112.187
ip nat inside source static 172.16.0.13 X.167.112.183

I was assuming this is how it worked.
Example
ip nat inside source static 172.16.0.13 X.167.112.183

Everything that comes from X.167.112.183 will translate to 172.16.0.13 going to the firewall, on which for 172.16.0.13 I would set which ports are open.

Am I wrong? I see that you create NAT entries for everything to go into X.167.112.186.




 
Your PIX is the outer edge device. I assumed that it was because it has the public IP. What is your topology? What services is the router providing (can the PIX do those functions)?



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
OK, we have a Cisco SOHO 91 that was doing mostly everything we needed. We decided to purchase a PIX 515, so we would like to put it behind the SOHO 91. We want the SOHO router to do the NAT stuff with the 5 external IPs we have.

Current setup without the PIX
The cable modem is plugged into a switch. One of the switch ports is plugged into the outside interface of the Cisco SOHO. The second interface of the Cisco was plugged into the LAN.
E1 - X.X.X.184 (outside IP)
E0 - 172.16.0.250 (internal IP)

Now we would like to add the PIX 515 firewall behind the router. The PIX 515 has 2 interfaces:

E0 – X.X.X.186
E1- 172.16.0.251




Our IPs
External IPs are X.X.X.183 - 187

External router IP is X.X.X.184

Firewall IP is X.X.X.186

IPs that need to be NATed to internal addresses

External (X.X.X.183), internal (172.16.0.13): want to open ports smtp, 444, pptp, https,
External (X.X.X.187), internal (172.16.0.3): want to open

External (X.X.X.185), internal (172.16.0.4)



Current Cisco SOHO configuration
interface Ethernet0
ip address 172.16.0.250 255.255.255.0
ip nat inside
no ip mroute-cache
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
ip address X.X.X.184 255.255.255.192
ip nat outside
no ip mroute-cache
duplex auto
no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static 172.16.0.7 interface Ethernet1
ip nat inside source static 172.16.0.4 X.X.X.185
ip nat inside source static 172.16.0.3 X.X.X.187
ip nat inside source static 172.16.0.13 X.X.X.183
ip classless
ip route 0.0.0.0 0.0.0.0 X.167.112.129
ip http server
no ip http secure-server
!
access-list 102 permit ip 172.16.0.0 0.0.0.255 any
no cdp run





XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

PIX firewall without the ACL

interface Ethernet0
nameif outside
security-level 0
ip address 70.167.112.186 255.255.255.192
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.0.251 255.255.255.0
!
passwd 8fSmoHmo/c94H615 encrypted
ftp mode passive
clock timezone PST -8
dns server-group DefaultDNS
domain-name workxresearch.com
access-list outbound extended permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list outbound extended permit tcp 172.16.0.0 255.255.255.0 any eq ftp-data
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 70.167.112.184 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.16.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity hostname
telnet 172.16.0.0 255.255.252.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map class_ftp
match port tcp eq 993
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
class class_ftp
inspect ftp
!
service-policy global_policy global
prompt hostname context
 
OK, so your router really will not have any functions. Just replace it with the PIX.

route outside 0.0.0.0 0.0.0.0 X.167.112.129
access-list outside-in extended permit tcp any host x.0.167.112.183 eq smtp
access-list outside-in extended permit tcp any host x.0.167.112.183 eq 444
access-list outside-in extended permit tcp any host x.0.167.112.183 eq pptp
access-list outside-in extended permit tcp any host x.0.167.112.183 eq https
access-list outside-in extended permit tcp any host x.0.167.112.183 eq www
access-list outside-in extended permit gre any host x.0.167.112.183
access-list outside-in extended permit tcp any host x.0.167.112.183 eq 3109
access-list outside-in extended permit tcp any host x.0.167.112.183 eq imap4
access-list outside-in extended permit tcp any host x.0.167.112.183 eq 4125
access-list outside-in extended permit tcp any host x.0.167.112.183 eq 81
access-list outside-in extended permit tcp any host x.0.167.112.183 eq pop3
access-list outside-in extended permit tcp any host x.0.167.112.187 eq www
access-list outside-in extended permit icmp any any source-quench
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit icmp any any echo-reply
access-group outside-in in interface outside

static (inside,outside) x.0.167.112.183 172.16.0.13 netmask 255.255.255.255
static (inside,outside) x.0.167.112.187 172.16.0.3 netmask 255.255.255.255

That should do it.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thank you very much. I am going to try to test the configuration tonight. Could you tell me how I can enable SSH or telnet on the outside interface?
 
You can't enable telnet to an outside interface, but you can do SSH.

crypto key generate rsa modulus 2048
ssh version 2
ssh 0.0.0.0 0.0.0.0 outside
ssh [INTERNAL_IP] [INTERNAL_SUBNET] inside
passwd [TELNET/SSH_PASSWORD]
wri mem


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks,

I am able to get the "login as:" prompt, which I leave blank, and type in the password, but I am getting access denied.

Any recommendations?
 
It is -
login user: pix
password: telnet/ssh password


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
OK

I replaced the router with the PIX 515 last night but had issues.

Our external IPs were not pingable from the outside world and no one was able to get to our websites. We were able to get out fine on the internet. It also seemed e-mail was flowing fine.

Outside IP's
x.0.167.112.183
x.0.167.112.184
x.0.167.112.187

Any Suggestions?



route outside 0.0.0.0 0.0.0.0 X.167.112.129
access-list outside-in extended permit tcp any host x.0.167.112.183 eq smtp
access-list outside-in extended permit tcp any host x.0.167.112.183 eq 444
access-list outside-in extended permit tcp any host x.0.167.112.183 eq pptp
access-list outside-in extended permit tcp any host x.0.167.112.183 eq https
access-list outside-in extended permit tcp any host x.0.167.112.183 eq www
access-list outside-in extended permit gre any host x.0.167.112.183
access-list outside-in extended permit tcp any host x.0.167.112.183 eq 3109
access-list outside-in extended permit tcp any host x.0.167.112.183 eq imap4
access-list outside-in extended permit tcp any host x.0.167.112.183 eq 4125
access-list outside-in extended permit tcp any host x.0.167.112.183 eq 81
access-list outside-in extended permit tcp any host x.0.167.112.183 eq pop3
access-list outside-in extended permit tcp any host x.0.167.112.187 eq www
access-list outside-in extended permit tcp any host x.0.167.112.184 eq www
access-list outside-in extended permit icmp any any source-quench
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit icmp any any echo-reply
access-group outside-in in interface outside

static (inside,outside) x.0.167.112.183 172.16.0.13 netmask 255.255.255.255
static (inside,outside) x.0.167.112.187 172.16.0.3 netmask 255.255.255.255
static (inside,outside) x.0.167.112.184 172.16.0.8 netmask 255.255.255.255
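Brent's replies earlier in the thread come down to two things the inbound side needs on PIX 7.x: an outside-in ACL whose destination is the public address (the original ACL 101 put the inside host and the service port on the source side, so no packet arriving on outside could ever match it), and a static for every public address the ACL names. The post above, asking why the public IPs no longer answer ping, can be checked against the same lines: the outside-in ACL as posted permits only echo-reply, unreachable, time-exceeded and source-quench inbound, not echo. The script below is an added example, not code from this thread or from Cisco. It parses a few access-list and static lines constructed from the configs posted above (with the masked x.0.167.112.* addresses written as 198.51.100.*, a documentation range, plus a constructed entry for .185 that has no static and a constructed port static that uses the interface keyword for a web server on 172.16.0.7), flags the backwards ACL and the missing static, and evaluates sample inbound packets with a deliberately simplified model: first match in the interface ACL on the public address, then a static lookup for the translation.

```python
# Offline checker for PIX 7.x ACL/static lines. Added example, not from this thread or Cisco.
import ipaddress

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "pop3": 110, "imap4": 143, "pptp": 1723}

def to_port(tok):  # PIX port keyword or number -> int; None if it is neither
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)

def _addr(toks):  # consume "any", "host A" or "A MASK"; return (network, rest)
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    cidr = toks[1] + "/32" if toks[0] == "host" else toks[0] + "/" + toks[1]
    return ipaddress.ip_network(cidr, strict=False), toks[2:]

def _port(toks):  # consume an optional "eq PORT"; return (port or None, rest)
    return (to_port(toks[1]), toks[2:]) if toks[:1] == ["eq"] else (None, toks)

def parse_ace(line):
    """access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P] [ICMP-TYPE]"""
    t = line.split()
    if t[:1] != ["access-list"] or t[2:3] != ["extended"]:
        return None
    ace = {"name": t[1], "action": t[3], "proto": t[4]}
    ace["src"], rest = _addr(t[5:])
    ace["sport"], rest = _port(rest)
    ace["dst"], rest = _addr(rest)
    ace["dport"], rest = _port(rest)
    ace["icmp_type"] = rest[0] if rest and t[4] == "icmp" else None
    return ace

def parse_static(line, outside_ip):
    """static (inside,outside) [tcp|udp] {MAPPED|interface} [MPORT] REAL [RPORT] netmask M"""
    t = line.split()
    if t[2] in ("tcp", "udp"):  # port static; "interface" means the outside address
        mapped = outside_ip if t[3] == "interface" else t[3]
        return {"proto": t[2], "mapped": mapped, "mport": to_port(t[4]), "real": t[5]}
    return {"proto": None, "mapped": t[2], "mport": None, "real": t[3]}

def lint(aces, statics, inside_net="172.16.0.0/24"):
    """Findings for an ACL that is going to be applied "in interface outside"."""
    inside, mapped = ipaddress.ip_network(inside_net), {s["mapped"] for s in statics}
    findings = []
    for a in aces:
        if a["src"].prefixlen and a["src"].overlaps(inside):
            findings.append(f"backwards: inside address {a['src']} on the source side")
        if a["sport"] is not None and a["dport"] is None:
            findings.append(f"backwards: port {a['sport']} is on the source side")
        if a["dst"].prefixlen == 32 and str(a["dst"].network_address) not in mapped:
            findings.append(f"no static for destination {a['dst'].network_address}")
        if a["proto"] == "icmp" and a["action"] == "permit" and a["icmp_type"] is None:
            findings.append("permit icmp any any without a type also admits inbound echo")
    return findings

def evaluate(aces, statics, proto, src_ip, dst_ip, sport=None, dport=None, icmp_type=None):
    """Inbound packet on outside: ("permit", inside_host) or ("deny", reason)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:  # first match wins; the ACL sees the public (mapped) address
        if (a["proto"] not in (proto, "ip") or src not in a["src"] or dst not in a["dst"]
                or a["sport"] not in (None, sport) or a["dport"] not in (None, dport)
                or a["icmp_type"] not in (None, icmp_type)):
            continue
        if a["action"] != "permit":
            return ("deny", "explicit deny")
        real = next((s["real"] for s in statics if s["mapped"] == dst_ip and
                     s["proto"] in (None, proto) and s["mport"] in (None, dport)), None)
        return ("permit", real) if real else ("deny", f"ACL permits it but no static for {dst_ip}")
    return ("deny", "implicit deny at the end of the ACL")

# Constructed samples based on the configs posted above, with x.0.167.112.* written as
# 198.51.100.*; the .185 entry (no static) and the port static for 172.16.0.7 are added.
BACKWARDS_ACL = [
    "access-list 101 extended permit tcp host 172.16.0.13 eq smtp any",
    "access-list 101 extended permit icmp any any",
]
OUTSIDE_IN = [
    "access-list outside-in extended permit tcp any host 198.51.100.183 eq smtp",
    "access-list outside-in extended permit tcp any host 198.51.100.186 eq www",
    "access-list outside-in extended permit tcp any host 198.51.100.185 eq www",
    "access-list outside-in extended permit icmp any any echo-reply",
]
STATICS = [
    "static (inside,outside) 198.51.100.183 172.16.0.13 netmask 255.255.255.255",
    "static (inside,outside) tcp interface www 172.16.0.7 www netmask 255.255.255.255",
]

def run(outside_ip="198.51.100.186", client="203.0.113.9"):  # PIX outside address, a client
    """Parse the samples; return lint findings and verdicts for a few test packets."""
    bad, good = [parse_ace(l) for l in BACKWARDS_ACL], [parse_ace(l) for l in OUTSIDE_IN]
    statics = [parse_static(l, outside_ip) for l in STATICS]
    return {
        "backwards_findings": lint(bad, statics),
        "outside_in_findings": lint(good, statics),
        "smtp_to_183": evaluate(good, statics, "tcp", client, "198.51.100.183", dport=25),
        "www_to_186": evaluate(good, statics, "tcp", client, "198.51.100.186", dport=80),
        "www_to_185": evaluate(good, statics, "tcp", client, "198.51.100.185", dport=80),
        "ping_183": evaluate(good, statics, "icmp", client, "198.51.100.183", icmp_type="echo"),
        "smtp_via_backwards": evaluate(bad, statics, "tcp", client, "198.51.100.183", dport=25),
    }
```

Calling run() returns the findings and verdicts as a dict: the backwards ACL yields two "backwards" findings plus one for the untyped permit icmp any any, and an SMTP packet evaluated against it hits the implicit deny; with the corrected ACL, SMTP to .183 is translated to 172.16.0.13 and web to the interface address reaches 172.16.0.7, the .185 entry is flagged for having no static, and an echo to .183 is denied because only echo-reply is permitted. The model ignores everything else the PIX does (connection state, inspection, the icmp command for the interface's own address), so treat it as a reading aid for the lines on this page, not as a substitute for testing the box.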
 
Can someone tell me if I have something backwards?

Inside IP's
172.16.0.X
 