
Please, 506 LAN 2 LAN config needed


marsmann

MIS
Apr 4, 2002
33
US

Hi all,

PIX 506E w/6.22

Here's the scenario:

lan 1 - 10.1.1.1 (training room)
lan 2 - 10.2.1.1 (real company lan)

Need to setup PIX sort of as a router segmenting the training room LAN from the real LAN so students can't cause mischief from inside the training center onto the company's real network. Will be using access lists to control what services can & can't get out (i.e. www, telnet, smtp, network logins, dhcp, etc.)

Can anyone assist? Thanks to everyone in advance.
 
Sorry, you'll need a real router for this. Probably the most cost-effective way is with a W2K server with 3 NIC's. One for each of your two subnets, and third to connect to the PIX.

-gbiello
 
?

gbiello, thanks for the prompt reply, however, firewalls route packets to and from source and destinations. Why don't you think this would work?

If clients on one side (10.1.1.1) request something not on their local segment it by default will go to the default gateway (PIX). The PIX will then examine the packet and based on ACL permissions and it's route to the next hop, forward the packet on to the other side.

 
Ah, now I see what you want to do:

Internet
|
another (PIX?) firewall
|
10.2.1.x (real company lan)
|
PIX
|
10.1.1.x (training room)

yes?


Something like this would prevent access to the company LAN (10.2.1.x) from anything on the inside interface, while allowing anything else.

access-list fromtrain deny ip any 10.2.1.0 255.255.255.0
access-list fromtrain permit ip any any
access-group fromtrain in interface outside

You used host addresses instead of ranges for the networks, so I'll give my examples as class C. You can easily scale them to a class B.

Next, I assume you'll want to allow web access. Since you won't be translating IP addresses here, you use the "nat 0" statement:

nat (inside) 0 10.1.1.0 255.255.255.0 norandomseq

The 'norandomseq' at the end is needed to stop the PIX from randomizing the TCP/IP sequence numbers. You need this if your Internet firewall does the same thing by default. If your Internet firewall is non-PIX and does not randomize sequence numbers, don't include this option, as it opens a security hole.

hope this helps,
-gbiello
 
Yes!

That's exactly what I want to do. Sorry about the typo, you just made me realize I specified specific hosts instead of .0 or .x, I just typed it too fast....

I actually got it working right now, but it's doing double NAT since I had given it a NAT 1 statement with a global outside statement for the 10.1.x.x.

I am getting dns through even though this firewall is NAT'ing behind another firewall but I will make those changes you suggested. I forgot about the NAT 0 statement which is what I need not to NAT the 10.1.1.x users....

just so I'm clear, your acl lists do the following:

"access-list fromtrain deny ip any 10.2.1.0 255.255.255.0"

^this one above disallows anyone from the training center access in to the company lan


"access-list fromtrain permit ip any any"

^this one above will permit anything else from training out

what if i want to allow M$ network logon ability from the training room out into company lan, but want to disallow telnet, ftp, and anything else into the 10.2.x.x? We don't want the students to do anything else that they need to, & believe me they can be crafty.... but the director wants them to be able to log into the real LAN.

I'd have to remove the "fromtrain deny ip any 10.2.1.0 255.255.255.0" since this disables all access to 10.2.x.x and substitute with something like:

access-list fromtrain permit tcp any 10.2.1.0 eq 139 (or whatever SMB's & M$ services are classified as in PIX)

for each service then, right? or is there a simpler way?

Again, thanks in advance!
 
HI.

> I'd have to remove the "fromtrain deny ip any 10.2.1.0 255.255.255.0" ...
You need to place this line after the ports you want to allow, but before the "permit ip any any" line, for example:

access-list fromtrain permit tcp any host SERVER eq PORTNUMBER1
access-list fromtrain permit tcp any host SERVER eq PORTNUMBER2
access-list fromtrain deny ip any 10.2.1.0 255.255.255.0
access-list fromtrain permit ip any any


> if i want to allow M$ network logon ability ... & believe me they can be crafty ... but the director wants them to be able to log into the real LAN ...
Allowing logon to the MS server will give the users access to many options like MS file sharing.
For this scenario the main anti-student protection will be hardening the MS server, rather than specifying ports on the pix.
So:
1) you can go with that - let them access the MS server and make sure that OS configuration suits your needs.
2) Tell your director that such a configuration is not recommended or practical if it is important to protect the server.
3) When the director tells you that you should find a solution no matter what, you can put another server at the training room for their use.

Bye
Yizhar Hurwitz
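To make the ordering point concrete, here is an added first-match evaluator for the PIX 6.x access-list syntax used in this thread (example code written for this page, not Cisco's or the poster's). It assumes 10.2.1.10 as the stand-in for SERVER and 139 as the logon port; both are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    proto: str            # "tcp", "udp", ...
    src: str
    dst: str
    dport: Optional[int] = None

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'.
    PIX takes real subnet masks here, not IOS-style wildcard masks."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]

    def take(r):  # any | host A.B.C.D | NET MASK -> (ip_network, rest)
        if r[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), r[1:]
        if r[0] == "host":
            return ipaddress.ip_network(r[1] + "/32"), r[2:]
        return ipaddress.ip_network(f"{r[0]}/{r[1]}", strict=False), r[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl, flow):
    """First-match semantics: return (action, line) for the first ACE
    the flow hits; a flow that matches nothing is denied."""
    for line in acl:
        action, proto, src, dst, port = parse_ace(line)
        if (proto in ("ip", flow.proto)
                and ipaddress.ip_address(flow.src) in src
                and ipaddress.ip_address(flow.dst) in dst
                and (port is None or port == flow.dport)):
            return action, line
    return "deny", "(implicit deny at end of list)"

# Constructed values: 10.2.1.10 stands in for SERVER, 139 for the
# Windows logon/SMB port the thread mentions.
ORDERED = [
    "access-list fromtrain permit tcp any host 10.2.1.10 eq 139",
    "access-list fromtrain deny ip any 10.2.1.0 255.255.255.0",
    "access-list fromtrain permit ip any any",
]
# Same three lines with the network deny first: it shadows the permit.
SHADOWED = [ORDERED[1], ORDERED[0], ORDERED[2]]
```

Running `evaluate(SHADOWED, ...)` for a logon flow shows the deny line winning, which is why the per-host permits have to sit above the network deny.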
 
Awesome.

thanks guys. I think I have the basics of what I need. I'm sure I can figure out the rest from here as there are a few other minor things I need to add in addition to what I mentioned...

 
well, I guess I'm still not done. It doesn't work.

I can only get it to work with the illegal double nat setup I had before where I did a nat (inside) 1 and a global statement.

I could still use your help if you're still around and willing... here's my config. What am I missing? It won't pass anything through.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname training-gw
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list academy-out permit tcp any host 10.11.1.6
access-list academy-out permit tcp any host 10.11.1.7
access-list academy-out permit tcp any host 10.11.1.8 eq www
access-list academy-out permit tcp any host 10.11.1.18 eq www
access-list academy-out permit tcp any host 10.11.2.200
access-list academy-out deny ip any 10.11.0.0 255.255.0.0
access-list academy-out permit ip any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 10.11.2.230 255.255.0.0
ip address inside 10.12.44.231 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 10.12.44.0 255.255.255.0 0 0 norandomseq
route outside 0.0.0.0 0.0.0.0 10.11.2.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 10.12.44.100-10.12.44.200 inside
dhcpd dns 65.163.152.3
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain academy.wilson.com
dhcpd enable inside
terminal width 80
Cryptochecksum:8188e511ec5ffcf5872562d4bdd05c77

thanks guys.




 
the access-group statement is in, but it didn't get pasted into the config.

my access group statement for the above acl's is:

access-group academy-out in interface inside

it should be inside, not outside I believe as I saw in a previous post.
 
I can't see anything wrong with it immediately. Have you rebooted the firewall? Sometimes a simple 'clear xlate' or a restart will fix things that won't work that should.

I thought you might have been missing a route to it on the 10.11.2.254 device, but after looking at your post again, "I can only get it to work with the illegal double nat setup", I doubt that's the case.

-gbiello
 