Security Forums
PIX 515E Configuration Problem

friendspu
Just Arrived
Joined: 31 Mar 2007
Posts: 0
Location: Lahore, Pakistan

Posted: Mon Jul 12, 2010 11:47 am    Post subject: PIX 515E Configuration Problem

Dear All,

I am facing a problem regarding PIX 515E configuration. My Internet behind the firewall with private IPs is working, but it is not working with public IPs behind the firewall. I have some servers like Exchange, Office Communication, SharePoint and web servers etc. All servers are configured with public IP addresses.
With this command, my Internet on workstations with private IPs is working:
global (outside) 1 interface
But when I give a range from the public IP pool, then there is no Internet on private addresses as well as on public IP addresses behind the firewall:
global (outside) 1 *.*.*.214-*.*.*.225 netmask 255.255.255.240
I want to route a public IP pool for these services (Exchange, Office Communication, SharePoint and web servers etc.) and Internet for private IP addresses.
Also, my PDM is not accessible in Internet Explorer.

Please help me in this regard.
The configuration is given below.
Scenario
Internet Modem (*.*.*.213)
|
Public IP (*.*.*.226)
PIX Firewall 515E
Private IP (192.168.0.100)
|
LAN Switch 192.168.0.0


pixfirewall# sh conf

: Written by enable_15 at 12:21:48.710 UTC Mon Jul 12 2010
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname pixfirewall
domain-name *******
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.226 255.255.255.240
ip address inside 192.168.0.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 *.*.*.214-*.*.*.225 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 *.*.*.213 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
******************
Weaver
Trusted SF Member
Joined: 04 Jan 2003
Posts: 0
Location: WI, USA

Posted: Sun Aug 08, 2010 8:39 am

First the recommendations:

Upgrade your PIX OS if you can. PIX 6.3.3 is ancient and a PITA to work with. If your 515e can run 7.x it will make your life a lot easier. 8.x is even nicer.

Next is the command reference from Cisco:

Cisco PIX Firewall Command Reference, Version 6.3

Next is your objective:

friendspu wrote:
I want to route a Public IP pool for these services (exchange, office communication, share point and web servers etc) and internet for private ip address.


As I understand it you have a handful of public static IP's and a few hosts inside that you want accessible from the Internet.

The first problem is below (with problematic part highlighted).

friendspu wrote:
but when I give a range of Public IP pool then no internet on private address as well as Public IP address behind Firewall.


The two problems here can be summarized as a misunderstanding of PIX/firewall standard deployment paradigms in using public IPs behind the firewall (more on that in a moment) and an incorrect NAT configuration.

Using public addresses provided to you by your upstream provider "behind" your PIX is doable, but it is more than likely not what you want to do. I'll spare the technical reasons why you do not want to do it and instead focus on what you want to do.

Ideally, you should create yourself a third PIX interface known as the DMZ and keep your Internet accessible services off your "inside" in a "DMZ." The DMZ is an area that is "behind" your firewall but not on your "main LAN" or "inside" interface.

If a DMZ is not in your future, then the quickest way to get this up and running is to keep the Internet accessible services on the inside with IP's on the "inside" subnet, in your case 192.168.0.0/24.

I will assume the following -- Assign your servers the following addresses, using the inside interface of the PIX (192.168.0.100, an odd choice) as their default gateway (assuming nothing else funny going on.)


  • Exchange Server IP: 192.168.0.10/24
  • Office Communicator IP: 192.168.0.11/24
  • Web Server IP: 192.168.0.12


Their public IP's will be below (change to your liking). Do not assign these addresses on the servers themselves, these IP's will be entered into the PIX later.


  • Exchange Server IP: *.*.*.214
  • Office Communicator IP: *.*.*.215
  • Web Server IP: *.*.*.216


The following is the existing NAT configuration from your PIX

Code:
global (outside) 1 interface
global (outside) 1 *.*.*.214-*.*.*.225 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0


This configuration yields the following:

Inside addresses going out to the Internet will first use the Dynamic NAT addresses of *.*.*.214 - *.*.*.225, each internal IP being dynamically assigned a NAT'd IP of .214 - .225 until those IP's are used up. Ten inside IP's connecting to the Internet would use up this pool.

At which point the 11th IP would connect outside and hit the "global (outside) 1 interface" Dynamic Port Address Translation (PAT) address. Additional inside IP's connecting outbound would also use this PAT address and be port address translated.

What I believe you want to do is have your NAT configuration look like below.

Code:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) *.*.*.214 192.168.0.10 netmask 255.255.255.255
static (inside,outside) *.*.*.215 192.168.0.11 netmask 255.255.255.255
static (inside,outside) *.*.*.216 192.168.0.12 netmask 255.255.255.255


You will need an access-list configured as well to allow outbound access in to the inside.

Code:
access-list outside_access_in extended permit tcp any host *.*.*.214 eq 25
access-list outside_access_in extended permit tcp any host *.*.*.215 eq 443
access-list outside_access_in extended permit tcp any host *.*.*.216 eq 80
access-list outside_access_in extended permit tcp any host *.*.*.216 eq 443


And then bind the access-list to the outside interface in the "in" direction.

Code:
access-group outside_access_in in interface outside


This will result in the following:


  • Static NAT for Exchange 192.168.0.10 <-> *.*.*.214
  • Static NAT for Office Communicator 192.168.0.11 <-> *.*.*.215
  • Static NAT for Web Server 192.168.0.12 <-> *.*.*.216
  • Dynamic PAT on PIX Outside Interface IP for remaining Inside hosts
  • TCP/25 open on Outside for Exchange
  • TCP/443 open on Outside for Office Communicator (you will more than likely need more than this)
  • TCP/80 and TCP/443 open on Outside for Web Server


As I mentioned earlier, training is your friend on these devices. A solid understanding of network fundamentals and some specifics on the PIX and ASA's will go a long way.

-Weaver

EDIT: Updated access-list code to use port numbers instead of friendly names.
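To make the translation precedence described in the reply above concrete, here is an added Python model of how a PIX 6.3 picks an outside address for an inside host (static first, then a free dynamic NAT pool address, then PAT on the interface once the pool is exhausted) and of why inbound connections only reach a server when a static mapping exists and a bound access-list permits the port. This is example code written for this thread, not the poster's configuration and not Cisco software; the public addresses (203.0.113.x) are constructed documentation addresses standing in for the masked *.*.*.x values, and the parser, `PixNat`, `outbound_xlate` and `inbound_allowed` are names chosen here, not PIX commands.

```python
"""Toy model of PIX 6.3 NAT selection and inbound ACL evaluation (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the "before" NAT section quoted in the thread
# (203.0.113.0/24 is a documentation range; it replaces the masked *.*.*.x).
BEFORE_CONFIG = """
global (outside) 1 interface
global (outside) 1 203.0.113.214-203.0.113.225 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# Constructed stand-in for the proposed "after" configuration.
AFTER_CONFIG = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.214 192.168.0.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.215 192.168.0.11 netmask 255.255.255.255
static (inside,outside) 203.0.113.216 192.168.0.12 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.214 eq 25
access-list outside_access_in extended permit tcp any host 203.0.113.215 eq 443
access-list outside_access_in extended permit tcp any host 203.0.113.216 eq 80
access-list outside_access_in extended permit tcp any host 203.0.113.216 eq 443
access-group outside_access_in in interface outside
"""

OUTSIDE_IF_IP = "203.0.113.226"  # constructed outside interface address


@dataclass
class PixNat:
    statics: Dict[str, str] = field(default_factory=dict)  # inside -> outside
    pool: List[str] = field(default_factory=list)          # dynamic NAT pool
    pat_addr: Optional[str] = None                          # "interface" PAT
    acl: List[Tuple[str, str, int]] = field(default_factory=list)  # (proto, dst, port)
    acl_bound: bool = False                                 # access-group applied?
    xlate: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # live table


def parse_config(text: str, outside_if_ip: str) -> PixNat:
    """Build a PixNat from the handful of command forms used in the thread."""
    nat = PixNat()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "global" and parts[1] == "(outside)":
            rest = " ".join(parts[3:])
            if rest.startswith("interface"):
                nat.pat_addr = outside_if_ip
            else:
                m = re.match(r"(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)", rest)
                first, last = (int(ipaddress.IPv4Address(a)) for a in m.groups())
                nat.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        elif parts[0] == "static":
            nat.statics[parts[3]] = parts[2]  # static (in,out) OUTSIDE INSIDE ...
        elif parts[0] == "access-list":
            m = re.search(r"permit\s+(\w+)\s+any\s+host\s+(\S+)\s+eq\s+(\d+)", line)
            if m:
                nat.acl.append((m.group(1), m.group(2), int(m.group(3))))
        elif parts[0] == "access-group" and "outside" in parts:
            nat.acl_bound = True
    return nat


def outbound_xlate(nat: PixNat, inside_ip: str) -> Optional[Tuple[str, str]]:
    """Outside address used by inside_ip: static, else free pool address, else PAT."""
    if inside_ip in nat.statics:
        return nat.statics[inside_ip], "static"
    if inside_ip in nat.xlate:
        return nat.xlate[inside_ip]
    in_use = {addr for addr, kind in nat.xlate.values() if kind == "nat"}
    for addr in nat.pool:
        if addr not in in_use:
            nat.xlate[inside_ip] = (addr, "nat")
            return nat.xlate[inside_ip]
    if nat.pat_addr:
        nat.xlate[inside_ip] = (nat.pat_addr, "pat")
        return nat.xlate[inside_ip]
    return None  # no global for this nat id: traffic cannot leave


def inbound_allowed(nat: PixNat, dst_public_ip: str, proto: str, port: int) -> Optional[str]:
    """Inside host reached by an outside connection, or None when the PIX drops it.

    Outside-to-inside is lower to higher security, so it needs both a static
    (or the packet has no destination) and a bound ACL entry for the port.
    """
    inside = {out: ins for ins, out in nat.statics.items()}.get(dst_public_ip)
    if inside is None or not nat.acl_bound:
        return None
    if any((proto, dst_public_ip, port) == rule for rule in nat.acl):
        return inside
    return None


if __name__ == "__main__":
    before = parse_config(BEFORE_CONFIG, OUTSIDE_IF_IP)
    for i in range(10, 24):  # walk enough hosts to drain the pool into PAT
        print("before:", f"192.168.0.{i}", "->", outbound_xlate(before, f"192.168.0.{i}"))
    after = parse_config(AFTER_CONFIG, OUTSIDE_IF_IP)
    print("after: mail in ->", inbound_allowed(after, "203.0.113.214", "tcp", 25))
    print("after: ssh in  ->", inbound_allowed(after, "203.0.113.216", "tcp", 22))
```

Running the "before" section shows every inside host grabbing its own pool address and the first host past the pool dropping to PAT on the interface; the "after" section shows the three servers always presenting their static address outbound, everyone else using PAT, and inbound connections reaching a server only on the ports the bound access-list names.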