Internet - PIX/ASA - Router - LAN Cisco Forum FAQ - dslreports.com

			Search:
	login · register

FAQs

	««		DSL Hurdles		Share Tool

how-to block ads

	Search for: in all FAQs
All FAQs » Cisco Forum FAQ » 50.3 Router-PIX Combo » 14241


Internet - PIX/ASA - Router - LAN (#14241)
Suggested prerequisite reading: »Cisco Forum FAQ »Router configuration to run server (with and without port forwarding) »Cisco Forum FAQ »PIX Firewall/ASA configuration to run server (with and without port forwarding) Introduction Following the same concept of just having single Internet gateway, there is typically NAT/PAT consideration. As mentioned on the reading above, you must use Internet-routable (Public) IP address to go out to the Internet. Therefore there should be NAT/PAT process that translate Private IP address into Public IP address. Since in this case there are two devices (router and ASA or PIX firewall), you must choose to use one to do such NAT/PAT process. Typically you want to have the ASA or PIX firewall to do the NAT/PAT process, especially when you do have the ASA or PIX firewall facing the Internet (ISP) directly. In addition, there must be proper IP routing in place between devices and subnets. This way; the ISP, ASA or PIX firewall, router, and LAN users know how to reach each other and other subnets. For simple network, static routes as shown in the sample configuration should suffice. As noted, the above links are suggested prerequisite reading since this sample configuration presents the next chapter of the prerequisite reading. In addition, you must have a familiarity of both older PIX OS commands and newer PIX/ASA OS commands; or at least familiar enough with the older PIX OS commands to configure PIX/ASA running newer OS commands. If you are new to CLI specifically for router, PIX, and ASA; then check out the following FAQ for info. »Cisco Forum FAQ »The most straight-forward way to configure Cisco router: Introduction to CLI »Cisco Forum FAQ »Straight-forward way to configure Cisco PIX Firewall/ASA: Introduction to CLI Consideration Typical network environment that might utilize following sample PIX configuration is as follows * There is a modem in front of the PIX, which the modem connects to the ISP * ISP is providing Public IP address to the PIX statically * There is NAT/PAT in place on the PIX to translate internal IP addresses to the ISP-provided Public IP address * The router behind the PIX is directly connected physically to the PIX LAN (inside) interface using crossover patch cable * No devices (workstations, servers, switches, hubs) are sitting between the PIX and the router * All the switches, workstations, and servers are sitting behind the router * The router is acting as DHCP server, which provide dynamic IP info for hosts behind the router * The router is not able to provide stateful firewall protection; hence PIX is setup in front of the router before connecting to the ISP (the modem) to protect your LAN from unauthorized accesses This sample configuration assumes the followings: * You receive a static IP address from ISP as 1.1.1.2 * The ISP default gateway is 1.1.1.1 * You are running servers visible to the public * The servers are web, mail, and ftp * Your internal webserver IP address is 192.168.100.1 * Your internal ftp server IP address is 192.168.100.2 * Your internal mail server IP address is 192.168.100.3 * You have syslog server with IP address of 192.168.100.5 * You use 1.1.1.2 (the PIX outside interface IP address) to be your three server's public IP address (static PAT) * You permit only internal host of 192.168.100.4 to telnet and to pdm to the PIX * Internal hosts are receiving IP address automatically (as DHCP clients) from the router * Since the PIX inside interface subnet is /30, there would be no other IP-based hosts between the PIX and the router within the same subnet PIX Configuration PIX Version 6.3(3) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password *** encrypted passwd * encrypted hostname pixfirewall fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names name 1.1.1.2 PUBLIC_IP_01 name 192.168.100.1 WEB_SERVER_01 name 192.168.100.2 FTP_SERVER_01 name 192.168.100.3 MAIL_SERVER_01 name 192.168.100.4 TERMINAL_SERVER_01 name 192.168.100.5 SYSLOG_SERVER_01 object-group icmp-type ICMP-INBOUND description Allowable inbound ICMP traffic icmp-object echo-reply icmp-object unreachable icmp-object time-exceeded object-group service PUBLIC_SERVER-TCP tcp description Allowable inbound TCP traffic port-object range ftp-data ftp port-object eq smtp port-object eq www access-list INBOUND permit icmp any host PUBLIC_IP_01 object-group ICMP-INBOUND access-list INBOUND permit tcp any host PUBLIC_IP_01 object-group PUBLIC_SERVER-TCP pager lines 24 logging on logging trap informational logging host inside SYSLOG_SERVER_01 mtu outside 1500 mtu inside 1500 ip address outside PUBLIC_IP_01 255.255.255.0 ip address inside 10.0.0.1 255.255.255.252 ip audit info action alarm ip audit attack action alarm pdm location TERMINAL_SERVER_01 255.255.255.255 inside pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) tcp interface www WEB_SERVER_01 www netmask 255.255.255.255 0 0 static (inside,outside) tcp interface ftp-data FTP_SERVER_01 ftp-data netmask 255.255.255.255 0 0 static (inside,outside) tcp interface ftp FTP_SERVER_01 ftp netmask 255.255.255.255 0 0 static (inside,outside) tcp interface smtp MAIL_SERVER_01 smtp netmask 255.255.255.255 0 0 access-group INBOUND in interface outside route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 route inside 192.168.100.0 255.255.255.0 10.0.0.2 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local http server enable http TERMINAL_SERVER_01 255.255.255.255 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet TERMINAL_SERVER_01 255.255.255.255 inside telnet timeout 5 ssh timeout 5 console timeout 0 terminal width 80 Router Configuration service password-encryption ! hostname Router ! boot-start-marker boot-end-marker ! enable password 7 ** ! no aaa new-model ip subnet-zero ! ! ip name-server 68.87.64.196 ip name-server 68.87.66.196 ip dhcp excluded-address 192.168.100.1 192.168.100.5 ip dhcp excluded-address 192.168.100.254 ! ip dhcp pool INSIDE-LAN network 192.168.100.0 255.255.255.0 default-router 192.168.100.254 dns-server 68.87.64.196 68.87.66.196 ! no ip bootp server ip cef ! ! ! ! interface FastEthernet0 ip address 10.0.0.2 255.255.255.252 no ip redirects no ip proxy-arp speed auto duplex auto no cdp enable ! interface FastEthernet1 ip address 192.168.100.254 255.255.255.0 no ip redirects no ip proxy-arp speed 100 full-duplex no cdp enable hold-queue 100 out ! ip classless ip route 0.0.0.0 0.0.0.0 10.0.0.1 no ip http server ! logging history warnings logging 192.168.100.5 no cdp run ! line con 0 line aux 0 line vty 0 4 exec-timeout 120 0 password 7 ** login ! end Note:** * The PIX Firewall Inside and Router FastEthernet0 interfaces are within 10.0.0.0/30 network. This means there are no other devices within such network beside the PIX and the router. Sometimes there are other machines within this network where the PIX Inside and Router FastEthernet0 interfaces connect to a switch using straight-through cables. Other machines such as servers connect to the same switch. Since there are more devices, then typically the network is /24 size or larger (i.e. 10.0.0.0/24). When this is the case, make sure that all of those machines have default gateway of 10.0.0.2 (the Router FastEthernet0 interface IP address) and not the 10.0.0.1 (the PIX Firewall Inside interface IP address). This way all the machines have ability to reach both any machines within 192.168.100.0/24 (the Inside LAN) and the Internet. feedback form by aryoba last modified: 2009-07-27 13:24:43


Tuesday, 08-Dec 17:33:00	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. republican-creole