Suggested prerequisite reading:

»Cisco Forum FAQ »Router configuration to run server (with and without port forwarding)
»Cisco Forum FAQ »PIX Firewall/ASA configuration to run server (with and without port forwarding)

Introduction

NAT/PAT is typically a consideration whenever a private network using private IP addresses needs to reach the Internet. As mentioned in the prerequisite reading, you must use an Internet-routable (public) IP address to go out to the Internet, so there must be a NAT/PAT process that translates the private IP addresses into public ones.

Since in this case there are two devices (a router and an ASA or PIX firewall), you must choose which of the two performs the NAT/PAT. If you decide to have the router do it, Sample Configuration 1 is a good place to start. If you decide to have the ASA or PIX firewall do it, Sample Configurations 2 and 3 are good places to start.

In addition, proper IP routing must be in place so that the Internet (ISP), the router, the firewall, and the LAN users can reach one another. As with any routing implementation, each device and subnet must know how to reach every other device and subnet. For a simple network, static routes do the job. For a more complex network such as Sample Configuration 3, the router might need to run dynamic routing with the ISP routers.

The links above are suggested prerequisite reading because this sample configuration is the next chapter after them. You must also be familiar with both the older PIX OS commands and the newer PIX/ASA OS commands, or at least familiar enough with the older PIX OS commands to configure a PIX/ASA running the newer OS. If you are new to the CLI of the router, PIX, or ASA, check out the following FAQs.

»Cisco Forum FAQ »The most straight-forward way to configure Cisco router: Introduction to CLI
»Cisco Forum FAQ »Straight-forward way to configure Cisco PIX Firewall/ASA: Introduction to CLI

1. One exit to ISP, Router performs NAT/PAT, PIX/ASA performs no NAT/PAT

This sample configuration assumes the following:

* You have one ISP providing a single path to your router
* You set the router to do the NAT/PAT and basic firewalling, and leave the PIX to do the stateful firewalling
* You receive one ISP IP block, 1.1.0.0/30, where 1.1.0.1 is the default gateway and you use 1.1.0.2, the only usable public IP address, for all servers and other machines in your LAN
* You receive the ISP IP block statically (traditional static IP assignment, no PPP or DHCP)
* You are running servers visible to the public
* The servers are web, mail, and ftp
* Your internal web server IP address is 10.10.11.2
* Your internal ftp server IP address is 10.10.11.3
* Your internal mail server IP address is 10.10.11.4
* You use 1.1.0.2 as the public IP address of all three servers (static PAT)
* You use the range 10.10.11.30 to 10.10.11.254 as your LAN workstations' IP addresses (dynamic NAT and PAT)
* You permit only the internal host 10.10.11.5 to telnet and to use PDM to the PIX
* Internal hosts receive IP addresses automatically (as DHCP clients) from the PIX
* Since the PIX outside interface subnet is a /30, there are no other IP hosts between the PIX and the router on that subnet

Router Configuration

version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!!!!!!!!!!!!! This is the ISP's DNS IP addresses
ip name-server 1.1.1.2
ip name-server 1.1.1.3
!!!!!!!!!!!!!
!
!
!
!
!
!!!!!!!!!!!! This is the LAN side facing the PIX outside interface
interface Ethernet0
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
 no cdp enable
!
!!!!!!!!!!!! This is to the ISP modem
interface Ethernet1
 ip address 1.1.0.2 255.255.255.252
 ip nat outside
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.0.1
ip route 10.10.11.0 255.255.255.0 10.10.10.2
no ip http server
!
ip nat inside source static tcp 10.10.11.2 80 1.1.0.2 80
ip nat inside source static tcp 10.10.11.2 443 1.1.0.2 443
ip nat inside source static tcp 10.10.11.3 20 1.1.0.2 20
ip nat inside source static tcp 10.10.11.3 21 1.1.0.2 21
ip nat inside source static tcp 10.10.11.4 25 1.1.0.2 25
ip nat inside source static tcp 10.10.11.4 110 1.1.0.2 110
ip nat inside source list 1 interface Ethernet1 overload
!
access-list 1 remark Permit Only Inside Subnets
access-list 1 permit 10.10.8.0 0.0.3.255
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 access-class 1 in
 login local
 length 0
!
scheduler max-task-time 5000
end
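To see what the router configuration above actually does with a packet, here is an added Python model of its NAT/PAT entries (not part of the original FAQ). It parses the `ip nat inside source static` lines, the `overload` statement and access-list 1 as written above, then answers two questions a practitioner checks when this design is deployed: which inbound destination ports reach an inside host at all (only the static entries; everything else has no translation and is dropped at the router), and which inside sources get translated on the way out (only sources permitted by access-list 1). The ephemeral-port allocator starting at 1024 and the sample source addresses are assumptions for illustration.

```python
"""Model of how the Sample Configuration 1 router translates addresses: the
static PAT entries publish three servers behind 1.1.0.2, and the
`ip nat inside source list 1 interface Ethernet1 overload` line PATs every
other source that access-list 1 permits onto the Ethernet1 address.
Added example: the parser only understands the command forms used on this page."""
import ipaddress
import re
from dataclasses import dataclass, field
from itertools import count
from typing import Iterator

# Constructed input: the NAT-relevant lines copied from the router configuration above.
ROUTER_CONFIG = """\
interface Ethernet1
 ip address 1.1.0.2 255.255.255.252
 ip nat outside
ip nat inside source static tcp 10.10.11.2 80 1.1.0.2 80
ip nat inside source static tcp 10.10.11.2 443 1.1.0.2 443
ip nat inside source static tcp 10.10.11.3 20 1.1.0.2 20
ip nat inside source static tcp 10.10.11.3 21 1.1.0.2 21
ip nat inside source static tcp 10.10.11.4 25 1.1.0.2 25
ip nat inside source static tcp 10.10.11.4 110 1.1.0.2 110
ip nat inside source list 1 interface Ethernet1 overload
access-list 1 permit 10.10.8.0 0.0.3.255
"""


@dataclass
class NatModel:
    # (proto, public ip, public port) -> (inside ip, inside port)
    statics: dict = field(default_factory=dict)
    # networks permitted by the ACL named in the overload statement
    overload_nets: list = field(default_factory=list)
    # address of the interface named in the overload statement
    overload_ip: str = ""
    # hypothetical ephemeral-port allocator for overloaded flows (assumption)
    ports: Iterator[int] = field(default_factory=lambda: count(1024))


def wildcard_to_network(ip: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS ACLs use wildcard masks (inverted netmasks): 0.0.3.255 -> /22."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{ip}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_router_nat(config: str) -> NatModel:
    model = NatModel()
    interface_ips, acls, current, overload = {}, {}, None, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            interface_ips[current] = m.group(1)
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", line):
            proto, in_ip, in_port, pub_ip, pub_port = m.groups()
            model.statics[(proto, pub_ip, int(pub_port))] = (in_ip, int(in_port))
        elif m := re.match(r"ip nat inside source list (\d+) interface (\S+) overload", line):
            overload = m.groups()
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+)", line):
            acls.setdefault(m.group(1), []).append(wildcard_to_network(m.group(2), m.group(3)))
    if overload:
        acl_no, iface = overload
        model.overload_nets = acls.get(acl_no, [])
        model.overload_ip = interface_ips[iface]
    return model


def translate_inbound(model: NatModel, proto: str, dst_ip: str, dst_port: int):
    """Packet arriving on the outside interface. Only a static entry creates a
    translation; anything else has no inside destination and is dropped."""
    return model.statics.get((proto, dst_ip, dst_port))


def translate_outbound(model: NatModel, src_ip: str, src_port: int):
    """Packet from the inside. A server's published port keeps its fixed public
    port; every other flow from an ACL-permitted source is overloaded onto the
    outside interface address with a fresh port. Sources outside the ACL are
    left untranslated (and would be unroutable on the Internet)."""
    for (proto, pub_ip, pub_port), inside in model.statics.items():
        if inside == (src_ip, src_port):
            return pub_ip, pub_port
    if any(ipaddress.ip_address(src_ip) in net for net in model.overload_nets):
        return model.overload_ip, next(model.ports)
    return None


if __name__ == "__main__":
    model = parse_router_nat(ROUTER_CONFIG)
    print("inbound 1.1.0.2:443 ->", translate_inbound(model, "tcp", "1.1.0.2", 443))
    print("inbound 1.1.0.2:22  ->", translate_inbound(model, "tcp", "1.1.0.2", 22))
    print("workstation out     ->", translate_outbound(model, "10.10.11.50", 40000))
    print("unlisted source out ->", translate_outbound(model, "192.168.1.5", 40000))
```

The useful check is the negative case: a port with no static entry (22 in the run above) never reaches the inside, and a source outside access-list 1 is never translated, which is the "basic firewall" the router provides in this design before the PIX does stateful inspection.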
 

PIX Firewall Configuration

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network WEB
network-object host 10.10.11.2
object-group network FTP
network-object host 10.10.11.3
object-group network MAIL
network-object host 10.10.11.4
object-group service MAIL_SERVICES tcp
port-object eq smtp
port-object eq pop3
object-group service WEB_SERVICES tcp
port-object eq www
port-object eq https
access-list INBOUND permit icmp any any
access-list INBOUND permit tcp any object-group WEB object-group WEB_SERVICES
access-list INBOUND permit tcp any object-group MAIL object-group MAIL_SERVICES
access-list INBOUND permit tcp any object-group FTP range ftp-data ftp
access-list nonat permit ip any any
pager lines 24
logging on
logging console warnings
logging monitor warnings
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.2 255.255.255.252
ip address inside 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.11.5 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.11.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.11.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.11.30-10.10.11.254 inside
dhcpd dns 1.1.1.2 1.1.1.3
dhcpd enable inside
terminal width 80
 

2. Single exit to ISP, Router performs no NAT/PAT, PIX/ASA performs NAT/PAT and acts as the IPSec VPN Concentrator

Scenario 2.1
You receive two ISP IP blocks

This sample configuration assumes the following:

* You have one ISP providing a single path to your router
* You set the PIX/ASA to do the NAT/PAT, the stateful firewalling, and the IPSec VPN concentration
* You receive two ISP IP blocks. One is 1.1.0.0/30, where 1.1.0.1 is the default gateway and 1.1.0.2 is your router's WAN interface IP address. The second is 1.0.1.0/24, whose addresses are used for the servers' public IP addresses, the router LAN interface, and the PIX outside interface
* You receive the ISP IP blocks statically (traditional static IP assignment, no PPP or DHCP)
* You are running servers visible to the public
* The servers are web, mail, and ftp
* Your internal web server IP address is 10.10.11.2
* Your internal ftp server IP address is 10.10.11.3
* Your internal mail server IP address is 10.10.11.4
* You use 1.0.1.3 as the web server's public IP address (static NAT)
* You use 1.0.1.4 as the ftp server's public IP address (static NAT)
* You use 1.0.1.5 as the mail server's public IP address (static NAT)
* You use 1.0.1.254 as your LAN workstations' public IP address (dynamic PAT)
* You permit only the internal hosts in 10.10.8.0/24 to telnet and to use PDM to the PIX and router
* Remote users VPN in using a group authentication credential; in this sample configuration the group name is Admin and the group password is ********, as set by the vpngroup Admin password ******** command
* VPN users logging in as Admin receive an IP address from the admin pool, 192.168.0.1 to 192.168.0.254
* No external AAA (Authentication, Authorization, and Accounting) server, such as a TACACS+/RADIUS server, is used
* Telnet access to the PIX/ASA itself is not authenticated

Router Configuration

version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!!!!!!!!!!!!! This is the ISP's DNS IP addresses
ip name-server 1.1.1.2
ip name-server 1.1.1.3
!!!!!!!!!!!!!
!
!
!
!
!
!!!!!!!!!!!! This is the LAN side facing the PIX outside interface
interface Ethernet0
 ip address 1.0.1.1 255.255.255.0
 no cdp enable
!
!!!!!!!!!!!! This is to the ISP modem
interface Serial0
 ip address 1.1.0.2 255.255.255.252
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.0.1
ip route 10.0.0.0 255.0.0.0 1.0.1.2
no ip http server
!
!
access-list 1 remark Permit Only Inside Subnets
access-list 1 permit 10.10.8.0 0.0.0.255
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 access-class 1 in
 login local
 length 0
!
scheduler max-task-time 5000
end
 

PIX Firewall Configuration

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname pixfirewall
domain-name yournetwork.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group network Public_Web
description Public Web Server IP address
network-object host 1.0.1.3
object-group network Public_FTP
description Public FTP Server IP address
network-object host 1.0.1.4
object-group network Public_Mail
description Public Mail Server IP address
network-object host 1.0.1.5
object-group network PUBLIC_SERVER
description All Public Servers available
group-object Public_Web
group-object Public_FTP
group-object Public_Mail
object-group icmp-type ICMP-INBOUND
description Allowable inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service Public_Web-TCP tcp
description Allowable inbound TCP traffic
port-object eq www
port-object eq https
object-group service Public_FTP-TCP tcp
description Allowable inbound TCP traffic
port-object range ftp-data ftp
object-group service Public_Mail-TCP tcp
description Allowable inbound TCP traffic
port-object eq smtp
port-object eq pop3
access-list INBOUND permit icmp any object-group PUBLIC_SERVER object-group ICMP-INBOUND
access-list INBOUND permit tcp any object-group Public_Web object-group Public_Web-TCP
access-list INBOUND permit tcp any object-group Public_FTP object-group Public_FTP-TCP
access-list INBOUND permit tcp any object-group Public_Mail object-group Public_Mail-TCP
object-group network VPN-Admin
network-object 192.168.0.0 255.255.255.0
object-group network Admin-Network
network-object 10.10.8.0 255.255.252.0
object-group network Outside-Devices
network-object host 1.0.1.1
network-object host 1.1.0.2
access-list 10 remark Split Tunnel for VPN Admin
access-list 10 permit ip any object-group VPN-Admin
access-list nonat remark No NAT within VPN tunnel and to access Outside Devices
access-list nonat permit ip object-group Admin-Network object-group Outside-Devices
access-list nonat permit ip any object-group VPN-Admin
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.0.1.2 255.255.255.0
ip address inside 10.10.8.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool admin 192.168.0.1-192.168.0.254
pdm history enable
arp timeout 14400
global (outside) 1 1.0.1.254
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.0.1.3 10.10.11.2 netmask 255.255.255.255 0 0
static (inside,outside) 1.0.1.4 10.10.11.3 netmask 255.255.255.255 0 0
static (inside,outside) 1.0.1.5 10.10.11.4 netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 1.0.1.1 1
route inside 10.0.0.0 255.0.0.0 10.10.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup Admin address-pool admin
vpngroup Admin dns-server 10.10.9.2
vpngroup Admin wins-server 10.10.9.3
vpngroup Admin default-domain yournetwork.com
vpngroup Admin split-tunnel 10
vpngroup Admin idle-time 1800
vpngroup Admin password ********
telnet 10.10.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
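The INBOUND access-lists in Sample Configuration 1 and in this scenario are written against object-groups, and the Scenario 2.1 list nests a network group (PUBLIC_SERVER) inside another and pairs it with an icmp-type group. The added Python evaluator below (not part of the original FAQ) parses the object-group and access-list lines exactly as they appear in the PIX configuration above and answers whether a given inbound packet is permitted, resolving the groups recursively and applying the PIX rules that the first matching entry wins and an implicit deny ends every list. The sample outside address 203.0.113.9 is constructed; the evaluator covers only the keywords used on this page and ignores the separate static/NAT lookup an inbound packet also needs.

```python
"""Evaluator for the PIX INBOUND access-list shown above, resolving nested
network, service and icmp-type object-groups the way the firewall does.
Added example; it only covers the keywords used in the Sample Configuration 1
and 2.1 lists."""
import ipaddress

# Constructed input: the object-group and access-list lines from the Scenario 2.1 PIX.
PIX_CONFIG = """\
object-group network Public_Web
description Public Web Server IP address
network-object host 1.0.1.3
object-group network Public_FTP
network-object host 1.0.1.4
object-group network Public_Mail
network-object host 1.0.1.5
object-group network PUBLIC_SERVER
group-object Public_Web
group-object Public_FTP
group-object Public_Mail
object-group icmp-type ICMP-INBOUND
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service Public_Web-TCP tcp
port-object eq www
port-object eq https
object-group service Public_FTP-TCP tcp
port-object range ftp-data ftp
object-group service Public_Mail-TCP tcp
port-object eq smtp
port-object eq pop3
access-list INBOUND permit icmp any object-group PUBLIC_SERVER object-group ICMP-INBOUND
access-list INBOUND permit tcp any object-group Public_Web object-group Public_Web-TCP
access-list INBOUND permit tcp any object-group Public_FTP object-group Public_FTP-TCP
access-list INBOUND permit tcp any object-group Public_Mail object-group Public_Mail-TCP
"""

# PIX keyword-to-number tables (only the subset needed for this page).
PORTS = {"ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80, "pop3": 110, "https": 443}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}


def port(token):
    return PORTS.get(token) or int(token)


def take_address(tok, i):
    """Parse an address operand starting at tok[i]; returns (spec, next index)."""
    if tok[i] == "any":
        return ("any",), i + 1
    if tok[i] == "host":
        return ("net", ipaddress.ip_network(tok[i + 1])), i + 2
    if tok[i] == "object-group":
        return ("group", tok[i + 1]), i + 2
    return ("net", ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)), i + 2


def take_service(tok, i):
    """Parse the optional destination-port / icmp-type operand at tok[i]."""
    if i >= len(tok):
        return ("any",)
    if tok[i] == "object-group":
        return ("group", tok[i + 1])
    if tok[i] == "eq":
        return ("range", port(tok[i + 1]), port(tok[i + 1]))
    if tok[i] == "range":
        return ("range", port(tok[i + 1]), port(tok[i + 2]))
    return ("any",)


def parse_pix(config):
    """Return (object-groups, access-list entries) from the configuration text."""
    groups, rules, current = {}, [], None
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] == "description":
            continue
        if tok[0] == "object-group":
            current = groups.setdefault(tok[2], {"kind": tok[1], "members": []})
        elif tok[0] == "network-object":
            current["members"].append(take_address(tok, 1)[0])
        elif tok[0] == "group-object":
            current["members"].append(("group", tok[1]))
        elif tok[0] == "icmp-object":
            current["members"].append(("range", ICMP_TYPES[tok[1]], ICMP_TYPES[tok[1]]))
        elif tok[0] == "port-object":
            current["members"].append(take_service(tok, 1))
        elif tok[0] == "access-list":
            src, i = take_address(tok, 4)
            dst, i = take_address(tok, i)
            rules.append({"name": tok[1], "action": tok[2], "proto": tok[3],
                          "src": src, "dst": dst, "svc": take_service(tok, i)})
    return groups, rules


def addr_match(groups, spec, ip):
    if spec[0] == "any":
        return True
    if spec[0] == "net":
        return ip in spec[1]
    return any(addr_match(groups, m, ip) for m in groups[spec[1]]["members"])


def svc_match(groups, spec, value):
    if spec[0] == "any":
        return True
    if spec[0] == "range":
        return spec[1] <= value <= spec[2]
    return any(svc_match(groups, m, value) for m in groups[spec[1]]["members"])


def evaluate(groups, rules, name, proto, src, dst, value):
    """value is the destination port for tcp/udp, or the icmp type for icmp."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["name"] != name or r["proto"] not in (proto, "ip"):
            continue
        if (addr_match(groups, r["src"], s) and addr_match(groups, r["dst"], d)
                and svc_match(groups, r["svc"], value)):
            return r["action"]
    return "deny"  # every PIX access-list ends with an implicit deny
```

Running evaluate over the published servers shows the effect of per-server service groups: SMTP is accepted only for the mail server's public address, echo-reply and unreachable are accepted for the servers but an inbound echo request is not, and the dynamic-PAT address 1.0.1.254 accepts nothing inbound at all.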
 

More Sample Configurations of Setting Up ASA/PIX Firewall as Internet Firewall and IPSec VPN Concentrator
»Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator

Some discussions:
»[Config] ASA5505 setup
»[HELP] Please Help with Cisco 1841 T1 Config

Scenario 2.2
You receive only one ISP IP block

* You have one ISP providing a single path to your router
* You receive one ISP IP block, 1.0.1.0/29, via PPPoE negotiation on the router
* By implementing IRB (Integrated Routing and Bridging), the router interfaces and the PIX/ASA outside interface are in the same broadcast domain, which lets the PIX/ASA do the NAT/PAT and stateful firewalling with just one ISP IP block while the router keeps its routing capability
* The router has the 1.0.1.1 IP address and you assign 1.0.1.2 to the PIX/ASA outside interface
* The router learns its default gateway to the Internet, 1.0.1.6, via PPPoE negotiation
* The 1.0.1.3 IP address is used as the NAT/PAT address hosting your public ftp, mail, and web servers
* You use the 10.0.0.0/24 private subnet as your internal subnet

Router Configuration

no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
bridge irb
!
no ip dhcp-client network-discovery
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
!
!!!!!! This is the Outside network
interface Ethernet0
 no ip address
 bridge-group 1
 hold-queue 32 in
!
!!!!!! This is facing the modem (ISP)
interface Ethernet1
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
!!!!!! The ISP's given IP address will be configured via d1
interface Dialer1
 ip address negotiated
!!!!!!
 ip mtu 1492
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname *********
 ppp chap password 7 *******
 ppp pap sent-username ******** password 7 *******
 ppp ipcp route default
 bridge-group 1
!
interface BVI1
 no ip address
!
ip classless
no ip http server
!
!
dialer-list 1 protocol ip permit
bridge 1 protocol ieee
bridge 1 route ip
!
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
!
scheduler max-task-time 5000
end
 

PIX Firewall Configuration

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
description Allowable inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service PUBLIC_SERVER-TCP tcp
description Allowable inbound TCP traffic
port-object range ftp-data ftp
port-object eq smtp
port-object eq www
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
access-list INBOUND permit tcp any any object-group PUBLIC_SERVER-TCP
pager lines 24
logging on
logging console warnings
logging monitor warnings
mtu outside 1500
mtu inside 1500
ip address outside 1.0.1.2 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.0.1.3 www 10.0.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.1.3 ftp-data 10.0.0.3 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.1.3 ftp 10.0.0.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.1.3 smtp 10.0.0.4 smtp netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 1.0.1.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.100-10.0.0.254 inside
dhcpd dns 1.1.1.2 1.1.1.3
dhcpd enable inside
terminal width 80
 

3. Multiple exits to ISP (Failover Routing), Router performs no NAT/PAT, PIX/ASA performs NAT/PAT

This sample configuration assumes the following:

* You have one ISP providing multiple paths to your router
* There is an SLA between you and the ISP that provides a failover routing mechanism
* You set the PIX to do the NAT/PAT and to provide the stateful firewall features, and leave the router to do the failover routing (source routing)
* You receive two ISP IP blocks for LAN machines, 1.0.0.0/24 and 1.0.1.0/24
* You receive two more ISP IP blocks for WAN connectivity, 1.1.0.0/30 and 1.1.0.4/30
* ISP path #1 uses subnet 1.1.0.0/30, where 1.1.0.2 is on your side
* ISP path #2 uses subnet 1.1.0.4/30, where 1.1.0.6 is on your side
* You receive all of these ISP IP blocks statically (traditional static IP assignment, no PPP or DHCP)
* Both 1.1.0.1 and 1.1.0.5 are on the ISP router that serves as your default gateway to the Internet
* The ISP router uses path #1 as primary to reach 1.0.0.0/24 and path #2 as alternate
* Likewise, the ISP router uses path #2 as primary to reach 1.0.1.0/24 and path #1 as alternate
* The only networks visible to your ISP are the ones it assigns to you, 1.1.0.0/29 and 1.0.0.0/23; other IP addresses and subnets are internal and visible only within your network
* You are running servers visible to the public
* The servers use the 1.0.0.0/24 block and the workstations use the 1.0.1.0/24 block
* The servers are web, mail, and ftp
* Your internal web server IP address is 10.10.11.2
* Your internal ftp server IP address is 10.10.11.3
* Your internal mail server IP address is 10.10.11.4
* You use 1.0.0.3 as the public IP address of all three servers (static PAT)
* You use the range 1.0.1.1 to 1.0.1.254 as your LAN workstations' public IP addresses (dynamic NAT and PAT)
* You permit only the internal host 10.10.11.5 to telnet and to use PDM to the PIX
* Internal hosts receive IP addresses automatically (as DHCP clients) from the PIX
* Since the PIX outside interface subnet is a /30, there are no other IP hosts between the PIX and the router on that subnet

Router Configuration

version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!!!!!!!!!!!!! This is the ISP's DNS IP addresses
ip name-server 1.1.1.2
ip name-server 1.1.1.3
!!!!!!!!!!!!!
!
!
!
!
!
!!!!!!!!!!!! This is the LAN side facing the PIX outside interface
interface Ethernet0
 ip address 10.10.10.1 255.255.255.252
 no cdp enable
 ip policy route-map SourceRouting
!
!!!!!!!!!!!! This is the ISP path #1
interface Ethernet1
 ip address 1.1.0.2 255.255.255.252
 no cdp enable
!
!!!!!!!!!!!! This is the ISP path #2
interface Ethernet2
 ip address 1.1.0.6 255.255.255.252
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.0.1
ip route 0.0.0.0 0.0.0.0 1.1.0.5
ip route 1.0.0.0 255.255.254.0 10.10.10.2
no ip http server
!
access-list 101 remark Primary Route to ISP #1
access-list 101 permit ip host 1.0.0.3 any
access-list 102 remark Primary Route to ISP #2
access-list 102 permit ip 1.0.1.0 0.0.0.255 any
no cdp run
!
route-map SourceRouting permit 10
 match ip address 101
 set ip next-hop 1.1.0.1
 set interface Ethernet2
!
route-map SourceRouting permit 20
 match ip address 102
 set ip next-hop 1.1.0.5
 set interface Ethernet1
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
!
scheduler max-task-time 5000
end
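The failover design above depends on two things working together: the PIX translates sources to public addresses before the router sees them, and the SourceRouting route-map on Ethernet0 then steers each public block to its primary ISP path with `set ip next-hop`, falling back to `set interface` on the other path when the primary link is down, while everything else follows the two equal-cost default routes. The added Python model below (not part of the original FAQ) reproduces that decision from the routes, access-lists and route-map as written above: longest-prefix routing over the static routes, next-hop reachability derived from the connected subnets, and the policy applied only to packets entering Ethernet0. Equal-cost load sharing and ARP resolution on the `set interface` path are simplified away, and the outside address 203.0.113.9 is constructed.

```python
"""Forwarding model for the Sample Configuration 3 router: longest-prefix
routing over its static routes plus the SourceRouting policy on Ethernet0,
which steers each public block to its primary ISP path and falls back to the
other path when the primary interface is down. Added example."""
import ipaddress

# Copied from the router configuration above.
CONNECTED = {"Ethernet0": "10.10.10.0/30", "Ethernet1": "1.1.0.0/30", "Ethernet2": "1.1.0.4/30"}
STATIC_ROUTES = [("0.0.0.0/0", "1.1.0.1"), ("0.0.0.0/0", "1.1.0.5"), ("1.0.0.0/23", "10.10.10.2")]
ACL = {101: ["1.0.0.3/32"], 102: ["1.0.1.0/24"]}
# route-map SourceRouting: (sequence, match ip address, set ip next-hop, set interface)
ROUTE_MAP = [(10, 101, "1.1.0.1", "Ethernet2"), (20, 102, "1.1.0.5", "Ethernet1")]
ALL_UP = frozenset(CONNECTED)


def egress_for(next_hop, up):
    """The interface whose connected subnet contains next_hop, if that link is up.
    When the link is down the connected route is gone and the next hop is unreachable."""
    nh = ipaddress.ip_address(next_hop)
    for iface, net in CONNECTED.items():
        if iface in up and nh in ipaddress.ip_network(net):
            return iface
    return None


def route(dst, up):
    """Normal routing: connected subnets first, then the longest-prefix static
    route whose next hop is reachable. Returns (next_hop, egress) or None.
    Simplification: of two equal-cost defaults the first usable one is taken."""
    d = ipaddress.ip_address(dst)
    for iface, net in CONNECTED.items():
        if iface in up and d in ipaddress.ip_network(net):
            return dst, iface
    best = None
    for prefix, nh in STATIC_ROUTES:
        net = ipaddress.ip_network(prefix)
        iface = egress_for(nh, up)
        if d in net and iface and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return (best[1], best[2]) if best else None


def forward(src, dst, up=ALL_UP, ingress="Ethernet0"):
    """Decide how a packet is forwarded: ('policy'|'routed'|'dropped', next_hop, egress).
    Policy routing applies only to packets entering Ethernet0, i.e. traffic the PIX
    has already translated to a public source address."""
    s = ipaddress.ip_address(src)
    if ingress == "Ethernet0":
        for seq, acl, next_hop, fallback in ROUTE_MAP:
            if any(s in ipaddress.ip_network(n) for n in ACL[acl]):
                if egress := egress_for(next_hop, up):
                    return "policy", next_hop, egress
                if fallback in up:
                    return "policy", None, fallback
                break  # neither set clause usable: fall through to the routing table
    hop = route(dst, up)
    return ("routed", hop[0], hop[1]) if hop else ("dropped", None, None)


if __name__ == "__main__":
    print("servers, all links up :", forward("1.0.0.3", "203.0.113.9"))
    print("servers, path #1 down :", forward("1.0.0.3", "203.0.113.9", up=frozenset({"Ethernet0", "Ethernet2"})))
    print("workstations, all up  :", forward("1.0.1.77", "203.0.113.9"))
    print("inbound to a server   :", forward("203.0.113.9", "1.0.0.3", ingress="Ethernet1"))
```

Walking the cases shows why the router must not NAT in this design: the route-map matches on the source address, so if the server traffic still carried 10.10.11.x sources when it reached Ethernet0, neither access-list 101 nor 102 would match and the failover preference would never apply.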
 

PIX Firewall Configuration

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
description Allowable inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service PUBLIC_SERVER-TCP tcp
description Allowable inbound TCP traffic
port-object range ftp-data ftp
port-object eq smtp
port-object eq www
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
access-list INBOUND permit tcp any any object-group PUBLIC_SERVER-TCP
pager lines 24
logging on
logging console warnings
logging monitor warnings
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.2 255.255.255.252
ip address inside 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.11.5 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 1.0.1.1-1.0.1.253 netmask 255.255.255.0
global (outside) 1 1.0.1.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.0.0.3 www 10.10.11.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.0.3 ftp-data 10.10.11.3 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.0.3 ftp 10.10.11.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.0.3 smtp 10.10.11.4 smtp netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.11.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.11.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.11.30-10.10.11.254 inside
dhcpd dns 1.1.1.2 1.1.1.3
dhcpd enable inside
terminal width 80
 

Note:
This is just a sample configuration and is not intended as a working configuration for any particular network design. Your actual failover routing mechanism might differ from what is suggested here, depending on the SLA between you and your ISP.

4. Single exit to ISP, dual PIX/ASA performing Active/Active or Active/Standby

PIX/ASA: Active/Active Failover Configuration Example
PIX/ASA: Active/Standby Failover Configuration Example

Supplemental Sample Configurations
»Cisco Forum FAQ »Setting Up Network With ISP WAN and Public IP Block subnets running NAT

Some Discussions

»[Config] Asa 5505 possible NAT issue

Feedback received on this FAQ entry:
  • Thanks for your useful document. I wonder if we could use "IP unnumbered" in scenario 2.2? Or do we have to give the solution just by IRB?

    2010-03-31 00:41:48


by aryoba
last modified: 2014-02-07 15:21:34