50.3 Router-Firewall Combo

Suggested Pre-reading
»Cisco Forum FAQ »Basic Internet Firewall for Routers without IOS image Firewall feature

Which device should face the ISP?

You have a router and a firewall as separate devices, and you are weighing the two possible orders for connecting them:

1st Setup: ISP -- Router -- Firewall -- LAN
2nd Setup: ISP -- Firewall -- Router -- LAN

When an external modem connects to the ISP, the modem usually hands off Ethernet, so the 2nd setup is possible.

Several situations can prevent you from using the 2nd setup:

* There is no external modem, and you have to use the integrated modem within the router
* Your ISP requires PPPoA which your firewall is unable to support
* Your ISP hands off a non-Ethernet circuit (e.g. T1/E1, DWDM)

When your situation falls within one of the above, you have to use the 1st setup.

Scenario 1: You Have The 1st Setup And The Firewall Needs To Receive A Public IP Address

There are two ways to set this up:

* Set a static NAT/PAT between the router and the firewall
* Set the router to be a bridge/modem

Setting up the router as a bridge/modem may "downgrade" it to a plain modem and lose its router features. Whenever possible, you should therefore prefer static NAT/PAT between the router and the firewall.

Case Studies

The 1st Setup: Router in front of Firewall

1. Router with integrated T1 modem terminates the T1 circuit

This case study uses the 1st setup, with the router terminating the T1 circuit to the ISP. The router is a Cisco with an integrated T1 modem and the firewall is a PIX Firewall. It assumes you have a /29 IP block from your ISP, so you can use one IP address for the router and another for the PIX Firewall.

Router Configuration

no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
!
clock timezone est -5
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
no ip domain lookup
!
no ip bootp server
!
!
!
!
!
interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.100.1 255.255.255.252
 ip nat inside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 speed 100
 full-duplex
!
interface Serial0/0
 description WAN Interface
 ip address 198.131.65.2 255.255.255.248
 ip nat outside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip load-sharing per-packet
 no ip mroute-cache
 fair-queue
 service-module t1 timeslots 1-24
!
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 198.131.65.1
ip route 192.168.101.0 255.255.255.0 192.168.100.2
!
ip nat inside source list 10 interface Serial0/0 overload
ip nat inside source static 192.168.100.2 198.131.65.3
!
! access-list 10 is referenced by the overload statement above but was missing
! from the listing; it selects the LAN subnet behind the PIX for PAT
access-list 10 permit 192.168.101.0 0.0.0.255
!
!
no cdp run
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
 

PIX Firewall Configuration

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
logging trap informational
mtu outside 1500
mtu inside 1500
ip address outside 192.168.100.2 255.255.255.252
ip address inside 192.168.101.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
 
Description

* The Public IP subnet is configured only on the router WAN side. The router LAN interface and both PIX Firewall interfaces use Private IP subnets
* A static NAT entry on the router maps an available Public IP address to the PIX Firewall outside interface, so the Firewall effectively "receives" a Public IP address
* The LAN machines use the router WAN interface address to go out to the Internet

2. Router as PPPoA client to the ISP

This case study uses the 1st setup, with the router running PPPoA because the ISP requires it to connect to the Internet. The router is a Cisco with an integrated DSL modem and the firewall is a PIX Firewall. It assumes you have a /29 IP block from your ISP, so you can use one IP address for the router and another for the PIX Firewall.

Router Configuration

 
version 12.1 
!
service timestamps debug datetime msec 
service timestamps log datetime msec 
! 
hostname R1 
! 
ip subnet-zero 
! 
interface Ethernet0 
 ip address 198.131.65.2 255.255.255.248 
 no ip directed-broadcast 
 no ip mroute-cache 
! 
interface ATM0 
 no ip address 
 no ip directed-broadcast 
 no ip mroute-cache 
 no atm ilmi-keepalive 
 pvc 1/150 
  encapsulation aal5mux ppp dialer 
  dialer pool-member 1 
 ! 
 hold-queue 224 in 
! 
interface Dialer0 
 ip address unnumbered Ethernet0
 no ip directed-broadcast 
 encapsulation ppp 
 dialer pool 1 
 dialer-group 1 
 ppp authentication chap callin 
 ppp chap hostname username
 ppp chap password password
! 
ip classless 
!
ip route 0.0.0.0 0.0.0.0 Dialer0 
! 
dialer-list 1 protocol ip permit 
!
end
 

PIX Firewall Configuration

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 198.131.65.3 PUBLIC_IP_01
name 192.168.100.1 WEB_SERVER_01
name 192.168.100.2 FTP_SERVER_01
name 192.168.100.3 MAIL_SERVER_01
name 192.168.100.4 TERMINAL_SERVER_01
name 192.168.100.5 SYSLOG_SERVER_01
object-group icmp-type ICMP-INBOUND
description Allowable inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service PUBLIC_SERVER-TCP tcp
description Allowable inbound TCP traffic
port-object range ftp-data ftp
port-object eq smtp
port-object eq www
access-list INBOUND permit icmp any host PUBLIC_IP_01 object-group ICMP-INBOUND
access-list INBOUND permit tcp any host PUBLIC_IP_01 object-group PUBLIC_SERVER-TCP
pager lines 24
logging on
logging trap informational
logging host inside SYSLOG_SERVER_01
mtu outside 1500
mtu inside 1500
ip address outside PUBLIC_IP_01 255.255.255.248
ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location TERMINAL_SERVER_01 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www WEB_SERVER_01 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data FTP_SERVER_01 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp FTP_SERVER_01 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp MAIL_SERVER_01 smtp netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 198.131.65.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http TERMINAL_SERVER_01 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet TERMINAL_SERVER_01 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
 
Description

Step 1: Basic Router Configuration

* Do not set up the router LAN interface or the PIX Firewall outside interface yet; configure only the router Dialer interface
* If you can set up the Dialer interface with a static IP address without using "ip negotiated", you can skip Step 1. If you have to use "ip negotiated", keep reading
* Set the Dialer interface's public IP address and gateway using "ip negotiated" and an "ip route" pointing to the Dialer interface. Use the ipcp command to set the default gateway when possible
* Run "show ip route" to find out the Dialer public IP address and the gateway (the ISP equipment IP address)

Step 2: Configure LAN interfaces

* Move the Dialer public IP address to the Ethernet interface and set the Dialer to "ip unnumbered Ethernet"
* Configure the PIX Firewall outside interface with the next available public IP address
* Set the default gateway pointing to the ISP equipment IP address

Supplemental Sample Configurations
»Cisco Forum FAQ »Setting Up Network With ISP WAN and Public IP Block subnets running NAT

Discussions
»[Config] Configuration 867VAE-K9 PPPoA CenturyLink

by aryoba See Profile
last modified: 2014-05-20 13:57:00

Suggested prerequisite reading:

»Cisco Forum FAQ »Router configuration to run server (with and without port forwarding)
»Cisco Forum FAQ »PIX Firewall/ASA configuration to run server (with and without port forwarding)

Introduction

Accessing the Internet from a private network that uses Private IP addresses typically involves NAT/PAT. As mentioned in the reading above, you must use an Internet-routable (Public) IP address to go out to the Internet, so a NAT/PAT process must translate the Private IP addresses into Public IP addresses.

Since in this case there are two devices (a router and an ASA or PIX firewall), you must choose which of the two performs the NAT/PAT. If you decide on the router, Sample Configuration 1 is a good place to start. If you decide on the ASA or PIX firewall, Sample Configurations 2 and 3 are good places to start.

In addition, you need proper IP routing in place so that the Internet (ISP), router, firewall, and LAN users can reach one another. As with any routing implementation, each device and subnet must know how to reach every other device or subnet. For a simple network, static routes do the job. For a more complex network such as Sample Configuration 3, the router might need to run dynamic routing with the ISP routers.

As noted, the links above are suggested prerequisite reading, since this sample configuration is the next chapter after them. You must also be familiar with both the older PIX OS commands and the newer PIX/ASA OS commands, or at least familiar enough with the older PIX OS commands to configure a PIX/ASA running the newer OS. If you are new to the CLI of the router, PIX, and ASA, check out the following FAQs.

»Cisco Forum FAQ »The most straight-forward way to configure Cisco router: Introduction to CLI
»Cisco Forum FAQ »Straight-forward way to configure Cisco PIX Firewall/ASA: Introduction to CLI

1. One exit to ISP, Router performs NAT/PAT, PIX/ASA performs no NAT/PAT

This sample configuration assumes the following:

* You have one ISP providing a single path to your router
* You set the router to do the NAT/PAT and basic firewalling, and leave the stateful firewall to the PIX
* You receive one ISP IP block, 1.1.0.0/30, where 1.1.0.1 is the default gateway and 1.1.0.2 is yours (the only usable Public IP address, shared by all servers and other machines in your LAN)
* You receive the ISP IP block statically (traditional static IP assignment, absolutely no PPP nor DHCP)
* You are running servers visible to the public
* The servers are web, mail, and ftp
* Your internal web server IP address is 10.10.11.2
* Your internal ftp server IP address is 10.10.11.3
* Your internal mail server IP address is 10.10.11.4
* You use 1.1.0.2 as the public IP address of all three servers (static PAT)
* Your LAN workstations use the 10.10.11.30 to 10.10.11.254 range and share the same public address through dynamic NAT and PAT
* You permit only the internal host 10.10.11.5 to telnet and to use PDM on the PIX
* Internal hosts receive IP addresses automatically (as DHCP clients) from the PIX
* Since the PIX outside interface subnet is /30, there are no other IP hosts between the PIX and the router in that subnet

Router Configuration

version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!!!!!!!!!!!!! This is the ISP's DNS IP addresses
ip name-server 1.1.1.2
ip name-server 1.1.1.3
!!!!!!!!!!!!!
!
!
!
!
!
!!!!!!!!!!!! This is the LAN side facing the PIX outside interface
interface Ethernet0
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
 no cdp enable
!
!!!!!!!!!!!! This is to the ISP modem
interface Ethernet1
 ip address 1.1.0.2 255.255.255.252
 ip nat outside
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.0.1
ip route 10.10.11.0 255.255.255.0 10.10.10.2
no ip http server
!
ip nat inside source static tcp 10.10.11.2 80 1.1.0.2 80
ip nat inside source static tcp 10.10.11.2 443 1.1.0.2 443
ip nat inside source static tcp 10.10.11.3 20 1.1.0.2 20
ip nat inside source static tcp 10.10.11.3 21 1.1.0.2 21
ip nat inside source static tcp 10.10.11.4 25 1.1.0.2 25
ip nat inside source static tcp 10.10.11.4 110 1.1.0.2 110
ip nat inside source list 1 interface Ethernet1 overload
!
access-list 1 remark Permit Only Inside Subnets
access-list 1 permit 10.10.8.0 0.0.3.255
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 access-class 1 in
 login local
 length 0
!
scheduler max-task-time 5000
end
 

PIX Firewall Configuration

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network WEB
network-object host 10.10.11.2
object-group network FTP
network-object host 10.10.11.3
object-group network MAIL
network-object host 10.10.11.4
object-group service MAIL_SERVICES tcp
port-object eq smtp
port-object eq pop3
object-group service WEB_SERVICES tcp
port-object eq www
port-object eq https
access-list INBOUND permit icmp any any
access-list INBOUND permit tcp any object-group WEB object-group WEB_SERVICES
access-list INBOUND permit tcp any object-group MAIL object-group MAIL_SERVICES
access-list INBOUND permit tcp any object-group FTP range ftp-data ftp
access-list nonat permit ip any any
pager lines 24
logging on
logging console warnings
logging monitor warnings
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.2 255.255.255.252
ip address inside 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.11.5 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.11.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.11.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.11.30-10.10.11.254 inside
dhcpd dns 1.1.1.2 1.1.1.3
dhcpd enable inside
terminal width 80
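In this sample the router owns the static PAT entries and the PIX owns the INBOUND access-list, so a packet is only delivered when both devices agree. The following is an added example, not code from the FAQ or from Cisco: it parses the router `ip nat inside source static tcp` lines and the PIX object-groups and INBOUND list exactly as they appear above, traces an Internet-side packet through the router translation and then the PIX first-match evaluation, and lists any static PAT entry the PIX would drop anyway (the policy-drift check you want after either device is edited). The test packets and the 203.0.113.10 source address are constructed for the example.

```python
"""Added example (not from the FAQ): trace an Internet-side packet through Sample
Configuration 1, where the router holds the static PAT entries and the PIX holds the
INBOUND access-list. Config lines are copied from the listings above; the test
packets and the 203.0.113.10 source address are constructed."""
import ipaddress
ROUTER_NAT = """\
ip nat inside source static tcp 10.10.11.2 80 1.1.0.2 80
ip nat inside source static tcp 10.10.11.2 443 1.1.0.2 443
ip nat inside source static tcp 10.10.11.3 20 1.1.0.2 20
ip nat inside source static tcp 10.10.11.3 21 1.1.0.2 21
ip nat inside source static tcp 10.10.11.4 25 1.1.0.2 25
ip nat inside source static tcp 10.10.11.4 110 1.1.0.2 110
"""
PIX_POLICY = """\
object-group network WEB
network-object host 10.10.11.2
object-group network FTP
network-object host 10.10.11.3
object-group network MAIL
network-object host 10.10.11.4
object-group service MAIL_SERVICES tcp
port-object eq smtp
port-object eq pop3
object-group service WEB_SERVICES tcp
port-object eq www
port-object eq https
access-list INBOUND permit icmp any any
access-list INBOUND permit tcp any object-group WEB object-group WEB_SERVICES
access-list INBOUND permit tcp any object-group MAIL object-group MAIL_SERVICES
access-list INBOUND permit tcp any object-group FTP range ftp-data ftp
"""
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80, "pop3": 110, "https": 443}
port = lambda tok: PORT_NAMES.get(tok) or int(tok)   # PIX 6.3 keywords used on this page

def parse_router_static_pat(text):
    """Map (proto, public_ip, public_port) -> (inside_ip, inside_port)."""
    table = {}
    for t in (line.split() for line in text.splitlines()):
        if t[:5] == ["ip", "nat", "inside", "source", "static"] and len(t) == 10:
            table[(t[5], t[8], port(t[9]))] = (t[6], port(t[7]))
    return table

def _addr(t, i, nets):
    """Consume one address spec (any | host A | object-group G | A MASK) at t[i]."""
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "host":
        return [ipaddress.ip_network(t[i + 1])], i + 2
    if t[i] == "object-group":
        return nets[t[i + 1]], i + 2
    return [ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)], i + 2

def _ports(t, i, svcs):
    """Optional port spec (eq P | range L H | object-group G); absent means any port."""
    if i >= len(t):
        return [(0, 65535)]
    if t[i] == "eq":
        return [(port(t[i + 1]), port(t[i + 1]))]
    if t[i] == "range":
        return [(port(t[i + 1]), port(t[i + 2]))]
    return svcs[t[i + 1]]

def parse_pix_acl(text, name="INBOUND"):
    """Parse object-groups plus the named access-list into first-match ACEs."""
    nets, svcs, acl, group = {}, {}, [], None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "object-group":
            group = (nets if t[1] == "network" else svcs).setdefault(t[2], [])
        elif t[0] == "network-object":
            group.append(ipaddress.ip_network(t[2]) if t[1] == "host"
                         else ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False))
        elif t[0] == "port-object":
            group.append((port(t[2]), port(t[2] if t[1] == "eq" else t[3])))
        elif t[0] == "access-list" and t[1] == name:
            src, i = _addr(t, 4, nets)
            dst, i = _addr(t, i, nets)
            acl.append((t[2], t[3], src, dst, _ports(t, i, svcs)))
    return acl

def pix_permits(acl, proto, src_ip, dst_ip, dst_port):
    """First matching ACE decides; no match is the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, ace_proto, src, dst, ports in acl:
        if ace_proto not in (proto, "ip"):
            continue
        if not any(s in n for n in src) or not any(d in n for n in dst):
            continue
        if proto in ("tcp", "udp") and not any(lo <= dst_port <= hi for lo, hi in ports):
            continue
        return action == "permit"
    return False

def walk_inbound(proto, src_ip, dst_ip, dst_port, nat, acl):
    """Router static PAT first, then the PIX evaluates the translated packet."""
    if (proto, dst_ip, dst_port) not in nat:
        return "dropped-at-router", None          # no static PAT entry for this port
    in_ip, in_port = nat[(proto, dst_ip, dst_port)]
    ok = pix_permits(acl, proto, src_ip, in_ip, in_port)
    return ("delivered" if ok else "denied-by-pix"), f"{in_ip}:{in_port}"

def statics_without_pix_permit(nat, acl):
    """Router static PAT entries the PIX would drop anyway (a policy-drift check)."""
    return [f"{pub}:{pp}/{proto}" for (proto, pub, pp), (ip, p) in nat.items()
            if not pix_permits(acl, proto, "203.0.113.10", ip, p)]
NAT, ACL = parse_router_static_pat(ROUTER_NAT), parse_pix_acl(PIX_POLICY)
```

Calling `walk_inbound("tcp", "203.0.113.10", "1.1.0.2", 80, NAT, ACL)` returns `("delivered", "10.10.11.2:80")`, while port 22 is dropped at the router because no static PAT entry exists for it. Note that the router, not the PIX, is what stops unknown ports in this design, and that `statics_without_pix_permit` is empty only while the PIX object-groups stay in step with the router's static entries; delete `port-object eq pop3` from MAIL_SERVICES and the 1.1.0.2:110 static immediately shows up as dead.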
 

2. Single exit to ISP, Router performs no NAT/PAT, PIX/ASA performs NAT/PAT and acts as the IPSec VPN Concentrator

Scenario 2.1
There are two ISP IP blocks you receive

This sample configuration assumes the following:

* You have one ISP providing a single path to your router
* You set the PIX/ASA to do the NAT/PAT, the stateful firewall, and the IPSec VPN Concentrator
* You receive two ISP IP blocks. One is 1.1.0.0/30, where 1.1.0.1 is the default gateway and you use 1.1.0.2 as your router WAN interface IP address. The second block is 1.0.1.0/24, whose addresses serve as the server Public IP addresses, the router LAN interface IP address, and the PIX Outside interface IP address
* You receive the ISP IP blocks statically (traditional static IP assignment, absolutely no PPP nor DHCP)
* You are running servers visible to the public
* The servers are web, mail, and ftp
* Your internal web server IP address is 10.10.11.2
* Your internal ftp server IP address is 10.10.11.3
* Your internal mail server IP address is 10.10.11.4
* You use 1.0.1.3 as the web server's public IP address (static NAT)
* You use 1.0.1.4 as the ftp server's public IP address (static NAT)
* You use 1.0.1.5 as the mail server's public IP address (static NAT)
* You use 1.0.1.254 as your LAN workstations' public IP address (dynamic PAT)
* You permit only the internal hosts in 10.10.8.0/24 to telnet and to use PDM on the PIX and router
* Remote users VPN in using a specific group authentication credential; in this sample configuration the Group Name is Admin and the Group Password is ********, as set by the vpngroup Admin password ******** command
* VPN users who log in as Admin receive an IP address from the admin pool, 192.168.0.1 to 192.168.0.254
* There is no external AAA (Authentication, Authorization, and Accounting) server such as a TACACS+/RADIUS server
* Telnet attempts to the PIX/ASA itself are not authenticated

Router Configuration

version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!!!!!!!!!!!!! This is the ISP's DNS IP addresses
ip name-server 1.1.1.2
ip name-server 1.1.1.3
!!!!!!!!!!!!!
!
!
!
!
!
!!!!!!!!!!!! This is the LAN side facing the PIX outside interface
interface Ethernet0
 ip address 1.0.1.1 255.255.255.0
 no cdp enable
!
!!!!!!!!!!!! This is to the ISP modem
interface Serial0
 ip address 1.1.0.2 255.255.255.252
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.0.1
ip route 10.0.0.0 255.0.0.0 1.0.1.2
no ip http server
!
!
access-list 1 remark Permit Only Inside Subnets
access-list 1 permit 10.10.8.0 0.0.0.255
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 access-class 1 in
 login local
 length 0
!
scheduler max-task-time 5000
end
 

PIX Firewall Configuration

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname pixfirewall
domain-name yournetwork.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group network Public_Web
description Public Web Server IP address
network-object host 1.0.1.3
object-group network Public_FTP
description Public FTP Server IP address
network-object host 1.0.1.4
object-group network Public_Mail
description Public Mail Server IP address
network-object host 1.0.1.5
object-group network PUBLIC_SERVER
description All Public Servers available
group-object Public_Web
group-object Public_FTP
group-object Public_Mail
object-group icmp-type ICMP-INBOUND
description Allowable inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service Public_Web-TCP tcp
description Allowable inbound TCP traffic
port-object eq www
port-object eq https
object-group service Public_FTP-TCP tcp
description Allowable inbound TCP traffic
port-object range ftp-data ftp
object-group service Public_Mail-TCP tcp
description Allowable inbound TCP traffic
port-object eq smtp
port-object eq pop3
access-list INBOUND permit icmp any object-group PUBLIC_SERVER object-group ICMP-INBOUND
access-list INBOUND permit tcp any object-group Public_Web object-group Public_Web-TCP
access-list INBOUND permit tcp any object-group Public_FTP object-group Public_FTP-TCP
access-list INBOUND permit tcp any object-group Public_Mail object-group Public_Mail-TCP
object-group network VPN-Admin
network-object 192.168.0.0 255.255.255.0
object-group network Admin-Network
network-object 10.10.8.0 255.255.252.0
object-group network Outside-Devices
network-object host 1.0.1.1
network-object host 1.1.0.2
access-list 10 remark Split Tunnel for VPN Admin
access-list 10 permit ip any object-group VPN-Admin
access-list nonat remark No NAT within VPN tunnel and to access Outside Devices
access-list nonat permit ip object-group Admin-Network object-group Outside-Devices
access-list nonat permit ip any object-group VPN-Admin
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.0.1.2 255.255.255.0
ip address inside 10.10.8.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool admin 192.168.0.1-192.168.0.254
pdm history enable
arp timeout 14400
global (outside) 1 1.0.1.254
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.0.1.3 10.10.11.2 netmask 255.255.255.255 0 0
static (inside,outside) 1.0.1.4 10.10.11.3 netmask 255.255.255.255 0 0
static (inside,outside) 1.0.1.5 10.10.11.4 netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 1.0.1.1 1
route inside 10.0.0.0 255.0.0.0 10.10.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup Admin address-pool admin
vpngroup Admin dns-server 10.10.9.2
vpngroup Admin wins-server 10.10.9.3
vpngroup Admin default-domain yournetwork.com
vpngroup Admin split-tunnel 10
vpngroup Admin idle-time 1800
vpngroup Admin password ********
telnet 10.10.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
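Every PIX listing on this page keeps the PIX 6.3 defaults of `snmp-server community public` and telnet management, and this one adds an IKE policy with MD5 and DH group 1 and an HMAC-MD5 transform set. The following is an added example, not code from the FAQ or from Cisco: a small lint pass that reads a PIX 6.3 running configuration and reports those settings line by line, plus two whole-config checks (no `logging host`, no `ssh` management hosts). The excerpt is copied from the Sample Configuration 2.1 PIX listing above; the rules and their wording are this example's own, and the 10.10.9.5 syslog host used when exercising the hardened variant is a constructed address.

```python
"""Added example (not from the FAQ or Cisco): a small lint pass over a PIX 6.3
running configuration that flags the management and IKE settings a reviewer would
question in the listings on this page. The excerpt is copied from the Sample
Configuration 2.1 PIX listing; the rules and their wording are this example's own."""
import re

PIX_2_1_EXCERPT = """\
hostname pixfirewall
access-list INBOUND permit icmp any object-group PUBLIC_SERVER object-group ICMP-INBOUND
pager lines 24
aaa-server LOCAL protocol local
no snmp-server location
snmp-server community public
no snmp-server enable traps
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup Admin password ********
telnet 10.10.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
# Per-line rules: (regex applied to the stripped line, finding)
LINE_RULES = [
    (r"^snmp-server community (public|private)$", "well-known SNMP community string"),
    (r"^isakmp policy \d+ hash md5$", "IKE phase 1 integrity uses MD5"),
    (r"^isakmp policy \d+ group [12]$", "IKE phase 1 uses DH group 1 or 2 (768/1024-bit)"),
    (r"^crypto ipsec transform-set \S+ .*\besp-md5-hmac\b", "IPsec transform uses HMAC-MD5"),
    (rf"^telnet {IPV4} \S+ \S+$", "cleartext telnet management permitted"),
    (r"^access-list \S+ permit icmp any any$", "ICMP permitted any-to-any; prefer an icmp-type object-group"),
]
# Whole-config rules: (regex that should match some line, finding if none does)
PRESENCE_RULES = [
    (r"^logging host ", "no remote syslog host configured"),
    (rf"^ssh {IPV4} \S+ \S+$", "no SSH management hosts configured"),
]

def audit_pix(config):
    """Return [(line_number, line, finding)]; line_number 0 marks a missing statement."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    for n, line in enumerate(lines, 1):
        for pattern, finding in LINE_RULES:
            if re.match(pattern, line):
                findings.append((n, line, finding))
    for pattern, finding in PRESENCE_RULES:
        if not any(re.match(pattern, line) for line in lines):
            findings.append((0, "", finding))
    return findings

if __name__ == "__main__":
    for n, line, finding in audit_pix(PIX_2_1_EXCERPT):
        print(f"line {n or '-'}: {finding}" + (f"  [{line}]" if line else ""))
```

Run against the excerpt it reports seven findings: the SNMP community, the HMAC-MD5 transform, the MD5 hash and group 1 in the ISAKMP policy, the telnet line, and the two missing statements. The same pass over the other listings on this page still flags the SNMP community on each of them and the any-to-any ICMP permit in Sample Configuration 1, which is why the rules are kept as plain data that can be extended rather than hard-coded checks.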
 

More Sample Configurations of Setting Up ASA/PIX Firewall as Internet Firewall and IPSec VPN Concentrator
»Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator

Some discussions:
»[Config] ASA5505 setup
»[HELP] Please Help with Cisco 1841 T1 Config

Scenario 2.2
There is only one ISP IP block you receive

* You have one ISP providing a single path to your router
* You receive one ISP IP block, 1.0.1.0/29, via PPPoE negotiation on the router
* By implementing IRB (Integrated Routing and Bridging), the router interfaces and the PIX/ASA Outside interface are in the same broadcast domain. This lets the PIX/ASA do the NAT/PAT and stateful firewalling with just one ISP IP block while the router keeps its routing capability
* The router has the 1.0.1.1 IP address and you assign 1.0.1.2 to the PIX/ASA Outside interface
* The router learns its default gateway to the Internet, 1.0.1.6, via PPPoE negotiation
* The 1.0.1.3 IP address is the NAT/PAT-ed address hosting your Public ftp, mail, and web servers
* You use the 10.0.0.0/24 Private subnet as your internal subnet

Router

no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
bridge irb
!
no ip dhcp-client network-discovery
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
!
!!!!!! This is the Outside network
interface Ethernet0
 no ip address
 bridge-group 1
 hold-queue 32 in
!
!!!!!! This is facing the modem (ISP)
interface Ethernet1
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
!!!!!! The ISP's given IP address will be configured via d1
interface Dialer1
 ip address negotiated
!!!!!!
 ip mtu 1492
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname *********
 ppp chap password 7 *******
 ppp pap sent-username ******** password 7 *******
 ppp ipcp route default
 bridge-group 1
!
interface BVI1
 no ip address
!
ip classless
no ip http server
!
!
dialer-list 1 protocol ip permit
bridge 1 protocol ieee
bridge 1 route ip
! 
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
!
scheduler max-task-time 5000
end
 

PIX Firewall Configuration

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
description Allowable inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service PUBLIC_SERVER-TCP tcp
description Allowable inbound TCP traffic
port-object range ftp-data ftp
port-object eq smtp
port-object eq www
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
access-list INBOUND permit tcp any any object-group PUBLIC_SERVER-TCP
pager lines 24
logging on
logging console warnings
logging monitor warnings
mtu outside 1500
mtu inside 1500
ip address outside 1.0.1.2 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.0.1.3 www 10.0.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.1.3 ftp-data 10.0.0.3 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.1.3 ftp 10.0.0.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.1.3 smtp 10.0.0.4 smtp netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 1.0.1.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.100-10.0.0.254 inside
dhcpd dns 1.1.1.2 1.1.1.3
dhcpd enable inside
terminal width 80
 

3. Multiple exits to ISP (Failover Routing), Router performs no NAT/PAT, PIX/ASA performs NAT/PAT

This sample configuration assumes the following:

* You have one ISP providing multiple paths to your router
* There is an SLA between you and the ISP providing a failover routing mechanism
* You set the PIX to do the NAT/PAT and stateful firewalling, and leave the failover routing (source routing via a policy route-map) to the router
* You receive two ISP IP blocks for LAN machines, 1.0.0.0/24 and 1.0.1.0/24
* You receive two more ISP IP blocks for WAN connectivity, 1.1.0.0/30 and 1.1.0.4/30
* The ISP path #1 subnet is 1.1.0.0/30, where 1.1.0.2 is on your side
* The ISP path #2 subnet is 1.1.0.4/30, where 1.1.0.6 is on your side
* You receive all of these ISP IP blocks statically (traditional static IP assignment, absolutely no PPP nor DHCP)
* Both 1.1.0.1 and 1.1.0.5 are on the ISP router and serve as your default gateways to the Internet
* The ISP router uses path #1 as primary to reach 1.0.0.0/24, with path #2 as the alternate
* Likewise, the ISP router uses path #2 as primary to reach 1.0.1.0/24, with path #1 as the alternate
* The only networks visible to your ISP are the ones it assigned to you, 1.1.0.0/29 and 1.0.0.0/23. Other IP addresses or subnets are internal and visible only within your network
* You are running servers visible to the public
* The servers use the 1.0.0.0/24 block and the workstations use the 1.0.1.0/24 block
* The servers are web, mail, and ftp
* Your internal web server IP address is 10.10.11.2
* Your internal ftp server IP address is 10.10.11.3
* Your internal mail server IP address is 10.10.11.4
* You use 1.0.0.3 as the public IP address of all three servers (static PAT)
* You use the range 1.0.1.1 to 1.0.1.254 as your LAN workstations' public IP addresses (dynamic NAT and PAT)
* You permit only the internal host 10.10.11.5 to telnet and to use PDM on the PIX
* Internal hosts receive IP addresses automatically (as DHCP clients) from the PIX
* Since the PIX outside interface subnet is /30, there are no other IP hosts between the PIX and the router in that subnet

Router Configuration

version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!!!!!!!!!!!!! This is the ISP's DNS IP addresses
ip name-server 1.1.1.2
ip name-server 1.1.1.3
!!!!!!!!!!!!!
!
!
!
!
!
!!!!!!!!!!!! This is the LAN side facing the PIX outside interface
interface Ethernet0
 ip address 10.10.10.1 255.255.255.252
 no cdp enable
 ip policy route-map SourceRouting
!
!!!!!!!!!!!! This is the ISP path #1
interface Ethernet1
 ip address 1.1.0.2 255.255.255.252
 no cdp enable
!
!!!!!!!!!!!! This is the ISP path #2
interface Ethernet2
 ip address 1.1.0.6 255.255.255.252
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.0.1
ip route 0.0.0.0 0.0.0.0 1.1.0.5
ip route 1.0.0.0 255.255.254.0 10.10.10.2
no ip http server
!
access-list 101 remark Primary Route to ISP #1
access-list 101 permit ip host 1.0.0.3 any
access-list 102 remark Primary Route to ISP #2
access-list 102 permit ip 1.0.1.0 0.0.0.255 any
no cdp run
!
route-map SourceRouting permit 10
 match ip address 101
 set ip next-hop 1.1.0.1
 set interface Ethernet2
!
route-map SourceRouting permit 20
 match ip address 102
 set ip next-hop 1.1.0.5
 set interface Ethernet1
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
!
scheduler max-task-time 5000
end
 

PIX Firewall Configuration

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
description Allowable inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service PUBLIC_SERVER-TCP tcp
description Allowable inbound TCP traffic
port-object range ftp-data ftp
port-object eq smtp
port-object eq www
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
access-list INBOUND permit tcp any any object-group PUBLIC_SERVER-TCP
pager lines 24
logging on
logging console warnings
logging monitor warnings
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.2 255.255.255.252
ip address inside 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.11.5 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 1.0.1.1-1.0.1.253 netmask 255.255.255.0
global (outside) 1 1.0.1.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.0.0.3 www 10.10.11.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.0.3 ftp-data 10.10.11.3 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.0.3 ftp 10.10.11.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.0.3 smtp 10.10.11.4 smtp netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.11.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.11.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.11.30-10.10.11.254 inside
dhcpd dns 1.1.1.2 1.1.1.3
dhcpd enable inside
terminal width 80
 

Note:
This is just a sample configuration and is not intended as a working configuration for any particular network design. Your actual failover routing mechanism might differ from what is suggested here, depending on the SLA between you and your ISP.
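To check the failover behaviour of the router above without a lab, the following Python model re-implements access-lists 101/102 and route-map SourceRouting. It is an added example, not configuration or code from the FAQ. It assumes (the page does not say so) that when a route-map entry carries both "set ip next-hop" and "set interface", the next-hop is used while its link is up and the interface only as a fallback, and that packets no route-map entry matches follow the two equal-cost default routes. The interface names, addresses and ACLs are the ones in the router configuration above.

```python
"""Source-based failover routing of the dual-ISP router, modelled in Python.
Added example, not from the FAQ: models access-lists 101/102 and
route-map SourceRouting so the failover behaviour can be checked offline.

Assumptions (not stated on the page): 'set ip next-hop' wins while its link
is up, 'set interface' is only the fallback; unmatched packets use the two
equal-cost default routes.
"""
import ipaddress
from dataclasses import dataclass


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair (e.g. 1.0.1.0 0.0.0.255) to a
    prefix.  Only contiguous wildcards are supported, which is all the page uses."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


@dataclass(frozen=True)
class RouteMapEntry:
    seq: int
    match: ipaddress.IPv4Network      # source addresses from the matched access-list
    next_hop: str                     # 'set ip next-hop'
    fallback_interface: str           # 'set interface'


# access-list 101 permit ip host 1.0.0.3 any        -> route-map seq 10
# access-list 102 permit ip 1.0.1.0 0.0.0.255 any   -> route-map seq 20
ROUTE_MAP = [
    RouteMapEntry(10, wildcard_to_network("1.0.0.3", "0.0.0.0"), "1.1.0.1", "Ethernet2"),
    RouteMapEntry(20, wildcard_to_network("1.0.1.0", "0.0.0.255"), "1.1.0.5", "Ethernet1"),
]
# Interface each ISP next-hop is reached through (Ethernet1 = ISP #1, Ethernet2 = ISP #2).
NEXT_HOP_INTERFACE = {"1.1.0.1": "Ethernet1", "1.1.0.5": "Ethernet2"}
# ip route 0.0.0.0 0.0.0.0 1.1.0.1 / ip route 0.0.0.0 0.0.0.0 1.1.0.5
DEFAULT_NEXT_HOPS = ["1.1.0.1", "1.1.0.5"]


def egress(src: str, link_up: dict) -> tuple:
    """Decide how the router forwards a packet with source 'src' arriving on
    Ethernet0 from the PIX.  link_up maps interface name -> bool.
    Returns (reason, [candidate egress interfaces]); an empty list means dropped."""
    s = ipaddress.IPv4Address(src)
    for entry in ROUTE_MAP:
        if s not in entry.match:
            continue
        primary = NEXT_HOP_INTERFACE[entry.next_hop]
        if link_up.get(primary, False):
            return (f"route-map seq {entry.seq}: next-hop {entry.next_hop}", [primary])
        if link_up.get(entry.fallback_interface, False):
            return (f"route-map seq {entry.seq}: fallback to {entry.fallback_interface}",
                    [entry.fallback_interface])
        return (f"route-map seq {entry.seq}: both ISP links down", [])
    # No policy match: ordinary destination routing over the two default routes.
    usable = [NEXT_HOP_INTERFACE[h] for h in DEFAULT_NEXT_HOPS
              if link_up.get(NEXT_HOP_INTERFACE[h], False)]
    return ("default routes (per-destination load sharing)" if usable else "no default route", usable)


def failover_matrix(sources) -> dict:
    """Egress interface(s) per source under each link state: the table a
    change review wants to see before the route-map is touched."""
    states = {
        "both up": {"Ethernet1": True, "Ethernet2": True},
        "ISP #1 down": {"Ethernet1": False, "Ethernet2": True},
        "ISP #2 down": {"Ethernet1": True, "Ethernet2": False},
    }
    return {(src, name): egress(src, st)[1] for src in sources for name, st in states.items()}


if __name__ == "__main__":
    # 1.0.0.10 is a constructed source that no access-list matches: it shows
    # that only host 1.0.0.3 is pinned to ISP #1, the rest of 1.0.0.0/24 is not.
    for (src, state), ifaces in failover_matrix(["1.0.0.3", "1.0.1.50", "1.0.0.10"]).items():
        print(f"{src:10} {state:12} -> {ifaces or 'dropped'}")
```

Running the matrix shows the point of the design: 1.0.0.3 (the servers' static PAT address) leaves via Ethernet1 and falls back to Ethernet2, the workstation block does the opposite, and any source not named in the access-lists is simply load-shared over both default routes.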

4. Single exit to ISP, dual PIX/ASA performing Active/Active or Active/Standby

PIX/ASA: Active/Active Failover Configuration Example
PIX/ASA: Active/Standby Failover Configuration Example

Supplemental Sample Configurations
»Cisco Forum FAQ »Setting Up Network With ISP WAN and Public IP Block subnets running NAT

Some Discussions

»[Config] Asa 5505 possible NAT issue

Feedback received on this FAQ entry:
  • Thanks for your useful document. I wonder if we could use "IP unnumbered" in scenario 2.2? Or do we have to give the solution just by IRB?

    2010-03-31 00:41:48



by aryoba
last modified: 2014-02-07 15:21:34

Suggested pre-reading:

»Cisco Forum FAQ »Router configuration to run server (with and without port forwarding)
»Cisco Forum FAQ »PIX Firewall/ASA configuration to run server (with and without port forwarding)

Introduction

There is typically a NAT/PAT consideration when accessing the Internet from a private network that uses Private IP addresses. As mentioned in the reading above, you must use an Internet-routable (Public) IP address to go out to the Internet. Therefore there should be a NAT/PAT process that translates the Private IP addresses into a Public IP address.

Since in this case there are two devices (a router and an ASA or PIX firewall), you must choose one of them to do the NAT/PAT. Typically you want the ASA or PIX firewall to do it, especially when the ASA or PIX firewall faces the Internet (ISP) directly.

In addition, there must be proper IP routing in place between the devices and subnets, so that the ISP, the ASA or PIX firewall, the router, and the LAN users know how to reach each other and the other subnets. For a simple network, static routes as shown in the sample configuration should suffice.

As noted, the above links are suggested prerequisite reading, since this sample configuration is the next chapter after them. In addition, you must be familiar with both the older PIX OS commands and the newer PIX/ASA OS commands, or at least familiar enough with the older PIX OS commands to configure a PIX/ASA running the newer OS. If you are new to the CLI of the router, PIX, and ASA, check out the following FAQs.

»Cisco Forum FAQ »The most straight-forward way to configure Cisco router: Introduction to CLI
»Cisco Forum FAQ »Straight-forward way to configure Cisco PIX Firewall/ASA: Introduction to CLI

Consideration

A typical network environment that might use the following sample PIX configuration is as follows:

* There is a modem in front of the PIX, and the modem connects to the ISP
* The ISP provides a Public IP address to the PIX statically
* There is NAT/PAT in place on the PIX to translate internal IP addresses to the ISP-provided Public IP address
* The router behind the PIX is directly connected to the PIX LAN (inside) interface using a crossover patch cable
* No devices (workstations, servers, switches, hubs) sit between the PIX and the router
* All the switches, workstations, and servers sit behind the router
* The router acts as the DHCP server, providing dynamic IP info for hosts behind the router
* The router is not able to provide stateful firewall protection; hence the PIX is set up in front of the router, between the router and the ISP (the modem), to protect your LAN from unauthorized access

This sample configuration assumes the following:

* You receive a static IP address from ISP as 1.1.1.2
* The ISP default gateway is 1.1.1.1
* You are running servers visible to the public
* The servers are web, mail, and ftp
* Your internal webserver IP address is 192.168.100.1
* Your internal ftp server IP address is 192.168.100.2
* Your internal mail server IP address is 192.168.100.3
* You have syslog server with IP address of 192.168.100.5
* You use 1.1.1.2 (the PIX outside interface IP address) as your three servers' public IP address (static PAT)
* You permit only the internal host 192.168.100.4 to telnet and to use PDM on the PIX
* Internal hosts are receiving IP address automatically (as DHCP clients) from the router
* Since the PIX inside interface subnet is /30, there would be no other IP-based hosts between the PIX and the router within the same subnet

PIX Configuration

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 1.1.1.2 PUBLIC_IP_01
name 192.168.100.1 WEB_SERVER_01
name 192.168.100.2 FTP_SERVER_01
name 192.168.100.3 MAIL_SERVER_01
name 192.168.100.4 TERMINAL_SERVER_01
name 192.168.100.5 SYSLOG_SERVER_01
object-group icmp-type ICMP-INBOUND
description Allowable inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service PUBLIC_SERVER-TCP tcp
description Allowable inbound TCP traffic
port-object range ftp-data ftp
port-object eq smtp
port-object eq www
access-list INBOUND permit icmp any host PUBLIC_IP_01 object-group ICMP-INBOUND
access-list INBOUND permit tcp any host PUBLIC_IP_01 object-group PUBLIC_SERVER-TCP
pager lines 24
logging on
logging trap informational
logging host inside SYSLOG_SERVER_01
mtu outside 1500
mtu inside 1500
ip address outside PUBLIC_IP_01 255.255.255.0
ip address inside 10.0.0.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
pdm location TERMINAL_SERVER_01 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www WEB_SERVER_01 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data FTP_SERVER_01 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp FTP_SERVER_01 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp MAIL_SERVER_01 smtp netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 192.168.100.0 255.255.255.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http TERMINAL_SERVER_01 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet TERMINAL_SERVER_01 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
 

Router Configuration

service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password 7 ******
!
no aaa new-model
ip subnet-zero
!
!
ip name-server 68.87.64.196
ip name-server 68.87.66.196
ip dhcp excluded-address 192.168.100.1 192.168.100.5
ip dhcp excluded-address 192.168.100.254
!
ip dhcp pool INSIDE-LAN
network 192.168.100.0 255.255.255.0
default-router 192.168.100.254
dns-server 68.87.64.196 68.87.66.196
!
no ip bootp server
ip cef
!
!
!
!
interface FastEthernet0
ip address 10.0.0.2 255.255.255.252
no ip redirects
no ip proxy-arp
speed auto
duplex auto
no cdp enable
!
interface FastEthernet1
ip address 192.168.100.254 255.255.255.0
no ip redirects
no ip proxy-arp
speed 100
full-duplex
no cdp enable
hold-queue 100 out
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
no ip http server
!
logging history warnings
logging 192.168.100.5
no cdp run
!
line con 0
line aux 0
line vty 0 4
exec-timeout 120 0
password 7 ******
login
!
end
 

Note:

* The PIX Firewall Inside and Router FastEthernet0 interfaces are within the 10.0.0.0/30 network. This means there are no other devices within that network besides the PIX and the router. Sometimes there are other machines within this network, where the PIX Inside and Router FastEthernet0 interfaces connect to a switch using straight-through cables and other machines such as servers connect to the same switch. Since there are more devices, the network is then typically /24 size or larger (e.g. 10.0.0.0/24).

When this is the case, make sure that all of those machines have a default gateway of 10.0.0.2 (the Router FastEthernet0 interface IP address) and not 10.0.0.1 (the PIX Firewall Inside interface IP address). The PIX does not forward traffic back out the interface it arrived on, so packets for the Inside LAN sent to 10.0.0.1 would be dropped, while the router forwards them to the LAN and sends Internet-bound packets on to the PIX. This way all the machines are able to reach both the machines within 192.168.100.0/24 (the Inside LAN) and the Internet.
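The Introduction says the firewall should own the NAT/PAT, and the PIX configuration above implements that with "name", "object-group", "access-list INBOUND" and four "static" lines. What a reviewer wants to know is the net effect: which public port reaches which internal host, whether any permitted port lacks a translation (or the reverse), and from where the management plane is reachable. The Python below is an added example, not part of the FAQ and not a Cisco tool; it parses only the PIX 6.3 syntax this page uses (tcp service object-groups with eq/range, "host" destinations, static PAT on the outside "interface" address). SAMPLE is copied from the configuration above, and the port-name table is the usual PIX mapping for the names that appear there.

```python
"""Exposure review of a PIX 6.3 configuration.  Added example, not from the
FAQ and not a Cisco tool: parses 'name', 'object-group', 'access-list',
'static', 'access-group' and management-access lines and reports what the
outside interface really admits.

Assumption: only the PIX 6.3 syntax used on this page is handled.
"""
import re
from collections import defaultdict

# Port names PIX 6.3 prints instead of numbers (subset used on this page).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80, "https": 443}
MASK_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

# Constructed input: the relevant lines of the PIX configuration above.
SAMPLE = """\
names
name 1.1.1.2 PUBLIC_IP_01
name 192.168.100.1 WEB_SERVER_01
name 192.168.100.2 FTP_SERVER_01
name 192.168.100.3 MAIL_SERVER_01
name 192.168.100.4 TERMINAL_SERVER_01
object-group icmp-type ICMP-INBOUND
description Allowable inbound ICMP traffic
icmp-object echo-reply
object-group service PUBLIC_SERVER-TCP tcp
description Allowable inbound TCP traffic
port-object range ftp-data ftp
port-object eq smtp
port-object eq www
access-list INBOUND permit icmp any host PUBLIC_IP_01 object-group ICMP-INBOUND
access-list INBOUND permit tcp any host PUBLIC_IP_01 object-group PUBLIC_SERVER-TCP
ip address outside PUBLIC_IP_01 255.255.255.0
static (inside,outside) tcp interface www WEB_SERVER_01 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data FTP_SERVER_01 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp FTP_SERVER_01 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp MAIL_SERVER_01 smtp netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
http server enable
http TERMINAL_SERVER_01 255.255.255.255 inside
snmp-server community public
telnet TERMINAL_SERVER_01 255.255.255.255 inside
telnet timeout 5
"""


def port(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]


def review(config: str) -> dict:
    names, groups, statics = {}, defaultdict(set), {}
    acl_entries, applied, mgmt, findings = defaultdict(list), {}, [], []
    outside_ip, group = None, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                        # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[0] == "object-group":              # only tcp service groups are expanded
            group = t[2] if t[1] == "service" and t[-1] == "tcp" else None
        elif t[0] == "port-object" and group:
            if t[1] == "eq":
                groups[group].add(port(t[2]))
            elif t[1] == "range":
                groups[group].update(range(port(t[2]), port(t[3]) + 1))
        elif t[:3] == ["ip", "address", "outside"]:
            outside_ip = names.get(t[3], t[3])
        elif t[0] == "access-list" and t[2:4] == ["permit", "tcp"]:
            dst = names.get(t[6], t[6]) if t[5] == "host" else t[5]
            ports = groups[t[8]] if t[7] == "object-group" else {port(t[8])}
            acl_entries[t[1]].extend((dst, p) for p in sorted(ports))
        elif t[0] == "static" and t[2] == "tcp":  # static (in,out) tcp <pub> <pport> <int> <iport> ...
            pub = outside_ip if t[3] == "interface" else names.get(t[3], t[3])
            statics[(pub, port(t[4]))] = (names.get(t[5], t[5]), port(t[6]))
        elif t[0] == "access-group":              # access-group <acl> in interface <ifname>
            applied[t[4]] = t[1]
        elif t[0] in ("telnet", "ssh", "http") and len(t) == 4 and MASK_RE.match(t[2]):
            mgmt.append((t[0], names.get(t[1], t[1]), t[2], t[3]))
        elif t[:2] == ["snmp-server", "community"] and t[2] in ("public", "private"):
            findings.append(f"SNMP community '{t[2]}' is a well-known default")

    permitted = set(acl_entries.get(applied.get("outside"), []))
    exposed = sorted((pub, p, *statics[(pub, p)]) for pub, p in permitted if (pub, p) in statics)
    for proto, host, mask, ifname in mgmt:
        if ifname == "outside":
            findings.append(f"{proto} management reachable from the outside interface ({host} {mask})")
        elif mask != "255.255.255.255":
            findings.append(f"{proto} management allowed from a whole subnet {host}/{mask} on {ifname}")
    return {
        "exposed": exposed,                       # (public ip, port, internal host, internal port)
        "permitted_without_xlate": sorted(permitted - set(statics)),
        "xlate_not_permitted": sorted(set(statics) - permitted),
        "management": mgmt,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample the only finding is the default SNMP community; the four exposed ports map exactly onto the four static PAT lines, and management is restricted to the one inside host. A static added without a matching INBOUND entry shows up under xlate_not_permitted, which is the usual symptom when "the server is unreachable from outside" after a change.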

Some Discussions

»Port forward Cisco Router

More Sample Configurations

ASA 5505
ASA Version 8.4(7) 
!
hostname ciscoasa
domain-name bvn.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 12
!
interface Ethernet0/5
!             
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif Management
 security-level 100
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group DIALER-GROUP
 ip address pppoe setroute 
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.252 
!
interface Vlan12
 nameif DMZ
 security-level 50
 no ip address
!
boot system disk0:/asa847-k8.bin
ftp mode passive
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name bvn.local
 
object network obj-Inside-Network
 subnet 192.168.0.0 255.255.0.0
 
pager lines 24
logging asdm informational
mtu Management 1500
mtu outside 1492
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
 
object network obj-Inside-Network
 nat (inside,outside) dynamic interface
 
route inside 192.168.0.0 255.255.0.0 192.168.0.2 1
 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group DIALER-GROUP request dialout pppoe
vpdn group DIALER-GROUP localname xxxxx
vpdn group DIALER-GROUP ppp authentication pap
vpdn username xxxxx password ***** store-local
 
dhcpd auto_config outside
!
!
tls-proxy maximum-session 24
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn        
 anyconnect-essentials
username admin password J.TJIa8ig6Y7fCBj encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:7473f9d7099ca0380fac148a144c7030
: end
 

A 2811 router
hostname R2811
!
boot-start-marker
boot system flash:/c2800nm-advipservicesk9-mz.124-15.T17.bin
boot-end-marker
!
logging buffered 4096
no logging console
no logging monitor
!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius local if-authenticated 
aaa authorization network default group radius local if-authenticated 
!
!
aaa session-id common
clock timezone gmt 7
dot11 syslog
!
!
ip cef
ip dhcp database flash:/dhcp_binding write-delay 60 timeout 10
ip dhcp database tftp://192.168.30.200/dhcp_binding write-delay 60 timeout 10
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.200 192.168.10.254
ip dhcp excluded-address 192.168.20.200 192.168.20.254
ip dhcp excluded-address 192.168.30.200 192.168.30.254
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp excluded-address 192.168.10.1 192.168.10.100
ip dhcp excluded-address 192.168.30.1 192.168.30.100
!
ip dhcp pool VLAN30
   network 192.168.30.0 255.255.255.0
   default-router 192.168.30.1 
   dns-server 8.8.8.8 
!
ip dhcp pool default
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1 
   dns-server 8.8.8.8 
!
ip dhcp pool VLAN20
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.1 
   dns-server 8.8.8.8 
!
ip dhcp pool VLAN50
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.1 
   dns-server 8.8.8.8 
!
!
ip domain name bvn.local
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint my-trustpoint
 enrollment selfsigned
 subject-name O=IT,CN=www.bvn.local
 revocation-check crl
 rsakeypair my-rsa-keys
!
!
crypto pki certificate chain my-trustpoint
 certificate self-signed 02
  3082026F 308201D8 A0030201 02020102 300D0609 2A864886 F70D0101 04050030 
  45311630 14060355 0403130D 7777772E 62766E2E 6C6F6361 6C310B30 09060355 
  040A1302 4954311E 301C0609 2A864886 F70D0109 02160F52 32383131 2E62766E 
  2E6C6F63 616C301E 170D3133 31313137 30343535 34345A17 0D323030 31303130 
  30303030 305A3045 31163014 06035504 03130D77 77772E62 766E2E6C 6F63616C 
  310B3009 06035504 0A130249 54311E30 1C06092A 864886F7 0D010902 160F5232 
  3831312E 62766E2E 6C6F6361 6C30819F 300D0609 2A864886 F70D0101 01050003 
  818D0030 81890281 81008C50 B07554E2 256C1E2D F4DBA9B1 45CCE4CD 7A469780 
  A4A50706 50A24300 CD1CA5A7 B9388ACD AE9A1D66 1EA5FEA6 A26E48DC 7D06E733 
  E554146D 64E22EB5 30750CEB 67C0286A 12FBEFE5 BEF2BEBC E6849354 C31AF749 
  729BFA77 F081A88E E2420DC9 0BB0E827 CF6B885C 6DA8BEB8 002BBE30 76E134FB 
  BB5DADA7 455687AE 4B4F0203 010001A3 6F306D30 0F060355 1D130101 FF040530 
  030101FF 301A0603 551D1104 13301182 0F523238 31312E62 766E2E6C 6F63616C 
  301F0603 551D2304 18301680 14ECF478 D7A73A3C 3DB4A58F 072FD138 72A95737 
  9F301D06 03551D0E 04160414 ECF478D7 A73A3C3D B4A58F07 2FD13872 A957379F 
  300D0609 2A864886 F70D0101 04050003 8181002B 810C5936 F1C79ABE F58C6ACE 
  5CA04136 AF768927 CB2DC3F8 CBFA1A68 87054270 3557400C 47B0BB99 42A98A57 
  43202C33 89E06619 F527CDD4 029AA76B A8631AE7 65059A62 BDD1289D C1B83FFD 
  02432B90 E5671FBB ABE3F5E1 39D4B707 D8580226 E6C60148 2D22A5C4 40FA7809 
  151D66D3 497CE907 E62FA8CC A59A2645 D3D7CD
        quit
!
interface Loopback1
 no ip address
!
interface FastEthernet0/0
 description CONNECT to ASA
 ip address 192.168.0.2 255.255.255.252
 ip virtual-reassembly
 duplex full
 speed auto
!
interface FastEthernet0/1
 description LAN
 no ip address
 duplex full
 speed auto
 no cdp enable
!
interface FastEthernet0/1.1
 description DEFAULT
 encapsulation dot1Q 1 native
 ! Address assumed from the 'default' DHCP pool (default-router 192.168.10.1); it is missing from the pasted config
 ip address 192.168.10.1 255.255.255.0
 ip virtual-reassembly
!
interface FastEthernet0/1.2
 description FINANCE_DEPT
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip virtual-reassembly
!
interface FastEthernet0/1.3
 description IT_DEPT
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip virtual-reassembly
!
interface FastEthernet0/1.4
 description HR_DEPT
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 ip virtual-reassembly
!
interface FastEthernet0/1.5
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
 ip virtual-reassembly
!
!
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
 
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
ip http server
ip http authentication local
ip http secure-server
 
=================================
 

Some Discussion
»[HELP] Configuring My Cisco 1st Time

by aryoba
last modified: 2014-05-20 13:58:18

Background

* PIX1/ASA1 establishes site-to-site IPSec VPN tunnels over ISP2 with PIX2/ASA2 and PIX3/ASA3
* Internet traffic goes through Router
* Catalyst 3560 Switch is a Layer-3 capable Switch
* There are a couple of Layer-2 Catalyst 2950 switches as access switches
* Only Router, PIX/ASA, and access switches connect to Catalyst 3560 Switch
* All hosts (servers, PC, printers, etc.) connect to access switches
* There is VLAN 7 as Network Management VLAN to deal with Router and PIX/ASA management (10.1.0.0/24)
* There is a separate VLAN 11 as Production VLAN for hosts (10.1.1.0/24)
* Router management IP address is 10.1.0.7 and PIX/ASA management IP address is 10.1.0.5
* Similarly, Remote Site 2 IP subnets are 10.2.0.0/24 as Network Management VLAN and 10.2.1.0/24 as Production VLAN
* Remote Site 3 IP subnets are 10.3.0.0/24 as Network Management VLAN and 10.3.1.0/24 as Production VLAN

Objective

* Traffic between the local network behind the 3560 switch and the remote sites goes through PIX1/ASA1, PIX2/ASA2, and PIX3/ASA3 (via the IPSec VPN tunnels)
* Internet traffic goes through the Router
* The Catalyst 3560 Switch is to be the Core Switch, controlling Layer-2 and Layer-3 network management of VLAN 7 and VLAN 11
* From the Layer-2 perspective, only VLAN 11 exists at the access switches. VLAN 7 as Network Management VLAN exists at the Core and access switches
* From the Layer-3 perspective, both the VLAN 7 and VLAN 11 interfaces exist at the Core switch to do the routing and Layer-3 switching (as internal router)

Network Diagram

                                                        == IPSec VPN ==
ISP1 ---- Router ---- Catalyst 3560 Switch ---- PIX1/ASA1 ---- ISP2 ----- PIX2/ASA2
                        |          |                             |
                     Trunks     Trunks                           |
                        |          |                             |
                    Catalyst   Catalyst                      PIX3/ASA3
                      2950       2950
                    Switch 1   Switch 2

Network Design

The 3560 Switch
* Set the 3560 switch as the Core Switch, running both Layer-2 and Layer-3 functionality
* There will be trunks between the Layer-2 switches and this 3560
* The 3560 will do the routing (the Layer-3 functionality) and act as the internal router
* As the internal router, the 3560 will be the default gateway of all local machines
* As the internal router, the 3560 also decides whether traffic should go to the router, to the PIX/ASA, or stay local
* For all Internet traffic, the 3560 should point the traffic to the router. You can set this up by creating a static route for 0.0.0.0/0 pointing to .7 (the router's 10.1.0.7)
* For all VPN connections to the remote sites, the 3560 should point the traffic to the PIX/ASA. You can set this up by creating static routes for the remote site subnets pointing to .5 (the PIX/ASA's 10.1.0.5)

The Router
* Set up proper NAT/PAT on the router to make sure all local machines can use the router's Public IP address to go out to the Internet
* There should be a static route pointing to the 3560 to reach all local machines
* There should be a static route pointing to the PIX/ASA to reach the remote sites via VPN

The PIX/ASA
* No NAT is necessary since the PIX/ASA acts only as a VPN concentrator
* There should be a static route pointing to the 3560 to reach all local machines
* There should be a static route pointing to the router for Internet traffic
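The three designs above only work if the static routes on the 3560, the Router and the PIX/ASA agree with each other; a single missing or too-wide route turns into a black hole or a loop between two of the devices. The Python below is an added example, not part of the FAQ: it encodes each device's connected and static routes from the sample configurations that follow and resolves a destination hop by hop with longest-prefix match. It assumes (the page does not spell this out) that the PIX crypto map acts as an IPSec egress for destinations in access-lists PIX1-PIX2/PIX1-PIX3, and that the PIX drops any other inside-to-outside traffic because no nat/global pair covers it, which is how PIX 6.3 behaves.

```python
"""Hop-by-hop forwarding trace for the Router / PIX1 / Catalyst 3560 design.
Added example, not from the FAQ: tables are taken from the sample
configurations; destinations are resolved by longest-prefix match per hop.

Assumptions (not stated on the page): PIX1 encrypts destinations in its
crypto access-lists and drops other outside-bound traffic (no nat/global).
"""
import ipaddress

Net, Addr = ipaddress.IPv4Network, ipaddress.IPv4Address

# Per-device routing table: (prefix, next-hop).  next-hop None = directly
# connected; a value starting with "egress:" leaves the modelled network.
TABLES = {
    "3560": [(Net("10.1.0.0/24"), None), (Net("10.1.1.0/24"), None),
             (Net("10.1.100.0/24"), None),
             (Net("0.0.0.0/0"), "10.1.0.7"),           # Internet via Router
             (Net("10.0.0.0/8"), "10.1.0.5")],         # remote sites via PIX1
    "Router": [(Net("10.1.0.0/24"), None), (Net("182.53.4.0/24"), None),
               (Net("0.0.0.0/0"), "egress:ISP1 via 182.53.4.1 (NAT to 182.53.4.54)"),
               (Net("10.1.0.0/16"), "10.1.0.2"),       # local subnets via 3560
               (Net("10.0.0.0/8"), "10.1.0.5")],       # remote sites via PIX1
    "PIX1": [(Net("10.1.0.0/24"), None), (Net("182.18.124.0/24"), None),
             (Net("10.0.0.0/8"), "egress:ISP2 via 182.18.124.1"),
             (Net("0.0.0.0/0"), "10.1.0.7"),           # Internet via Router
             (Net("10.1.0.0/16"), "10.1.0.2")],        # local subnets via 3560
}
OWNER = {"10.1.0.2": "3560", "10.1.0.7": "Router", "10.1.0.5": "PIX1"}
# Destinations the PIX1 crypto map encrypts (access-lists PIX1-PIX2, PIX1-PIX3).
CRYPTO = {Net("10.2.0.0/16"): "PIX2/ASA2", Net("10.3.0.0/16"): "PIX3/ASA3"}


def lookup(device: str, dst: str):
    """Longest-prefix match in one device's table; None when there is no route."""
    d = Addr(dst)
    hits = [(net, nh) for net, nh in TABLES[device] if d in net]
    return max(hits, key=lambda hit: hit[0].prefixlen) if hits else None


def trace(start: str, dst: str, max_hops: int = 8) -> list:
    """Devices and final egress a packet to dst traverses, starting at 'start'."""
    path, device = [start], start
    for _ in range(max_hops):
        hit = lookup(device, dst)
        if hit is None:
            return path + ["dropped: no route"]
        net, nh = hit
        if nh is None:
            return path + [f"delivered on connected {net}"]
        if nh.startswith("egress:"):
            if device == "PIX1":
                peer = next((p for n, p in CRYPTO.items() if Addr(dst) in n), None)
                return path + ([f"IPSec tunnel over ISP2 to {peer}"] if peer
                               else ["dropped by PIX1: no nat/global for outside-bound traffic"])
            return path + [nh[len("egress:"):]]
        device = OWNER[nh]
        if device in path:
            return path + [f"routing loop back to {device}"]
        path.append(device)
    return path + ["hop limit exceeded"]


def loops(destinations) -> list:
    """Every (start device, destination) whose trace ends in a routing loop."""
    return [(dev, dst) for dev in TABLES for dst in destinations
            if trace(dev, dst)[-1].startswith("routing loop")]


if __name__ == "__main__":
    # 10.9.9.9 is a constructed address inside 10/8 that no site owns.
    for dst in ["8.8.8.8", "10.2.1.10", "10.3.1.10", "10.1.100.5", "10.9.9.9"]:
        print(f"{dst:12} " + " -> ".join(trace("3560", dst)))
    print("loops:", loops(["8.8.8.8", "10.2.1.10", "10.1.100.5", "10.9.9.9"]))
```

The trace makes the division of labour visible: Internet destinations leave via the Router, 10.2.0.0/16 and 10.3.0.0/16 leave via PIX1 into the tunnels, return traffic from either device reaches the user VLANs through the 3560's 10.1.0.0/16 route, and an address inside 10/8 that no site owns is handed to PIX1 and dropped there rather than leaking out to ISP2.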

Sample Configurations

Router Configuration

service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
!
ip subnet-zero
!
!
!
!
!
interface Ethernet0
description Facing the ISP (the WAN)
ip address 182.53.4.54 255.255.255.0
ip nat outside
!
interface Ethernet1
description Facing LAN 1
ip address 10.1.0.7 255.255.255.0
ip nat inside
!
!-- Static Route for Internet traffic; 182.53.4.1 is usually the ISP1 router or equipment
ip route 0.0.0.0 0.0.0.0 182.53.4.1
!-- Static Route to reach local subnets
ip route 10.1.0.0 255.255.0.0 10.1.0.2
!-- Static Route to reach remaining subnets within 10.0.0.0/8 (which includes PIX2 and PIX3 subnets)
ip route 10.0.0.0 255.0.0.0 10.1.0.5
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
no ip http server
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
!
line con 0
exec-timeout 0 0
logging synchronous
login
transport input none
line aux 0
login
line vty 0 4
login
!
end
 

PIX1/ASA1 Configuration

PIX Version 6.3(2)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd **** encrypted
hostname PIX1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
!
!--- Defining object groups to be used in the rest of configuration
object-group network PIX1-Subnet
network-object 10.1.0.0 255.255.0.0
object-group network PIX2-Subnet
network-object 10.2.0.0 255.255.0.0
object-group network PIX3-Subnet
network-object 10.3.0.0 255.255.0.0
!
!--- The IPSec VPN tunnel between PIX 1 and PIX 2:
!--- 10.1.0.0/16 is the local subnet range of this PIX 1 VPN device (the source subnet)
!--- 10.2.0.0/16 is the remote subnet range residing at the PIX 2 remote VPN device (the destination subnet)
access-list PIX1-PIX2 permit ip object-group PIX1-Subnet object-group PIX2-Subnet 
!
!--- The IPSec VPN tunnel between PIX 1 and PIX 3:
!--- 10.1.0.0/16 is the local subnet range of this PIX 1 VPN device (the source subnet)
!--- 10.3.0.0/16 is the remote subnet range residing at the PIX 3 remote VPN device (the destination subnet)
access-list PIX1-PIX3 permit ip object-group PIX1-Subnet object-group PIX3-Subnet 
!
!--- No NAT in place for traffic to other PIX Firewall private networks
!--- This access list associates with the nat 0 (inside) command
access-list nonat permit ip object-group PIX1-Subnet object-group PIX2-Subnet 
access-list nonat permit ip object-group PIX1-Subnet object-group PIX3-Subnet 
!
pager lines 24
logging on
logging facility 20
logging queue 512
mtu outside 1500
mtu inside 1500
ip address outside 182.18.124.153 255.255.255.0
ip address inside 10.1.0.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 access-list nonat
!
!-- Static Route to reach the remaining subnets within 10.0.0.0/8 (which includes the PIX2 and PIX3 subnets)
!-- Note that 182.18.124.1 is the PIX1 default gateway, which is typically the ISP2 router or equipment
route outside 10.0.0.0 255.0.0.0 182.18.124.1 1
!
!-- Static Route to reach the Internet
route inside 0.0.0.0 0.0.0.0 10.1.0.7 1
route inside 10.1.0.0 255.255.0.0 10.1.0.2 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00
timeout h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address PIX1-PIX2
crypto map newmap 20 set peer 182.18.124.154 
crypto map newmap 20 set transform-set myset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address PIX1-PIX3
crypto map newmap 30 set peer 182.18.124.157 
crypto map newmap 30 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 182.18.124.154 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp key ******** address 182.18.124.157 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
!
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:436c96500052d0276324b9ef33221b2d
: end
 

Catalyst 3560 Switch

vlan 1,7,11,100
!
ip routing
!
interface FastEthernet0/1
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/6
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/7
description Layer-2 Switch 3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/8
description Layer-2 Switch 2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/9
description Layer-2 Switch 1 
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/10
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/11
description To Router
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/12
description To PIX1/ASA1
switchport access vlan 7
switchport mode access
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan7
description Management
ip address 10.1.0.2 255.255.255.0
!
interface Vlan11
description Servers (Production)
ip address 10.1.1.2 255.255.255.0
!
interface Vlan100
description Users (Production)
ip address 10.1.100.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.0.7
ip route 10.0.0.0 255.0.0.0 10.1.0.5
 

Discussion:
»Design concept

by aryoba
last modified: 2012-05-18 12:48:19