Cisco 506 Pix

  • 04-07-2001 2:29pm


    Heyas,
    Anybody ever configured this? Or similar Pix ?



Comments

  • wintermute



    Yes, I used to play with PIXes a fair bit. The PIX uses a command line interface similar but not the same as IOS.

    It depends what you want to do with it, I think that the latest PIX FW (6.x) jumps into an automatic configuration mode on first boot.

    You may see a HTTP based configuration tool advertised in the docs, please stay away from it as it has caused me many sleepless nights in the past. Use the terminal interface to configure it.

    Post up what you want to do (NAT etc.) - I may have a sample config somewhere.


  • Static


    Okay, here goes..

    At the moment, there's one NT machine to be
    protected by the pix. Seems like a really expensive solution, but
    I didn't choose it :/ The initial policy is that only ports 21, 80 and 443
    (ftp, http and https) will be externally accessible on the machine, with full outgoing
    access for the machine.

    Details supplied by ISP (this was going in a webfarm)
    Given 2 IP addresses :
    155.140.200.143/4
    Default Gateway is 155.140.200.1
    Subnet Mask is 255.255.255.0


    So, what I did was give the NT machine IP 10.0.0.4 with default gateway 10.0.0.100/255.255.255.0
    Then, I gave the PIX's internal interface IP 10.0.0.100/255.255.255.0,
    and the external interface 155.140.200.143/255.255.255.0
    I then mapped 155.140.200.144 to 10.0.0.4, and granted relevant privileges.

    Installed the hardware in the webfarm, all seemed happy, except that the machine didn't
    seem to be able to make external connections, however, the allowed ports were reachable
    on 155.140.200.144, so I left it for then, to come back to it later, if we needed the
    outgoing unblocked. So, everything was happy, and the machine was accessible.

    However, a couple of days later, the ISP informed me that "the pix was taking the
    ip address of the default gateway, 155.140.200.1, and when other customers on the subnet
    arp-cache refreshed they saw the mac address of your ethernet card on the pix as the default
    gateway, and obviously could not route traffic off the lan". Needless to say,
    I'm kinda stumped. I'm a complete newbie to this, and while I've read numerous pages of
    the manual (which is why I've got this far), could it have anything to do with RIP?
    (of which I know very little)

    Any help you could give me would be really appreciated.

    -Barry,
    (the programmer, who strangely gets assigned these jobs every now and again)


    Configuration I have so far is

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    ip address inside 10.0.0.100 255.255.255.0
    ip address outside 155.140.200.143 255.255.255.0
    interface ethernet0 10baset
    interface ethernet1 10baset

    nat(inside) 1 0 0
    global(outside) 1 155.140.200.1 netmask 255.255.255.0
    global(outside) 1 155.140.200.144

    route outside 0 0 155.140.200.1

    static(inside,outside) 155.140.200.144 10.0.0.4 netmask 255.255.255.255

    access-list acl_ping deny icmp any any
    access-group acl_ping in interface inside
    access-group acl_ping in interface outside

    access-list acl_out permit tcp any host 155.140.200.144 eq www
    access-list acl_out permit tcp any host 155.140.200.144 eq ftp
    access-list acl_out permit tcp any host 155.140.200.144 eq 443
    access-group acl_out in interface outside

    access-list acl_in permit ip any any
    access-group acl_in in interface inside



  • wintermute



    I think your problem is that you've defined the IP address of the default external route as a NAT pool.

    global(outside) 1 155.140.200.1 netmask 255.255.255.0

    Your PIX is thus answering ARP requests that it shouldn't be.

    This may fix outbound access too but you may also need a "nat" command similar to this one

    nat (inside) 1 10.0.0.0

    I can't find my PIX manuals so this info should be treated as "from memory"

    See does that make any difference, then post back the results.
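A small config check for the mistake wintermute points at, added here as an example and not part of the thread or of any Cisco tool: it parses the `global` and `route` lines of a PIX 6.x style config and flags any NAT pool that contains the default gateway of the same interface, which is the address the PIX would then answer ARP for. The sample config is a constructed copy of the NAT-related lines from Barry's post.

```python
import ipaddress
import re

# Constructed sample: the NAT-related lines from the posted PIX config.
SAMPLE_CONFIG = """
ip address outside 155.140.200.143 255.255.255.0
nat (inside) 1 0 0
global (outside) 1 155.140.200.1 netmask 255.255.255.0
global (outside) 1 155.140.200.144
route outside 0 0 155.140.200.1
static (inside,outside) 155.140.200.144 10.0.0.4 netmask 255.255.255.255
"""

# Accepts both "global (outside)" and the "global(outside)" spelling in the post.
GLOBAL_RE = re.compile(
    r"^\s*global\s*\((\w+)\)\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)(?:-(\d+\.\d+\.\d+\.\d+))?")
ROUTE_RE = re.compile(
    r"^\s*route\s+(\w+)\s+0(?:\.0\.0\.0)?\s+0(?:\.0\.0\.0)?\s+(\d+\.\d+\.\d+\.\d+)")


def global_pools(config):
    """Return (interface, pool_id, first_ip, last_ip) for every global line."""
    pools = []
    for line in config.splitlines():
        m = GLOBAL_RE.match(line)
        if m:
            first = ipaddress.ip_address(m.group(3))
            last = ipaddress.ip_address(m.group(4)) if m.group(4) else first
            pools.append((m.group(1), int(m.group(2)), first, last))
    return pools


def default_gateways(config):
    """Map interface name -> next hop of its default route."""
    gws = {}
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            gws[m.group(1)] = ipaddress.ip_address(m.group(2))
    return gws


def gateway_in_pool(config):
    """List (interface, pool_id, gateway) for each global pool that contains
    the default gateway of its own interface; the PIX would proxy-ARP for it."""
    gws = default_gateways(config)
    hits = []
    for iface, pool_id, first, last in global_pools(config):
        gw = gws.get(iface)
        if gw is not None and first <= gw <= last:
            hits.append((iface, pool_id, str(gw)))
    return hits
```

Running `gateway_in_pool(SAMPLE_CONFIG)` reports the `155.140.200.1` pool; with that `global` line removed it reports nothing.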


  • Static


    Excellent, makes sense. Thanks for the pointers.
    I'll let you know how I get on.


    Barry.

