50.3 Router-PIX Combo
Cisco Forum FAQ
Editors: skj, Covenant, aryoba, Phraxos
Last modified on 2008-11-21 15:11:04

Setting Up Network With Router and Firewall
Prerequisite Suggested Reading
»Cisco Forum FAQ »Basic Internet Firewall ACL for Routers without IOS image Firewall feature

Which should face the ISP?

You have a router and a firewall as separate devices and are reviewing two possible ways of setting up the network:

1st Setup: ISP -- Router -- Firewall -- LAN
2nd Setup: ISP -- Firewall -- Router -- LAN

When an external modem connects you to the ISP, the modem probably hands off Ethernet, which makes the 2nd setup possible. Situations that prevent you from using the 2nd setup are:

* There is no external modem and you have to use the modem integrated in the router
* Your ISP requires PPPoA, which your firewall cannot terminate

When your situation falls within one of the above, you have to use the 1st setup.

You Have The 1st Setup And The Firewall Needs To Receive A Public IP Address

There are two ways to set this up:

* Set a static NAT/PAT on the router between an available public IP address and the firewall's outside interface
* Set the router to act as a bridge/modem

Setting up the router as a bridge/modem "downgrades" the router to a media converter. Whenever possible, use static NAT/PAT between the router and the firewall instead.

Case Studies

The 1st Setup: Router in front of Firewall

1. Router with integrated T1 modem terminates the T1 circuit

This is the 1st setup where the router terminates the T1 circuit with the ISP. The router is a Cisco with an integrated T1 modem (CSU/DSU) and the firewall is a PIX Firewall. This case study assumes you have a /29 public IP block from your ISP, so that one address can be used by the router and another by the PIX Firewall.

Router Configuration

no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
!
clock timezone est -5
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
no ip domain lookup
!
no ip bootp server
!
interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.100.1 255.255.255.252
 ip nat inside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 speed 100
 full-duplex
!
interface Serial0/0
 description WAN Interface
 ip address 198.131.65.2 255.255.255.248
 ip nat outside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip load-sharing per-packet
 no ip mroute-cache
 fair-queue
 service-module t1 timeslots 1-24
!
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 198.131.65.1
ip route 192.168.101.0 255.255.255.0 192.168.100.2
!
ip nat inside source list 10 interface Serial0/0 overload
ip nat inside source static 192.168.100.2 198.131.65.3
!
! Inside subnet permitted to use PAT on Serial0/0 (referenced by "source list 10" above)
access-list 10 permit 192.168.101.0 0.0.0.255
!
no cdp run
!
line con 0
line aux 0
line vty 0 4
 login
!
end

PIX Firewall Configuration

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
logging trap informational
mtu outside 1500
mtu inside 1500
ip address outside 192.168.100.2 255.255.255.252
ip address inside 192.168.101.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Description

* There is a static NAT on the router between an available public IP address (198.131.65.3) and the PIX Firewall outside interface (192.168.100.2), so the firewall "receives" a public IP address
* The LAN machines (192.168.101.0/24) pass through the PIX untranslated ("nat (inside) 0") and are PAT-ed to the router's WAN interface address (access-list 10 with "overload") on their way to the Internet
* The PIX keeps the default "snmp-server community public" and enables the HTTP (PDM) server without any "http" host statement, so PDM is not reachable yet. Change or remove the community string, and when you add PDM or telnet access limit it to named management hosts, as the later configurations on this page do

2. Router as PPPoA client to the ISP

This is the 1st setup where the router runs PPPoA, as required by the ISP, to connect to the Internet. The router is a Cisco with an integrated DSL modem and the firewall is a PIX Firewall. This case study assumes you have a /29 public IP block from your ISP, so that one address can be used by the router and another by the PIX Firewall.

Router Configuration

version 12.1
!
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
ip subnet-zero
!
interface Ethernet0
 ip address 198.131.65.2 255.255.255.248
 no ip directed-broadcast
 no ip mroute-cache
!
interface ATM0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 1/150
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 hold-queue 224 in
!
interface Dialer0
 ip unnumbered Ethernet0
 no ip directed-broadcast
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password password
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
dialer-list 1 protocol ip permit
!
end

PIX Firewall Configuration

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 198.131.65.3 PUBLIC_IP_01
name 192.168.100.1 WEB_SERVER_01
name 192.168.100.2 FTP_SERVER_01
name 192.168.100.3 MAIL_SERVER_01
name 192.168.100.4 TERMINAL_SERVER_01
name 192.168.100.5 SYSLOG_SERVER_01
object-group icmp-type ICMP-INBOUND
 description Allowable inbound ICMP traffic
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group service PUBLIC_SERVER-TCP tcp
 description Allowable inbound TCP traffic
 port-object range ftp-data ftp
 port-object eq smtp
 port-object eq www
access-list INBOUND permit icmp any host PUBLIC_IP_01 object-group ICMP-INBOUND
access-list INBOUND permit tcp any host PUBLIC_IP_01 object-group PUBLIC_SERVER-TCP
pager lines 24
logging on
logging trap informational
logging host inside SYSLOG_SERVER_01
mtu outside 1500
mtu inside 1500
ip address outside PUBLIC_IP_01 255.255.255.248
ip address inside 192.168.100.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location TERMINAL_SERVER_01 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www WEB_SERVER_01 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data FTP_SERVER_01 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp FTP_SERVER_01 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp MAIL_SERVER_01 smtp netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 198.131.65.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http TERMINAL_SERVER_01 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet TERMINAL_SERVER_01 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Description

Step 1: Basic Router Configuration

* If you can set up the Dialer interface with a static IP address without using "ip address negotiated", skip this step. If you have to use "ip address negotiated", keep reading
* Configure the Dialer interface with "ip address negotiated" so it takes its public IP address from the ISP, and add "ip route 0.0.0.0 0.0.0.0 Dialer0" pointing to the Dialer interface. Use "ppp ipcp route default" to install the default route learned through IPCP when possible
* Do "show ip route" to find out the Dialer interface's public IP address and the gateway (the ISP equipment's IP address)

Step 2: Configure LAN interfaces

* Configure the PIX Firewall outside interface with the next available public IP address from your block
* Point the PIX default route at the router's Ethernet0 address (198.131.65.2 in the configuration above). The ISP's peer address sits behind the Dialer interface, not on the Ethernet segment the PIX is connected to; pointing the PIX at it works only while the router proxy-ARPs on its behalf, which is fragile
* The PIX inside interface address (192.168.100.254 above) must not collide with any address defined under "names"; the servers live in the same 192.168.100.0/24

by aryoba
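Both case studies above depend on a handful of addresses lining up across the two boxes: the PIX default route must point at an address the router actually owns on the shared segment, the router's static NAT must target the PIX outside address, the access-list named in "ip nat inside source list" must exist, and no PIX "name" may collide with a PIX interface address. The following checker is an added example, not part of the Cisco Forum FAQ and not a Cisco tool; it parses only those commands from a router and a PIX config and reports which of the rules are broken. The two config pairs at the bottom are constructed for the example (the BAD pair reproduces the mistakes this page warns about).

```python
"""Consistency checks for a router-in-front-of-PIX address plan.

Added example (not from the FAQ). Parses only the IOS and PIX 6.x commands
that tie the two devices together and flags:
  * a PIX default next hop that is off the outside subnet or not owned by the router,
  * a router static NAT whose inside address is not the PIX outside address,
  * an `ip nat inside source list N` whose access-list N is never defined,
  * a PIX `name` that collides with a PIX interface address.
"""
import ipaddress
import re


def parse_ios(text):
    """Return (interface addresses, static NATs, NAT ACL ids, defined ACL ids)."""
    ifaces, statics, nat_lists, acls, current = {}, [], [], set(), None
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            ifaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)", line):
            statics.append((ipaddress.ip_address(m.group(1)), m.group(2)))
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            nat_lists.append(m.group(1))
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
    return ifaces, statics, nat_lists, acls


def parse_pix(text):
    """Return (names, interface addresses, name used per interface, default routes)."""
    names, ifaces, alias, routes = {}, {}, {}, {}
    for line in text.splitlines():
        if m := re.match(r"name (\S+) (\S+)", line):
            names[m.group(2)] = ipaddress.ip_address(m.group(1))
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)", line):
            iface, token, mask = m.groups()
            alias[iface] = token if token in names else None
            ifaces[iface] = ipaddress.ip_interface(f"{names.get(token, token)}/{mask}")
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            nh = m.group(2)
            routes[m.group(1)] = names[nh] if nh in names else ipaddress.ip_address(nh)
    return names, ifaces, alias, routes


def check_plan(router_cfg, pix_cfg):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    r_ifaces, statics, nat_lists, acls = parse_ios(router_cfg)
    names, p_ifaces, alias, routes = parse_pix(pix_cfg)
    router_addrs = {i.ip for i in r_ifaces.values()}
    outside = p_ifaces["outside"]

    nh = routes.get("outside")
    if nh is None:
        findings.append("PIX has no default route out of the outside interface")
    elif nh not in outside.network:
        findings.append(f"PIX default next hop {nh} is not on the outside subnet {outside.network}")
    elif nh not in router_addrs:
        findings.append(f"PIX default next hop {nh} is not an address the router owns; "
                        f"use the router interface on {outside.network}")
    for inside_addr, public in statics:
        if inside_addr != outside.ip:
            findings.append(f"router static NAT {public} -> {inside_addr} does not target "
                            f"the PIX outside address {outside.ip}")
    for acl in nat_lists:
        if acl not in acls:
            findings.append(f"router NAT references access-list {acl}, which is never defined")
    for iface, ifaddr in p_ifaces.items():
        for label, addr in names.items():
            if addr == ifaddr.ip and label != alias.get(iface):
                findings.append(f"PIX {iface} address {ifaddr.ip} collides with name {label}")
    return findings


# Constructed samples. BAD mirrors the PPPoA case as first posted; GOOD mirrors the T1 case.
BAD_ROUTER = """\
interface Ethernet0
 ip address 198.131.65.2 255.255.255.248
interface Dialer0
 ip unnumbered Ethernet0
ip nat inside source list 10 interface Dialer0 overload
"""
BAD_PIX = """\
name 198.131.65.3 PUBLIC_IP_01
name 192.168.100.1 WEB_SERVER_01
ip address outside PUBLIC_IP_01 255.255.255.248
ip address inside 192.168.100.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.131.65.1 1
"""
GOOD_ROUTER = """\
interface FastEthernet0/0
 ip address 192.168.100.1 255.255.255.252
interface Serial0/0
 ip address 198.131.65.2 255.255.255.248
ip nat inside source list 10 interface Serial0/0 overload
ip nat inside source static 192.168.100.2 198.131.65.3
access-list 10 permit 192.168.101.0 0.0.0.255
"""
GOOD_PIX = """\
ip address outside 192.168.100.2 255.255.255.252
ip address inside 192.168.101.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
"""

if __name__ == "__main__":
    for label, pair in (("BAD", (BAD_ROUTER, BAD_PIX)), ("GOOD", (GOOD_ROUTER, GOOD_PIX))):
        print(label, check_plan(*pair) or "consistent")
```

The checker only understands the command subset shown on this page (IOS "ip address" under an interface, "ip nat inside source", numbered/named "access-list"; PIX "name", "ip address <if>", "route <if>"). The next-hop check deliberately rejects an address that is on the outside subnet but not owned by the router, which is exactly the "point the PIX at the ISP's peer address" mistake from the PPPoA case.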
Internet - Router - PIX - LAN (#14242)
Suggested prerequisite reading:
»Cisco Forum FAQ »Redundant Internet Link Graceful Load Balance/Failover
»Cisco Forum FAQ »Things to expect when setup network for home or small business

1. One exit to ISP, Router performs NAT/PAT, PIX/ASA performs no NAT/PAT

This sample configuration assumes the following:

* You have one ISP providing a single path to your router
* You set the router to do the NAT/PAT and basic filtering, and leave the PIX to do the stateful firewalling
* You receive one IP block from the ISP, 1.1.0.0/30, where 1.1.0.1 is the default gateway and 1.1.0.2 is the only usable public IP address for all servers and other machines in your LAN
* You are running servers visible to the public
* The servers are web, mail, and ftp
* Your internal web server IP address is 10.10.11.2
* Your internal ftp server IP address is 10.10.11.3
* Your internal mail server IP address is 10.10.11.4
* You use 1.1.0.2 as the public IP address of all three servers (static PAT)
* Your LAN workstations also share 1.1.0.2 when going out to the Internet (dynamic PAT, "overload" on the router)
* You permit only the internal host 10.10.11.5 to telnet and to PDM to the PIX
* Internal hosts receive IP addresses automatically (as DHCP clients) from the PIX
* Since the PIX outside interface subnet is /30, there are no other IP-based hosts between the PIX and the router within that subnet

Router Configuration

!
version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!!!!!!!!!!!!! This is the ISP's DNS IP addresses
ip name-server 1.1.1.2
ip name-server 1.1.1.3
!!!!!!!!!!!!!
!
!!!!!!!!!!!! This is the LAN side facing the PIX outside interface
interface Ethernet0
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
 no cdp enable
!
!!!!!!!!!!!! This is to the ISP modem
interface Ethernet1
 ip address 1.1.0.2 255.255.255.252
 ip nat outside
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.0.1
ip route 10.10.11.0 255.255.255.0 10.10.10.2
no ip http server
!
ip nat inside source static tcp 10.10.11.2 80 1.1.0.2 80
ip nat inside source static tcp 10.10.11.2 443 1.1.0.2 443
ip nat inside source static tcp 10.10.11.3 20 1.1.0.2 20
ip nat inside source static tcp 10.10.11.3 21 1.1.0.2 21
ip nat inside source static tcp 10.10.11.4 25 1.1.0.2 25
ip nat inside source static tcp 10.10.11.4 110 1.1.0.2 110
ip nat inside source list 1 interface Ethernet1 overload
!
access-list 1 remark Permit Only Inside Subnets
access-list 1 permit 10.10.8.0 0.0.3.255
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 access-class 1 in
 login local
 length 0
!
scheduler max-task-time 5000
end

PIX Firewall Configuration

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network WEB
 network-object host 10.10.11.2
object-group network FTP
 network-object host 10.10.11.3
object-group network MAIL
 network-object host 10.10.11.4
object-group service MAIL_SERVICES tcp
 port-object eq smtp
 port-object eq pop3
object-group service WEB_SERVICES tcp
 port-object eq www
 port-object eq https
access-list INBOUND permit icmp any any
access-list INBOUND permit tcp any object-group WEB object-group WEB_SERVICES
access-list INBOUND permit tcp any object-group MAIL object-group MAIL_SERVICES
access-list INBOUND permit tcp any object-group FTP range ftp-data ftp
access-list nonat permit ip any any
pager lines 24
logging on
logging console warnings
logging monitor warnings
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.2 255.255.255.252
ip address inside 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.11.5 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.11.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.11.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.11.30-10.10.11.254 inside
dhcpd dns 1.1.1.2 1.1.1.3
dhcpd enable inside
terminal width 80
: end

Note: "access-list INBOUND permit icmp any any" admits every ICMP type from the Internet to every inside address. The other sample configurations on this page restrict ICMP to echo-reply, unreachable and time-exceeded toward the public servers only, which is the safer form.

2. Single exit to ISP, Router performs no NAT/PAT, PIX/ASA performs NAT/PAT and acts as the IPSec VPN Concentrator

This sample configuration assumes the following:

* You have one ISP providing a single path to your router
* You set the PIX/ASA to do the NAT/PAT, the stateful firewall, and the IPSec VPN concentrator
* You receive two IP blocks from the ISP. One is 1.1.0.0/30, where 1.1.0.1 is the default gateway and 1.1.0.2 is your router's WAN interface IP address. The second is 1.0.1.0/24, from which the server public IP addresses, the router LAN interface IP address, and the PIX outside interface IP address are taken
* You are running servers visible to the public
* The servers are web, mail, and ftp
* Your internal web server IP address is 10.10.11.2
* Your internal ftp server IP address is 10.10.11.3
* Your internal mail server IP address is 10.10.11.4
* You use 1.0.1.3 as the web server's public IP address (static NAT)
* You use 1.0.1.4 as the ftp server's public IP address (static NAT)
* You use 1.0.1.5 as the mail server's public IP address (static NAT)
* You use 1.0.1.254 as your LAN workstations' public IP address (dynamic PAT)
* You permit only internal hosts in 10.10.8.0/24 to telnet to the PIX and to the router (the PIX configuration below does not enable PDM; add "http server enable" and "http 10.10.8.0 255.255.255.0 inside" if you want it)
* Remote users VPN in using group authentication, which in this sample is the group name Admin and the group password ******** as set by the "vpngroup Admin password ********" command
* VPN users logging in as Admin receive an IP address from the admin pool 192.168.0.1 to 192.168.0.254
* There is no external AAA (Authentication, Authorization, and Accounting) server such as a TACACS+/RADIUS server
* Telnet access to the PIX/ASA itself is not authenticated against AAA (only the telnet password applies)

Router Configuration

!
version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!!!!!!!!!!!!! This is the ISP's DNS IP addresses
ip name-server 1.1.1.2
ip name-server 1.1.1.3
!!!!!!!!!!!!!
!
!!!!!!!!!!!! This is the LAN side facing the PIX outside interface
interface Ethernet0
 ip address 1.0.1.1 255.255.255.0
 no cdp enable
!
!!!!!!!!!!!! This is to the ISP modem
interface Serial0
 ip address 1.1.0.2 255.255.255.252
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.0.1
ip route 10.0.0.0 255.0.0.0 1.0.1.2
no ip http server
!
access-list 1 remark Permit Only Inside Subnets
access-list 1 permit 10.10.8.0 0.0.0.255
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 access-class 1 in
 login local
 length 0
!
scheduler max-task-time 5000
end

PIX Firewall Configuration

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname pixfirewall
domain-name yournetwork.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group network Public_Web
 description Public Web Server IP address
 network-object host 1.0.1.3
object-group network Public_FTP
 description Public FTP Server IP address
 network-object host 1.0.1.4
object-group network Public_Mail
 description Public Mail Server IP address
 network-object host 1.0.1.5
object-group network PUBLIC_SERVER
 description All Public Servers available
 group-object Public_Web
 group-object Public_FTP
 group-object Public_Mail
object-group icmp-type ICMP-INBOUND
 description Allowable inbound ICMP traffic
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group service Public_Web-TCP tcp
 description Allowable inbound TCP traffic
 port-object eq www
 port-object eq https
object-group service Public_FTP-TCP tcp
 description Allowable inbound TCP traffic
 port-object range ftp-data ftp
object-group service Public_Mail-TCP tcp
 description Allowable inbound TCP traffic
 port-object eq smtp
 port-object eq pop3
access-list INBOUND permit icmp any object-group PUBLIC_SERVER object-group ICMP-INBOUND
access-list INBOUND permit tcp any object-group Public_Web object-group Public_Web-TCP
access-list INBOUND permit tcp any object-group Public_FTP object-group Public_FTP-TCP
access-list INBOUND permit tcp any object-group Public_Mail object-group Public_Mail-TCP
object-group network VPN-Admin
 network-object 192.168.0.0 255.255.255.0
object-group network Admin-Network
 network-object 10.10.8.0 255.255.252.0
object-group network Outside-Devices
 network-object host 1.0.1.1
 network-object host 1.1.0.2
access-list 10 remark Split Tunnel for VPN Admin
access-list 10 permit ip any object-group VPN-Admin
access-list nonat remark No NAT within VPN tunnel and to access Outside Devices
access-list nonat permit ip object-group Admin-Network object-group Outside-Devices
access-list nonat permit ip any object-group VPN-Admin
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.0.1.2 255.255.255.0
ip address inside 10.10.8.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool admin 192.168.0.1-192.168.0.254
pdm history enable
arp timeout 14400
global (outside) 1 1.0.1.254
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.0.1.3 10.10.11.2 netmask 255.255.255.255 0 0
static (inside,outside) 1.0.1.4 10.10.11.3 netmask 255.255.255.255 0 0
static (inside,outside) 1.0.1.5 10.10.11.4 netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 1.0.1.1 1
route inside 10.0.0.0 255.0.0.0 10.10.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup Admin address-pool admin
vpngroup Admin dns-server 10.10.9.2
vpngroup Admin wins-server 10.10.9.3
vpngroup Admin default-domain yournetwork.com
vpngroup Admin split-tunnel 10
vpngroup Admin idle-time 1800
vpngroup Admin password ********
telnet 10.10.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Note: The ISAKMP policy above uses "hash md5" and Diffie-Hellman "group 1" (768-bit), and the transform set uses esp-md5-hmac. These were common choices for PIX 6.3 but are weak by current standards; prefer sha and group 2 or higher (and esp-sha-hmac) wherever the VPN client supports them.

More Sample Configurations of Setting Up ASA/PIX Firewall as Internet Firewall and IPSec VPN Concentrator
»Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator

3. Multiple exits to ISP (Failover Routing), Router performs no NAT/PAT, PIX/ASA performs NAT/PAT

This sample configuration assumes the following:

* You have one ISP providing multiple paths to your router
* There is an SLA between you and the ISP that covers the failover routing mechanism
* You set the PIX to do the NAT/PAT and to provide the stateful firewall, and leave the router to do the failover routing (policy-based routing on source address)
* You receive two ISP IP blocks, 1.0.0.0/24 and 1.0.1.0/24
* The ISP path #1 subnet is 1.1.0.0/30, where 1.1.0.2 is on your side
* The ISP path #2 subnet is 1.1.0.4/30, where 1.1.0.6 is on your side
* Both 1.1.0.1 and 1.1.0.5 are on the ISP router and serve as your default gateways to the Internet
* The ISP router uses path #1 as primary to reach 1.0.0.0/24 and path #2 as alternate
* Likewise, the ISP router uses path #2 as primary to reach 1.0.1.0/24 and path #1 as alternate
* The only networks visible to your ISP are the ones it assigned to you: 1.1.0.0/29 and 1.0.0.0/23. Any other IP addresses or subnets are internal and visible only within your network
* You are running servers visible to the public
* The servers use the 1.0.0.0/24 block and the workstations use the 1.0.1.0/24 block
* The servers are web, mail, and ftp
* Your internal web server IP address is 10.10.11.2
* Your internal ftp server IP address is 10.10.11.3
* Your internal mail server IP address is 10.10.11.4
* You use 1.0.0.3 as the public IP address of all three servers (static PAT)
* You use the range 1.0.1.1 to 1.0.1.254 as your LAN workstations' public IP addresses (dynamic NAT and PAT)
* You permit only the internal host 10.10.11.5 to telnet and to PDM to the PIX
* Internal hosts receive IP addresses automatically (as DHCP clients) from the PIX
* Since the PIX outside interface subnet is /30, there are no other IP-based hosts between the PIX and the router within that subnet

Router Configuration

!
version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!!!!!!!!!!!!! This is the ISP's DNS IP addresses
ip name-server 1.1.1.2
ip name-server 1.1.1.3
!!!!!!!!!!!!!
!
!!!!!!!!!!!! This is the LAN side facing the PIX outside interface
interface Ethernet0
 ip address 10.10.10.1 255.255.255.252
 no cdp enable
 ip policy route-map SourceRouting
!
!!!!!!!!!!!! This is the ISP path #1
interface Ethernet1
 ip address 1.1.0.2 255.255.255.252
 no cdp enable
!
!!!!!!!!!!!! This is the ISP path #2
interface Ethernet2
 ip address 1.1.0.6 255.255.255.252
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.0.1
ip route 0.0.0.0 0.0.0.0 1.1.0.5
ip route 1.0.0.0 255.255.254.0 10.10.10.2
no ip http server
!
access-list 101 remark Primary Route to ISP #1
access-list 101 permit ip host 1.0.0.3 any
access-list 102 remark Primary Route to ISP #2
access-list 102 permit ip 1.0.1.0 0.0.0.255 any
no cdp run
!
route-map SourceRouting permit 10
 match ip address 101
 set ip next-hop 1.1.0.1
 set interface Ethernet2
!
route-map SourceRouting permit 20
 match ip address 102
 set ip next-hop 1.1.0.5
 set interface Ethernet1
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
!
scheduler max-task-time 5000
end

PIX Firewall Configuration

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
 description Allowable inbound ICMP traffic
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group service PUBLIC_SERVER-TCP tcp
 description Allowable inbound TCP traffic
 port-object range ftp-data ftp
 port-object eq smtp
 port-object eq www
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
access-list INBOUND permit tcp any any object-group PUBLIC_SERVER-TCP
pager lines 24
logging on
logging console warnings
logging monitor warnings
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.2 255.255.255.252
ip address inside 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.11.5 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 1.0.1.1-1.0.1.253 netmask 255.255.255.0
global (outside) 1 1.0.1.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.0.0.3 www 10.10.11.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.0.3 ftp-data 10.10.11.3 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.0.3 ftp 10.10.11.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.0.3 smtp 10.10.11.4 smtp netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.11.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.11.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.11.30-10.10.11.254 inside
dhcpd dns 1.1.1.2 1.1.1.3
dhcpd enable inside
terminal width 80
: end

Note: This is just a sample configuration and is not intended as a working configuration for any particular network design. Your actual failover routing mechanism may differ from what is suggested here, depending on the SLA between you and your ISP. Note also that the INBOUND access-list permits the listed TCP ports and ICMP types to any destination address; narrow the destination to host 1.0.0.3 (TCP) and to the public blocks (ICMP), as the previous sample configuration does.

by aryoba
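The three configurations above differ mostly in how tightly the INBOUND access-list is written: the first and third permit ICMP (and, in the third, the TCP service ports) to "any" destination, while the second names each public server and its ports through object-groups. Reading the real exposure off a PIX 6.x list by hand is error-prone once object-groups nest, so the following expander is added here as an example; it is not part of the Cisco Forum FAQ and not a Cisco tool. It understands the syntax subset used on this page, flattens the object-groups, and returns every (destination, protocol, port) tuple the list permits plus the rules whose destination is "any". The two access-lists at the bottom are constructed from the page's second and third samples.

```python
"""Expand a PIX 6.x access-list into the exposure it actually grants.

Added example (not from the FAQ). Handles object-group network/service/icmp-type
with group-object nesting, and rules of the form
  access-list NAME permit PROTO SRC DST [eq P | range A B | object-group G]
where SRC/DST is `any`, `host X`, `object-group G` or `addr mask`.
"""
import re

# Port names used on this page; numeric ports pass through unchanged.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80, "pop3": 110, "https": 443}


def port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_groups(lines):
    """Flatten object-groups into lists of hosts/networks, ports or ICMP types."""
    groups, cur = {}, None
    for line in lines:
        if m := re.match(r"object-group (network|service|icmp-type) (\S+)", line):
            cur = groups.setdefault(m.group(2), [])
        elif cur is not None and line.startswith(" "):
            t = line.split()
            if t[0] == "network-object":
                cur.append(t[2] if t[1] == "host" else f"{t[1]}/{t[2]}")
            elif t[0] == "group-object":          # nested group, already flattened
                cur.extend(groups[t[1]])
            elif t[0] == "port-object":
                cur.extend(range(port(t[2]), port(t[3]) + 1) if t[1] == "range" else [port(t[2])])
            elif t[0] == "icmp-object":
                cur.append(t[1])
        else:
            cur = None                              # left the object-group block
    return groups


def take_addr(tokens, groups):
    """Consume one address term; return (list of addresses, remaining tokens)."""
    if tokens[0] == "any":
        return ["any"], tokens[1:]
    if tokens[0] == "host":
        return [tokens[1]], tokens[2:]
    if tokens[0] == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    return [f"{tokens[0]}/{tokens[1]}"], tokens[2:]


def take_ports(tokens, groups):
    """Consume the optional port / ICMP-type term; 'any' when absent."""
    if not tokens:
        return ["any"]
    if tokens[0] == "eq":
        return [port(tokens[1])]
    if tokens[0] == "range":
        return list(range(port(tokens[1]), port(tokens[2]) + 1))
    if tokens[0] == "object-group":
        return list(groups[tokens[1]])
    return ["any"]


def exposure(config, acl="INBOUND"):
    """Return (sorted (dst, proto, port) tuples, rules whose destination is any)."""
    lines = config.splitlines()
    groups = parse_groups(lines)
    exposed, broad = set(), []
    for line in lines:
        t = line.split()
        if t[:3] != ["access-list", acl, "permit"]:
            continue
        proto = t[3]
        _src, rest = take_addr(t[4:], groups)
        dst, rest = take_addr(rest, groups)
        ports = take_ports(rest, groups)
        exposed.update((d, proto, p) for d in dst for p in ports)
        if "any" in dst:
            broad.append(line.strip())
    return sorted(exposed, key=str), broad


# Constructed samples: TIGHT follows sample 2 above, BROAD follows sample 3.
TIGHT = """\
object-group network Public_Web
 network-object host 1.0.1.3
object-group network Public_Mail
 network-object host 1.0.1.5
object-group network PUBLIC_SERVER
 group-object Public_Web
 group-object Public_Mail
object-group icmp-type ICMP-INBOUND
 icmp-object echo-reply
object-group service Public_Web-TCP tcp
 port-object eq www
 port-object eq https
object-group service Public_Mail-TCP tcp
 port-object eq smtp
 port-object eq pop3
access-list INBOUND permit icmp any object-group PUBLIC_SERVER object-group ICMP-INBOUND
access-list INBOUND permit tcp any object-group Public_Web object-group Public_Web-TCP
access-list INBOUND permit tcp any object-group Public_Mail object-group Public_Mail-TCP
"""
BROAD = """\
object-group icmp-type ICMP-INBOUND
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group service PUBLIC_SERVER-TCP tcp
 description Allowable inbound TCP traffic
 port-object range ftp-data ftp
 port-object eq smtp
 port-object eq www
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
access-list INBOUND permit tcp any any object-group PUBLIC_SERVER-TCP
access-group INBOUND in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("TIGHT", TIGHT), ("BROAD", BROAD)):
        exposed, broad = exposure(cfg)
        print(label, exposed, "destination-any rules:", broad)
```

"any" as a destination on an Internet-facing interface means every address the PIX can route to, not only the public servers; on PIX 6.x a static or global still has to exist for a packet to be translated, but the access-list is the control you actually audit, so it should name the servers as the second sample does.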
Internet - PIX - Router - LAN (#14241)
Suggested prerequisite reading:
»Cisco Forum FAQ »Things to expect when setup network for home or small business

A typical network environment that would use the following sample PIX configuration is as follows:

* There is a modem in front of the PIX, and the modem connects to the ISP
* The ISP provides a static public IP address to the PIX
* NAT/PAT is in place on the PIX to translate internal IP addresses to the ISP-provided public IP address
* The router behind the PIX is physically connected to the PIX LAN (inside) interface with a crossover patch cable
* No devices (workstations, servers, switches, hubs) sit between the PIX and the router
* All switches, workstations, and servers sit behind the router
* The router acts as DHCP server, providing dynamic IP information to the hosts behind it
* The router cannot provide stateful firewall protection; hence the PIX is placed in front of the router, before the ISP (the modem), to protect your LAN from unauthorized access

This sample configuration assumes the following:

* You receive the static IP address 1.1.1.2 from the ISP
* The ISP default gateway is 1.1.1.1
* You are running servers visible to the public
* The servers are web, mail, and ftp
* Your internal web server IP address is 192.168.100.1
* Your internal ftp server IP address is 192.168.100.2
* Your internal mail server IP address is 192.168.100.3
* You have a syslog server with IP address 192.168.100.5
* You use 1.1.1.2 (the PIX outside interface IP address) as the public IP address of all three servers (static PAT)
* You permit only the internal host 192.168.100.4 to telnet and to PDM to the PIX
* Internal hosts receive IP addresses automatically (as DHCP clients) from the router
* Since the PIX inside interface subnet is /30, there are no other IP-based hosts between the PIX and the router within that subnet

PIX Configuration

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 1.1.1.2 PUBLIC_IP_01
name 192.168.100.1 WEB_SERVER_01
name 192.168.100.2 FTP_SERVER_01
name 192.168.100.3 MAIL_SERVER_01
name 192.168.100.4 TERMINAL_SERVER_01
name 192.168.100.5 SYSLOG_SERVER_01
object-group icmp-type ICMP-INBOUND
 description Allowable inbound ICMP traffic
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group service PUBLIC_SERVER-TCP tcp
 description Allowable inbound TCP traffic
 port-object range ftp-data ftp
 port-object eq smtp
 port-object eq www
access-list INBOUND permit icmp any host PUBLIC_IP_01 object-group ICMP-INBOUND
access-list INBOUND permit tcp any host PUBLIC_IP_01 object-group PUBLIC_SERVER-TCP
pager lines 24
logging on
logging trap informational
logging host inside SYSLOG_SERVER_01
mtu outside 1500
mtu inside 1500
ip address outside PUBLIC_IP_01 255.255.255.0
ip address inside 10.0.0.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
pdm location TERMINAL_SERVER_01 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www WEB_SERVER_01 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data FTP_SERVER_01 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp FTP_SERVER_01 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp MAIL_SERVER_01 smtp netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 192.168.100.0 255.255.255.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http TERMINAL_SERVER_01 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet TERMINAL_SERVER_01 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Router Configuration

service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password 7 ******
!
no aaa new-model
ip subnet-zero
!
ip name-server 68.87.64.196
ip name-server 68.87.66.196
ip dhcp excluded-address 192.168.100.1 192.168.100.5
ip dhcp excluded-address 192.168.100.254
!
ip dhcp pool INSIDE-LAN
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.254
 dns-server 68.87.64.196 68.87.66.196
!
no ip bootp server
ip cef
!
interface FastEthernet0
 ip address 10.0.0.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
 speed auto
 duplex auto
 no cdp enable
!
interface FastEthernet1
 ip address 192.168.100.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 speed 100
 full-duplex
 no cdp enable
 hold-queue 100 out
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
no ip http server
!
logging history warnings
logging 192.168.100.5
no cdp run
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 120 0
 password 7 ******
 login
!
end

Note:

* The PIX Firewall inside and the router FastEthernet0 interfaces are within the 10.0.0.0/30 network, so no devices other than the PIX and the router can exist on that network.
* Sometimes there are other machines on this network: the PIX inside and router FastEthernet0 interfaces connect to a switch with straight-through cables, and other machines such as servers connect to the same switch. Since there are more devices, the network is then typically /24 or larger (i.e. 10.0.0.0/24). When this is the case, make sure all of those machines use 10.0.0.2 (the router FastEthernet0 interface IP address) as their default gateway and not 10.0.0.1 (the PIX Firewall inside interface IP address). The router forwards traffic for 192.168.100.0/24 out FastEthernet1 and everything else on to the PIX, whereas PIX 6.x will not forward a packet back out the interface it arrived on; a host that defaults to the PIX can therefore reach the Internet but not the inside LAN, while a host that defaults to the router can reach both.
* "enable password 7" and "password 7" store credentials with the reversible type 7 encoding; on the router use "enable secret" for the enable password.

by aryoba
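The gateway rule in the note above is easy to get wrong because both 10.0.0.1 and 10.0.0.2 "work" for Internet traffic and only the inside LAN breaks. The following forwarding model is an added example, not from the Cisco Forum FAQ; it encodes the two routing tables from this case study with the PIX-router segment widened to 10.0.0.0/24 and the one PIX 6.x behaviour that matters (a packet is dropped when its egress interface is the interface it arrived on), then traces a packet from a host on that segment with either gateway. Host 10.0.0.50 and the Internet destination 198.51.100.10 are constructed for the example.

```python
"""Why hosts on the PIX-router segment must default to the router, not the PIX.

Added example (not from the FAQ). A minimal longest-prefix-match forwarding
model of the Internet - PIX - Router - LAN case study. `hairpin=False` on the
PIX models PIX 6.x refusing to send a packet back out its ingress interface;
the router forwards such packets (and would send an ICMP redirect, not modelled).
"""
import ipaddress as ipa


class Device:
    def __init__(self, name, interfaces, routes, hairpin):
        self.name = name
        self.ifaces = {n: ipa.ip_interface(a) for n, a in interfaces.items()}
        # static routes as (prefix, next hop, egress interface)
        self.routes = [(ipa.ip_network(p), ipa.ip_address(nh), i) for p, nh, i in routes]
        self.hairpin = hairpin  # may a packet leave through the interface it came in on?

    def lookup(self, dst):
        """Return (egress interface, next hop or None when directly connected)."""
        for name, iface in self.ifaces.items():
            if dst in iface.network:
                return name, None
        best = None
        for net, nh, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, iface)
        return (best[2], best[1]) if best else (None, None)


def owner(devices, addr):
    """Return (device, interface name) owning an address, or (None, None)."""
    for dev in devices:
        for name, iface in dev.ifaces.items():
            if iface.ip == addr:
                return dev, name
    return None, None


def trace(devices, src, gateway, dst, max_hops=8):
    """Follow a packet from a host that uses `gateway`; return (verdict, path)."""
    dst = ipa.ip_address(dst)
    path = [f"{src} -> gateway {gateway}"]
    dev, ingress = owner(devices, ipa.ip_address(gateway))
    for _ in range(max_hops):
        if dev is None:  # next hop is not one of our devices: handed to the ISP
            path.append("forwarded to the Internet")
            return "internet", path
        egress, nh = dev.lookup(dst)
        if egress is None:
            path.append(f"{dev.name}: no route to {dst}")
            return "dropped", path
        if egress == ingress and not dev.hairpin:
            path.append(f"{dev.name}: dropped, egress {egress} is the ingress interface")
            return "dropped", path
        if nh is None:
            path.append(f"{dev.name}: delivered on {egress}")
            return "delivered", path
        path.append(f"{dev.name}: {egress} -> {nh}")
        dev, ingress = owner(devices, nh)
    return "loop", path


# Topology from the case study, with the PIX-router segment widened to /24.
PIX = Device("PIX",
             {"outside": "1.1.1.2/24", "inside": "10.0.0.1/24"},
             [("0.0.0.0/0", "1.1.1.1", "outside"),
              ("192.168.100.0/24", "10.0.0.2", "inside")],
             hairpin=False)
ROUTER = Device("Router",
                {"FastEthernet0": "10.0.0.2/24", "FastEthernet1": "192.168.100.254/24"},
                [("0.0.0.0/0", "10.0.0.1", "FastEthernet0")],
                hairpin=True)
DEVICES = [PIX, ROUTER]

if __name__ == "__main__":
    for gw in ("10.0.0.1", "10.0.0.2"):
        for dst in ("192.168.100.7", "198.51.100.10"):
            verdict, path = trace(DEVICES, "10.0.0.50", gw, dst)
            print(f"gateway {gw} -> {dst}: {verdict}; " + " | ".join(path))
```

With the router as gateway, LAN-bound packets are delivered on FastEthernet1 and Internet-bound packets are relayed to the PIX (the router hairpins them on FastEthernet0); with the PIX as gateway, the LAN-bound packet is dropped because its best route points back out the inside interface it arrived on.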