pix 506 config change help
on 21.03.2007 13:14:31 by wellingtonexternaltest
Hi, I am looking for some help with presenting multiple private IP
addresses on the outside interface of my Cisco PIX 506 firewall so
that my ISP can NAT through, via my new router, one-to-one to my new public
facing IP addresses.
The reason behind this is that we are changing from a single private IP to
a multiple public IP account and require a new router, which my ISP is
providing, but they wish to perform NAT on the router so that each
available public IP is NAT'd from the WAN interface through to a
different IP address on the WAN interface of the firewall; but to do
this
I need to present these multiple private IP addresses.
The ISP said they would send an engineer on site, but at £850 plus
VAT.
Can't afford that.
Can anyone direct me to a resource or provide any help for this? Is
this a simple thing to do?
PIX version is 6.3(3).
Thanks for any help provided; if anyone needs any more information
please let me know.
gbm
Re: pix 506 config change help
on 21.03.2007 17:45:39 by Wolfgang Kueter
wellingtonexternaltest@hotmail.co.uk wrote:
> Hi, I am looking for some help with presenting multiple private IP
> addresses on the outside interface of my Cisco PIX 506 firewall so
> that my ISP can NAT through, via my new router, one-to-one to my new public
> facing IP addresses.
>
> The reason behind this is that we are changing from a single private IP to
> a multiple public IP account and require a new router, which my ISP is
> providing, but they wish to perform NAT on the router so that each
> available public IP is NAT'd from the WAN interface through to a
> different IP address on the WAN interface of the firewall; but to do
> this I need to present these multiple private IP addresses.
What your ISP wants is complete nonsense. Their router should simply do what
a router is designed to do, and that is routing. That means that they should
do no NAT at all on their router but route a public network to you. From
this public network they use one address on their router, and with the rest
you can do whatever you want. A PIX can well be considered a serious
device and it is designed to run with one or more public addresses on the
external interface. No need for NAT on the ISP router; almost everywhere
where PIXes are used, these boxes do the NAT, not the ISP router.
Wolfgang
Re: pix 506 config change help
on 21.03.2007 18:24:55 by wellingtonexternaltest
On 21 Mar, 16:45, Wolfgang Kueter wrote:
> [...]
Wolfgang, thanks for taking the time to reply.
Some questions: this no-NAT solution was briefly discussed but was
ruled out, or at least not encouraged from the ISP side of things, as
this would require a major change to both the new router they are
currently configuring and the firewall. They suggested this second
option I mentioned in the first post as the way to go, as it would be
fewer changes. Do you agree with their assessment?
Forgetting the router changes that the ISP would make, what firewall
changes would be required, as this is what I would have to do, and my
skill set on firewall changes is not great, i.e. the fewer changes I need
to make the better, as I don't want to make any mistakes and expose the
internal network.
If I was to go forward with this router-NAT-through-to-the-firewall
solution that the ISP want to do, what would I need to do on the
firewall to present these IP addresses?
If I were to use your suggestion the only NATs would be on my
firewall, where I would allow the relevant traffic through for SMTP and
OWA etc. That makes sense and I can't understand why the ISP would
think this is a more complicated solution to go with.
What's the standard solution usually employed?
Thanks for any more help..
gbm
Re: pix 506 config change help
on 21.03.2007 21:29:39 by Wolfgang Kueter
wellingtonexternaltest@hotmail.co.uk wrote:
Hello,
>> What your ISP wants is complete nonsense. Their router should simply do
>> what a router is designed to do, and that is routing. That means that they
>> should do no NAT at all on their router but route a public network to
>> you. From this public network they use one address on their router and
>> with the rest you can do whatever you want. A PIX can well be considered
>> a serious device and it is designed to run with one or more public
>> addresses on the external interface. No need for NAT on the ISP router;
>> almost everywhere where PIXes are used, these boxes do the NAT, not the
>> ISP router.
> Some questions: this no-NAT solution was briefly discussed but was
> ruled out, or at least not encouraged from the ISP side of things, as
> this would require a major change to both the new router they are
> currently configuring and the firewall. They suggested this second
> option I mentioned in the first post as the way to go, as it would be
> fewer changes. Do you agree with their assessment?
I've been involved in the ISP business for more than a decade and I've
seen more than one ISP during that time. Your ISP is simply talking nonsense.
It is the plain usual business of any ISP to route a public network to a
customer. Period.
> Forgetting the router changes that the ISP would make, what firewall
> changes would be required, as this is what I would have to do, and my
> skill set on firewall changes is not great, i.e. the fewer changes I need
> to make the better, as I don't want to make any mistakes and expose the
> internal network.
You find a lot of PIX configuration examples on www.cisco.com. It is just
normal to run a PIX (like any other serious firewalling device) with one or
more public (= routable) addresses on the external interface(s).
> If I was to go forward with this router-NAT-through-to-the-firewall
> solution that the ISP want to do, what would I need to do on the
> firewall to present these IP addresses?
You find a lot of PIX configuration examples on www.cisco.com. But I really
doubt that you want to run such a double NAT setup. Just consider that you
want to use your PIX as an endpoint of one or more IPsec VPN tunnel(s). You
definitely want a public IP on the external interface of the PIX and no NAT
from any ISP router for such a setup. The firewall (in your case that is
the PIX) is the device on the perimeter of your network. It is designed to
run there. If you are afraid to run it on the border to a hostile network, then
something is definitely plain wrong with the device you have chosen as your
firewall.
> If I were to use your suggestion the only NATs would be on my
> firewall, where I would allow the relevant traffic through for SMTP and
> OWA etc. That makes sense and I can't understand why the ISP would
> think this is a more complicated solution to go with.
That is indeed the normal solution.
> What's the standard solution usually employed?
See above.
Wolfgang
Re: pix 506 config change help
on 22.03.2007 10:21:04 by wellingtonexternaltest
On 21 Mar, 20:29, Wolfgang Kueter wrote:
> [...]
Wolfgang, again thanks for the reply.
Going forward then with the normal solution, apart from creating the
relevant NAT, access lists etc. for, say, SMTP traffic, are there any other
changes I need to make to the firewall to prepare it in advance for
accepting these public IP addresses? Do I need to set anything up in the
firewall config to tell it it is now associated with this range of IP
addresses, or is that what the router is for?
I'm guessing that all I need to do is tell the ISP that I want to
progress with this no-NAT solution instead. They will then deliver
this newly configured router, which will be configured to
deliver the external public IP addresses to the outside interface of the
firewall. I add NAT for an external IP address with rules and access
lists for SMTP traffic to the internal mail server.
Seems simple enough... am I missing anything obvious?
thanks
gbm
Re: pix 506 config change help
on 22.03.2007 11:24:22 by Wolfgang Kueter
wellingtonexternaltest@hotmail.co.uk wrote:
> Going forward then with the normal solution, apart from creating the
> relevant NAT, access lists etc. for, say, SMTP traffic, are there any other
> changes I need to make to the firewall to prepare it in advance for
> accepting these public IP addresses? Do I need to set anything up in the
> firewall config to tell it it is now associated with this range of IP
> addresses, or is that what the router is for?
Of course you have to configure the new IP address(es) on the external
interface(s) of the PIX and change the default gateway.
Assuming the ISP routes the network 100.100.100.0 netmask 255.255.255.248 to
you and uses 100.100.100.1 on their router, the setup looks like this:
This means:
100.100.100.0 network address, not usable
100.100.100.1 used by the ISP router, not usable
100.100.100.2 usable by the customer for hosts or NAT
100.100.100.3 usable by the customer for hosts or NAT
100.100.100.4 usable by the customer for hosts or NAT
100.100.100.5 usable by the customer for hosts or NAT
100.100.100.6 usable by the customer for hosts or NAT
100.100.100.7 broadcast address, not usable
the setup will look like this:
Internet
|
|
external IP doesn't matter for you ...
ISP-router
100.100.100.1/29 (public ip)
|
|
|
|
|
100.100.100.2/29 (external, public ip)
Pix
192.168.100.254 (internal, private ip)
|
|
|
LAN
100.100.100.1 = default gateway for the pix
> seems simple enough.. am i missing anything obvious?
see above and RTFM ...
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_book09186a0080172852.html
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html
The described setup is standard, and assuming that apart from some static NAT
and filtering rules for a few incoming connections you have no special
requirements, any skilled PIX admin using a configuration template needs
less than an hour to configure such a box in the way you need it.
Wolfgang
Re: pix 506 config change help
on 22.03.2007 13:23:23 by wellingtonexternaltest
On 22 Mar, 10:24, Wolfgang Kueter wrote:
> [...]
Hi Wolfgang,
The current firewall config is shown below. I have talked with the ISP,
who agree option 1 is the correct and preferred route to take; however,
they are saying the firewall will need to be totally reconfigured.
My thoughts would be that I would only need to change the "ip address
outside" entry to reflect the new external interface IP address, and
change the "route outside" to reflect the new gateway IP address. Would
there be anything else to change, or am I way off the mark and the ISP
is correct that we need the whole firewall reconfigured?
The config is...
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password /5ospAYwwHZzG7mb encrypted
passwd VWKoADlYPYb1lVRR encrypted
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 194.42.239.225 Redstone-Bram
name 212.44.35.5 Redstone-Bwd
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 10.1.1.2 255.255.255.0
ip address inside 10.0.0.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Redstone-Bram 255.255.255.255 outside
pdm location Redstone-Bwd 255.255.255.255 outside
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.0.0.4 255.255.255.255 inside
pdm location 10.0.0.100 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.1.1.3 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http Redstone-Bram 255.255.255.255 outside
http Redstone-Bwd 255.255.255.255 outside
http 10.0.0.4 255.255.255.255 inside
http 10.0.0.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.4 255.255.255.255 inside
telnet 10.0.0.100 255.255.255.255 inside
telnet timeout 5
ssh Redstone-Bram 255.255.255.255 outside
ssh Redstone-Bwd 255.255.255.255 outside
ssh timeout 5
console timeout 5
terminal width 80
banner exec No unauthorised access
banner login No unauthorised access
banner motd No unauthorised access
thanks
gbm
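As an added example, not part of the thread and not anything the ISP or Wolfgang supplied: the PIX 6.3 lines that change when the config posted above moves to the routed /29 plan Wolfgang sketched. It uses the thread's illustrative block 100.100.100.0/29 with the ISP router on .1 and the PIX on .2, keeps the existing inside network 10.0.0.0/24, and assumes, purely for illustration, that the Exchange server answering SMTP and OWA sits at 10.0.0.100, that OWA is served over HTTPS, and that the inbound access list is called outside_in. Lines beginning with a colon are PIX configuration comments.

```cisco
: Added example config delta for the posted PIX 506 (6.3) -- not from the thread.
: Assumed for illustration: mail server 10.0.0.100, ACL name outside_in,
: public block 100.100.100.0/29 as used in the thread's example.
:
: 1. Outside interface leaves the ISP's private 10.1.1.0/24 transfer net and
:    takes the first customer-usable public address; the default route moves
:    from 10.1.1.3 to the ISP router's address in the same /29.
ip address outside 100.100.100.2 255.255.255.248
no route outside 0.0.0.0 0.0.0.0 10.1.1.3 1
route outside 0.0.0.0 0.0.0.0 100.100.100.1 1
:
: 2. Outbound traffic: the existing dynamic PAT pair is unchanged and now
:    hides the LAN behind the public outside address instead of 10.1.1.2.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
:
: 3. Inbound SMTP and OWA: one-to-one static NAT of a spare public address
:    to the mail server, then an access list that admits only those two
:    ports from the Internet to that one public address.
static (inside,outside) 100.100.100.3 10.0.0.100 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 100.100.100.3 eq smtp
access-list outside_in permit tcp any host 100.100.100.3 eq https
access-group outside_in in interface outside
:
: 4. The SMTP fixup (Mailguard) restricts the session to the RFC 821 command
:    set and is a common cause of ESMTP failures in front of Exchange, so it
:    is switched off for the mail flow above.
no fixup protocol smtp 25
```

Apply this from the console or an inside host, because the first line replaces the address you may be connected through. After changing the static and global statements, run clear xlate so translations built for the old addressing are dropped, then write memory. The static also means the mail server's own outbound connections leave from 100.100.100.3 rather than the PAT address, which is what you want when the MX record and reverse DNS for that address point at the server. The pdm location, http, ssh and telnet statements in the posted config name the remote management hosts, not the old outside address, so they do not need to change for the readdressing; whether management from the outside should stay permitted at all is a separate decision.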
Re: pix 506 config change help
on 22.03.2007 13:46:52 by Wolfgang Kueter
wellingtonexternaltest@hotmail.co.uk wrote:
> The current firewall config is shown below, [...]
Well, read the fine manual on www.cisco.com (I posted a link to the
documentation in my last article) and try to understand what each line of
the config you posted means. Then think about all that and try to find out
what that config lacks now and what it lacks when you just change the
external IP address(es).
Sorry, but when I look at that config I get the strong feeling that you've
formerly been ripped off in quite an evil manner by someone who sold you
a fancy device that was delivered to you basically with the factory
default configuration, which does not even use more than 2% of what a PIX
can do, but instead includes known buggy default PIX settings like the
default fixup protocol stuff (something any skilled PIX admin will switch
off first) and so on.
My advice is: hire a *skilled* PIX consultant and let him configure the box
according to your requirements, if you are not able to figure out the
problems of the config you posted yourself.
Wolfgang