PIX 501 Basic Configuration

I have just been given a PIX 501 to configure and have very little knowledge of CISCO routers. Apologies if I do not explain this very well.

My configuration sounds simple, I do not want DHCP and I do not think I have any VPN requirements at the moment.

I want the inside IP addresses to be the same as the outside and I want to be able to specifically enable ports when required and on an individual or group basis, i.e. everyone needs SMTP, POP and WEB, some need to use NetMeeting, SSH etc.

I also need to know how to allow access to a single IP address from outside.

Thanks, DP

Reply to
DP

In article , DP wrote:
:I have just been given a PIX 501 to configure and have very little
:knowledge of CISCO routers.

[link] is the Cisco PIX Firewall and VPN Configuration Guide, Version 6.3

:My configuration sounds simple, I do not want DHCP and I do not think I
:have any VPN requirements at the moment.

:I want the inside IP addresses to be the same as the outside

I notice you say "addresses". Is it correct that you have multiple public IP addresses, and that none of the "inside" IP addresses need to be the same as the PIX's IP address?

:and I want
:to be able to specifically enable ports when required and on an
:individual or group basis, i.e. everyone needs SMTP, POP and WEB, some
:need to use NetMeeting, SSH etc.

Is that for incoming or outgoing?

:I also need to know how to allow access to a single IP address from
:outside.

That would tend to imply that the paragraph above was with respect to outgoing, but tis better to ask and be sure.

Your requirement to use inside IP addresses that are the same as the outside could be troublesome. The PIX will not allow you to put the inside and outside interfaces into the same subnet. To solve this, you have two choices:

a) use an IP address in a different range for your PIX outside interface IP and you or your ISP must route the internal public IP subnet to that outside subnet; or

b) use an inside interface IP address in a private IP range, and have an inside router in that range, and set up individual host routes for each inside IP, directing it to the inside router. The inside router then has an interface in that range (as well as the private range) and so redistributes the traffic. For example,

ip address outside 123.45.67.1 netmask 255.255.255.248
ip address inside 192.168.67.1 netmask 255.255.255.0
route inside 123.45.67.2 255.255.255.255 192.168.67.2
route inside 123.45.67.3 255.255.255.255 192.168.67.2
route inside 123.45.67.4 255.255.255.255 192.168.67.2
route inside 123.45.67.5 255.255.255.255 192.168.67.2
route inside 123.45.67.6 255.255.255.255 192.168.67.2

For the other answers... please review the configuration guide.

Reply to
Walter Roberson

Walter,

I have decided to go down option (b), I have a range of 64 addresses, 123.45.67.0/26. My CISCO 2600 Router is 123.45.67.1 and I would like to have the PIX as 123.45.67.18 and my PC is 123.45.67.21

I tried to "ip address outside 123.45.67.18 netmask 255.255.255.192" and I got an "Invalid subnet mask netmask"

I have just signed up for my MCSE and CCNA so please be patient.

Reply to
DP

In article , DP wrote:
:I tried to "ip address outside 123.45.67.18 netmask 255.255.255.192"
:and I got an "Invalid subnet mask netmask"

Sorry about that. Some of the commands that take netmasks prefix them with the word 'netmask', and some of them don't.

ip address outside 123.45.67.18 255.255.255.192

Reply to
Walter Roberson
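
Added example, not part of the thread: a small Python check that builds the option (b) lines using the corrected `ip address` syntax and refuses layouts the thread says will not work (inside and outside in the same subnet, host routes outside the public range). The function name `pix_option_b` is hypothetical, and the sample run pairs DP's outside addressing with the inside addressing from Walter's example, which is an assumption.

```python
import ipaddress


def pix_option_b(outside_ip, outside_mask, inside_ip, inside_mask,
                 inside_router, public_hosts):
    """Return the option (b) config lines, or raise ValueError."""
    # ip_interface() rejects malformed addresses and non-contiguous masks.
    outside = ipaddress.ip_interface(f"{outside_ip}/{outside_mask}")
    inside = ipaddress.ip_interface(f"{inside_ip}/{inside_mask}")
    router = ipaddress.ip_address(inside_router)

    # Constraint from the thread: the two interfaces may not share a subnet.
    if outside.network.overlaps(inside.network):
        raise ValueError("inside and outside interfaces overlap")
    # The next hop for the host routes must be a neighbour on the inside LAN.
    if router not in inside.network or router == inside.ip:
        raise ValueError("inside router must be another host on the inside subnet")

    lines = [
        # No 'netmask' keyword, per the correction at the end of the thread.
        f"ip address outside {outside.ip} {outside.netmask}",
        f"ip address inside {inside.ip} {inside.netmask}",
    ]
    reserved = {outside.ip, outside.network.network_address,
                outside.network.broadcast_address}
    seen = set()
    for text in public_hosts:
        host = ipaddress.ip_address(text)
        if host not in outside.network:
            raise ValueError(f"{host} is not in public subnet {outside.network}")
        if host in reserved:
            raise ValueError(f"{host} is the PIX, network or broadcast address")
        if host in seen:
            raise ValueError(f"{host} listed twice")
        seen.add(host)
        # One /32 host route per inside machine that keeps a public address.
        lines.append(f"route inside {host} 255.255.255.255 {router}")
    return lines


if __name__ == "__main__":
    # Constructed sample: PIX and PC addresses from DP's post,
    # inside LAN and inside router from Walter's example.
    for line in pix_option_b("123.45.67.18", "255.255.255.192",
                             "192.168.67.1", "255.255.255.0",
                             "192.168.67.2", ["123.45.67.21"]):
        print(line)
```

Hosts that remain on the outside segment, such as the 2600 at 123.45.67.1 in DP's layout, must not be passed in `public_hosts`, since a host route would send their traffic to the inside router.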
