Hey, I need help setting up my PIX 515E. I have installed ASDM and can get into the config. I need help with either routing or NAT, or both.
I have 2 LANs and a Cisco router connected. I need to know how to pass all internet traffic from each LAN to the router for internet access. I have not set any NAT pools or static routes, because I am unsure how to do this.
The lan and wan specs are below
lan1: 192.168.0.0/24
lan2: 192.168.1.0/24
internet nic: 162.40.148.2 (cisco router is 162.40.148.1)
Please help on getting these on the Internet. Also, I will have remote users, but the wizard should take care of that.
I'm assuming that your setup looks something like the following. Correct me if it does not. Bear in mind that the PIX will not route traffic back out the same interface that it came in on like other devices will.
The diagram is a little confusing. I have 2 switches. On the first is the 192.168.0.0/24 subnet. That one is connected to e0 (192.168.0.1). The second switch is the 192.168.1.1/24 subnet connected to e1 (192.168.1.1). The Cisco router is connected to e3 (162.40.148.2), and the router's address is 162.40.148.1. I need to get internet access for both networks of the PIX. Both networks are in the same building, just 2 different businesses.
I agree, I suppose the diagram did not work out like I had hoped. So when you are referencing e0, e1, and e3, are you talking about the interfaces on the PIX itself? How many routers do you have, 1 or 2? I assume that the Cisco Router you are talking about is the internet router attached to the external interface of the PIX, correct? And what is acting as the default gateway assigned to the client computers, the PIX, or a router behind the PIX?
Sorry for so many questions, just trying to get a mental picture of your setup.
Is there a specific ethernet port for the internet router? I have only one router for the internet. It is in ethernet 3 of the PIX. I am referring to the PIX interfaces when I say e0, e1, and e3. The default gateway is the IP address of the associated PIX interface. For Lan1, the gateway is 192.168.0.1 and Lan2 is 192.168.1.1.
In that case, it will get a little hairy as far as how the PIX does security on its interfaces. I think (I may be wrong) that if the PIX has more than two interfaces, it will treat the third as a DMZ interface by default. Would it be possible for you to post the configuration "sh run" of your PIX? If I looked at the config, I should be able to point you in the right direction fairly quickly.
That would be all there would be to it for your configuration that you set out in your discussion with DV.
This configuration would send all traffic, from both lans, out through the same single IP address, 162.40.148.2. If you want the traffic separated, say with the second lan mapping to 162.40.148.3, then you would use
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 2 192.168.1.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 162.40.148.3
This would PAT both lans, but with different IPs.
If you happened to want the inside traffic to use one-to-one nat as long as IPs were available, and you wanted the traffic separate, then you could use, for example:
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 2 192.168.1.0 255.255.255.0
global (outside) 1 162.40.148.3-162.40.148.205
global (outside) 1 162.40.148.206
global (outside) 2 162.40.148.207-162.40.148.253
global (outside) 2 162.40.148.254
You would not need to add any route commands or static commands or any access-lists for what you indicated.
If, though, you want to restrict lan1 from being able to talk to lan2, then you would add (PIX 6.x syntax)
access-list in2out deny ip any 192.168.1.0 255.255.255.0
access-list in2out permit ip 192.168.0.0 255.255.255.0 any
access-group in2out in interface inside
You would not need to do anything to prevent lan2 from talking to lan1.
If you do want lan2 to be able to talk to lan1, then you would need additional configuration, the details of which would depend on whether you want wide access or just access to specific hosts.
If you want the outside world to be able to connect to servers on either of the lans (except through the VPNs) then you would have additional configuration work.
I have done what you said, and I still cannot get internet access.
I added
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside2) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
I still cannot connect. I also tried using the startup wizard to start fresh, but I still can't connect. All that I have done is run the startup wizard, used PAT for the outside interface (e0), and have lan1 in e1 and lan2 in e2.
I may add that the lan2 is not a dmz, but a network like lan1, except a different subnet.
Did you add the "route outside 0.0.0.0 0.0.0.0 162.40.148.1" command? Do all your interfaces have the correct IPs assigned to them? Would it be possible to post your config?
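Added example, not part of the original thread and not written by any of the posters: a small Python check for the two things the replies above depend on, namely that every nat id has a matching global on the outside interface and that a default route exists there. The function name, the sample configs and the /24 outside mask are assumptions (the thread never states the outside netmask).

```python
import ipaddress
import re

NAT = re.compile(r"nat \((\S+)\) (\d+) \S+ \S+")
GLOBAL = re.compile(r"global \((\S+)\) (\d+) (\S+)")
ROUTE = re.compile(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")

def check_outbound(config, outside="outside", outside_net=None):
    """Return findings that would keep NATed hosts from reaching the internet."""
    net = ipaddress.ip_network(outside_net) if outside_net else None
    nat_ids, global_ids, gateway, findings = {}, set(), None, []

    def off_subnet(addr):
        return net is not None and ipaddress.ip_address(addr) not in net

    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT.match(line):
            nat_ids.setdefault(m.group(2), []).append(m.group(1))
        elif (m := GLOBAL.match(line)) and m.group(1) == outside:
            global_ids.add(m.group(2))
            if m.group(3) != "interface":          # single address or a-b range
                for addr in m.group(3).split("-"):
                    if off_subnet(addr):
                        findings.append(f"global {m.group(2)}: {addr} not in {net}")
        elif (m := ROUTE.match(line)) and m.group(1) == outside:
            gateway = m.group(2)
            if off_subnet(gateway):
                findings.append(f"default gateway {gateway} not in {net}")

    for nat_id, ifaces in sorted(nat_ids.items()):
        if nat_id != "0" and nat_id not in global_ids:   # nat 0 needs no global
            findings.append(f"nat id {nat_id} on {', '.join(ifaces)} has no global ({outside})")
    if gateway is None:
        findings.append(f"no default route on {outside}")
    return findings

# Constructed sample: only the three commands quoted in the thread.
THREAD_CONFIG = """\
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside2) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
"""
# Constructed sample: second pool missing and one global address off the outside subnet.
SPLIT_CONFIG = """\
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside2) 2 192.168.1.0 255.255.255.0
global (outside) 1 198.51.100.254
route outside 0.0.0.0 0.0.0.0 162.40.148.1
"""
```

Run it against the output of "sh run" saved to a text file; an empty list means the nat/global/route pieces line up, not that access-lists or interface addressing are correct.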
While we are at it, can you suggest a way to set up VPN users to access the 192.168.0.0/24 network? I will use the wizard. Which interface do I choose and all that? Can I use the Microsoft VPN connection software? What will I need to do to enable remote desktop to this network?