PIX 515E Configuration Help...

I'm assuming that you're setup looks something like the following. Correct me if it does not. Bear in mind that the PIX will not route traffic back out the same interface that it came in on like other devices will.

192.168.1.1 162.40.148.2 -----> Router 162.40.148.1 e1 e0 | | 192.168.0.1 e0--Router PIX | | | e1 Switch --------------- 192.168.0.5

If so, you'll want to do this on your router that is connecting the two internal networks:

ip route 0.0.0.0 0.0.0.0 192.168.0.5

Then on the PIX you'll want to do the following:

ip address inside 192.168.0.5 255.255.255.0 ip address outside 162.40.148.2 255.255.255.248 (or whatever the external mask is) route outside 0.0.0.0 0.0.0.0 162.40.148.1 route inside 192.168.1.0 255.255.255.0 192.168.0.1 nat (inside) 1 0.0.0.0 0.0.0.0 global (outside) 1 interface

the diagram is a little confusing. I have 2 switches. On the first is the 192.168.0.0/24 subnet. That one is connected to e0 (192.168.0.1). The second switch is the 192.168.1.1/24 subnet connected to e1 (192.168.1.1). The Cisco Router is connected to e3 (162.40.148.2), and has the routers address is 162.40.148.1. I need to get internet access for both networks of the PIX. Both networks are in the same building, just 2 different businesses.

Thanks Jason S.

I agree, I suppose the diagram did not work out like I had hoped. So when you are referencing e0, e1, and e3, are you talking about the interfaces on the PIX itself? How many routers do you have, 1 or 2? I assume that the Cisco Router you are talking about is the internet router attached to the external interface of the PIX, correct? And what is acting as the default gateway assigned to the client computers, the PIX, or a router behind the PIX?

Sorry for so many questions, just trying to get a mental picture of your setup.

Is there a specific ethernet port for the internet router? i have only one router for the internet. It is in ethernet 3 of the PIX. I am refering to the PIX interfaces when i say e0,e1, and e3. The default gateway is the ip address of the associated PIX interface. For Lan1, the gateway is 192.168.0.1 and Lan2 is 192.168.1.1.

Thanks for your help. Jason

In that case, it will get a little hairy as far as how the PIX does security on its interfaces. I think (I may be wrong) that if the PIX has more than two interfaces, it will treat the third as a DMZ interface by default. Would it be possible for you to post the configuration "sh run" of your PIX? If I looked at the config, I should be able to point you in the right direction fairly quickly.

Your reference to asdm indicates you have PIX 7.0. I have not studied the 7.0 syntax, so I can't give you the exact commands.

In PIX 6.x, what you want would be quite simple:

nat (inside) 1 192.168.0.0 255.255.255.0 nat (dmz) 1 192.168.1.0 255.255.255.0 global (outside) 1 interface

That would be all there would be to it for your configuration that you set out in your discussion with DV.

This configuration would send all traffic, from both lans, out through the same single IP address, 162.40.148.2 . If you want the traffic seperated, say with the second lan mapping to 162.40.148.3 then you would use

nat (inside) 1 192.168.0.0 255.255.255.0 nat (dmz) 2 192.168.1.0 255.255.255.0 global (outside) 1 interface global (outside) 2 162.40.148.2

This would PAT both lans, but with different IPs.

If you happened to want the inside traffic to use one-to-one nat as long as IPs were available, and you wanted the traffic seperate, then you could use, for example:

nat (inside) 1 192.168.0.0 255.255.255.0 nat (dmz) 2 192.168.1.0 255.255.255.0 global (outside) 1 162.40.148.3-162.40.148.205 global (outside) 1 162.40.148.206 global (outside) 2 162.40.148.207-162.40.148.253 global (outside) 2 192.40.148.254

You would not need to add any route commands or static commands or any access-lists for what you indicated.

If, though, you want to restrict lan1 from being able to talk to lan2, then you would add (PIX 6.x syntax)

access-list in2out deny ip any 192.168.1.0 255.255.255.0 access-list in2out permit ip 192.168.0.0 255.255.255.0 any

access-group in2out in interface inside

You would not need to do anything to prevent lan2 from talking to lan1.

If you do want lan2 to be able to talk to lan1, then you would need additional configuration, the details of which would depend on whether you want wide access or just access to specific hosts.

If you want the outside world to be able to connect to servers on either of the lans (except through the VPNs) then you would have additional configuration work.

I have done what you said, and i still cannot get internet access.

I added nat (inside) 1 192.168.0.0 255.255.255.0 nat (inside2) 1 192.168.1.0 255.255.255.0 global (outside) 1 interface

I still cannot connect. I also tried using the startup wizard to start fresh, but i still cant connect. All that i have done, is run the startup wizard, used PAT for the outside interface (e0), and have lan1 in e1 and lan2 in e2.

I may add that the lan2 is not a dmz, but a network like lan1, except a different subnet.

Please help. I need to get connected asap.

Thanks Jason

Did you add the "route outside 0.0.0.0 0.0.0.0 162.40.148.1" command? Do all your interfaces have the correct IPs assigned to them? Would it be possible to post your config?

i know how to capture the text correctly on a router, but not sure on the PIX. when i use terminal length 0, it is not a valid entry.

I need the command so that it will not say .

Thanks Jason

Can't you just hit space bar all the way to the end and then copy all the text?

i added the command you said, and here is my running config. I cannot try and see if it connects right now, but see if this look right.

Thanks Jason

pixfirewall# sh run : Saved : PIX Version 7.0(4) ! hostname pixfirewall domain-name default.domain enable password /r9ayOm.CUP8NGkt encrypted names ! interface Ethernet0 nameif outside security-level 0 ip address 162.40.148.2 255.255.255.248 ! interface Ethernet1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! interface Ethernet2 nameif inside2 security-level 100 ip address 192.168.0.1 255.255.255.0 ! interface Ethernet3 shutdown no nameif no security-level no ip address ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive ! http-map test strict-http action allow log ! pager lines 24 logging asdm informational mtu inside 1500 mtu outside 1500 mtu inside2 1500 no failover asdm image flash:/asdm-504.bin no asdm history enable arp timeout 14400 global (outside) 10 interface nat (inside) 1 192.168.1.0 255.255.255.0 nat (inside) 10 0.0.0.0 0.0.0.0 nat (inside2) 2 192.168.0.0 255.255.255.0 route outside 0.0.0.0 0.0.0.0 162.40.148.1 1 route inside2 192.168.0.0 255.255.255.0 192.168.0.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute http server enable http 192.168.1.0 255.255.255.0 inside http 192.168.0.0 255.255.255.0 inside2 no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart telnet 192.168.1.0 255.255.255.0 inside telnet timeout 15 ssh timeout 5 console timeout 0 dhcpd address 192.168.1.2-192.168.1.254 inside dhcpd lease 3600 dhcpd ping_timeout 50 ! class-map inspection_default match default-inspection-traffic ! ! policy-map global_policy class inspection_default inspect dns maximum-length 512 inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global Cryptochecksum:b81536603c19f6ff29ccbd845352592e : end

Delete all these commands:

global (outside) 10 interface nat (inside) 1 192.168.1.0 255.255.255.0 nat (inside) 10 0.0.0.0 0.0.0.0 nat (inside2) 2 192.168.0.0 255.255.255.0 route outside 0.0.0.0 0.0.0.0 162.40.148.1 1 route inside2 192.168.0.0 255.255.255.0 192.168.0.1 1

and enter them like this:

nat (inside) 1 192.168.1.0 255.255.255.0 nat (inside2) 1 192.168.0.0 255.255.255.0 global (outside) 1 interface route outside 0.0.0.0 0.0.0.0 162.40.148.1

It should work after you do that.

Thanks for all of your help. I will put these in and try it out when i get back to work. I will let you guys know if it works or not.

Thanks again

Jason

While we are at it, can you suggest a way to set up vpn users to access the 192.168.0.0/24 network? I will use the wizard. Which interface do i choose and all that? Can i use the microsoft vpn connection software? What will i need to do to enable remote desktop to this network?

Thanks Jason