PIX 506 config change help

Hi, I am looking for some help with presenting multiple private IP addresses on the outside interface of my Cisco PIX 506 firewall, so that my ISP can NAT through, via my new router, one-to-one to my new public-facing IP addresses.

The reason behind this is that we are changing from a single private IP to a multiple-public-IP account and require a new router, which my ISP is providing, but they wish to perform NAT on the router so that each available public IP is NAT'd from the WAN interface through to a different IP address on the WAN interface of the firewall. To do this I need to present these multiple private IP addresses.

The ISP said they would send an engineer on site, but at £850 plus VAT. Can't afford that.

Can anyone direct me to a resource or provide any help for this? Is this a simple thing to do?

PIX version is 6.3(3).

Thanks for any help provided; if anyone needs any more information please let me know.

gbm

Reply to
wellingtonexternaltest

What your ISP wants is complete nonsense. Their router simply should do what a router is designed to do, and that is routing. That means that they should do no NAT at all on their router but route a public network to you. From this public network they use one address on their router, and with the rest you can do whatever you want. A Pix can well be considered a serious device, and it is designed to run with one or more public addresses on the external interface. No need for NAT on the ISP router; almost everywhere where Pixes are used, these boxes do the NAT, not the ISP router.

Wolfgang

Reply to
Wolfgang Kueter

Wolfgang thanks for taking the time to reply.

Some questions: this no-NAT solution was briefly discussed but was ruled out, or at least not encouraged, from the ISP side of things, as this would require a major change to both the new router they are currently configuring and the firewall. They suggested the second option I mentioned in the first post as the way to go, as it would mean fewer changes. Do you agree with their assessment?

Forgetting the router changes that the ISP would make, what firewall changes would be required? This is what I would have to do, and my skill set on firewall changes is not great, i.e. the fewer changes I need to make the better, as I don't want to make any mistakes and expose the internal network.

If I was to go forward with this router-NAT-through-to-the-firewall solution that the ISP want to do, what would I need to do on the firewall to present these IP addresses?

If I were to use your suggestion, the only NATs would be on my firewall, where I would allow the relevant traffic through for SMTP and OWA etc. That makes sense, and I can't understand why the ISP would think this is the more complicated solution to go with.

What's the standard solution usually employed?

Thanks for any more help. gbm

Reply to
wellingtonexternaltest

Hello,

I've been involved in the ISP business for more than a decade and I've seen more than one ISP during that time. Your ISP is simply talking nonsense. It is the plain usual business of any ISP to route a public network to a customer. Period.

You find a lot of Pix configuration examples on

formatting link
It is just normal to run a Pix (like any other serious firewalling device) with one or more public (= routable) addresses on the external interface(s).

But I really doubt that you want to run such a double-NAT setup. Just consider that you want to use your Pix as an endpoint of one or more IPsec VPN tunnel(s). You definitely want a public IP on the external interface of the Pix and no NAT from any ISP router for such a setup. The firewall (in your case that is the Pix) is the device on the perimeter of your network. It is designed to run there. If you fear to run it on the border to a hostile network, then something is definitely plain wrong with the device you have chosen as your firewall.

That is indeed the normal solution.

See above.

Wolfgang

Reply to
Wolfgang Kueter

Wolfgang, again thanks for the reply.

Going forward, then, with the normal solution: apart from creating the relevant NAT, access lists etc. for, say, SMTP traffic, are there any other changes I need to make to the firewall to prepare it in advance for accepting these public IP addresses? Do I need to set anything up in the firewall config to tell it "you are now associated with this range of IP addresses", or is that what the router is for?

I'm guessing that all I need to do is tell the ISP that I want to progress with this no-NAT solution instead. They will then deliver this newly configured router; this router will be configured to deliver the external public IP addresses to the outside interface of the firewall. I add NAT for an external IP address with rules and access lists for SMTP traffic to the internal mail server.

Seems simple enough. Am I missing anything obvious?

Thanks, gbm

Reply to
wellingtonexternaltest

Of course you have to configure the new IP address(es) on the external interface of the Pix and change the default gateway.

Assuming the ISP routes the network 100.100.100.0 netmask 255.255.255.248 to you and uses 100.100.100.1 on their router, the addressing looks like this:

This means:

100.100.100.0   network address, not usable
100.100.100.1   used by the ISP router, not usable
100.100.100.2   usable by the customer for hosts or NAT
100.100.100.3   usable by the customer for hosts or NAT
100.100.100.4   usable by the customer for hosts or NAT
100.100.100.5   usable by the customer for hosts or NAT
100.100.100.6   usable by the customer for hosts or NAT
100.100.100.7   broadcast address, not usable

The setup will look like this:

        Internet
           |
           |  external IP doesn't matter for you ...
       ISP-router
           |  100.100.100.1/29 (public ip)
           |
           |
           |  100.100.100.2/29 (external, public ip)
          Pix
           |  192.168.100.254 (internal, private ip)
           |
          LAN

100.100.100.1 = default gateway for the Pix

See above and RTFM ...

formatting link
The described setup is standard and, assuming that apart from some static NAT and filtering rules for a few incoming connections you have no special requirements, any skilled Pix admin using a configuration template needs less than an hour to configure such a box in the way you need it.

Wolfgang

Reply to
Wolfgang Kueter


Hi Wolfgang

The current firewall config is shown below. I have talked with the ISP, who agree option 1 is the correct and preferred route to take; however, they are saying the firewall will need to be totally reconfigured.

My thoughts would be that I would only need to change the "ip address outside" entry to reflect the new external interface IP address, and change the "route outside" to reflect the new gateway IP address. Would there be anything else to change, or am I way off the mark and the ISP is correct that we need the whole firewall reconfigured?

The config is...

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password /5ospAYwwHZzG7mb encrypted
passwd VWKoADlYPYb1lVRR encrypted
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 194.42.239.225 Redstone-Bram
name 212.44.35.5 Redstone-Bwd
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 10.1.1.2 255.255.255.0
ip address inside 10.0.0.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Redstone-Bram 255.255.255.255 outside
pdm location Redstone-Bwd 255.255.255.255 outside
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.0.0.4 255.255.255.255 inside
pdm location 10.0.0.100 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.1.1.3 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http Redstone-Bram 255.255.255.255 outside
http Redstone-Bwd 255.255.255.255 outside
http 10.0.0.4 255.255.255.255 inside
http 10.0.0.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.4 255.255.255.255 inside
telnet 10.0.0.100 255.255.255.255 inside
telnet timeout 5
ssh Redstone-Bram 255.255.255.255 outside
ssh Redstone-Bwd 255.255.255.255 outside
ssh timeout 5
console timeout 5
terminal width 80
banner exec No unauthorised access
banner login No unauthorised access
banner motd No unauthorised access

Thanks, gbm

Reply to
wellingtonexternaltest

Well, read the fine manual on

formatting link
(I posted a link to the documentation in my last article) and try to understand what each line of the config you posted means. Then think about all that and try to find out what that config lacks now, and what it lacks when you just change the external IP address(es).

Sorry, but when I look at that config I get the strong feeling that you've formerly been ripped off in quite an evil manner by someone who sold you a fancy device that was delivered to you basically with the factory default configuration, which does not even use more than 2% of what a Pix can do, but instead includes known buggy default Pix settings like the default fixup protocol stuff (something any skilled Pix admin will switch off first) and so on.

My advice is: hire a *skilled* Pix consultant and let him configure the box according to your requirements, if you are not able to figure out the problems of the config you posted yourself.

Wolfgang

Reply to
Wolfgang Kueter
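An added example, not taken from the thread and not Cisco's own documentation: the PIX 6.3 commands that turn the config gbm posted into Wolfgang's routed-/29 setup (100.100.100.0/29 routed to the customer, ISP router at 100.100.100.1, Pix outside at 100.100.100.2) and answer the question of what has to change beyond the outside address and the default route. The internal mail/OWA server address 10.0.0.10, the public address 100.100.100.3 chosen for it and the access-list name outside_in are assumptions; lines beginning with ":" are PIX config comments.

```cisco
: Added example, not from the thread. Assumed values: mail/OWA server at
: 10.0.0.10, its public address 100.100.100.3, access-list name outside_in.
:
: 1. Public address on the outside interface, ISP router as default gateway.
:    Replaces "ip address outside 10.1.1.2 255.255.255.0" and
:    "route outside 0.0.0.0 0.0.0.0 10.1.1.3 1" in the posted config.
ip address outside 100.100.100.2 255.255.255.248
no route outside 0.0.0.0 0.0.0.0 10.1.1.3 1
route outside 0.0.0.0 0.0.0.0 100.100.100.1 1
:
: 2. Outbound traffic keeps using PAT on the outside interface address,
:    which is now 100.100.100.2. These two lines are already in the config
:    and need no change.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
:
: 3. One-to-one static NAT: 100.100.100.3 on the outside maps to the
:    internal mail/OWA server. A static takes precedence over the
:    nat/global pair for that host, so its outbound mail also leaves
:    from 100.100.100.3 instead of the PAT address.
static (inside,outside) 100.100.100.3 10.0.0.10 netmask 255.255.255.255 0 0
:
: 4. The posted config has no access-list at all. The Pix drops everything
:    from outside (security0) to inside (security100) until an access-list
:    is applied inbound on outside, so the static alone exposes nothing.
:    Permit only SMTP and HTTPS (OWA) to the mapped address.
access-list outside_in permit tcp any host 100.100.100.3 eq smtp
access-list outside_in permit tcp any host 100.100.100.3 eq https
access-group outside_in in interface outside
:
: 5. The default SMTP fixup (Mailguard) only passes the seven RFC 821
:    commands (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) and so rejects
:    EHLO, which breaks ESMTP and STARTTLS for a modern mail server.
no fixup protocol smtp 25
:
: 6. Drop existing translations so the new static and the changed outside
:    address take effect immediately, then save.
clear xlate
write memory
```

Enter these from the inside (the config allows telnet from 10.0.0.4 and 10.0.0.100), since the outside address changes part-way through. Removing the old default route before adding the new one avoids the Pix rejecting a second default route. The access-list is what actually opens the two ports; without the access-group the Pix still blocks the outside-to-inside direction even though the static exists. The existing "http ... outside" and "ssh ... outside" lines for the two Redstone hosts keep working unchanged, because those names resolve to public addresses that are reachable whether the outside interface is 10.1.1.2 or 100.100.100.2.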

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.