Firewall Wizards mailing list archives

RE: Pix Configuration Problem


From: Ben Nagy <bnagy () sa volante com au>
Date: Mon, 21 Aug 2000 09:57:16 +0930

-----Original Message-----
From: Chris [mailto:puetzc () yahoo com]
Sent: Monday, 21 August 2000 7:51 AM
To: firewall-wizards () nfr net
Subject: [fw-wiz] Pix Configuration Problem


Hi all,
I have to configure a brand new Cisco Pix Firewall but
have run into problems.
We have a class C IP address network (yes, we use real
IP addresses / was that way before I joined the
company). We have 2 routers set up as gateways (one
goes to the internet and the other goes to our HQs).
No subnetting in place and I would lose too many IPs if I
use subnetting.

I'd like to use dummy IPs on the inside of my firewall
(192.168....) and put the real ones on the outside.
With NAT or PAT configured things should work OK. My
Pix also has an additional interface to setup a DMZ
for our web server / email server.

Is the corporate router on the _outside_ of the PIX? It sounds like it, so
that's what I'm going to assume. This is lucky for you, because the PIX
won't route back to the interface it received a packet on (meaning that it
would not redirect people to your internal router).


Now comes the problem and I do not know if I can work
it out.

First of all - all network clients need to have access
to the internet - I want to configure this as the
default route on my Pix. I also have two groups of
machines on the inside of my network. Both groups need
to access the second router to go to our HQs. They
(our HQs) have an additional firewall with rules set up
on their site that routes group 1 (group 1 from my
network) to their destinations and that routes group 2
(of my network) to a different destination. The router
2 on my site is pre-configured and it is not an option
to make changes. It is also not an option to have the
rules on the other site at our HQs to be changed.

So - this is why I assume that the HQ router is on the outside - otherwise
you'd need to change its IP address.


How can I configure this situation so that
a) the IP address translation puts different IPs on
group 1 and 2? I could make 2 different pools but how
do I tell the Pix which inside IP address goes to
which outside pool?

Easy.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/examples.htm#xtocid248583

Check out the "Two Interfaces with NAT - Advanced Configuration" section.

You make two global NAT pools which permit different IP address ranges. Say
for example you use a 24-bit internal network (you may need bigger). You put
all group 1 people into the lower 127 addresses and all group 2 people into
the upper 127 addresses, however you give them all a 24 bit mask - so they
all think they're on one network. This means that the PIX translates say
192.168.1.0-127 into pool 1 and 192.168.1.128-254 into pool 2, although
everyone _thinks_ they're just on one big network.


and 

b) How do I tell both groups not to use the router 1
(Internet) as a gateway but to go to router 2 (linking
to HQs) as a gateway when accessing specific IP
addresses at our HQs? Currently I have specific
routing setup (routing entry is on each client / batch
file and login script) so that if my clients need to
access a machine at our HQs they go to the router 2
and completely bypass router 1. Where would I place
this additional route to tell them "Go to router 2 if
IP xyz is destination - do not go to router 1!"?

Why would you need to? Make the PIX the default gateway for everyone
internal and then make sure the PIX knows how to route to your HQ network.
Everyone sends their packets to the PIX, and if they happen to be going to
the HQ network the PIX routes through the HQ router - otherwise it routes
through its default gateway.


Keep in mind - all IPs are currently real class C IP
addresses - no subnetting in place. Any help is
appreciated!! Thanks for your help in advance!


If using real IPs hasn't killed you up until now then it shouldn't after the
change.

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
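The two-pool NAT split and the static route to the HQ router that Ben describes, written out as a PIX 5.x configuration fragment. This is an added example, not configuration from the original message or from Cisco's "Two Interfaces with NAT - Advanced Configuration" page; every address in it is assumed (203.0.113.0/24 stands in for the real class C, 192.168.1.0/24 for the inside network, 192.168.2.0/24 for the DMZ, 203.0.113.1 and 203.0.113.3 for the Internet and HQ routers, 10.50.0.0/16 for the HQ network). Lines starting with "!" are annotations for the reader, not PIX commands, and should be dropped before pasting.

```text
! Interface names and security levels
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Assumed addressing (see lead-in)
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0

! Two global pools carved from the real class C, one per group.
! Pick the ranges the HQ firewall rules already permit for each group,
! since those rules cannot be changed.
global (outside) 1 203.0.113.10-203.0.113.50 netmask 255.255.255.0
global (outside) 2 203.0.113.60-203.0.113.100 netmask 255.255.255.0

! Split the single inside /24 in halves using the nat command's netmask:
! 192.168.1.0-127 translate through pool 1, 192.168.1.128-255 through pool 2.
! The hosts themselves keep a /24 mask and use 192.168.1.1 (the PIX) as
! default gateway, so they still see one flat network.
nat (inside) 1 192.168.1.0 255.255.255.128 0 0
nat (inside) 2 192.168.1.128 255.255.255.128 0 0

! DMZ servers get fixed real addresses (assumed) rather than pool addresses,
! and only the needed service is opened from outside.
static (dmz,outside) 203.0.113.5 192.168.2.10 netmask 255.255.255.255 0 0
conduit permit tcp host 203.0.113.5 eq www any

! Routing: default route to the Internet router, HQ prefix to the HQ router.
! Both routers sit on the outside segment, so the PIX never has to send a
! packet back out the interface it arrived on.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside 10.50.0.0 255.255.0.0 203.0.113.3 1
```

Two things to check after applying something like this. First, the per-client routes in the login script become unnecessary only once every client's default gateway is the PIX inside address; a client that still points its default route at router 1 directly will bypass the PIX entirely. Second, because HQ-bound traffic is translated before it leaves the outside interface, the HQ firewall will see pool addresses, not the clients' current real addresses, so the pool ranges must line up with what the HQ rules already allow for group 1 and group 2 respectively.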

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

