I hope I can be of help.  I have used the PIX extensively, but it's just one
of those appliances that seems to confuse people. This may be lengthy too.

Your PIX probably has two interfaces, an "Inside" and "Outside".  The
"Outside" Interface needs an Internet IP address and the "Inside" interface
needs a 192.168.10.0 IP address.  Do you have a router on the inside of your
network or is this a flat LAN?  If it's a flat LAN, your hosts' default
gateway will be the 192.168.10.PIX address.  If it's a routed internal
network, your router's default gateway 0.0.0.0 0.0.0.0 should point to the
PIX.  This way, your destination of last resort is the Internet.

Now, if you only have one Internet IP address to spare (aside from the one
assigned to the PIX) then you will use PAT instead of NAT.  NAT is a
one-for-one translation.  One internal IP gets translated to one external
IP.  You can't have multiple internal IPs NAT one single external IP.  So,
in your "Global" command you do something like "global (outside) 1
206.135.117.2 netmask 255.255.255.0".  (Where 206.135.117.2 is your Internet
IP people will be translating through).  When the PIX sees only one IP in a
global command, it will respond with "This IP will be Port Address
Translated".  PAT is a way of getting around NAT by allowing 65,000 sessions
to be used via one IP address.  If an organization has 5,000 employees, it
would be ridiculous to lease 5,000 Internet IPs.  So, PAT lets you use just
one.  If your global command would read "global (outside) 1
206.135.117.2-206.135.117.254 netmask 255.255.255.0" then you would be
NATing.  Remember, a single IP means the PIX will automatically PAT, a range
of IPs means the PIX will NAT.  The "(outside)" part just refers to the
destination interface.  In this case, internal users going OUT to the
Internet.

Ok, hopefully this is making sense so far.  Your Proxy server can use PAT
without any problems.  The pitfall is that you're running OWA on this box.
That means people from the Internet need to connect to this machine to view
email.  So, the PIX has a command called "static" and another called
"conduit".   First, let's talk about static.  Static is a way of mapping an
Internet IP to an internal LAN IP.  If your OWA/Proxy machine has an
internal IP of 192.168.10.10, then you need another IP address from the
Internet on the same subnet as the PIX's outside interface.  So if the PIX's
OUTSIDE interface has an IP of 206.135.117.2 with a 255.255.255.0 mask, then
we need an IP from the 206.135.117.0 network.  Let's pick 206.135.117.10.
So we now will have 206.135.117.10 be the Internet IP that clients at home
will connect to for OWA, and we need to tell the PIX to map it to
192.168.10.10.  That's where STATIC comes in.  You have to issue the command
"static (inside,outside) 206.135.117.10 192.168.10.10 netmask
255.255.255.255 0".  What you are doing is using 206.135.117.10 as the
Internet IP that clients connect to from home, then when the PIX hears the
call, it knows to map that IP -> 192.168.10.10 on the LAN server.  You with
me?  The problem is even after you issue a Static, you have to tell the PIX
what ports to open up.  So, if it's OWA, you probably need to open port 80.
That's where conduit comes in.  A conduit works in relation to a static.  So
after that static command I listed above, you enter "conduit permit tcp host
206.135.117.10 eq 80".  This is saying that any connection that comes in to
that IP address, allow traffic on port 80 to pass through.  eq = port in
Cisco terminology.  All other ports are denied.  You can have as many
conduits as you want relating to a static.  You could do another conduit for
ftp if you wanted.

Ok, with me so far?  Hope so.   So far, you need 3 Internet/Outside IP
addresses.  One for the PIX Outside Interface, one for the OWA server, and
one for Port Address Translation. Now we need to set up route statements.
You're probably wondering how the PIX communicates with your Internet router
at this point.  Since the ethernet port of your router and the ethernet port
of the PIX are on the same 206.135.117.0 network, the router can see the pix
no problem.  There is a command in the PIX called "route".  First, you need
to set up a default route for the Internet, or OUTSIDE interface.  That IP
will be your router.  For example, in the PIX type "route outside 0.0.0.0
0.0.0.0 206.135.117.1 netmask 255.255.255.0" (assuming 206.135.117.1 is the
router's ethernet port).  Next, the PIX needs to know your LAN segments.  If
you have a router in the inside of your network for multiple subnets like
192.168.10.0, 192.168.9.0, 192.168.10.0, then you need to tell the PIX what
the default router for the LAN is.  You can say "route (inside) 0.0.0.0
0.0.0.0 192.168.10.1 netmask 255.255.255.0".  Of course, 192.168.10.1 should
know of all other LAN routes.

Hopefully this gets you started!

Regards,
Mark Holloway
Sprint Data Services
"Administrator" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> I know how to connect a MS proxy server directly to an Internet Router
> and how to retrieve email using OWA,but my problem arises when a Pix is
> sandwiched between them. I also know that the service provider must
> supply me with the internal IP of their router and one IP address for
> the external interface of the PIX. I set the internal IP of the Proxy
> w/192.168.10.0 network running DHCP for internal users with external
> static IP 172.16.0.0 network . I set the external Ip of the proxy to a
> private address because it is going to the inside E1 of the PIX. How do
> I set up the Pix so users in the Internet can receive their email via
> OWA (Outlook Web Access) and second, I am slightly confused about
> Nat(inside), Nat(outside) and the use of static address translation,
> and lastly provide users with the ability to browse the Internet and
> send Internet e-mail.
>
> |-Internet-|----|-Frac/T1 Router-|----|-PIX515-|----|NT4.0ProxyServer
> with Exchange w/OWA|--|Hub|---|Internal Network|
>
> Bill
>
> -----Original Message-----
> From: Ashok Gupta [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, February 25, 2001 2:29 PM
> To: Administrator
> Subject: RE: Pix515 Between Internet router and MS Proxy
>
>
> Send details what you wish to do, it is not clear what you are asking.
>
> I have configured PIXes with MS Proxy. Details please.
> Regards
>
> Ashok
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Administrator
> Sent: 25 February 2001 03:08
> To: [EMAIL PROTECTED]
> Subject: Pix515 Between Internet router and MS Proxy
>
>
> Hi,
> I have a customer who wishes to place a Pix between their Internet
> router and Microsoft Proxy server, but I am not certain how to configure
> the Pix
> The MS Proxy Server is also running MS Exchange with OWA (outlook Web
> Access) so they will want to be able to get their mail from home. They
> only have one Public IP address and since the Proxy is running NAT
> already, I am not 100% sure of the Pix config.
>
> Thanks,
> Bill
>
> _________________________________
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>


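As an added example (not part of Mark's reply, and not taken from Cisco's own documentation), here is the complete PIX configuration the steps above add up to, using the addresses from the reply. Assumed, because the thread never states them: a flat 192.168.10.0/24 LAN with the PIX inside interface at 192.168.10.254, a second internal subnet 192.168.9.0/24 behind an inside router at 192.168.10.1, and 206.135.117.3 as the spare public address used for PAT. Two points differ from the prose: a `global` pool is only used once a `nat` command with the same pool ID names the inside hosts allowed to translate through it, and the PIX accepts a single default route, so internal subnets behind the inside router get explicit `route inside` entries rather than a second default. The `conduit` also needs a source specification after the port; `any` matches every Internet host.

```cisco
! Added example: PIX 5.x-style configuration for the topology in the thread.
! Lines marked "assumed" are not from the reply; everything else follows it.
nameif ethernet0 outside security0
nameif ethernet1 inside security100

! Outside = 206.135.117.2/24 (from the reply); inside = 192.168.10.254/24 (assumed)
ip address outside 206.135.117.2 255.255.255.0
ip address inside 192.168.10.254 255.255.255.0

! Outbound translation: every inside host (0.0.0.0 0.0.0.0) is tied to pool 1.
! A single address in the global pool makes the PIX use PAT (many-to-one);
! 206.135.117.3 is the assumed spare public address for that pool.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 206.135.117.3 netmask 255.255.255.0

! Inbound: fixed one-to-one mapping for the OWA/Proxy box, then open only
! the port it needs (OWA on 80/tcp). Trailing 0 0 = no connection limits.
static (inside,outside) 206.135.117.10 192.168.10.10 netmask 255.255.255.255 0 0
conduit permit tcp host 206.135.117.10 eq 80 any

! Routing: one default route toward the Internet router, plus an explicit
! route for the internal subnet behind the inside router (both assumed).
route outside 0.0.0.0 0.0.0.0 206.135.117.1 1
route inside 192.168.9.0 255.255.255.0 192.168.10.1 1
```

After adding or changing the `nat`, `global` or `static` lines, issue `clear xlate` so existing translation entries are rebuilt, then `show xlate` and `show conn` to confirm the mapping and the PAT pool are in use. Note what the conduit permits: port 80 on 206.135.117.10 from every source address on the Internet; if only a known set of remote networks needs OWA, replace `any` with those networks. Nothing else on 206.135.117.10 is reachable until a further conduit permits it. Plain port 80 also carries OWA logins in cleartext, so if the Exchange box can serve HTTPS, a conduit for port 443 with port 80 left closed is the safer choice.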