RE: ADSL and PIX puzzle [7:63458]

2003-02-21 Thread Albert Lu
Hi,

Ideally, you should have the 827 using 'ip unnumbered' on the ADSL (dialer)
interface, so that it uses the ethernet interface's IP address. This
will allow the outside interface of the PIX to be in the public IP address
range that you are allocated; there is no need for subnetting as suggested, as that
would waste IP addresses. Once that is done, just do your standard NAT on your
PIX with statics for your webservers etc.

If that isn't possible, then you will have to do NAT on the router, and put
statics on the router. The PIX will be doing no translation, so you can
either use nat 0 or static (you might need both); I prefer statics.

Regards,

Albert



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63493&t=63458
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: ADSL and PIX puzzle [7:63458]

2003-02-20 Thread brett spunt
Just subnet your class C address space into 2 subnets. Make one of them
the outside of the router, and one of them the inside of the router /
outside of the PIX, and just make sure your "subnetted" network has enough
addresses for the inside of the router, the outside of the PIX, the PIX global address,
and any static NATs to public servers on the network.

Here is the breakdown:
1. Edge router does NOT perform NAT.
2. PIX performs NAT.

               NO NAT                             NAT
[internet] --> [router]    --> subnetted network --> [pix]  --> [lan/webserver]
               [827series]                           [506E]

HTH,

Brett Spunt



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63481&t=63458



RE: ADSL and PIX puzzle [7:63458]

2003-02-20 Thread Mark W. Odette II
A couple of pointers from my humble experience (granted, this is also
coming from a very tired engineer who needs to go to bed :) ):

Put 200.10.10.36/30 on the Dialer Interface.  ... I think you need to be
using the VPDN Group commands to get the DSL working.  There are a
couple of ways to connect to the ISP DSLAM, i.e., Dialer Interface with
VPDN, or BVI interfaces (which is what I would expect with the scenario
you describe utilizing the ADSL interface rather than a Service Provider
DSL Modem and a PPPoE compliant Eth0 interface).

If you go with BVI interface config, then put the 200.10.10.36/30 on the
BVI interface.

Put 200.10.15.184/29 on the Ethernet0 of the DSL Router...

Put 200.10.15.185/29 on the PIX Outside Interface...

Do NAT on the PIX ONLY.

Static NAT for the Web Server with another one of those IPs in the block
you have been issued, or PAT to the Webserver with Port Redirection.

Default Route to the DSL Router on the PIX, Default Route to the
Upstream provider on the DSL Router.

Seems like a pretty straightforward config for both devices.

HTH's.

Mark


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63480&t=63458



Re: ADSL and PIX puzzle [7:63458]

2003-02-20 Thread Kent Hundley
Change this:

ip nat inside source static tcp 192.168.1.30 80 200.10.15.189 80
extendable

to something like:

ip nat inside source static tcp 192.168.0.30 80 200.10.15.189 80
extendable

-The inside from the 827's perspective needs to be something in the
192.168.0.x address space

And change this:

static (inside,outside) 200.10.15.189 webserver

to something like:

static (inside,outside) 192.168.0.30 webserver

-From the PIX's perspective, the outside address of the webserver is
going to be something in the 192.168.0.x range, just as from the 827's
perspective, 192.168.0.x is the inside range.

HTH,
Kent




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63476&t=63458



ADSL and PIX puzzle [7:63458]

2003-02-20 Thread dlci_16
Hello networkers,

I am trying to "conjure up" a working config for an ADSL link with static IPs
for an 827 series router. These public IPs are supposed to point to, say, a
webserver that sits behind a PIX firewall (which is directly connected to the
827 router's ethernet interface). The problem is that when I try to come up with
a working config, I find myself getting into trouble.
(The catch is, I need the webserver behind that PIX.)
Now this gets me using NAT twice to get a public IP from
the internet through the router, past the PIX and into my webserver.
I know it doesn't sound right and obviously does not work either ;),
Any help/clue/criticisms are most welcome ;)
Ok,
What it looks like so far:


[internet] --> [router]    --> [pix]  --> [lan/webserver]
               [827series]     [506E]


IP addresses:
For internet access I have 200.10.10.136 mask 255.255.255.0
Public IPs: 200.10.15.184 255.255.255.248 (for example)
Public IP for my webserver is 200.10.15.189


Router 827:
--

!
! LAN segment toward the PIX outside interface
int eth0
  ip address 192.168.0.200 255.255.255.0
  ip nat inside
!
int atm0
  no ip address
  dsl operating-mode auto
!
int atm0.1 point-to-point
   no ip address
   pvc 0/35
    pppoe-client dial-pool-number 1
!
! PPPoE session toward the ISP
int dialer1
  ip address 200.10.10.136 255.255.255.0
  ip nat outside
  dialer pool 1
!
ip nat inside source list 1 interface dialer1 overload
ip nat inside source static tcp 192.168.1.30 80 200.10.15.189 80 extendable
access-list 1 permit 192.168.0.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 dialer1
!


PIX 506E:
-

!
nameif eth0 outside security0
nameif eth1 inside security 100
!
ip address outside 192.168.0.201 255.255.255.0
ip address inside 192.168.1.21 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.0.200 1
!
global (outside) 1 192.168.0.202-192.168.0.248
nat (inside) 1 192.168.0.0 255.255.255.0
!
name 192.168.1.30 webserver
!
static (inside,outside) 200.10.15.189 webserver
!
access-list acl_out permit tcp any host 200.10.15.189 eq 80
!
access-group acl_out in interface outside
!


Maybe I am going about this the wrong way;
maybe there is still hope just by tweaking my static NAT translation at the
router.
If you have reached this far, thank you for your time and effort.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63458&t=63458
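The packet path the replies argue about, traced with a small Python model added here (not code from the thread, from Cisco, or from any poster). It parses the `ip nat inside source static`, `name`, `static (inside,outside)` and `access-list` lines exactly as posted above, then follows an inbound connection to 200.10.15.189:80 through the 827 and the PIX for three layouts: the configs as posted, Kent's double-NAT change, and the single-NAT layout Albert, Brett and Mark describe (no NAT on the 827, the public /29 on its Ethernet0 with `ip unnumbered` on the dialer, the PIX outside in that /29). The model applies one PIX 6.x rule the thread does not spell out: the access-list on the outside interface is matched against the destination before translation, so under Kent's change the posted `permit tcp any host 200.10.15.189 eq 80` line no longer matches and must name 192.168.0.30 instead. The placement of the /29 addresses in the single-NAT case and that 192.168.0.30 access-list line are assumptions of the example.

```python
"""Trace an inbound connection to the public web-server address through the 827
and the PIX 506E with a small model of each device's static NAT entries, outside
access-list and connected networks; NAT, name and ACL lines are parsed in the
syntax the thread posts (IOS 'ip nat inside source static tcp', PIX 'static')."""
import ipaddress
import re

WEBSERVER = "192.168.1.30"   # the host behind the PIX, from the original post


class Device:
    def __init__(self, name, connected):
        self.name = name
        self.connected = [ipaddress.ip_network(n) for n in connected]
        self.names = {}     # PIX 'name' alias -> address
        self.statics = []   # (global_ip, global_port|None, local_ip, local_port|None)
        self.acl = []       # (global_ip, port) permitted inbound; empty = no ACL bound

    def load(self, config):
        for line in config.strip().splitlines():
            line = line.strip()
            m = re.match(r"ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)", line)
            if m:
                self.statics.append((m[3], int(m[4]), m[1], int(m[2])))
                continue
            m = re.match(r"name (\S+) (\S+)", line)
            if m:
                self.names[m[2]] = m[1]
                continue
            m = re.match(r"static \(inside,outside\) (\S+) (\S+)", line)
            if m:
                self.statics.append((self.names.get(m[1], m[1]), None,
                                     self.names.get(m[2], m[2]), None))
                continue
            m = re.match(r"access-list \S+ permit tcp any host (\S+) eq (\d+)", line)
            if m:
                self.acl.append((self.names.get(m[1], m[1]), int(m[2])))

    def permitted(self, dst, port):
        # A PIX 6.x outside access-list is matched against the global
        # (pre-translation) destination: it must name what arrives on the wire.
        return not self.acl or (dst, port) in self.acl

    def translate(self, dst, port):
        for g_ip, g_port, l_ip, l_port in self.statics:
            if g_ip == dst and g_port in (None, port):
                return l_ip, (port if l_port is None else l_port)
        return dst, port    # no static matched: destination unchanged

    def reachable(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.connected)


def trace(path, dst, port, server=WEBSERVER):
    """Push dst:port through the devices in order; return (delivered, log)."""
    log = []
    for dev in path:
        if not dev.permitted(dst, port):
            log.append(f"{dev.name}: {dst}:{port} denied by access-list")
            return False, log
        new_dst, new_port = dev.translate(dst, port)
        log.append(f"{dev.name}: {dst}:{port} -> {new_dst}:{new_port}")
        dst, port = new_dst, new_port
        if not dev.reachable(dst):
            log.append(f"{dev.name}: no connected route to {dst}")
            return False, log
    return dst == server, log


PIX_POSTED = """name 192.168.1.30 webserver
static (inside,outside) 200.10.15.189 webserver
access-list acl_out permit tcp any host 200.10.15.189 eq 80"""


def original():
    """The posted configs: the 827 rewrites the destination to a network it has
    no interface on, so the flow never reaches the PIX."""
    r = Device("827", ["200.10.10.0/24", "192.168.0.0/24"])
    r.load("ip nat inside source static tcp 192.168.1.30 80 200.10.15.189 80 extendable")
    p = Device("PIX", ["192.168.0.0/24", "192.168.1.0/24"])
    p.load(PIX_POSTED)
    return trace([r, p], "200.10.15.189", 80)


def double_nat(acl_host):
    """Kent's change; acl_host is what the PIX outside access-list permits (assumed)."""
    r = Device("827", ["200.10.10.0/24", "192.168.0.0/24"])
    r.load("ip nat inside source static tcp 192.168.0.30 80 200.10.15.189 80 extendable")
    p = Device("PIX", ["192.168.0.0/24", "192.168.1.0/24"])
    p.load(f"name 192.168.1.30 webserver\nstatic (inside,outside) 192.168.0.30 webserver\n"
           f"access-list acl_out permit tcp any host {acl_host} eq 80")
    return trace([r, p], "200.10.15.189", 80)


def single_nat():
    """Albert/Brett/Mark: no NAT on the 827, the public /29 on its Ethernet0 (and
    'ip unnumbered' on the dialer), PIX outside in that /29. Assumed addressing."""
    r = Device("827", ["200.10.15.184/29"])
    p = Device("PIX", ["200.10.15.184/29", "192.168.1.0/24"])
    p.load(PIX_POSTED)   # the posted PIX static and ACL already fit this layout
    return trace([r, p], "200.10.15.189", 80)


if __name__ == "__main__":
    for label, (ok, log) in [("original", original()), ("double NAT, ACL as posted", double_nat("200.10.15.189")),
                             ("double NAT, ACL updated", double_nat("192.168.0.30")), ("single NAT on PIX", single_nat())]:
        print(f"{label}: {'delivered' if ok else 'FAILED'}", *log, sep="\n    ")
```

Running the file prints each case with its per-device rewrites: the posted configs fail at the 827, which has no interface on 192.168.1.0/24 after rewriting the destination, the double-NAT case fails at the PIX until the access-list is updated, and the single-NAT layout delivers with one translation, which is why the replies prefer it.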