
I am looking for some configuration help with a Cisco PIX 501 version 6.3(3). It is currently set up with IP 192.168.1.1 and a subnet mask of 255.255.255.0, and all clients have IP addresses in the 192.168.1.xxx range. All clients are connecting via an unmanaged switch to the PIX, which in turn connects to the internet.

I am trying to accomplish two things. FIRST, I am trying to add an internal client with an IP address of 192.168.10.10, and allow that client to access everything (both internal and external). I also want to be able to RDP to this client from the internet. SECOND, once I accomplish this, I would like to prohibit the new client from accessing the server at 192.168.1.10 (and vice versa).

I have made an attempt to do this, but so far, no luck. So far, I have done the following:

- added (via the PDM) an inside host/network of 192.168.10.0 255.255.255.0

- added (via the PDM) an Access Rule allowing port 3389 to make it through to the client at 192.168.10.10

- changed (via the PDM) the inside interface to a subnet of 255.255.0.0 (was 255.255.255.0)

- added (via telnet) route inside 192.168.10.0 255.255.255.0 192.168.1.1 1.

Finally, I changed the IP on this client to 192.168.10.10, but left the gateway as 192.168.1.1. (I didn't start to try to limit access for this client to the server at 192.168.1.10, as I still haven't accomplished my first goal.) The current PIX config is detailed below.

I cannot RDP to this client, nor can I ping this client from any other computer on the 192.168.1.xxx subnet. I must have configured something wrong, just not sure what it is. Thanks for your help.

void# wr t
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password [omitted] encrypted
passwd [omitted] encrypted
hostname void
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.11 Server2010
access-list outside-in permit tcp any interface outside eq 3389
access-list outside-in permit tcp any interface outside eq 5900
access-list outside-in permit tcp any interface outside eq smtp
access-list outside-in permit tcp any interface outside eq www
access-list outside-in permit tcp any interface outside eq https
access-list outside-in permit tcp any interface outside eq pop3
access-list outside-in permit tcp any interface outside eq ftp
access-list outside-in permit icmp any any echo
access-list inside_outbound_nat0_acl permit ip any 192.168.1.48 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.48 255.255.255.240
access-list splittunnel permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.162 255.255.255.0
ip address inside 192.168.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.1.50-192.168.1.60
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 192.168.1.200 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.1.111 255.255.255.255 inside
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 192.168.10.10 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5900 192.168.1.200 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.10 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.253 1
route outside xxx.xxx.0.0 255.255.0.0 66.166.39.221 1
route inside 192.168.10.0 255.255.255.0 192.168.1.1 1
route outside xxx.xxx.104.0 255.255.254.0 66.166.39.221 1
route outside xxx.xxx.176.0 255.255.248.0 66.166.39.221 1
route outside xxx.xxx.246.0 255.255.255.0 66.166.39.221 1
route outside xxx.xxx.161.0 255.255.255.0 66.166.39.221 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup vpngroup idle-time 1800
vpngroup aravpn address-pool vpnpool
vpngroup aravpn dns-server 192.168.1.10 206.141.192.60
vpngroup aravpn wins-server 192.168.1.10
vpngroup aravpn default-domain mydomain.local
vpngroup aravpn split-tunnel splittunnel
vpngroup aravpn idle-time 1800
vpngroup aravpn password ********
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.101-192.168.1.109 inside
dhcpd dns 192.168.1.10 64.105.189.26
dhcpd wins 192.168.1.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain mydomain.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:
: end
[OK]
void#
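A quick way to sanity-check a pasted PIX 6.x config like the one above is to cross-reference the `static` port forwards against the `outside-in` access list: a static with no matching permit is unreachable, and a permit with no static is dead weight. The script below is an added example written for this thread, not code from the original post or from Cisco; it parses a constructed excerpt modelled on the config above (the excerpt deliberately omits the `ftp` permit so the mismatch check has something to report) and also flags two settings visible in the dump that a reviewer would normally raise, the default `public` SNMP community and cleartext telnet management.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt modelled on the config pasted above; the ftp ACL line is left out on purpose.
SAMPLE_CONFIG = """\
access-list outside-in permit tcp any interface outside eq 3389
access-list outside-in permit tcp any interface outside eq 5900
access-list outside-in permit tcp any interface outside eq smtp
access-list outside-in permit tcp any interface outside eq www
access-list outside-in permit icmp any any echo
static (inside,outside) tcp interface 5900 192.168.1.200 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0
access-group outside-in in interface outside
snmp-server community public
telnet 192.168.0.0 255.255.0.0 inside
"""

# PIX accepts well-known service names in place of port numbers; map the ones this config uses.
SERVICE_PORTS = {"smtp": 25, "www": 80, "https": 443, "pop3": 110, "ftp": 21, "ssh": 22}

STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any interface outside eq (\S+)")


def port_number(token: str) -> int:
    """Translate a port token ('3389' or 'smtp') into an integer port."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def parse_statics(text: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Map (proto, outside port) -> (inside host, inside port) for interface-PAT statics."""
    statics = {}
    for line in text.splitlines():
        m = STATIC_RE.match(line)
        if m:
            proto, out_port, host, in_port = m.groups()
            statics[(proto, port_number(out_port))] = (host, port_number(in_port))
    return statics


def parse_outside_acl(text: str, acl_name: str = "outside-in") -> Set[Tuple[str, int]]:
    """Collect the (proto, port) pairs the named ACL permits inbound to the outside interface."""
    permitted = set()
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m and m.group(1) == acl_name:
            permitted.add((m.group(2), port_number(m.group(3))))
    return permitted


def audit(text: str) -> dict:
    """Cross-reference statics with the ACL and flag weak management settings."""
    statics = parse_statics(text)
    permitted = parse_outside_acl(text)
    reachable = {k: v for k, v in statics.items() if k in permitted}
    orphan_statics = sorted(k for k in statics if k not in permitted)   # forwarded but blocked
    orphan_acl = sorted(k for k in permitted if k not in statics)       # permitted but nowhere to go
    findings: List[str] = []
    if re.search(r"^snmp-server community public$", text, re.M):
        findings.append("SNMP community is the default 'public'")
    if re.search(r"^telnet \S+ \S+ inside$", text, re.M):
        findings.append("cleartext telnet management is enabled on the inside interface")
    return {"reachable": reachable, "orphan_statics": orphan_statics,
            "orphan_acl": orphan_acl, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for (proto, port), (host, in_port) in sorted(result["reachable"].items()):
        print(f"exposed: {proto}/{port} -> {host}:{in_port}")
    print("statics without a permit:", result["orphan_statics"])
    print("permits without a static:", result["orphan_acl"])
    for f in result["findings"]:
        print("finding:", f)
```

Run against the full dump, the `3389` static to 192.168.10.10 shows up as exposed from the outside, which confirms the RDP forward itself is wired correctly on the PIX and points the investigation at the client's addressing instead.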

Off the top, I don't believe the 501 supports VLANs -- I do believe VLAN support was added on the PIX line with 6.3, so your IOS is ok -- but I don't believe you can actually do VLANs on the 501?

It's been a while since I have played with a 501, but I don't think it can do what you want. I don't believe you can even route with it like that with a 501.

I would think an easier solution with the hardware you have on hand would be to just put this new client on the same network as everything else -- you stated you wanted it to be able to access everything on the network except the server at .10 -- so on the .10 firewall just prevent this client.

On the pix just setup a rule to allow the RDP access to this client.

1st, don't use the PDM; you can mess up your config pretty good with that.

2nd, you will have to create VLANs (please do not use the PDM for this). I am not sure that the 501 is capable, but this is what is needed.

interface ethernet2 auto
nameif ethernet2 secure_vlan security100
ip address secure_vlan 192.168.10.1 255.255.255.0

---------------------

With the security level on the ethernet2 port being at the same security level as ethernet1, this should deny access between the two.

Your gateway is going to be 192.168.10.1 for the PC, not 192.168.1.1.

You mentioned the subnets you have applied to the PIX, but what about the client?

If you changed the IP as you said ("Finally, I changed the IP on this client to 192.168.10.10, but left the gateway as 192.168.1.1") but the subnet is 255.255.255.0, then it probably cannot see the PIX at 192.168.1.1.

It is usually something I forget to overlook; change the subnet to 255.255.0.0 and it will spring to life.

This could cause you problems with preventing it from performing the other things you want to do.

I would say the best thing to do would be to set a secondary IP on the internal interface (if you can) to give you a gateway of something like 192.168.10.1.

But I really don't know much about a Cisco PIX and am probably completely going down the wrong path with this advice.

**Edit** ohh look beaten by sc302 while posting :D lol, said my advice was probably wrong :D

Thanks for the replies. Looks like I need to track down whether the 501 supports vlans.

One other thing: I mis-stated one fact in my summary above (although if the 501 doesn't support vlans, it probably won't matter). The outside port on the PIX does not connect directly to the internet, it connects to another internal router over which I have no control. The PIX has an outside IP of 192.168.2.162. No machines on the 192.168.1.xxx network (or 192.168.10.xxx) need to access any resources on the 192.168.2.xxx network. When data leaves the outbound port on the PIX, it is destined for the internet. Don't know if that changes anyone's thoughts.

Well, you are going to have to see the 2.x network. They can limit you if they want on their end. Being that you are double NATting (192.168.2.x ----> 192.168.1.x & 10.x), I highly doubt that you are going to be able to give RDP access from the internet to your PCs, unless they have it configured that their equipment passes all port traffic to you and the 2.x network is nothing but a pass-through.

That changes things quite a bit, from doable to impossible.

According to this site, the 501 does not support any logical interfaces. So I'm down to one option now.

If I put the new client back on the 192.168.1.xxx domain (with an IP of 192.168.1.11 and a subnet mask of 255.255.255.0), what do I need to do in order to allow that client access to only the outside port, but nothing on the inside network?

  On 22/04/2010 at 16:24, gurs said:

According to this site, the 501 does not support any logical interfaces. So I'm down to one option now.

If I put the new client back on the 192.168.1.xxx domain (with an IP of 192.168.1.11 and a subnet mask of 255.255.255.0), what do I need to do in order to allow that client access to only the outside port, but nothing on the inside network?

Nothing. Your config should be set so that no one from the outside will access the inside, but the inside will access the outside.

If you edited your config with a console cable or through telnet, just put a "no" in front of the lines I put here to remove them.

example

no ip address secure_vlan 192.168.10.1 255.255.255.0

You can't with your current hardware. For starters, you're connected to some dumb switch, are you not? It has no support for ACLs, so the only way of preventing access would be with firewalls on the other machines on the same segment to prevent the access, or a firewall on the PC in question preventing access to everything but the PIX. I thought you said you wanted to allow access to everything other than some server on .10?

Also, if you're behind a double NAT like you say, with no access to that 1st router -- unless they have put your PIX's WAN IP into a DMZ or something where all traffic is forwarded to it, which I doubt -- then it would be impossible for you to set up RDP to anything behind the double NAT.

You would have to use something like TeamViewer or something where an outside source is the go-between for the connection, where the PC makes an outbound connection, etc.
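Two points in this thread come down to plain subnet arithmetic: the reply that the client with a 255.255.255.0 mask cannot even see its gateway at 192.168.1.1, and the reply above that hosts on one switch segment talk to each other without the PIX ever seeing the packets, so its ACLs cannot separate them. The script below is an added example for this thread (not code from any poster) that checks both conditions for the addresses discussed here; the host values are taken from the thread, the interpretation of an asymmetric path (one side on-link, the other side sent to the PIX inside interface, which 6.3 would have to forward back out the same interface) is the example's own.

```python
import ipaddress

# Values from the thread: the new client, its gateway (the PIX inside address) and the server.
CLIENT_GW = "192.168.1.1"
SERVER_IP, SERVER_MASK = "192.168.1.10", "255.255.255.0"


def on_link(host_ip: str, netmask: str, other_ip: str) -> bool:
    """True if other_ip lies inside host_ip's configured subnet, i.e. the host will ARP for it directly."""
    net = ipaddress.ip_network(f"{host_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(other_ip) in net


def path(src_ip: str, src_mask: str, dst_ip: str) -> str:
    """How src sends to dst: straight over the switch, or to its default gateway (the PIX)."""
    return "direct" if on_link(src_ip, src_mask, dst_ip) else "via-gateway"


def diagnose(client_ip: str, client_mask: str) -> dict:
    """Check gateway reachability and the forward/return path between the client and the server."""
    gw_ok = on_link(client_ip, client_mask, CLIENT_GW)
    c2s = path(client_ip, client_mask, SERVER_IP)
    s2c = path(SERVER_IP, SERVER_MASK, client_ip)
    notes = []
    if not gw_ok:
        notes.append(f"gateway {CLIENT_GW} is not inside {client_ip}/{client_mask}; "
                     "the client has no usable route off its subnet")
    if c2s == "direct" and s2c == "direct":
        notes.append("both hosts reach each other over the switch; the PIX never sees this "
                     "traffic, so a PIX ACL cannot block it (host firewalls are the only control)")
    elif c2s != s2c:
        notes.append("asymmetric path: one side sends to the PIX inside interface, which would "
                     "have to forward the packet back out the same interface")
    return {"gateway_reachable": gw_ok, "client_to_server": c2s,
            "server_to_client": s2c, "notes": notes}


if __name__ == "__main__":
    # Constructed scenarios matching the thread's three states of the client.
    for ip, mask in [("192.168.10.10", "255.255.255.0"),   # as first configured by the OP
                     ("192.168.10.10", "255.255.0.0"),     # mask widened as suggested
                     ("192.168.1.11", "255.255.255.0")]:   # moved back onto the main subnet
        r = diagnose(ip, mask)
        print(f"{ip}/{mask}: gateway ok={r['gateway_reachable']}, "
              f"client->server={r['client_to_server']}, server->client={r['server_to_client']}")
        for n in r["notes"]:
            print("  note:", n)
```

The third scenario is the one the thread ends on: with the client back at 192.168.1.11/24, both directions are on-link, which is why the last reply says only firewalls on the hosts themselves can keep that client away from the server at .10.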
