Suggested prerequisite reading:
* Cisco Forum FAQ » Redundant Internet Link Graceful Load Balance/Failover
* Cisco Forum FAQ » Things to expect when setup network for home or small business
1. One exit to ISP, Router performs NAT/PAT, PIX/ASA performs no NAT/PAT
This sample configuration assumes the following:
* You have one ISP providing a single path to your router
* You set the router to do the NAT/PAT and basic firewalling, and leave the PIX to do the stateful firewalling
* There is one ISP IP block you receive: 1.1.0.0/30, where 1.1.0.1 is the default gateway and you use 1.1.0.2 (the only usable public IP address for all servers and other machines in your LAN)
* You are running servers visible to the public
* The servers are web, mail, and ftp
* Your internal web server IP address is 10.10.11.2
* Your internal ftp server IP address is 10.10.11.3
* Your internal mail server IP address is 10.10.11.4
* You use 1.1.0.2 as your three servers' public IP address (static PAT)
* You use a range of 1.0.1.30 to 1.0.1.254 as your LAN workstations' public IP addresses (dynamic NAT and PAT)
* You permit only the internal host 10.10.11.5 to Telnet and PDM into the PIX
* Internal hosts receive their IP addresses automatically (as DHCP clients) from the PIX
* Since the PIX outside interface subnet is a /30, there are no other IP-based hosts between the PIX and the router within the same subnet
Router Configuration
!
version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!!!!!!!!!!!!! This is the ISP's DNS IP addresses
ip name-server 1.1.1.2
ip name-server 1.1.1.3
!!!!!!!!!!!!!
!
!
!
!
!
!!!!!!!!!!!! This is the LAN side facing the PIX outside interface
interface Ethernet0
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
 no cdp enable
!
!!!!!!!!!!!! This is to the ISP modem
interface Ethernet1
 ip address 1.1.0.2 255.255.255.252
 ip nat outside
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.0.1
ip route 10.10.11.0 255.255.255.0 10.10.10.2
no ip http server
!
!!!!!!!!!!!! Static PAT: only these six server ports are reachable on 1.1.0.2 from outside
ip nat inside source static tcp 10.10.11.2 80 1.1.0.2 80
ip nat inside source static tcp 10.10.11.2 443 1.1.0.2 443
ip nat inside source static tcp 10.10.11.3 20 1.1.0.2 20
ip nat inside source static tcp 10.10.11.3 21 1.1.0.2 21
ip nat inside source static tcp 10.10.11.4 25 1.1.0.2 25
ip nat inside source static tcp 10.10.11.4 110 1.1.0.2 110
!!!!!!!!!!!! Dynamic PAT for the workstations, overloading the outside interface address
ip nat inside source list 1 interface Ethernet1 overload
!
!!!!!!!!!!!! Standard ACL 1 (no "ip" keyword): inside subnets allowed to be translated and to reach the vty lines
access-list 1 remark Permit Only Inside Subnets
access-list 1 permit 10.10.8.0 0.0.3.255
no cdp run
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 access-class 1 in
 login local
 length 0
!
scheduler max-task-time 5000
end
PIX Firewall Configuration
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network WEB
  network-object host 10.10.11.2
object-group network FTP
  network-object host 10.10.11.3
object-group network MAIL
  network-object host 10.10.11.4
object-group service MAIL_SERVICES tcp
  port-object eq smtp
  port-object eq pop3
object-group service WEB_SERVICES tcp
  port-object eq www
  port-object eq https
access-list INBOUND permit icmp any any
access-list INBOUND permit tcp any object-group WEB object-group WEB_SERVICES
access-list INBOUND permit tcp any object-group MAIL object-group MAIL_SERVICES
access-list INBOUND permit tcp any object-group FTP range ftp-data ftp
access-list nonat permit ip any any
pager lines 24
logging on
logging console warnings
logging monitor warnings
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.2 255.255.255.252
ip address inside 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.11.5 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.11.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.11.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.11.30-10.10.11.254 inside
dhcpd dns 1.1.1.2 1.1.1.3
dhcpd enable inside
terminal width 80
Cryptochecksum:3d7c056e8f90642f265cf42674b5a878
: end
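In this design the router's static PAT entries and the PIX INBOUND access list must agree: a port forwarded on the router but not permitted by the PIX is silently dropped, and a PIX permit with no translation behind it is a dead rule. The following Python audit helper is an added example, not part of the FAQ; it parses constructed excerpts written in the style of the two configurations above and reports both kinds of drift.

```python
import re
# Added audit helper (not part of the sample configuration). The excerpts below are
# constructed in the style of the configs above; the 3389 forward and the ftp-data permit
# are deliberate mismatches so the check has something to report.
ROUTER_CFG = """
ip nat inside source static tcp 10.10.11.2 80 1.1.0.2 80
ip nat inside source static tcp 10.10.11.2 443 1.1.0.2 443
ip nat inside source static tcp 10.10.11.3 21 1.1.0.2 21
ip nat inside source static tcp 10.10.11.2 3389 1.1.0.2 3389
"""
PIX_CFG = """
object-group network WEB
  network-object host 10.10.11.2
object-group network FTP
  network-object host 10.10.11.3
object-group service WEB_SERVICES tcp
  port-object eq www
  port-object eq https
access-list INBOUND permit tcp any object-group WEB object-group WEB_SERVICES
access-list INBOUND permit tcp any object-group FTP range ftp-data ftp
"""
PORTS = {"ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80, "pop3": 110, "https": 443}
port = lambda tok: PORTS.get(tok) or int(tok)  # keyword or numeric port

def router_forwards(cfg):
    """(inside host, inside port) pairs the router exposes through static PAT."""
    return {(h, port(p)) for h, p in
            re.findall(r"ip nat inside source static tcp (\S+) (\S+) \S+ \S+", cfg)}

def pix_permits(cfg):
    """(inside host, port) pairs the INBOUND ACL permits, object groups expanded."""
    groups, cur = {}, None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "object-group":        # network or service group header
            cur = groups.setdefault(t[2], [])
        elif t[0] == "network-object":    # "network-object host A.B.C.D"
            cur.append(t[2])
        elif t[0] == "port-object":       # "eq X" or "range LO HI"
            cur.extend(range(port(t[2]), port(t[-1]) + 1))
    acl = r"access-list INBOUND permit tcp any object-group (\S+) (?:object-group (\S+)|range (\S+) (\S+))"
    allowed = set()
    for dst, svc, lo, hi in re.findall(acl, cfg):
        ports = groups[svc] if svc else range(port(lo), port(hi) + 1)
        allowed |= {(h, p) for h in groups[dst] for p in ports}
    return allowed

def audit(router_cfg, pix_cfg):  # -> (forwarded but blocked by PIX, permitted but never forwarded)
    fwd, ok = router_forwards(router_cfg), pix_permits(pix_cfg)
    return sorted(fwd - ok), sorted(ok - fwd)
```

Run `audit(ROUTER_CFG, PIX_CFG)` to get the two lists; on the real configurations above both come back empty, which is the state to verify after every change to either device.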
2. Multiple exits to ISP (Failover Routing), Router performs no NAT/PAT, PIX/ASA performs NAT/PAT
This sample configuration assumes the following:
* You have one ISP providing multiple paths to your router
* There is an SLA between you and the ISP that provides the failover routing mechanism
* You set the PIX to do the NAT/PAT and to provide the stateful firewall features, and leave the router to do the failover routing (source routing)
* There are two ISP IP blocks you receive: 1.0.0.0/24 and 1.0.1.0/24
* The ISP path #1 subnet is 1.1.0.0/30, where 1.1.0.2 is on your side
* The ISP path #2 subnet is 1.1.0.4/30, where 1.1.0.6 is on your side
* Both 1.1.0.1 and 1.1.0.5 are on the ISP router that serves as your default gateway to the Internet
* The ISP router is set to use path #1 as primary to reach 1.0.0.0/24, and path #2 as alternate
* Likewise, the ISP router is set to use path #2 as primary to reach 1.0.1.0/24, and path #1 as alternate
* The only networks visible to your ISP are the ones they assign to you, which are 1.1.0.0/29 and 1.0.0.0/23. Other IP addresses or subnets are internal and are only visible to your network
* You are running servers visible to the public
* The servers use the 1.0.0.0/24 block and the workstations use the 1.0.1.0/24 block
* The servers are web, mail, and ftp
* Your internal web server IP address is 10.10.11.2
* Your internal ftp server IP address is 10.10.11.3
* Your internal mail server IP address is 10.10.11.4
* You use 1.0.0.3 as your three servers' public IP address (static PAT)
* You use a range of 1.0.1.1 to 1.0.1.254 as your LAN workstations' public IP addresses (dynamic NAT and PAT)
* You permit only the internal host 10.10.11.5 to Telnet and PDM into the PIX
* Internal hosts receive their IP addresses automatically (as DHCP clients) from the PIX
* Since the PIX outside interface subnet is a /30, there are no other IP-based hosts between the PIX and the router within the same subnet
Router Configuration
!
version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!!!!!!!!!!!!! This is the ISP's DNS IP addresses
ip name-server 1.1.1.2
ip name-server 1.1.1.3
!!!!!!!!!!!!!
!
!
!
!
!
!!!!!!!!!!!! This is the LAN side facing the PIX outside interface
!!!!!!!!!!!! The policy route-map is applied to traffic arriving from the PIX
interface Ethernet0
 ip address 10.10.10.1 255.255.255.252
 no cdp enable
 ip policy route-map SourceRouting
!
!!!!!!!!!!!! This is the ISP path #1
interface Ethernet1
 ip address 1.1.0.2 255.255.255.252
 no cdp enable
!
!!!!!!!!!!!! This is the ISP path #2
interface Ethernet2
 ip address 1.1.0.6 255.255.255.252
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.0.1
ip route 0.0.0.0 0.0.0.0 1.1.0.5
ip route 1.0.0.0 255.255.254.0 10.10.10.2
no ip http server
!
access-list 101 remark Primary Route to ISP #1
access-list 101 permit ip host 1.0.0.3 any
access-list 102 remark Primary Route to ISP #2
access-list 102 permit ip 1.0.1.0 0.0.0.255 any
no cdp run
!
!!!!!!!!!!!! "set ip next-hop" is used while the next hop is reachable; "set interface"
!!!!!!!!!!!! takes over when the route to that next hop disappears (link down)
route-map SourceRouting permit 10
 match ip address 101
 set ip next-hop 1.1.0.1
 set interface Ethernet2
!
route-map SourceRouting permit 20
 match ip address 102
 set ip next-hop 1.1.0.5
 set interface Ethernet1
!
line con 0
 exec-timeout 120 0
 stopbits 1
!!!!!!!!!!!! Note: unlike section 1, no access-class restricts who may reach the vty lines here
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
!
scheduler max-task-time 5000
end
PIX Firewall Configuration
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
  description Allowable inbound ICMP traffic
  icmp-object echo-reply
  icmp-object unreachable
  icmp-object time-exceeded
object-group service PUBLIC_SERVER-TCP tcp
  description Allowable inbound TCP traffic
  port-object range ftp-data ftp
  port-object eq smtp
  port-object eq www
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
access-list INBOUND permit tcp any any object-group PUBLIC_SERVER-TCP
pager lines 24
logging on
logging console warnings
logging monitor warnings
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.2 255.255.255.252
ip address inside 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.11.5 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 1.0.1.1-1.0.1.253 netmask 255.255.255.0
global (outside) 1 1.0.1.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.0.0.3 www 10.10.11.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.0.3 ftp-data 10.10.11.3 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.0.3 ftp 10.10.11.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.0.0.3 smtp 10.10.11.4 smtp netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.11.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.11.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.11.30-10.10.11.254 inside
dhcpd dns 1.1.1.2 1.1.1.3
dhcpd enable inside
terminal width 80
Cryptochecksum:3d7c056e8f90642f265cf42674b5a878
: end
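The failover behaviour of the SourceRouting route-map in the router configuration above is easiest to review as a table of "which exit does each source take when a path is down". The Python simulation below is an added example, not part of the FAQ or IOS; the names POLICY, NEXT_HOP_IF, egress and failover_table are chosen here, and it assumes a next hop is usable only while the interface that owns it is up.

```python
import ipaddress

# Added simulation of the SourceRouting route-map above; not IOS code. Assumption: a next
# hop is reachable only while the interface that owns it is up, which is what a plain
# "set ip next-hop" checks (the routing table, not the ISP's health). An upstream fault
# that leaves the link up is therefore not detected by this design.
POLICY = [  # (matching source prefix, preferred next hop, fallback egress interface)
    ("1.0.0.3/32", "1.1.0.1", "Ethernet2"),  # access-list 101: servers prefer path #1
    ("1.0.1.0/24", "1.1.0.5", "Ethernet1"),  # access-list 102: workstations prefer path #2
]
NEXT_HOP_IF = {"1.1.0.1": "Ethernet1", "1.1.0.5": "Ethernet2"}  # connected /30s
DEFAULT_ROUTES = ["1.1.0.1", "1.1.0.5"]  # the two static default routes


def egress(src, links_up):
    """Return (next hop or None, outgoing interface or None) for a packet from src.

    links_up is the set of interface names that are currently up. A None next hop
    means "set interface" forced the packet out without an explicit gateway.
    """
    ip = ipaddress.ip_address(src)
    for prefix, next_hop, fallback in POLICY:
        if ip not in ipaddress.ip_network(prefix):
            continue
        if NEXT_HOP_IF[next_hop] in links_up:  # route-map: set ip next-hop
            return next_hop, NEXT_HOP_IF[next_hop]
        if fallback in links_up:               # route-map: set interface
            return None, fallback
        break  # both policy options are down: fall through to normal routing
    for next_hop in DEFAULT_ROUTES:            # destination-based default routes
        if NEXT_HOP_IF[next_hop] in links_up:
            return next_hop, NEXT_HOP_IF[next_hop]
    return None, None


def failover_table(sources, scenarios):
    """Map (scenario name, source) to its egress so the design can be reviewed at a glance."""
    return {(name, s): egress(s, up) for name, up in scenarios.items() for s in sources}


if __name__ == "__main__":
    scenarios = {"both up": {"Ethernet1", "Ethernet2"},
                 "path #1 down": {"Ethernet2"}, "path #2 down": {"Ethernet1"}}
    for (name, src), (nh, ifc) in failover_table(["1.0.0.3", "1.0.1.77"], scenarios).items():
        print(f"{name:>13}  src={src:<10} -> next-hop={nh} via {ifc}")
```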
Note: This is just a sample configuration and is not intended as a working configuration for any particular network design. Your actual failover routing mechanism might differ from what is suggested here, depending on the SLA between you and your ISP.
by aryoba, last modified: 2008-02-06 15:10:41