In this session we will add an internal OSPF network and configure the PIX to let the OSPF network access the external and dmz networks, building on the work of How to configure Cisco firewall PIX 525 (1).
1. The diagram with OSPF network
2. Configure OSPF on R9, R2 and R7
R9-InternalSvr(config)#int f0/0
R9-InternalSvr(config-if)#ip address 10.10.90.9 255.255.255.0
R9-InternalSvr(config-if)#no sh
R9-InternalSvr(config-if)#int lo0
R9-InternalSvr(config-if)#ip address 9.9.9.9 255.255.255.255
R9-InternalSvr(config-if)#router ospf 1
R9-InternalSvr(config-router)#network 9.9.9.9 0.0.0.0 area 0
R9-InternalSvr(config-router)#network 10.10.90.0 0.0.0.255 a 0
R2-Inside(config)#int f0/1
R2-Inside(config-if)#ip address 10.10.90.12 255.255.255.0
R2-Inside(config-if)#no sh
R2-Inside(config-if)#router ospf 1
R2-Inside(config-router)#network 10.10.90.0 0.0.0.255 a 0
R7-Inside(config)#int f1/0
R7-Inside(config-if)#ip address 10.10.90.17 255.255.255.0
R7-Inside(config-if)#no sh
R7-Inside(config-if)#router ospf 1
R7-Inside(config-router)#network 10.10.90.0 0.0.0.255 a 0
R9-InternalSvr#sh ip os nei
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/BDR 00:00:37 10.10.90.12 FastEthernet0/0
7.7.7.7 1 FULL/DROTHER 00:00:33 10.10.90.17 FastEthernet0/0
3. Add default routing to external for the internal OSPF network
Before adding default routing:
R9-InternalSvr#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
9.0.0.0/32 is subnetted, 1 subnets
C 9.9.9.9 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.90.0 is directly connected, FastEthernet0/0
R9-InternalSvr#
Add default routing on R2 and R7:
R2-Inside(config)#router ospf 1
R2-Inside(config-router)#default-information originate
R7-Inside(config)#router ospf 1
R7-Inside(config-router)#default-information originate
After adding default routing:
R9-InternalSvr#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.10.90.12 to network 0.0.0.0
9.0.0.0/32 is subnetted, 1 subnets
C 9.9.9.9 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.90.0 is directly connected, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 10.10.90.12, 00:03:00, FastEthernet0/0
[110/1] via 10.10.90.17, 00:03:00, FastEthernet0/0
R9-InternalSvr#
4. Add routing from PIX to the OSPF network
We have two paths from PIX to R9. To avoid a single point of failure, we configure HSRP on R2 and R7.
R2-Inside(config)#int f0/0
R2-Inside(config-if)#standby 1 ip 10.10.10.254
R2-Inside(config-if)#standby 1 priority 105
R2-Inside(config-if)#standby 1 preempt
R7-Inside(config-router)#int f0/0
R7-Inside(config-if)#standby 1 ip 10.10.10.254
Check the HSRP status:
R2-Inside#sh standby brie
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 1 105 P Active local 10.10.10.17 10.10.10.254
R2-Inside#
Add static routing in PIX to R9:
pix3# conf t
pix3(config)# route inside 10.10.90.0 255.255.255.0 10.10.10.254
pix3(config)# route inside 9.9.9.9 255.255.255.255 10.10.10.254
pix3(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 172.16.1.0 255.255.255.0 is directly connected, dmz
C 202.1.1.0 255.255.255.0 is directly connected, outside
S 9.9.9.9 255.255.255.255 [1/0] via 10.10.10.254, inside
C 10.10.10.0 255.255.255.0 is directly connected, inside
S 10.10.90.0 255.255.255.0 [1/0] via 10.10.10.254, inside
pix3(config)# ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
!?!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
pix3(config)#
5. Configure R9 to access external
We follow the usual method. (Actually this is already done for the whole internal network to access external; please refer to the article How to configure Cisco firewall PIX 525 (2), Chapter 11.)
High to low:
- Global address (pool) in low area
- Internal address in high area
- Access control (access-list + access-group)
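The three steps written out for the new OSPF network, as an added example and not configuration taken from the article or from part (2): the pool range 202.1.1.100-202.1.1.200 (inside the outside subnet 202.1.1.0/24), the nat id 1 and the ACL name from_inside are assumptions, and the ACL permits only what the tests below exercise (icmp and telnet).

```cisco
! --- Global address (pool) in the low-security area (outside) ---
! Assumed range; it must be an unused part of the outside subnet 202.1.1.0/24
global (outside) 1 202.1.1.100-202.1.1.200 netmask 255.255.255.0
!
! --- Internal addresses in the high-security area (inside) ---
! The OSPF LAN and the R9 loopback both reach outside through pool 1;
! the PIX only knows these prefixes via the static routes of step 4
nat (inside) 1 10.10.90.0 255.255.255.0
nat (inside) 1 9.9.9.9 255.255.255.255
!
! --- Access control (access-list + access-group) ---
! Explicit inbound ACL on the inside interface: once an ACL is bound,
! anything not listed here is dropped, so list only the needed services
access-list from_inside extended permit icmp 10.10.90.0 255.255.255.0 any
access-list from_inside extended permit icmp host 9.9.9.9 any
access-list from_inside extended permit tcp 10.10.90.0 255.255.255.0 any eq telnet
access-list from_inside extended permit tcp host 9.9.9.9 any eq telnet
access-group from_inside in interface inside
!
! --- Verification after the ping/telnet tests from R9 ---
! show xlate               : a translation 9.9.9.9 -> 202.1.1.x should exist
! show access-list from_inside : hitcnt on the icmp/telnet lines should be non-zero
```

The ACL lines are a good place to notice that the pings from R3-dmz in step 6 only work because icmp is permitted there too; with the dmz ACL restricted to telnet alone, the ping test would fail while telnet still succeeds.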
R9-InternalSvr#ping 202.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R9-InternalSvr#telnet 202.1.1.10
Trying 202.1.1.10 ... Open
R1-Internet#
R9 to DMZ is also OK:
R9-InternalSvr#ping 172.16.1.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R9-InternalSvr#telnet 172.16.1.13
Trying 172.16.1.13 ... Open
R3-dmz#
6. Configure DMZ to Internal OSPF network
DMZ to R9:
pix3(config)# static (inside,dmz) 9.9.9.9 9.9.9.9 netmask 255.255.255.255
pix3(config)# access-list from_dmz extended permit tcp any 9.9.9.9 255.255.255.255 eq telnet
R3-dmz#ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3-dmz#telnet 9.9.9.9
Trying 9.9.9.9 ... Open
R9-InternalSvr#