
Some Cisco PIX newbie questions

From: ALLEN, DONALD S (AIT) <da1295(at)sbc.com>
Date: Wed Jul 23 2003 - 11:55:27 EDT


Glenn,

When configuring the Pix there are some simple rules to follow.

Static commands are written with this format:

For NAT use:
static (HIGH security level interface, LOW security level interface) LOW interface IP HIGH interface IP

For non-NAT use:
static (HIGH security level interface, LOW security level interface) HIGH interface IP HIGH interface IP

These security levels are set by default Outside security0, inside security100. 100 is considered High.

As an example:
static (inside,outside) 172.16.0.1 192.168.1.1 (NAT static)
static (inside,outside) 192.168.1.1 192.168.1.1 (one-to-one translation)

access-list acl_outside permit tcp any host 172.16.0.1 eq 23
access-group acl_outside in interface outside (applies the access list to inbound traffic of the outside interface)

The command nat (inside) 0 0 allows connections to start from any IP on the inside, and is used for non-NAT; the first 0 tells NAT not to use a global address pool. Without a NAT entry in either format the PIX will not send traffic out of an interface, the inside interface included.


To establish a NAT to a global IP use:
nat (inside) 1 192.168.1.0
The 1 is the global pool #. You can have multiples.

global (outside) 1 interface (this is a many-to-one NAT/PAT)

For many-to-many translations:
global (outside) 1 172.16.1.100-172.16.1.250 netmask 255.255.255.248
global (outside) 1 172.16.1.254 netmask 255.255.255.248 (this is the PAT address)

Hope this helps.  

-----Original Message-----
From: jamesworld@intelligencia.com [mailto:jamesworld@intelligencia.com]
Sent: Tuesday, July 22, 2003 7:26 PM
To: Glenn English
Cc: 'Security-Basics'
Subject: Re: Some Cisco PIX newbie questions

Glenn,

do you have something like this:

static (inside,outside) 172.16.0.149 192.168.82.42 netmask 255.255.255.255
access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 172.16.0.149 eq 80
access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 172.16.0.149 eq 23
access-list acl_outside permit icmp 172.16.0.0 255.255.0.0 host 172.16.0.149 echo
access-list acl_outside permit icmp 172.16.0.0 255.255.0.0 host 172.16.0.149 echo-reply
access-group acl_outside in interface outside

The above assumes the following:


your mac se/30 = 192.168.82.42
you have 172.16.0.149 available as a free IP on the 'internet'

This allows TCP port 80 (HTTP) and TCP port 23 (Telnet) to the published IP of 172.16.0.149; it also allows pinging.

The access-group command applies the access-list to the outside interface.

If you have further questions, send me your lab config (strip passwords and such).

-James

At 17:50 7/22/2003, Glenn English wrote:
>I got a 506E (first experience with Cisco) last Friday, and I'm


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBPx6ufm5K7GIhja4mEQInDwCg961+GHYS+eI42b0UofeE9Q/pFxMAoOTj KFpm92672XxvZlCR0Q163x/n
=S1aM
-----END PGP SIGNATURE-----
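As an added example (it is not part of the thread and not Cisco's code), the following Python script parses the PIX 6.x static, access-list, access-group, nat and global lines used in both replies above and checks the rules they describe: the first interface named in a static must be the higher-security one, an access-list applied inbound on the outside interface must refer to the mapped (published) address rather than the inside host's real address, every nat id other than 0 needs a matching global pool, and an interface with neither a nat nor a static entry will not forward traffic. The configuration it runs on is constructed from the thread's lines plus two deliberate mistakes; the security levels are assumed to be the defaults the first reply mentions (inside 100, outside 0), and the `#` comments are part of the sample, not PIX syntax.

```python
import re

# Assumed default PIX security levels, as stated in the thread: inside 100, outside 0.
SECURITY = {"inside": 100, "outside": 0}

IFACE_RE = re.compile(r"\((\w+)(?:,(\w+))?\)")   # "(inside,outside)" or "(inside)"


def _addr(tokens):
    """Consume one ACE address spec: 'any', 'host A', or 'A MASK'. Returns (addr, remaining tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_pix(text):
    """Parse the PIX 6.x commands used in the thread into a dict of lists (other commands are ignored)."""
    cfg = {"static": [], "acl": {}, "group": [], "nat": [], "global": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' comments belong to this sample, not to PIX syntax
        if not line:
            continue
        t = line.lower().split()
        if t[0] == "static":                  # static (HIGH,LOW) MAPPED REAL [netmask M]
            high, low = IFACE_RE.match(t[1]).groups()
            cfg["static"].append({"high": high, "low": low, "mapped": t[2], "real": t[3]})
        elif t[0] == "access-list":           # access-list NAME permit PROTO SRC DST [port/type]
            src, rest = _addr(t[4:])
            dst, rest = _addr(rest)
            cfg["acl"].setdefault(t[1], []).append(
                {"action": t[2], "proto": t[3], "src": src, "dst": dst, "port": " ".join(rest)})
        elif t[0] == "access-group":          # access-group NAME in interface IFACE
            cfg["group"].append({"acl": t[1], "dir": t[2], "iface": t[4]})
        elif t[0] == "nat":                   # nat (IFACE) ID LOCAL [MASK]
            cfg["nat"].append({"iface": IFACE_RE.match(t[1]).group(1), "id": int(t[2]), "local": " ".join(t[3:])})
        elif t[0] == "global":                # global (IFACE) ID interface | POOL [netmask M]
            cfg["global"].append({"iface": IFACE_RE.match(t[1]).group(1), "id": int(t[2]), "pool": " ".join(t[3:])})
    return cfg


def check_pix(cfg):
    """Apply the thread's rules and return a list of human-readable findings (empty list = consistent)."""
    findings = []
    real_behind = {}   # (low interface, real address) -> mapped address, for NAT statics only
    for s in cfg["static"]:
        if SECURITY[s["high"]] <= SECURITY[s["low"]]:
            findings.append(f"static ({s['high']},{s['low']}): first interface must be the higher-security one")
        if s["mapped"] != s["real"]:
            real_behind[(s["low"], s["real"])] = s["mapped"]
    for g in cfg["group"]:
        aces = cfg["acl"].get(g["acl"])
        if aces is None:
            findings.append(f"access-group {g['acl']}: access-list is not defined")
            continue
        for ace in aces:
            mapped = real_behind.get((g["iface"], ace["dst"]))
            if mapped:   # ACE on the low-security side names the inside host's real address
                findings.append(f"access-list {g['acl']} ({g['dir']} on {g['iface']}): destination {ace['dst']} "
                                f"is the real inside address behind a static; permit the mapped address {mapped} instead")
    global_ids = {x["id"] for x in cfg["global"]}
    for n in cfg["nat"]:
        if n["id"] != 0 and n["id"] not in global_ids:
            findings.append(f"nat ({n['iface']}) {n['id']}: no global with id {n['id']} defined on any interface")
    if not any(n["iface"] == "inside" for n in cfg["nat"]) and not any(s["high"] == "inside" for s in cfg["static"]):
        findings.append("inside: no nat or static entry, so the PIX will not forward traffic from this interface")
    return findings


# Constructed sample: the thread's lines plus two deliberate mistakes.
SAMPLE = """
static (inside,outside) 172.16.0.149 192.168.82.42 netmask 255.255.255.255
access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 172.16.0.149 eq 80
access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 172.16.0.149 eq 23
access-list acl_outside permit icmp 172.16.0.0 255.255.0.0 host 172.16.0.149 echo
access-list acl_outside permit tcp any host 192.168.82.42 eq 22    # constructed mistake: real, not mapped, address
access-group acl_outside in interface outside
nat (inside) 1 192.168.82.0 255.255.255.0
global (outside) 1 interface
nat (inside) 2 10.0.0.0 255.0.0.0                                  # constructed mistake: no global 2
"""

if __name__ == "__main__":
    for finding in check_pix(parse_pix(SAMPLE)):
        print(finding)
```

Run as-is it reports the two planted problems; feeding it a pasted lab config (with passwords stripped, as James asks) is a quick way to confirm that every published address in an access-list really is the global side of a static before the rule is applied to the outside interface.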



Received on Wed Jul 23 19:13:29 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:06:24 EDT

