Check out this page:
http://www.cisco.com/public/technotes/tech_features.shtml
Look under the headings of Security and Routing Protocols.
NAT is network address translation. "ip nat inside" is configured on the
interfaces on which you want the addresses to be translated (usually - but
not in your case) to a valid public IP address. The traffic will be sent to
the outside world - often to the Internet or some network that you do not
control. These internal addresses may be from the private ranges
192.168.0.0, 172.16.0.0, 10.0.0.0
"ip nat outside" goes on the interface that is connected to the outside
world.
The group of outside addresses is listed in a named "nat pool".
Then an access-list associated with the nat pool is configured. It specifies
which inside addresses can be translated to the addresses given in the nat
pool. Last, the access-list is given with the inside address(es).
In your configuration below there are lines that do nothing. The lines that
do work are:
ip nat pool rabobank2 192.168.3.101 192.168.3.240 netmask 255.255.255.0
ip nat inside source list 1 pool rabobank2
access-list 1 permit any
Your other questions deal with CBAC, Context-Based Access Control, which is
the heart of the Cisco Secure or Firewall IOS.
The access-list is named "fw" and in this case is applied to the internal
interface in the "in" direction i.e. from the subnet INTO the router. That
is your "ip inspect fw in".
It has been set up to allow all tcp traffic originating from inside.
Therefore the "ip inspect name fw tcp".
Get a copy of Cisco ConfigMaker and try different scenarios. It will show
you enough to see the logic. It gets more interesting when you have three or
more interfaces all with rules regarding their mutual relationships.
I use EtherPeek, a software protocol analyzer, to deal with the situations
where I have "senior moments". (Usually about 1AM.)
> -----Original Message-----
> From: Sim, CT (Chee Tong) [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 05, 2000 8:47 PM
> To: 'Tim O'Brien'; 'Justin Marcus'; '[EMAIL PROTECTED]'
> Subject: firewall configuration question XXXX
>
>
>
> Dear friends, I am just a junior. I have a few questions after seeing our
> company firewall configuration... Please see below,
>
> 1) What is meaning of "ip inspect name fw tcp"
> 2) What is meaning of "ip nat outside" and "ip nat inside"
> What is the
> difference?
> 3) What is meaning of "ip inspect fw in"
> 4) What is meaning of "ip nat pool rabobank 192.168.3.101 192.168.3.200
> netmask 255.255.255.0"
>
>
>
> Chee Tong
>
> service timestamps log uptime
> no service password-encryption
> !
> hostname RBFW2514
> !
> enable password XXXXXXXXXXXXX
> !
> !
> !
> !
> !
> ip subnet-zero
> no ip domain-lookup
> !
> ip inspect name fw tcp
> ip inspect name fw udp
> ip inspect name fw smtp
> ip inspect name fw ftp
> !
> !
> process-max-time 200
> !
> interface Ethernet0
> description Interface facing Financial Service Provider
> ip address X.X.X.X 255.255.255.0
> ip access-group 100 in
> no ip directed-broadcast
> ip nat outside
> !
> interface Ethernet1
> description Interface facing Rabobank (Trusted) network
> ip address X.X.X.X 255.255.254.0
> no ip directed-broadcast
> ip nat inside
> ip inspect fw in
> !
> interface Serial0
> ip unnumbered Ethernet0
> no ip directed-broadcast
> no ip mroute-cache
> shutdown
> no fair-queue
> !
> interface Serial1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> ip nat pool rabobank 192.168.3.101 192.168.3.200 netmask 255.255.255.0
> ip nat pool rabobank1 192.168.3.201 192.168.3.240 netmask 255.255.255.0
> ip nat pool rabobank2 192.168.3.101 192.168.3.240 netmask 255.255.255.0
> ip nat inside source list 1 pool rabobank2
> ip nat inside source list 2 pool rabobank1
> ip classless
> access-list 1 permit any
> access-list 100 permit tcp any any eq www
> access-list 100 permit tcp any eq www any
> access-list 100 permit tcp any any eq 5100
> access-list 100 permit tcp any eq 5100 any
> access-list 100 permit tcp any any eq 60101
> access-list 100 permit tcp any eq 60101 any
> access-list 100 permit tcp any any eq 7091
>
> access-list 100 permit tcp any any eq 4040
> access-list 100 permit tcp any any eq 6080
> access-list 100 permit tcp any any range 8194 8294
> access-list 100 permit udp any any range 48129 48192
> access-list 100 permit udp any eq 6080 any
> access-list 100 permit udp any eq 4040 any
___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
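The reply above explains the three working NAT lines (pool rabobank2, the "ip nat inside source list 1 pool rabobank2" rule, and "access-list 1 permit any"). The following Python model is an added example, not code from the thread or from Cisco, that shows the behaviour those lines imply: because the rule has no "overload" keyword, IOS does one-to-one dynamic NAT, so each inside host that matches list 1 consumes one address from the 140-address pool, and the 141st concurrent host gets no translation. The inside addresses 10.0.0.1 to 10.0.0.141 are constructed test input; timeouts and the real translation table are simplified.

```python
"""Added model of the dynamic NAT rule discussed in the reply:

    ip nat pool rabobank2 192.168.3.101 192.168.3.240 netmask 255.255.255.0
    ip nat inside source list 1 pool rabobank2
    access-list 1 permit any

Illustrative model only (not IOS code): one-to-one dynamic NAT, no 'overload'.
"""
import ipaddress


class DynamicNatPool:
    """A named pool of inside-global addresses handed out one per inside-local host."""

    def __init__(self, name, first, last):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        self.name = name
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.table = {}  # inside local -> inside global (the NAT translation table)

    @property
    def size(self):
        return len(self.free) + len(self.table)

    def translate(self, inside_local):
        """Return the inside-global address bound to this host, allocating one if needed.

        Returns None when the pool is exhausted: without 'overload' an address cannot
        be shared between hosts, so the packet is dropped rather than translated.
        """
        if inside_local in self.table:
            return self.table[inside_local]
        if not self.free:
            return None
        inside_global = self.free.pop(0)
        self.table[inside_local] = inside_global
        return inside_global

    def release(self, inside_local):
        """Translation timed out or was cleared; the address returns to the pool."""
        self.free.append(self.table.pop(inside_local))


def access_list_1(src):
    """'access-list 1 permit any': every inside source is eligible for translation."""
    return True


def nat_inside_source(pool, acl, inside_local):
    """'ip nat inside source list ... pool ...': translate only sources the list permits."""
    if not acl(inside_local):
        return inside_local  # not matched by the list: forwarded untranslated
    return pool.translate(inside_local)


def exhaust_demo():
    """Push 141 constructed inside hosts (10.0.0.1 .. 10.0.0.141, assumed addresses)
    through the pool; returns the pool and the per-host result list."""
    pool = DynamicNatPool("rabobank2", "192.168.3.101", "192.168.3.240")
    results = [nat_inside_source(pool, access_list_1, f"10.0.0.{i}")
               for i in range(1, 142)]
    return pool, results


if __name__ == "__main__":
    pool, results = exhaust_demo()
    print(f"pool {pool.name}: {pool.size} addresses, "
          f"{sum(r is not None for r in results)} hosts translated, "
          f"{sum(r is None for r in results)} dropped")
```

The "netmask 255.255.255.0" on the pool line only tells the router which bits of the pool are the network part; it does not widen the range, so the pool really is the 140 addresses from .101 to .240. The second rule in the posted config, "ip nat inside source list 2 pool rabobank1", is left out of the model because no "access-list 2" appears anywhere in the configuration.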
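The posted config applies "access-list 100 in" on Ethernet0, the "ip nat outside" interface, so that list is evaluated on every packet arriving from the Financial Service Provider side. As an added example (not from the thread or from Cisco), the evaluator below parses the posted access-list 100 lines, copied into the script with the wrapped lines rejoined, and runs a few constructed packets through them with IOS semantics: first matching entry wins, and anything that matches nothing hits the implicit deny at the end. It shows, for instance, that the "permit tcp any eq www any" entry matches any TCP packet whose source port is 80 regardless of the destination port. What the model does not cover is CBAC: the reply explains that "ip inspect fw in" on Ethernet1 inspects sessions leaving the trusted network, and on the real router the dynamic entries CBAC creates for those sessions' return traffic are consulted as well, so this script only shows the static part of the policy. The addresses in the sample packets are documentation ranges and are assumptions.

```python
"""Added evaluator for the Cisco extended ACL posted in the thread (access-list 100).
Illustrative model of IOS first-match / implicit-deny semantics; not IOS code.
CBAC's dynamic return-traffic entries are NOT modelled here.
"""
import ipaddress

PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "domain": 53, "telnet": 23}

# Copy of access-list 100 from the posted configuration (wrapped lines rejoined).
ACL_100 = """
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any eq www any
access-list 100 permit tcp any any eq 5100
access-list 100 permit tcp any eq 5100 any
access-list 100 permit tcp any any eq 60101
access-list 100 permit tcp any eq 60101 any
access-list 100 permit tcp any any eq 7091
access-list 100 permit tcp any any eq 4040
access-list 100 permit tcp any any eq 6080
access-list 100 permit tcp any any range 8194 8294
access-list 100 permit udp any any range 48129 48192
access-list 100 permit udp any eq 6080 any
access-list 100 permit udp any eq 4040 any
"""


def _port(tok):
    return int(PORT_NAMES.get(tok, tok))


def _parse_addr(toks):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (network, wildcard)."""
    t = toks.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(ipaddress.IPv4Address(toks.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(toks.pop(0))))


def _parse_ports(toks):
    """Consume an optional 'eq X' or 'range A B'; return (lo, hi) or None for any port."""
    if toks and toks[0] == "eq":
        toks.pop(0)
        p = _port(toks.pop(0))
        return (p, p)
    if toks and toks[0] == "range":
        toks.pop(0)
        return (_port(toks.pop(0)), _port(toks.pop(0)))
    return None


def parse_acl(text):
    """Return the ACL as an ordered list of (action, proto, src, sport, dst, dport)."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list":
            continue
        action, proto, rest = toks[2], toks[3], toks[4:]
        src, sport = _parse_addr(rest), _parse_ports(rest)
        dst, dport = _parse_addr(rest), _parse_ports(rest)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def _addr_match(spec, addr):
    net, wc = spec  # wildcard bits are "don't care", exactly as IOS treats them
    return (int(ipaddress.IPv4Address(addr)) | wc) == (net | wc)


def _port_match(spec, port):
    return spec is None or spec[0] <= port <= spec[1]


def evaluate(entries, proto, src, sport, dst, dport):
    """First match wins; falling off the end is the implicit deny.
    Returns (action, 1-based entry number) or ('deny', None)."""
    for n, (action, p, s, sp, d, dp) in enumerate(entries, 1):
        if p in (proto, "ip") and _addr_match(s, src) and _port_match(sp, sport) \
                and _addr_match(d, dst) and _port_match(dp, dport):
            return action, n
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_100)
    # Constructed packets arriving on Ethernet0 (203.0.113.x = provider side, assumed).
    for pkt in [("tcp", "203.0.113.10", 80, "192.168.3.101", 22),
                ("tcp", "203.0.113.10", 40000, "192.168.3.101", 22),
                ("udp", "203.0.113.10", 1000, "192.168.3.101", 48150)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

Running it prints that the first packet (source port 80, destination port 22) is permitted by entry 2, the second (an ordinary high source port to port 22) is dropped by the implicit deny, and the UDP packet to 48150 is permitted by entry 11. The script is a convenient way to reason about which of the posted entries actually fire for a given flow before touching the router.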