Glenn,

When configuring the PIX there are some simple rules to follow.

Static commands are written in this format:

For NAT use:
static (HIGH security level interface, LOW security level interface)
LOW interface IP HIGH interface IP
For non-NAT use:
static (HIGH security level interface, LOW security level interface)
HIGH interface IP HIGH interface IP

These security levels are set by default: outside security0, inside
security100. 100 is considered high.

As an example:
static (inside,outside) 172.16.0.1 192.168.1.1 (NAT static)
static (inside,outside) 192.168.1.1 192.168.1.1 (one-to-one translation)

access-list acl_outside permit tcp any host 172.16.0.1 eq 23
access-group acl_outside in interface outside (applies the access
list to inbound traffic of the outside interface)

The command nat (inside) 0 0 allows connections to start from any IP
on the inside, and is used for non-NAT. The first 0 tells NAT not to
use a global address pool. Without a nat entry in either format the
PIX will not send traffic out of an interface, inside interface
included.

To establish a NAT to a global IP use nat (inside) 1 192.168.1.0
The 1 is the global pool number. You can have multiple pools.
global (outside) 1 interface (this is a many-to-one NAT/PAT)
For many-to-many translations:
global (outside) 1 172.16.1.100-172.16.1.250 netmask 255.255.255.248
global (outside) 1 172.16.1.254 netmask 255.255.255.248 (this is the
PAT address)

Hope this helps.
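The rule above, that an inbound access-list on the LOW-security interface has to name the LOW-side (mapped) address of the static rather than the inside address, is the usual thing to get backwards. As an added example, not code from anyone in this thread, here is a small Python checker that parses static/access-list/access-group lines and flags an inbound permit that names the inside address; it assumes PIX 6.x semantics (the interface ACL is matched against the mapped address) and runs over a constructed config.

```python
# Constructed sample config, modelled on the static/access-list/access-group
# lines discussed in the thread. The telnet entry deliberately names the
# inside address so the checker has something to report.
SAMPLE_CONFIG = """\
static (inside,outside) 172.16.0.149 192.168.82.42 netmask 255.255.255.255
access-list acl_outside permit tcp any host 172.16.0.149 eq 80
access-list acl_outside permit tcp any host 192.168.82.42 eq 23
access-group acl_outside in interface outside
"""


def _addr_spec(tok, i):
    """Parse one ACL address spec starting at tok[i]; return (addr, next)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i], i + 2            # 'network mask' pair: keep the network


def check_inbound_acl(config):
    """Flag permit entries, applied inbound on the LOW-security side of a
    static, that name the HIGH-side (real) address instead of the mapped one.
    Assumption: PIX 6.x semantics, where the interface ACL is matched against
    the mapped (global) address before the static un-translates it."""
    statics = []                    # (low interface, mapped addr, real addr)
    aces = {}                       # acl name -> [(dest addr, config line)]
    applied = {}                    # interface -> acl name applied inbound
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "static":      # static (HIGH,LOW) mapped real ...
            low_if = tok[1].strip("()").split(",")[1]
            statics.append((low_if, tok[2], tok[3]))
        elif tok[0] == "access-list" and tok[2] == "permit":
            _, i = _addr_spec(tok, 4)          # skip the source spec
            dest, _ = _addr_spec(tok, i)
            aces.setdefault(tok[1], []).append((dest, line))
        elif tok[0] == "access-group" and tok[2] == "in":
            applied[tok[4]] = tok[1]
    findings = []
    for low_if, mapped, real in statics:
        if mapped == real:
            continue                # one-to-one static: nothing to mix up
        for dest, line in aces.get(applied.get(low_if), []):
            if dest == real:
                findings.append(f"{line!r} names inside address {real}; "
                                f"inbound ACL on {low_if} must use {mapped}")
    return findings
```

Running `check_inbound_acl(SAMPLE_CONFIG)` reports only the telnet line; the http line, which names the mapped address, passes.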


 
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2003 7:26 PM
To: Glenn English
Cc: 'Security-Basics'
Subject: Re: Some Cisco PIX newbie questions


Glenn,

do you have something like this:

static (inside,outside) 172.16.0.149 192.168.82.42 netmask 255.255.255.255
access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 172.16.0.149 eq 80
access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 172.16.0.149 eq 23
access-list acl_outside permit icmp 172.16.0.0 255.255.0.0 host 172.16.0.149 echo
access-list acl_outside permit icmp 172.16.0.0 255.255.0.0 host 172.16.0.149 echo-reply
access-group acl_outside in interface outside

The above assumes the following:

your Mac SE/30 = 192.168.82.42
you have 172.16.0.149 available as a free IP on the 'internet'

This allows tcp port 80 (http) and tcp port 23 (telnet) to the published
IP of 172.16.0.149; it also allows pinging.

the access-group command applies the access-list to the outside
interface.

If you have further questions, send me your lab config (strip
passwords and such).

-James



At 17:50 7/22/2003, Glenn English wrote:
>I got a 506E (first experience with Cisco) last Friday, and I'm
>learning how to use it with the 172.16.0.146/28 (a LAN around the
>building) as the Internet and 192.168.82.40/29 (my workstation) as
>the protected LAN. (And an old Mac SE/30 as the terminal.)
>
>Configuring from the terminal works, telnet works, https works, tftp
>works, the Java PDM pretty much works, and connecting from inside
>to outside works.
>
>But I can't figure out how to get through the firewall in the other
>direction. There's a static map from an "Internet" IP to my
>workstation, and the PIX's log shows a connection attempt. But what I
>specifically permit is being denied. Is the anti-spoofing blocking
>it? If so, why is it not blocking packets returning to the PAT
>address?
>
>--
>Glenn English
>[EMAIL PROTECTED]
