I'd just add a few things and change a few things as follows:

Dave Strydom wrote:
> Correct me if i'm wrong:
>   
> # set service nat rule 5
>   
# set service nat rule 5 type source <---------add this line
> # set service nat rule 5 source address 10.10.10.126
> # set service nat rule 5 outside-address address 70.165.x.x
> # set service nat rule 5 outbound-interface eth0 <--- This is not required but is definitely valid
> # commit
> # set service nat rule 10
>   
# set service nat rule 10 type destination <---------add this line
> # set service nat rule 10 inside-address address 10.10.10.126
>   
The line below should be changed from:
> # set service nat rule 10 outside-address address 70.165.x.x
>   
to:

# set service nat rule 10 destination address 70.165.10.10
> # set service nat rule 10 inbound-interface eth0 <--- This is also not required but is a valid option
> # commit
>
> # set firewall name nat-in rule 1 action drop <--- This should be changed to accept
> # set firewall name nat-in rule 1 source address 65.248.x.x
> # set firewall name nat-in rule 1 protocol udp
>   
The line below should be changed from:
> # set firewall name nat-in rule 1 destination address 70.165.x.x
>   
to:

# set firewall name nat-in rule 1 destination address 10.10.10.126 (the NAT will have already taken place prior to reaching this rule)


> # set firewall name nat-in rule 1 destination port-range start 5059
> # set firewall name nat-in rule 1 destination port-range stop 5062
> # commit
> # set firewall name nat-in rule 2 action drop <--- This should also be changed to accept
> # set firewall name nat-in rule 2 source address 65.248.x.x
> # set firewall name nat-in rule 2 protocol udp
>   
The line below should be changed from:
> # set firewall name nat-in rule 2 destination address 70.165.x.x
>   
to:

# set firewall name nat-in rule 2 destination address 10.10.10.126 


> # set firewall name nat-in rule 2 destination port-range start 10000
> # set firewall name nat-in rule 2 destination port-range stop 51000
> # commit
>
> # set interface ethernet eth0 firewall in name nat-in
> # commit
>
>
> - Dave
>   
The firewall has an implicit deny all at the end, similar to your PIX 
OS.  So, if you want to allow other traffic to pass, you'll need to add 
additional "accept" statements to your firewall.

If the chopped up email is difficult to read, here is the entire set of 
commands uninterrupted:

# set service nat rule 10 type source
# set service nat rule 10 source address 10.10.10.126
# set service nat rule 10 outside-address address 70.165.x.x

# set service nat rule 20 type destination
# set service nat rule 20 destination address 70.165.x.x
# set service nat rule 20 inside-address address 10.10.10.126
 
# set firewall name nat-in rule 10 action accept
# set firewall name nat-in rule 10 protocol udp
# set firewall name nat-in rule 10 source address 65.248.x.x
# set firewall name nat-in rule 10 destination address 10.10.10.126
# set firewall name nat-in rule 10 destination port-range start 5059
# set firewall name nat-in rule 10 destination port-range stop 5062

# set firewall name nat-in rule 20 action accept
# set firewall name nat-in rule 20 protocol udp
# set firewall name nat-in rule 20 source address 65.248.x.x
# set firewall name nat-in rule 20 destination address 10.10.10.126
# set firewall name nat-in rule 20 destination port-range start 10000
# set firewall name nat-in rule 20 destination port-range stop 51000

# commit

You also need to apply the firewall to your outside facing interface as 
follows:

# set interfaces ethernet eth0 firewall in name nat-in
# commit

I hope this helps get you started!  You can also download and take a 
look at the Vyatta Configuration guide for more information and examples. 

http://www.vyatta.com/documentation/index.php

-Robyn
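A small check for the point made above, that an interface "in" firewall sees the post-NAT inside address rather than the public one. This is an added example, not Vyatta tooling or anything posted on the list; it parses the corrected `set` lines from the reply plus a constructed rule 30 that repeats the original mistake, and flags firewall rules keyed on a destination-NAT public address.

```python
# Constructed sample (not from the list post): the corrected commands from the
# reply, plus a rule 30 that matches the public address 70.165.x.x instead of
# the post-NAT inside address, which is the mistake the reply corrects.
SAMPLE_CONFIG = """
set service nat rule 10 type source
set service nat rule 10 source address 10.10.10.126
set service nat rule 10 outside-address address 70.165.x.x
set service nat rule 20 type destination
set service nat rule 20 destination address 70.165.x.x
set service nat rule 20 inside-address address 10.10.10.126
set firewall name nat-in rule 10 action accept
set firewall name nat-in rule 10 protocol udp
set firewall name nat-in rule 10 source address 65.248.x.x
set firewall name nat-in rule 10 destination address 10.10.10.126
set firewall name nat-in rule 10 destination port-range start 5059
set firewall name nat-in rule 10 destination port-range stop 5062
set firewall name nat-in rule 30 action accept
set firewall name nat-in rule 30 protocol udp
set firewall name nat-in rule 30 source address 65.248.x.x
set firewall name nat-in rule 30 destination address 70.165.x.x
"""


def parse(text):
    """Fold 'set' lines into {rule: {key: value}} tables for NAT and firewall."""
    nat, fw = {}, {}
    for line in text.split("\n"):
        w = line.split()
        if w[:4] == ["set", "service", "nat", "rule"]:
            nat.setdefault(int(w[4]), {})[" ".join(w[5:-1])] = w[-1]
        elif w[:3] == ["set", "firewall", "name"] and w[4] == "rule":
            fw.setdefault((w[3], int(w[5])), {})[" ".join(w[6:-1])] = w[-1]
    return nat, fw


def check_firewall_destinations(text):
    """Return (fw_name, rule, public, inside) for rules keyed on a DNAT public address."""
    nat, fw = parse(text)
    # Destination NAT rewrites the address before the interface 'in' firewall
    # sees the packet, so a rule keyed on the public address never matches and
    # the flow falls through to the implicit deny at the end of the rule set.
    public_to_inside = {r["destination address"]: r["inside-address address"]
                        for r in nat.values() if r.get("type") == "destination"}
    return [(name, num, rule["destination address"],
             public_to_inside[rule["destination address"]])
            for (name, num), rule in sorted(fw.items())
            if rule.get("destination address") in public_to_inside]
```

Each finding names the firewall rule, the public address it was written against, and the inside address the packet actually carries when the rule is evaluated.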

> On Feb 20, 2008 1:43 AM, Dave Greeko <[EMAIL PROTECTED]> wrote:
>   
>> Hi,
>> I'm trying to get rid of my Cisco PIX firewall.  I need to translate the
>> next 3 lines into Vyatta.
>>
>> static (inside,outside) 70.165.x.x 10.10.10.126 netmask 255.255.255.255 1024 768
>> access-list acl_outside permit udp host 65.248.x.x host 70.165.x.x range 5059 5062
>> access-list acl_outside permit udp host 65.248.x.x host 70.165.x.x range 10000 51000
>>
>> What I need to do is allow ONLY host 65.248.x.x to access my LAN (host
>> 10.10.10.126) with range of udp ports.
>> As you may see the internal host is mapped to 70.165.x.x
>>
>> Your help is greatly appreciated
>> Dave,
>>
>> _______________________________________________
>> Vyatta-users mailing list
>> Vyatta-users@mailman.vyatta.com
>> http://mailman.vyatta.com/mailman/listinfo/vyatta-users