Thank you so much for the quick reply.  I just came back from vacation, but 
while migrating from Cisco PIX I'm faced with a NAT problem.  It's so strange: 
when I use "masquerade" for type, things work perfectly, but when I use "source" for 
type, NAT does not work at all.

Here is my working configuration:

    }
    policy {
    }
    interfaces {
        loopback lo {
        }
        ethernet eth0 {
            description: "WAN-COX"
            hw-id: 00:xx:xx:xx:ef:9f
            address 216.X.X.226 {
                prefix-length: 27
            }
        }
        ethernet eth1 {
            description: "LAN"
            hw-id: 00:xx:xx:xx:48:c6
            address 10.10.10.254 {
                prefix-length: 24
            }
        }
    }
    service {
        nat {
            rule 5 {
                type: "masquerade"
                outbound-interface: "eth0"
                source {
                    network: "10.10.10.0/24"
                }
                destination {
                    network: "0.0.0.0/0"
                }
            }
        }
        ssh {
        }
    }
    firewall {
    }
    system {
        ntp-server "69.59.150.135"
        login {
            user root {
                authentication {
                    encrypted-password: "$1$g3M8oC5KEGP0Gct8rPP/."
                    plaintext-password: ""
                }
            }
        }
        package {
            repository community {
                component: "main"
                url: "http://archive.vyatta.com/vyatta";
            }
        }
    }

Things work perfectly with the above configuration, but when I
delete rule 5 and replace it with the following rule, things stop working.

    rule 5 {
        type: "source"
        outbound-interface: "eth0"
        protocols: "all"
        source {
            network: "10.10.10.0/24"
        }
        destination {
            network: "0.0.0.0/0"
        }
        outside-address {
            range {
                start: 216.231.25.227
                stop: 216.231.25.230
            }
        }
    }

Thanks for your help!

Dave,
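As an added example (not from this thread and not a Vyatta tool), the script below flattens a brace-style Vyatta configuration block like the two `rule 5` blocks pasted above into `set` commands, then flags a NAT rule that lacks the field its type depends on. The grammar it accepts (`key: value` leaves, `key [value] {` nodes, `}` closing a node) is inferred from the config in this mail; the checks (every rule needs a type, a `source` rule needs an `outside-address`, a `destination` rule needs an `inside-address`) are taken from the commands in Robyn's reply further down. The two sample blocks are copied from this mail.

```python
"""Flatten a Vyatta brace-style config block into `set` commands and run a
few sanity checks on NAT rules.  Constructed example for this page, not
Vyatta's own tooling; the grammar is inferred from the pasted config."""
import re
from typing import Dict, List

# Constructed samples: the two `rule 5` variants pasted in the mail.
MASQ_RULE = """\
rule 5 {
    type: "masquerade"
    outbound-interface: "eth0"
    source {
        network: "10.10.10.0/24"
    }
    destination {
        network: "0.0.0.0/0"
    }
}
"""

SOURCE_RULE = """\
rule 5 {
    type: "source"
    outbound-interface: "eth0"
    protocols: "all"
    source {
        network: "10.10.10.0/24"
    }
    destination {
        network: "0.0.0.0/0"
    }
    outside-address {
        range {
            start: 216.231.25.227
            stop: 216.231.25.230
        }
    }
}
"""

NODE = re.compile(r'^([\w-]+)(?:\s+(\S+))?\s*\{$')   # key [value] {
LEAF = re.compile(r'^([\w-]+):\s*(.*)$')             # key: value
BARE = re.compile(r'^([\w-]+)\s+(\S+)$')             # key value   (e.g. ntp-server "...")


def to_set_commands(text: str, prefix: str = "service nat") -> List[str]:
    """Return one `set <path> <key> <value>` command per leaf in the block."""
    stack: List[str] = [prefix]          # current node path, one entry per node
    cmds: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        m = NODE.match(line)
        if m:
            key, val = m.groups()
            stack.append(key if val is None else f"{key} {val}")
            continue
        m = LEAF.match(line) or BARE.match(line)
        if m:
            key, val = m.groups()
            val = val.strip().rstrip(";").strip('"')   # drop quotes and stray ';'
            cmds.append(f"set {' '.join(stack)} {key} {val}")
            continue
        raise ValueError(f"unrecognised config line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config block")
    return cmds


def check_nat_rule(cmds: List[str]) -> List[str]:
    """Flag a flattened NAT rule missing the field its type depends on.
    Requirements follow the commands in the thread: a rule needs a type,
    a `source` rule an outside-address, a `destination` rule an inside-address."""
    fields: Dict[str, str] = {}
    for c in cmds:
        tokens = c.split()
        i = tokens.index("rule") + 2            # skip "rule <number>"
        fields[tokens[i]] = " ".join(tokens[i + 1:])
    findings: List[str] = []
    rtype = fields.get("type")
    if rtype is None:
        findings.append("rule has no type")
    elif rtype == "source" and "outside-address" not in fields:
        findings.append("source rule has no outside-address")
    elif rtype == "destination" and "inside-address" not in fields:
        findings.append("destination rule has no inside-address")
    return findings


if __name__ == "__main__":
    for name, block in (("masquerade", MASQ_RULE), ("source", SOURCE_RULE)):
        cmds = to_set_commands(block)
        print(f"--- {name} ---")
        print("\n".join(cmds))
        print("findings:", check_nat_rule(cmds) or "none")
```

The flattened form is the same shape as the `set` lines in the reply below, so a rule pasted from `show` output can be compared line by line with a rule typed at the CLI.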


----- Original Message ----
From: Robyn Orosz <[EMAIL PROTECTED]>
To: Dave Strydom <[EMAIL PROTECTED]>
Cc: Dave Greeko <[EMAIL PROTECTED]>; vyatta-users@mailman.vyatta.com
Sent: Wednesday, February 20, 2008 8:24:08 AM
Subject: Re: [Vyatta-users] Get rid of PIX!

I'd just add a few things and change a few things as follows:

Dave Strydom wrote:
> Correct me if i'm wrong:
>  
> # set service nat rule 5
>  
# set service nat rule 5 type source <---------add this line
> # set service nat rule 5 source address 10.10.10.126
> # set service nat rule 5 outside-address address 70.165.x.x
> # set service nat rule 5 outbound-interface eth0 <--- This is not required 
> but is definitely valid
> # commit
> # set service nat rule 10
>  
# set service nat rule 10 type destination <---------add this line
> # set service nat rule 10 inside-address address 10.10.10.126
>  
The line below should be changed from:
> # set service nat rule 10 outside-address address 70.165.x.x
>  
to:

# set service nat rule 10 destination address 70.165.10.10
> # set service nat rule 10 inbound-interface eth0 <--- This is also not 
> required but is a valid option
> # commit
>
> # set firewall name nat-in rule 1 action drop <---This should be changed to 
> accept
> # set firewall name nat-in rule 1 source address 65.248.x.x
> # set firewall name nat-in rule 1 protocol udp
>  
The line below should be changed from:
> # set firewall name nat-in rule 1 destination address 70.165.x.x
>  
to:

# set firewall name nat-in rule 1 destination address 10.10.10.126 (the NAT 
will have already taken place prior to reaching this rule)


> # set firewall name nat-in rule 1 destination port-range start 5059
> # set firewall name nat-in rule 1 destination port-range stop 5062
> # commit
> # set firewall name nat-in rule 2 action drop <--- This should also be 
> changed to accept
> # set firewall name nat-in rule 2 source address 65.248.x.x
> # set firewall name nat-in rule 2 protocol udp
>  
The line below should be changed from:
> # set firewall name nat-in rule 2 destination address 70.165.x.x
>  
to:

# set firewall name nat-in rule 2 destination address 10.10.10.126 


> # set firewall name nat-in rule 2 destination port-range start 10000
> # set firewall name nat-in rule 2 destination port-range stop 51000
> # commit
>
> # set interface ethernet eth0 firewall in name nat-in
> # commit
>
>
> - Dave
>  
The firewall has an implicit deny all at the end, similar to your PIX 
OS.  So, if you want to allow other traffic to pass, you'll need to add 
additional "accept" statements to your firewall.

If the chopped up email is difficult to read, here is the entire set of 
commands uninterrupted:

# set service nat rule 10 type source
# set service nat rule 10 source address 10.10.10.126
# set service nat rule 10 outside-address address 70.165.x.x

# set service nat rule 20 type destination
# set service nat rule 20 destination address 70.165.x.x
# set service nat rule 20 inside-address address 10.10.10.126

# set firewall name nat-in rule 10 action accept
# set firewall name nat-in rule 10 protocol udp
# set firewall name nat-in rule 10 source address 65.248.x.x
# set firewall name nat-in rule 10 destination address 10.10.10.126
# set firewall name nat-in rule 10 destination port-range start 5059
# set firewall name nat-in rule 10 destination port-range stop 5062

# set firewall name nat-in rule 20 action accept
# set firewall name nat-in rule 20 protocol udp
# set firewall name nat-in rule 20 source address 65.248.x.x
# set firewall name nat-in rule 20 destination address 10.10.10.126
# set firewall name nat-in rule 20 destination port-range start 10000
# set firewall name nat-in rule 20 destination port-range stop 51000

# commit

You also need to apply the firewall to your outside facing interface as 
follows:

# set interfaces ethernet eth0 firewall in name nat-in
# commit

I hope this helps get you started!  You can also download and take a 
look at the Vyatta Configuration guide for more information and examples. 

http://www.vyatta.com/documentation/index.php

-Robyn

> On Feb 20, 2008 1:43 AM, Dave Greeko <[EMAIL PROTECTED]> wrote:
>  
>> Hi,
>> I'm trying to get rid of my Cisco PIX firewall.  I need to translate the
>> next 3 lines into Vyatta.
>>
>> static (inside,outside) 70.165.x.x 10.10.10.126 netmask 255.255.255.255 1024
>> 768
>> access-list acl_outside permit udp host 65.248.x.x host 70.165.x.x range
>> 5059 5062
>> access-list acl_outside permit udp host 65.248.x.x host 70.165.x.x range
>> 10000 51000
>>
>> What I need to do is allow ONLY host 65.248.x.x to access my LAN (host
>> 10.10.10.126) with range of udp ports.
>> As you may see the internal host is mapped to 70.165.x.x
>>
>> Your help is greatly appreciated
>> Dave,
>>
>> _______________________________________________
>> Vyatta-users mailing list
>> Vyatta-users@mailman.vyatta.com
>> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>>
>>
>>    
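As an added example (not from this thread and not Vyatta code), the script below models the inbound packet path that Robyn's reply relies on: a packet arriving on eth0 is destination-NATed first and only then checked against the interface's `firewall in name nat-in` rule set, which ends with an implicit deny. It runs the draft rule set (destination written as the public address 70.165.10.10) and the corrected rule set (destination 10.10.10.126) against the same packets to show why the draft never matches. The rule semantics (first match wins, implicit drop) and the DNAT-before-firewall ordering are as stated in the reply; the remote peer 65.248.0.1 is a constructed placeholder for the mail's 65.248.x.x.

```python
"""Model of the inbound path described in the thread: destination NAT runs
before the `firewall in` rule set on eth0, and that rule set ends with an
implicit deny.  Constructed example for this page, not Vyatta code."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


Rule = Dict[str, object]

PEER = "65.248.0.1"       # constructed stand-in for the mail's 65.248.x.x
PUBLIC = "70.165.10.10"   # public address used in the reply
INSIDE = "10.10.10.126"   # internal host from the original question

# service nat rule 20 type destination (from the reply's command list)
DNAT_RULES: List[Rule] = [{"destination": PUBLIC, "inside": INSIDE}]


def _fw_rule(action: str, src: str, dst: str, ports: Tuple[int, int]) -> Rule:
    return {"action": action, "protocol": "udp", "source": src,
            "destination": dst, "port_range": ports}


# Draft from the thread: destination written with the pre-NAT public address.
DRAFT_NAT_IN: List[Rule] = [
    _fw_rule("accept", PEER, PUBLIC, (5059, 5062)),
    _fw_rule("accept", PEER, PUBLIC, (10000, 51000)),
]
# Corrected version: destination is the inside host, because DNAT already ran.
CORRECTED_NAT_IN: List[Rule] = [
    _fw_rule("accept", PEER, INSIDE, (5059, 5062)),
    _fw_rule("accept", PEER, INSIDE, (10000, 51000)),
]


def apply_dnat(pkt: Packet, rules: List[Rule]) -> Packet:
    """Rewrite the destination when a destination-NAT rule matches."""
    for r in rules:
        if pkt.dst == r["destination"]:
            return replace(pkt, dst=str(r["inside"]))
    return pkt


def evaluate_firewall(pkt: Packet, rules: List[Rule]) -> str:
    """First matching rule decides; no match falls through to the implicit deny."""
    for r in rules:
        lo, hi = r["port_range"]  # type: ignore[misc]
        if (pkt.proto == r["protocol"] and pkt.src == r["source"]
                and pkt.dst == r["destination"] and lo <= pkt.dport <= hi):
            return str(r["action"])
    return "drop"  # implicit deny all at the end of the rule set


def inbound_path(pkt: Packet, nat_in: List[Rule]) -> Tuple[str, Packet]:
    """Packet arriving on eth0: DNAT first, then `firewall in name nat-in`."""
    translated = apply_dnat(pkt, DNAT_RULES)
    return evaluate_firewall(translated, nat_in), translated


if __name__ == "__main__":
    sip = Packet(PEER, PUBLIC, "udp", 5060)
    stranger = Packet("198.51.100.7", PUBLIC, "udp", 5060)
    print("draft, allowed peer    :", inbound_path(sip, DRAFT_NAT_IN))
    print("corrected, allowed peer:", inbound_path(sip, CORRECTED_NAT_IN))
    print("corrected, other host  :", inbound_path(stranger, CORRECTED_NAT_IN))
```

The draft drops the very traffic it was written to admit, because by the time the filter sees the packet its destination is already 10.10.10.126; the corrected set admits only the named peer on the named UDP ranges and drops everything else through the implicit deny.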


