RE: [fw-wiz] PAT on Cisco PIX 515

From: Luke Butcher (Luke.Butcher_at_alphawest.com.au)
Date: 02/22/05

    To: "Jay" <kinggooch@gmail.com>
    Date: Wed, 23 Feb 2005 07:34:25 +1100
    Hi Jay,

    Static is fairly simple. You'll need something like (if your interfaces
    are default inside and outside):
       static (inside,outside) public.ip.add.ress private.ip.add.ress netmask 255.255.255.255
    That will do NAT, basically translate one address to one address. The
    catch is that the interfaces are specified more trusted, less trusted, but the
    IP addresses are entered the other way around.

    If you have 'sysopt noproxyarp' set you'll have to add an arp entry so
    the PIX 'picks up' any traffic destined for your public NAT address.
    This is basically:
       arp outside public.ip.add.ress 1234.5678.90ab
    or whatever the MAC address of the outside interface of your PIX is.

    Then you just add access-lists as appropriate to block/allow whatever
    traffic.

    Hope that helps,
    Luke Butcher
    Network/Security Consultant

    -----Original Message-----
    From: Jay [mailto:kinggooch@gmail.com]
    Sent: Thursday, 17 February 2005 9:56 PM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] PAT on Cisco PIX 515

    Hi,
    I'm relatively new to PIX config and have been tasked with setting up a
    second internal mail server with a different outward facing IP. I need
    to tell the PIX to forward any mail delivered to the outward IP to the LAN
    side. I've noticed Cisco are fading out the conduit command, but I've had
    a trawl through Google to check out the STATIC command and it's still
    about as clear as mud.
    Any help would be greatly appreciated.
    Jay
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
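A complete configuration fragment for the case Luke describes above (a second mail server published on its own public address through one-to-one static NAT), added here as an example and not taken from the thread or from Cisco documentation. It assumes PIX 6.x command syntax and the default interface names; the public address 203.0.113.25, the LAN address 10.1.1.25, the MAC address and the access-list name outside_access_in are constructed placeholders.

```cisco
! Added example, not from the original thread. Addresses are constructed:
! 203.0.113.25 is the public (global) address of the new mail server,
! 10.1.1.25 its RFC 1918 address on the inside LAN.
!
! The interface pair is written (higher-security, lower-security), but the
! addresses follow in the opposite order: global address first, then local.
static (inside,outside) 203.0.113.25 10.1.1.25 netmask 255.255.255.255

! Only needed when proxy ARP is disabled on the outside interface
! ("sysopt noproxyarp outside" already in the config). The MAC below is a
! placeholder for the PIX's own outside interface address; read the real
! one from "show interface outside".
arp outside 203.0.113.25 0011.2233.4455

! Permit only SMTP from the Internet to the translated address. Anything else
! aimed at that host is dropped by the implicit deny at the end of the list.
access-list outside_access_in permit tcp any host 203.0.113.25 eq smtp
access-group outside_access_in in interface outside

! Verification: the static translation should appear in the xlate table,
! and the permit line's hit count should climb when mail is delivered.
show xlate
show access-list outside_access_in
```

Keeping the access-list limited to SMTP is the part that matters from a security standpoint: the static command alone creates the translation for every port, and it is the access-group on the outside interface that decides what actually reaches the server.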


