02-28-2007 09:07 AM - edited 03-09-2019 05:29 PM
Question for you: I have a 515E firewall and I have an internal machine that needs to connect to an external host on the internet. In order for me to do that, all I would need to do is:
nat (inside) 100 205.240.197.50 255.255.255.255
global (outside) 100 38.115.156.104
I don't need to specify the IP address and port number of the distant-end machine:
nat (inside) 100 205.240.197.50 255.255.255.255 216.23.224.181 4001
02-28-2007 09:10 AM
Um, not quite. Define what all those IPs are for us and we'll show you how to do it. I'm assuming you cannot get anywhere outside yet? As long as you don't have an ACL on the inside interface and your NAT is set up, inside will be able to go anywhere outside by default.
02-28-2007 09:17 AM
I have an internal machine 205.240.197.50 and I need it to connect to an external machine via the internet. The external machine's IP and port are 216.23.224.181, port 4001.
IP address 38.115.156.104 is Cogent, the internet provider.
02-28-2007 09:26 AM
Sorry, to answer your question: yes, currently that internal machine cannot get out; this is a new connection.
02-28-2007 09:31 AM
Allowing the port out is not your problem. Can you post your PIX config and give us a topology of your network with the IP address scheme? Thanks.
02-28-2007 09:45 AM
02-28-2007 09:52 AM
Topology goes as follows:
chirt1 -> chipix1 -> chirt5 -> Cogent network
03-05-2007 08:28 AM
Hi,
An example:
inside IP: 1.1.1.1
an IP address on the internet: 4.2.2.2
The inside IP needs to contact 4.2.2.2.
What you need:
nat (inside) 1 1.1.1.1
global (outside) 1 interface
1.1.1.1, while going outside to 4.2.2.2 on the internet, will get translated to the outside interface's IP address.
source IP address on inside: 1.1.1.1
destination IP address on inside: 4.2.2.2
_______________
When this packet reaches the outside interface of the firewall:
source IP address of packet: outside interface's IP address
destination IP address: 4.2.2.2
____________________
inside: sec level 100
outside: sec level 0
When you send traffic from a higher sec level interface (inside) to a lower sec level interface (outside), you need the translation rule defined for NAT or PAT (the nat and global commands).
As we say, by default the traffic is allowed from a higher sec zone to a lower one; by that we mean that we do not need any access-list to permit the traffic.
That is, if there's no access-list on the inside interface, all the traffic is allowed to go to outside, if we have the corresponding nat and global.
If you have put even a single access-list on the inside interface, then you need to define access-list entries for all the traffic you need to permit (as at the end of the access-list there's an implicit deny).
Now, in your case, you should be able to access that remote IP on the internet.
Hope this clears up how PIX/ASA works.
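As an added illustration (not posted by anyone in the thread), the following Python model replays the rules explained above: a nat rule with a matching global on the lower-security interface is required, "interface" in the global means PAT to that interface's address, and any access-list on the inside interface switches off the default permit with an implicit deny. The original poster's addresses are used; the inside interface IP is a constructed placeholder.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Interface:
    name: str
    sec_level: int
    ip: str
    acl: list = None  # None: no access-group applied, so high-to-low traffic is permitted by default

@dataclass
class Pix:
    """Toy model of the PIX nat/global behaviour described in the thread (added example)."""
    interfaces: dict
    nat_rules: list = field(default_factory=list)     # (iface, nat_id, network)
    global_rules: dict = field(default_factory=dict)  # (iface, nat_id) -> pool address or "interface"

    def nat(self, iface, nat_id, net):
        # nat (iface) <id> <net> <mask>: hosts in <net> belong to translation group <id>
        self.nat_rules.append((iface, nat_id, ip_network(net)))

    def global_(self, iface, nat_id, pool):
        # global (iface) <id> <pool>: address group <id> is translated to; "interface" = PAT
        self.global_rules[(iface, nat_id)] = pool

    def forward(self, src, dst, in_if, out_if):
        """Return (translated_src, dst) if the packet leaves out_if, else None (dropped)."""
        ingress, egress = self.interfaces[in_if], self.interfaces[out_if]
        s, d = ip_address(src), ip_address(dst)
        if ingress.sec_level <= egress.sec_level:
            return None  # low-to-high needs static + access-list; not modelled here
        if ingress.acl is not None:  # any ACL on the interface replaces the default permit
            if not any(a == "permit" and s in ip_network(sn) and d in ip_network(dn)
                       for a, sn, dn in ingress.acl):
                return None  # implicit deny at the end of the access-list
        for iface, nat_id, net in self.nat_rules:
            if iface == in_if and s in net:
                pool = self.global_rules.get((out_if, nat_id))
                if pool is None:
                    return None  # nat without a matching global: no translation group
                return (egress.ip if pool == "interface" else pool, dst)
        return None  # no nat rule covers the source: nothing to translate, dropped

def thread_scenario():
    """The original poster's lines: nat (inside) 100 ... and global (outside) 100 38.115.156.104."""
    pix = Pix({"inside": Interface("inside", 100, "10.0.0.1"),  # inside IP: constructed placeholder
               "outside": Interface("outside", 0, "38.115.156.104")})
    pix.nat("inside", 100, "205.240.197.50/32")
    pix.global_("outside", 100, "38.115.156.104")
    return pix.forward("205.240.197.50", "216.23.224.181", "inside", "outside")
```

Setting `acl` on the inside interface, or removing the global line, shows the two drop cases the thread warns about.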