This weekend I'm migrating a Netscreen's firewall rules to a PIX.
I was hoping someone can take a look at what I plan on doing and let me know if there are any possible issues. I am not so much concerned with the issues of in-bound security. More in the use of PAT and the statics overlapping the PAT range. In examples I've seen the NAT or PAT range/pool is separate from the in-bound IPs.
The config is listed below.
I will be using a single PAT address to allow the office network out-bound access to the internet. I will be implementing static translations and access lists to allow in-bound traffic to reach some servers on the office LAN.
I was wondering if there could be any issues because my PAT statement is for the whole class C (the office LAN) and the in-bound static translations are to various IPs in that same class C range.
I was told the internal servers will not initiate out-bound requests, but I'm not sure of that. If the servers were to attempt an outside connection, would they use the static translations or the PAT statement?
! Interface addresses. In PIX 7.x syntax these lines sit under the
! "interface" block that carries the nameif (outside_net / internal_net);
! the interface blocks themselves are not shown in the post.
! outside_net:
ip address 22.214.171.124 255.255.255.0
! internal_net (office LAN):
ip address 10.11.28.100 255.255.255.0
!
! PAT for the office LAN IPs: every inside host (0.0.0.0 0.0.0.0 matches
! the whole LAN) is translated to the outside_net interface address
nat (internal_net) 1 0.0.0.0 0.0.0.0
global (outside_net) 1 interface
!
! Access lists: inside may go anywhere; outside may reach only the
! published server addresses/ports
access-list internal_net_access_in extended permit ip any any
access-list outside_net_access_in extended permit udp any host 126.96.36.199 eq pptp
access-list outside_net_access_in extended permit tcp any host 188.8.131.52 eq https
access-list outside_net_access_in extended permit tcp any host 184.108.40.206 eq https
access-list outside_net_access_in extended permit tcp any host 220.127.116.11 eq ssh
access-list outside_net_access_in extended permit tcp any host 18.104.22.168 eq ssh
!
! Statics for in-bound server access: one-to-one mappings
! (outside address -> inside server) inside the PAT'd LAN range
static (internal_net, outside_net) 22.214.171.124 10.11.28.10
static (internal_net, outside_net) 126.96.36.199 10.11.28.23
static (internal_net, outside_net) 188.8.131.52 10.11.28.240
static (internal_net, outside_net) 184.108.40.206 10.11.28.14
!
! Default route and ACL bindings
route outside_net 0.0.0.0 0.0.0.0 220.127.116.11
access-group outside_net_access_in in interface outside_net
access-group internal_net_access_in in interface internal_net
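Added example, not part of the original post: a small model of how a PIX chooses a translation for an outbound flow from the configuration above. It assumes the documented PIX rule that a matching static takes precedence over a nat/global pair, so a server with a static uses its own static address outbound, while every other LAN host is PAT'd to the interface address; the config text and interface address are copied from the post.

```python
# Model of PIX translation selection (added example; assumes static > nat/global).
import re

# Constructed input: the post's own nat/global/static lines (IPs as posted).
CONFIG = """\
nat (internal_net) 1 0.0.0.0 0.0.0.0
global (outside_net) 1 interface
static (internal_net, outside_net) 22.214.171.124 10.11.28.10
static (internal_net, outside_net) 126.96.36.199 10.11.28.23
static (internal_net, outside_net) 188.8.131.52 10.11.28.240
static (internal_net, outside_net) 184.108.40.206 10.11.28.14
"""
OUTSIDE_IF_IP = "22.214.171.124"   # "global ... interface" PATs to this address

def parse(config):
    """Collect statics, nat rules and global pools from the config text."""
    statics, nats, globals_ = {}, [], {}
    for line in config.splitlines():
        m = re.match(r"static \((\w+),\s*(\w+)\) (\S+) (\S+)", line)
        if m:   # (inside_if, outside_if, real_ip) -> mapped_ip
            statics[(m[1], m[2], m[4])] = m[3]
            continue
        m = re.match(r"nat \((\w+)\) (\d+) (\S+) (\S+)", line)
        if m:   # (inside_if, nat_id, network, mask)
            nats.append((m[1], int(m[2]), m[3], m[4]))
            continue
        m = re.match(r"global \((\w+)\) (\d+) (\S+)", line)
        if m:   # (outside_if, nat_id) -> pool or "interface"
            globals_[(m[1], int(m[2]))] = m[3]
    return statics, nats, globals_

def ip_in(ip, net, mask):
    """True if ip falls inside net/mask (0.0.0.0 0.0.0.0 matches everything)."""
    to_int = lambda a: int.from_bytes(bytes(map(int, a.split("."))), "big")
    return to_int(ip) & to_int(mask) == to_int(net) & to_int(mask)

def outbound_translation(config, inside_if, outside_if, real_ip):
    """Return (kind, mapped_ip) used for a flow leaving from real_ip."""
    statics, nats, globals_ = parse(config)
    if (inside_if, outside_if, real_ip) in statics:     # static wins
        return ("static", statics[(inside_if, outside_if, real_ip)])
    for nif, nid, net, mask in nats:                    # else nat/global
        if nif == inside_if and ip_in(real_ip, net, mask) and (outside_if, nid) in globals_:
            g = globals_[(outside_if, nid)]
            return ("pat", OUTSIDE_IF_IP if g == "interface" else g)
    return ("none", None)
```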