Setup Pix 515 for basic internet access

Unanswered Question
Sep 8th, 2008

Hi,

I have got a Cisco Pix 515 and just need to give my LAN access to the Internet. I will be at a DR site, so I will just be given an IP for the Internet for the outside interface; what commands would I need, as I would like this config complete before I get there :) . I assume I would need the following, have I missed anything?

My LAN is 192.168.2.0/24

Assume the outside IP I will be given is 20.20.20.18

interface Ethernet0
 nameif outside
 security-level 0
 ip address 20.20.20.17 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0

To route unresolved traffic, go to:

route outside 0.0.0.0 0.0.0.0 20.20.20.17 1

To allow the internet for the LAN:

access-list inside_access_in extended permit tcp 192.168.2.0 eq http
access-list inside_access_in extended permit tcp 192.168.2.0 eq https
access-list inside_access_in extended permit udp 192.168.2.0 eq domain

I assume I need to NAT the internal LAN to the outside and set up some sort of global interface, but I'm not sure at this point.

Thanks for your help

Jon Marshall Mon, 09/08/2008 - 09:05

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

You also need to edit your access-list, i.e.

access-list inside_access_in extended permit tcp 192.168.2.0 eq http

should be

access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq http

Jon

whiteford Mon, 09/08/2008 - 09:19

Thanks, so does "nat (inside) 1 0.0.0.0 0.0.0.0" basically mean NAT devices coming from the inside network, use global group 1 and allow to any IP?

And this means my global pool is the outside interface, rather like PAT?

global (outside) 1 interface

Thanks

Jon Marshall Mon, 09/08/2008 - 09:26

nat (inside) 1 0.0.0.0 0.0.0.0 means NAT all addresses arriving on the inside interface. You could tie it down to your internal LAN, i.e.

nat (inside) 1 192.168.2.0 255.255.255.0

Then global (outside) 1 interface is as you say PAT. The index number 1 ties it to the NAT statement.

Jon

singhsaju Mon, 09/08/2008 - 09:15

You can set up the PIX in 5 steps:

Step 1: Name the interfaces

interface Ethernet0
 nameif outside
interface Ethernet1
 nameif inside

Step 2: Define security levels for the interfaces

interface Ethernet0
 security-level 0
interface Ethernet1
 security-level 100

Step 3: Assign IP addresses to the interfaces:

interface Ethernet0
 ip address 20.20.20.17 255.255.255.248
interface Ethernet1
 ip address 192.168.2.1 255.255.255.0

Step 4: Enable NAT/global to allow the traffic to go outside from inside.

nat (inside) 1 192.168.2.0 255.255.255.0

or

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Step 5: Define a route

route outside 0.0.0.0 0.0.0.0 <gateway-ip>

To allow access to the network in the inside zone:

you will have to define a static NAT and permit it in an access-list that is bound to the outside interface. For example:

static (inside,outside) 209.164.3.5 192.168.2.57 netmask 255.255.255.255
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp
access-group smtp in interface outside

HTH

Saju

Please rate if it helps

whiteford Mon, 09/08/2008 - 09:26

Nice, what's the difference here, just for my understanding:

nat (inside) 1 192.168.2.0 255.255.255.0

or

nat (inside) 1 0.0.0.0 0.0.0.0

I think I understand your static NAT, this is to allow external email from 209.164.3.5 to a mail server inside on 192.168.2.57 on port 25?

Thanks

singhsaju Mon, 09/08/2008 - 09:30

nat (inside) 1 0.0.0.0 0.0.0.0 ==> means "any" network sourced from inside

nat (inside) 1 192.168.2.0 255.255.255.0 ==> specific network sourced from inside

You are correct about the static NAT.

HTH

Saju

Please rate if it helps
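As an added example (not code from this thread or from Cisco), here is a small Python linter that checks a PIX 7.x config fragment for the mistakes raised in the replies above: an access-list line with no source mask or destination before "eq", a global pool that is neither "interface" nor an address range, a route written with parentheses or without a gateway, and nat/global index numbers that do not pair up. The sample config is constructed for the example.

```python
import re

# Constructed PIX config fragment (not from a real device): the asker's ACL line without
# a destination, the corrected form, and a second global with no matching nat statement.
SAMPLE_CONFIG = """\
nat (inside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 20.20.20.17 1
access-list inside_access_in extended permit tcp 192.168.2.0 eq http
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq https
global (outside) 2 interface
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ADDR = rf"(?:any|host {IP}|{IP} {IP})"  # ACL address forms: any | host a.b.c.d | network mask
ACL_RE = re.compile(rf"^access-list (\S+) extended (permit|deny) (\S+) ({ADDR}) ({ADDR})(?: eq \S+)?$")
ROUTE_RE = re.compile(rf"^route (\S+) ({IP}) ({IP}) ({IP})(?: \d+)?$")
NAT_RE = re.compile(r"^nat ?\((\w+)\) ?(\d+) ")
GLOBAL_RE = re.compile(r"^global ?\((\w+)\) ?(\d+) (\S+)$")
POOL_RE = re.compile(rf"interface|{IP}(?:-{IP})?")

def lint_pix(config: str) -> list:
    """Return one finding per problem; empty list means clean. The index number pairs nat with global."""
    findings, nat_ids, global_ids = [], set(), set()
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line.startswith("nat"):
            m = NAT_RE.match(line)
            if m:
                nat_ids.add(m.group(2))
        elif line.startswith("global"):
            m = GLOBAL_RE.match(line)
            if not m:
                findings.append(f"line {lineno}: unparseable global statement")
                continue
            global_ids.add(m.group(2))
            if not POOL_RE.fullmatch(m.group(3)):
                findings.append(f"line {lineno}: global pool must be 'interface' (PAT) or an address/range, not '{m.group(3)}'")
        elif line.startswith("route") and not ROUTE_RE.match(line):
            findings.append(f"line {lineno}: route needs 'route <ifname> <net> <mask> <gateway>' (no parentheses)")
        elif line.startswith("access-list") and not ACL_RE.match(line):
            findings.append(f"line {lineno}: ACL needs source+mask and a destination (e.g. 'any') before 'eq <port>'")
    for gid in sorted(global_ids - nat_ids):
        findings.append(f"global id {gid} has no matching nat statement")
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nid} has no matching global statement")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_pix(SAMPLE_CONFIG)) or "clean")
```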
