09-08-2008 08:55 AM - edited 03-11-2019 06:41 AM
Hi,
I have got a Cisco PIX 515 and just need to give my LAN access to the Internet. I will be at a DR site, so I will just be given an IP for the Internet for the outside interface. What commands would I need, as I would like this config complete before I get there :) . I assume I would need the following; have I missed anything?
My LAN is 192.168.2.0/24
Assume the outside IP I will be given is 20.20.20.18
interface Ethernet0
nameif outside
security-level 0
ip address 20.20.20.17 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
To route unresolved traffic go to >
route outside 0.0.0.0 0.0.0.0 20.20.20.17 1
To allow the internet for the LAN:
access-list inside_access_in extended permit tcp 192.168.2.0 eq http
access-list inside_access_in extended permit tcp 192.168.2.0 eq https
access-list inside_access_in extended permit udp 192.168.2.0 eq domain
I assume I need to NAT the internal LAN to the outside and set up some sort of global interface, but I'm not sure at this point.
Thanks for your help
09-08-2008 09:05 AM
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
You also need to edit your access-list ie.
access-list inside_access_in extended permit tcp 192.168.2.0 eq http
should be
access-list inside_access_in extended permit tcp 192.168.2.0 any eq http
Jon
09-08-2008 09:19 AM
Thanks, so does "nat (inside) 1 0.0.0.0 0.0.0.0" basically mean NAT devices coming from the inside network, use global group 1 and allow any IP?
And this means my global pool is the outside interface, rather like PAT?
global (outside) 1 interface
Thanks
09-08-2008 09:26 AM
nat (inside) 1 0.0.0.0 0.0.0.0 means NAT all addresses arriving on the inside interface. You could tie it down to your internal LAN ie.
nat (inside) 1 192.168.2.0 255.255.255.0
Then global (outside) 1 interface is as you say PAT. The index number 1 ties it to the NAT statement.
Jon
09-08-2008 09:15 AM
You can set up the PIX in 5 steps:
Step 1: Name the interfaces
interface Ethernet0
nameif outside
interface Ethernet1
nameif inside
Step 2: Define security levels for the interfaces
interface Ethernet0
security-level 0
interface Ethernet1
security-level 100
Step 3: Assign IP addresses to the interfaces:
interface Ethernet0
ip address 20.20.20.17 255.255.255.248
interface Ethernet1
ip address 192.168.2.1 255.255.255.0
Step 4: Enable NAT/Global to allow traffic to go from inside to outside.
nat (inside) 1 192.168.2.0 255.255.255.0
or
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
Step 5: Define a route
route outside 0.0.0.0 0.0.0.0 <default-gateway-ip>
To allow access from outside to a host in the inside zone:
you will have to define a static NAT and permit the traffic in an access-list that is bound to the outside interface. For example:
static (inside,outside) 209.164.3.5 192.168.2.57 netmask 255.255.255.255
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp
access-group smtp in interface outside
HTH
Saju
Please rate if it helps
09-08-2008 09:26 AM
Nice, what's the difference here, just for my understanding:
nat (inside) 1 192.168.2.0 255.255.255.0
or
nat (inside) 1 0.0.0.0 0.0.0.0
I think I understand your static NAT: this is to allow external email from 209.164.3.5 to a mail server inside on 192.168.2.57 on port 25?
Thanks
09-08-2008 09:30 AM
nat (inside) 1 0.0.0.0 0.0.0.0 ==> means "any" network sourced from inside
nat (inside) 1 192.168.2.0 255.255.255.0 ==> specific network sourced from inside
You are correct about the static NAT.
HTH
Saju
Please rate if it helps
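The thread turns on three easy-to-miss details of a PIX 6/7-style config: the access-list entries need a destination (the missing "any"), the nat and global statements must share the same index number, and an inbound static needs an access-list that is actually applied to the outside interface with access-group. The following is an added example, not from the original thread or from Cisco, of a small Python audit script that reads a config of this shape and reports those mistakes. It also checks that a default route carries a next-hop gateway. The two config snippets inside it are constructed for the example (one seeded with the mistakes discussed above, one corrected) and the line-parsing heuristics are the author's own assumptions about the command syntax, not a full PIX grammar.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample, deliberately containing the problems discussed in the thread:
# an ACE with no destination, a nat/global index mismatch, and an SMTP ACL that
# is never bound to the outside interface.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 20.20.20.17 255.255.255.248
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 20.20.20.17 1
access-list inside_access_in extended permit tcp 192.168.2.0 eq http
access-list inside_access_in extended permit tcp 192.168.2.0 any eq https
nat(inside)1 192.168.2.0 255.255.255.0
global (outside) 2 interface
static (inside,outside) 209.164.3.5 192.168.2.57 netmask 255.255.255.255
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp
"""

# Constructed corrected version of the same config.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "permit tcp 192.168.2.0 eq http", "permit tcp 192.168.2.0 any eq http"
).replace("global (outside) 2 interface", "global (outside) 1 interface") + (
    "access-group smtp in interface outside\n"
)

DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def is_ip(tok: str) -> bool:
    return bool(DOTTED.match(tok))


def consume_addr(toks: List[str]) -> int:
    """Number of tokens an address spec occupies: any | host X | X mask | bare X."""
    if not toks:
        return 0
    if toks[0] == "any":
        return 1
    if toks[0] == "host":
        return 2
    if len(toks) > 1 and is_ip(toks[1]):
        return 2
    return 1


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the config-level mistakes in the thread."""
    findings: List[Tuple[str, str]] = []
    nat_ids: Dict[str, str] = {}
    global_ids: Set[str] = set()
    statics: List[str] = []                 # public IPs from static (inside,outside)
    acl_dests: Dict[str, Set[str]] = {}     # acl name -> destination hosts it permits
    outside_acls: Set[str] = set()          # acls applied inbound on outside
    default_route_ok = False

    for raw in config.splitlines():
        # Normalise "nat(inside)1" spacing so both spellings parse the same way.
        line = re.sub(r"\)\s*", ") ", re.sub(r"\s*\(", " (", raw.strip()))
        if not line or line.startswith("!"):
            continue
        toks = line.split()
        if toks[0] == "nat":
            nat_ids[toks[2]] = line
        elif toks[0] == "global":
            global_ids.add(toks[2])
        elif toks[0] == "static" and toks[1] == "(inside,outside)":
            statics.append(toks[2])
        elif toks[0] == "access-group" and toks[-1] == "outside":
            outside_acls.add(toks[1])
        elif toks[0] == "route" and toks[2:4] == ["0.0.0.0", "0.0.0.0"]:
            default_route_ok = len(toks) >= 5 and is_ip(toks[4])
        elif toks[0] == "access-list" and "permit" in toks:
            name = toks[1]
            rest = toks[toks.index("permit") + 2:]   # tokens after the protocol
            rem = rest[consume_addr(rest):]          # skip the source spec
            if not rem or rem[0] == "eq":
                findings.append(("ACE_NO_DEST", f"{name}: no destination in '{line}'"))
                continue
            dest = rem[1] if rem[0] == "host" else rem[0]
            acl_dests.setdefault(name, set()).add(dest)

    for nid, line in nat_ids.items():
        if nid not in global_ids:
            findings.append(("NAT_NO_GLOBAL", f"no global with index {nid} for '{line}'"))
    for pub in statics:
        permitted = any(pub in acl_dests.get(n, ()) or "any" in acl_dests.get(n, ())
                        for n in outside_acls)
        if not permitted:
            findings.append(("STATIC_NOT_PERMITTED",
                             f"static {pub} has no permit in an ACL bound to outside"))
    if not default_route_ok:
        findings.append(("NO_DEFAULT_ROUTE", "default route missing or has no gateway"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(SAMPLE_CONFIG):
        print(code, msg)
    print("fixed config findings:", audit(FIXED_CONFIG))
```

Run it against the seeded sample and it reports the three problems the replies in this thread point out; the corrected copy comes back clean. The destination check treats a bare network with no mask the way the OP wrote it, so it flags "192.168.2.0 eq http" but accepts "192.168.2.0 any eq https".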