Setup Pix 515 for basic internet access

whiteford (Level 1)

Hi,

I have got a Cisco Pix 515 and just need to give my LAN access to the Internet. I will be at a DR site, so I will just be given an IP for the Internet for the outside interface; what commands would I need, as I would like this config complete before I get there :) . I assume I would need the following, have I missed anything?

My LAN is 192.168.2.0/24

Assume the outside IP I will be given is 20.20.20.18

interface Ethernet0
 nameif outside
 security-level 0
 ip address 20.20.20.17 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0

To route unresolved traffic, go to:

route outside 0.0.0.0 0.0.0.0 20.20.20.17 1

To allow the Internet for the LAN:

access-list inside_access_in extended permit tcp 192.168.2.0 eq http
access-list inside_access_in extended permit tcp 192.168.2.0 eq https
access-list inside_access_in extended permit udp 192.168.2.0 eq domain

I assume I need to NAT the internal LAN to the outside and set up some sort of global interface, but I'm not sure at this point.

Thanks for your help

6 Replies

Jon Marshall (Hall of Fame)

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

You also need to edit your access-list, i.e.

access-list inside_access_in extended permit tcp 192.168.2.0 eq http

should be

access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq http

Jon

Thanks, so does "nat (inside) 1 0.0.0.0 0.0.0.0" basically mean NAT devices coming from the inside network, use the global group 1 and allow to any IP?

And this means my global pool is the outside interface, rather like PAT?

global (outside) 1 interface

Thanks

nat (inside) 1 0.0.0.0 0.0.0.0 means NAT all addresses arriving on the inside interface. You could tie it down to your internal LAN, i.e.

nat (inside) 1 192.168.2.0 255.255.255.0

Then global (outside) 1 interface is as you say PAT. The index number 1 ties it to the NAT statement.

Jon

singhsaju (Level 4)

You can set up the PIX in 5 steps:

Step 1: Name the interfaces

interface Ethernet0
 nameif outside
interface Ethernet1
 nameif inside

Step 2: Define security levels for the interfaces

interface Ethernet0
 security-level 0
interface Ethernet1
 security-level 100

Step 3: Assign IP addresses to the interfaces

interface Ethernet0
 ip address 20.20.20.17 255.255.255.248
interface Ethernet1
 ip address 192.168.2.1 255.255.255.0

Step 4: Enable NAT/global to allow traffic to go from inside to outside

nat (inside) 1 192.168.2.0 255.255.255.0

or

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

Step 5: Define a route

route outside 0.0.0.0 0.0.0.0 <next-hop-ip>

To allow access to the network in the inside zone:

you will have to define a static NAT and permit it in an access-list that is bound to the outside interface. For example:

static (inside,outside) 209.164.3.5 192.168.2.57 netmask 255.255.255.255
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp
access-group smtp in interface outside

HTH

Saju

Please rate if it helps
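Pulling the thread together, here is the complete configuration the original poster asked for, as an added example (not a configuration any participant posted), in the PIX 7.x syntax that the thread's `extended` and `security-level` keywords imply. It assumes 20.20.20.17/29 is the PIX outside address and 20.20.20.18 is the ISP router; swap in whatever the DR site assigns, and note that the default route's next hop must be the ISP router, never the interface's own address. The mail-server addresses (209.164.3.5 public, 192.168.2.57 private) are Saju's illustrative values; in practice the mapped address has to be one the ISP routes to the PIX, typically a spare address from the same /29.

```cisco
! Added example: consolidated PIX 7.x config assembled from this thread.
! Assumed values: 20.20.20.17/29 = PIX outside, 20.20.20.18 = ISP router,
! 209.164.3.5 / 192.168.2.57 = mail server (public / private), all placeholders.
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 20.20.20.17 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! Default route: next hop is the ISP router, not the PIX's own outside address
route outside 0.0.0.0 0.0.0.0 20.20.20.18 1
!
! Outbound PAT: nat id 1 on inside is paired with global id 1 on outside.
! The specific network is used rather than 0.0.0.0 0.0.0.0 so that only the
! LAN is translated.
nat (inside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
!
! Outbound policy. Each extended entry needs source, mask, destination and port.
! Once bound with access-group, the implicit deny drops everything not listed
! (ICMP, NTP, SMTP ...), so add every protocol the LAN actually needs.
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq https
access-group inside_access_in in interface inside
!
! Inbound SMTP to the internal mail server: one-to-one static NAT plus an
! outside ACL that matches the mapped (public) address, as in Saju's reply.
static (inside,outside) 209.164.3.5 192.168.2.57 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 209.164.3.5 eq smtp
access-group outside_access_in in interface outside
!
! Verification once on site:
!   show xlate         - PAT and static translations currently in use
!   show access-list   - hit counts per ACL entry
!   show route         - confirms the default route is present
```

Two things are easy to miss when assembling this from the replies: an extended ACL entry needs source, mask, destination and port (`192.168.2.0 255.255.255.0 any eq www`, not `192.168.2.0 eq http`), and an access-list does nothing until `access-group` binds it to an interface. Without the inside access-group, the PIX already permits inside-to-outside traffic by security level; with it, only the listed protocols pass.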

Nice, what's the difference here, just for my understanding:

nat (inside) 1 192.168.2.0 255.255.255.0

or

nat (inside) 1 0.0.0.0 0.0.0.0

I think I understand your static NAT, this is to allow external email from 209.164.3.5 to a mail server inside on 192.168.2.57 on port 25?

Thanks

nat (inside) 1 0.0.0.0 0.0.0.0 ==> means "any" network sourced from inside

nat (inside) 1 192.168.2.0 255.255.255.0 ==> specific network sourced from inside

You are correct about the static NAT.

HTH

Saju

Please rate if it helps
