×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

1 to 1 Nat on Pix 501

Unanswered Question
Aug 6th, 2002
User Badges:

I am in need of some real help here. I have to setup a Cisco Pix 501 firewall at work. First I guess it would help to know my setup and what it is that I would like to do:


Cisco 678 router is my gateway 65.xxx.xxx.14


then I want to have the following done.


outside Ip 65.xxx.xxx.9 mapped to 10.0.0.10(allow Terminal Services, PCAnywhere)

outside Ip 65.xxx.xxx.10 mapped to 10.0.0.11(allow Terminal Services, PCAnywhere)

outside Ip 65.xxx.xxx.11 mapped to 10.0.0.28(allow Terminal Services, PCAnywhere)

outside Ip 65.xxx.xxx.12 mapped to 10.0.0.95(allow Terminal Services, PCAnywhere)

outside Ip 65.xxx.xxx.13 mapped to 10.0.0.1(allow www,smtp,pop,443)


Here is my current config:


PIX Version 6.1(3)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxxxx encrypted

hostname xxxxxxxxxxx

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

name 65.xxx.xxx.13 firewall

name 10.0.0.1 server

access-list fromoutside permit tcp any any eq pop3

access-list fromoutside permit tcp any any eq www

access-list fromoutside permit tcp any any eq smtp

access-list acl_outside permit tcp any host 65.xxx.xxx.9 eq smtp

access-list acl_outside permit tcp any host 65.xxx.xxx.9 eq www

access-list acl_outside permit tcp any host 65.xxx.xxx.9 eq 443

access-list acl_outside permit tcp any host 65.xxx.xxx.10 eq 3389

access-list acl_outside permit tcp any host 65.xxx.xxx.10 eq 5631

access-list acl_outside permit udp any host 65.xxx.xxx.10 eq 5632

access-list acl_outside permit tcp any host 65.xxx.xxx.11 eq 3389

access-list acl_outside permit tcp any host 65.xxx.xxx.11 eq 5631

access-list acl_outside permit udp any host 65.xxx.xxx.11 eq 5632

access-list acl_outside permit tcp any host 65.xxx.xxx.12 eq 3389

access-list acl_outside permit tcp any host 65.xxx.xxx.12 eq 5631

access-list acl_outside permit udp any host 65.xxx.xxx.12 eq 5632

access-list acl_inside permit ip 10.0.0.0 255.255.255.0 any

access-list acl_inside permit tcp 10.0.0.0 255.255.255.0 any

pager lines 24

logging on

logging timestamp

logging buffered notifications

logging trap warnings

logging history notifications

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside firewall 255.255.255.0

ip address inside server 255.0.0.0

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

pdm location server 255.255.255.255 inside

pdm logging notifications 512

pdm history enable

arp timeout 14400

global (outside) 1 65.xxx.xxx.11

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp firewall pop3 10.0.0.2 pop3 netmask 255.255.255.2550

static (inside,outside) tcp firewall smtp 10.0.0.2 smtp netmask 255.255.255.2550

static (inside,outside) tcp firewall www 10.0.0.2 www netmask 255.255.255.255 00

static (inside,outside) 65.xxx.xxx.9 10.0.0.10 netmask 255.255.255.255 0 0

static (inside,outside) 65.xxx.xxx.10 10.0.0.11 netmask 255.255.255.255 0 0

static (inside,outside) 65.xxx.xxx.11 10.0.0.28 netmask 255.255.255.255 0 0

static (inside,outside) 65.xxx.xxx.12 10.0.0.95 netmask 255.255.255.255 0 0

access-group acl_outside in interface outside

access-group acl_inside in interface inside

route outside 0.0.0.0 0.0.0.0 firewall 1

timeout xlate 0:05:00

timeout conn 0:05:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s0

timeout uauth 0:04:00 absolute uauth 0:02:00 inactivity

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet server 255.255.255.255 inside

telnet 10.0.0.0 255.255.255.0 inside

telnet timeout 10

ssh timeout 5

terminal width 80

Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


I dont need or want any extras and I dont know if I have stuff in here that falls under the "extras" category. I just need to accomplish what I have listed above and I will be the happiest person on the planet Any help would be greatly appreciated. Thanks very much.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
paqiu Tue, 08/06/2002 - 16:13
User Badges:

Hi,


1 "route outside 0.0.0.0 0.0.0.0 65.xxx.xxx.14"


2 combining "access-list fromoutside" into "acl_outside", because only "acl_outside" applying to the outside interface.


3 take off "ip verify reverse-path interface outside" because it proivde extral secure but sometimes will deny some incoming traffic.


Hope above suggestions help.


Best Regards,





chooser1 Wed, 08/07/2002 - 08:56
User Badges:

Hey thanks a lot. I will try this when I get back to the office. Cant wait to see if it works.


Regards,



Actions

This Discussion