11-12-2003 08:27 AM - edited 02-20-2020 11:05 PM
I do not know much about PIX firewalls so I'm looking for some help.
IP's have been changed for the purpose of this posting and security concerns.
I have a PIX firewall with the below configuration:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx encrypted
passwd xxxxxx encrypted
hostname BlahBlah
domain-name someone.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 204.43.93.235 macky
name 204.43.93.234 macky2
name 206.16.32.239 webmack
name 206.16.32.240 joeblow
access-list nonat permit ip 206.16.32.128 255.255.255.128 any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.252
ip address inside x.x.x.129 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
pdm location x.x.x.x 255.255.255.0 outside
pdm location x.x.x.224 255.255.255.224 outside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
conduit permit icmp any any
conduit permit ip any x.x.x.0 255.255.255.0
conduit permit tcp host 206.16.32.251 eq smtp any
conduit permit tcp host 206.16.32.251 eq www any
conduit permit tcp host 206.16.32.251 eq 443 any
conduit permit tcp host 206.16.32.251 eq ident any
conduit permit tcp host 206.16.32.250 eq 1494 any
conduit permit tcp host 206.16.32.249 eq 1494 any
conduit permit tcp host webmack eq www any
conduit permit tcp host webmack eq ftp any
conduit permit tcp host joeblow eq ftp any
conduit permit tcp host joeblow eq www any
conduit permit tcp host 206.16.32.220 eq www any
conduit permit tcp host 206.16.32.221 eq www any
conduit permit tcp host 206.16.32.222 eq www any
conduit permit tcp host 206.16.32.223 eq www any
conduit permit tcp host 206.16.32.230 eq www any
conduit permit tcp host 206.16.32.231 eq www any
conduit permit tcp host 206.16.32.232 eq www any
conduit permit tcp host 206.16.32.233 eq www any
conduit permit tcp host 206.16.32.234 eq www any
conduit permit tcp host 206.16.32.235 eq www any
conduit permit tcp host 206.16.32.236 eq www any
conduit permit tcp host 206.16.32.237 eq www any
conduit permit tcp host 206.16.32.238 eq www any
conduit permit tcp host 206.16.32.241 eq www any
conduit permit tcp host 206.16.32.242 eq www any
conduit permit tcp host 206.16.32.243 eq www any
conduit permit tcp host 206.16.32.244 eq www any
conduit permit tcp host 206.16.32.245 eq www any
conduit permit tcp host 206.16.32.246 eq www any
conduit permit tcp host 206.16.32.247 eq www any
conduit permit tcp host 206.16.32.254 eq www any
conduit permit tcp host 206.16.32.220 eq ftp any
conduit permit tcp host 206.16.32.221 eq ftp any
conduit permit tcp host 206.16.32.222 eq ftp any
conduit permit tcp host 206.16.32.223 eq ftp any
conduit permit tcp host 206.16.32.230 eq ftp any
conduit permit tcp host 206.16.32.231 eq ftp any
conduit permit tcp host 206.16.32.232 eq ftp any
conduit permit tcp host 206.16.32.233 eq ftp any
conduit permit tcp host 206.16.32.234 eq ftp any
conduit permit tcp host 206.16.32.235 eq ftp any
conduit permit tcp host 206.16.32.236 eq ftp any
conduit permit tcp host 206.16.32.237 eq ftp any
conduit permit tcp host 206.16.32.238 eq ftp any
conduit permit tcp host 206.16.32.241 eq ftp any
conduit permit tcp host 206.16.32.242 eq ftp any
conduit permit tcp host 206.16.32.243 eq ftp any
conduit permit tcp host 206.16.32.244 eq ftp any
conduit permit tcp host 206.16.32.245 eq ftp any
conduit permit tcp host 206.16.32.246 eq ftp any
conduit permit tcp host 206.16.32.247 eq ftp any
conduit permit tcp host 206.16.32.254 eq ftp any
conduit permit tcp host 206.16.32.220 eq 443 any
conduit permit tcp host 206.16.32.221 eq 443 any
conduit permit tcp host 206.16.32.222 eq 443 any
conduit permit tcp host 206.16.32.223 eq 443 any
conduit permit tcp host 206.16.32.230 eq 443 any
conduit permit tcp host 206.16.32.231 eq 443 any
conduit permit tcp host 206.16.32.232 eq 443 any
conduit permit tcp host 206.16.32.233 eq 443 any
conduit permit tcp host 206.16.32.234 eq 443 any
conduit permit tcp host 206.16.32.235 eq 443 any
conduit permit tcp host 206.16.32.236 eq 443 any
conduit permit tcp host 206.16.32.237 eq 443 any
conduit permit tcp host 206.16.32.238 eq 443 any
conduit permit tcp host 206.16.32.241 eq 443 any
conduit permit tcp host 206.16.32.242 eq 443 any
conduit permit tcp host 206.16.32.243 eq 443 any
conduit permit tcp host 206.16.32.244 eq 443 any
conduit permit tcp host 206.16.32.245 eq 443 any
conduit permit tcp host 206.16.32.246 eq 443 any
conduit permit tcp host 206.16.32.247 eq 443 any
conduit permit tcp host 206.16.32.254 eq 443 any
route outside 0.0.0.0 0.0.0.0 206.16.32.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http x.x.x.0 255.255.255.0 outside
http x.x.x.128 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh x.x.x.x 255.255.255.0 outside
ssh x.x.x.x 255.255.255.224 outside
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxxx
: end
[OK]
What I need is a configuration change to NAT inside my network using the following IP's.
192.168.32.0/22
192.168.32.1-254 servers
192.168.33.1-254 printers
192.168.34.1-254 workstations
192.168.35.1-254 testing/wireless/ip phones/etc
Please help I'll be tasked to give up the real IP's this coming weekend.
Thanks in advance.
11-12-2003 04:01 PM
HI,
You have not specified what translated address you will be using for these IPs. Let's assume you want all these IPs to be translated to one address, that of your interface 206.16.32.10,
so you will need to following lines
nat (inside) 1 192.168.32.0 255.255.252.0
global (outside) 1 interface
Also you don't have any route for this 192 network. I am assuming it is on the inside,
so you need the following statement as well
route inside 192.168.32.0 255.255.252.0
Thanks
Nadeem
11-13-2003 06:51 AM
Hi Nadeem,
Sorry I didn't specify. The IPs I'm looking to translate for are:
206.16.32.230 - .254 (They all need to be statically mapped)
I think the command is something like:
static (inside, outside) 192.168.35.240 206.16.32.240 netmask 255.255.255.255
They should only map the following services:
ftp,www,443 (They are websites that do not use host headers)
I have never worked with PIX firewalls before so this is completely new for me. Hopefully I can add new static mappings in the future with very little effort.
Thanks in advance.
11-14-2003 02:17 PM
Help. I have to do this tomorrow and I'm no closer to getting this done. As I stated above, they all need to be static mappings, but is there anything else I need to consider? Can I send you my real config Nadeem? I work for a non-profit company so they won't foot the ticket for me to call Cisco and walk me through it.
I figure I just need to remove:
nat (inside) 0 access-list nonat
and add
nat (inside) 1 X.X.X.0 255.255.255.0
remove all the conduit permit entries and replace with static entries like so:
static (server,outside) tcp interface smtp X.X.X.X smtp netmask 255.255.255.255 0 0
static (server,outside) tcp interface ftp X.X.X.X smtp netmask 255.255.255.255 0 0
static (server,outside) tcp interface www X.X.X.X smtp netmask 255.255.255.255 0 0
Am I even remotely close?
HELP!
11-14-2003 05:02 PM
You can email me your config file (even with fake addresses) and a very detailed explanation of what you want and I will help you.
email: bobrob_6@hotmail.com
11-14-2003 05:09 PM
static (server,outside) tcp interface smtp X.X.X.X smtp netmask 255.255.255.255 0 0
static (server,outside) tcp interface ftp X.X.X.X smtp netmask 255.255.255.255 0 0
static (server,outside) tcp interface www X.X.X.X smtp netmask 255.255.255.255 0 0
These commands will not permit the traffic.
The first one will map any smtp traffic destined for "interface" to the smtp services on x.x.x.x
the second will map all FTP traffic destined for interface to the smtp service on x.x.x.x
You need to figure out how you want your statics to look and then you'll need access control lists to actually permit the traffic.
nat(inside) 1 192.168.1.0 255.255.255.255
global(outside) 1 208.209.3.7 255.255.255.255
This would map all traffic originating from the inside with the IP address 192.168.1.x to 208.209.3.7
If you have a server say 208.209.3.15 and you want it to host www, ftp, and ssl, you could do this:
static(inside,outside) 208.209.3.15 192.168.1.5
access-list outside-in permit tcp any host 208.209.3.15 eq www
access-list outside-in permit tcp any host 208.209.3.15 eq ftp
access-list outside-in permit tcp any host 208.209.3.15 eq ssl
access-group outside-in in interface outside
Send me your config and a detailed explanation of everything and I'll help you.
11-14-2003 05:45 PM
That should have been:
nat(inside) 1 192.168.1.0 255.255.255.0
global(outside) 1 208.209.3.7 255.255.255.255
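The replies above describe the migration the original poster needs: one `static (inside,outside) <public> <private>` per server (public address first, as in the reply's example), plus an `access-list` that permits only the wanted TCP services and an `access-group` binding it to the outside interface, replacing the long list of `conduit` lines. The Python script below is an added example, not code from this thread or from Cisco; it generates those lines from a small mapping table, parses the existing `conduit permit tcp host ... eq ... any` lines (resolving `name` aliases) so you can confirm that nothing currently exposed is dropped by accident, and sets aside conduits it cannot translate mechanically (such as the `permit icmp any any`) for a manual decision. The interface names `inside`/`outside`, the ACL name `outside-in`, and the sample addresses and services are constructed assumptions for the example.

```python
"""Generate PIX 6.x static + access-list lines from a mapping table and
cross-check them against the conduits already in a config.

Added example (not from the thread). Assumed names: interfaces 'inside' and
'outside', ACL 'outside-in'. All addresses below are constructed samples.
"""
import ipaddress
import re

# Constructed sample input in the shape of the poster's config (the real
# conduit list in the thread is far longer; this is a representative slice).
SAMPLE_CONFIG = """\
name 206.16.32.239 webmack
conduit permit icmp any any
conduit permit tcp host webmack eq www any
conduit permit tcp host webmack eq ftp any
conduit permit tcp host 206.16.32.240 eq www any
conduit permit tcp host 206.16.32.240 eq 443 any
"""

# Constructed mapping table: (public address, private address, allowed TCP services).
SAMPLE_MAPPINGS = [
    ("206.16.32.239", "192.168.35.239", ["www", "ftp"]),
    ("206.16.32.240", "192.168.35.240", ["www", "443"]),
]

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
CONDUIT_RE = re.compile(r"^conduit permit tcp host (\S+) eq (\S+) any$")
OTHER_CONDUIT_RE = re.compile(r"^conduit ")


def parse_conduits(config_text):
    """Return ({public_ip: set(services)}, [conduit lines not converted]).

    'name' aliases are resolved so the result is keyed by address.
    """
    names = {}
    exposed = {}
    leftovers = []
    for line in config_text.splitlines():
        line = line.strip()
        m = NAME_RE.match(line)
        if m:
            names[m.group(2)] = m.group(1)   # alias -> address
            continue
        m = CONDUIT_RE.match(line)
        if m:
            host = names.get(m.group(1), m.group(1))
            ipaddress.ip_address(host)        # raises if an alias was never defined
            exposed.setdefault(host, set()).add(m.group(2))
        elif OTHER_CONDUIT_RE.match(line):
            leftovers.append(line)            # e.g. icmp any any: decide by hand
    return exposed, leftovers


def render_static(public, private, inside="inside", outside="outside"):
    """One-to-one static translation; PIX syntax puts the global (public) address first."""
    ipaddress.ip_address(public)
    ipaddress.ip_address(private)
    return f"static ({inside},{outside}) {public} {private} netmask 255.255.255.255 0 0"


def render_acl(exposed, acl="outside-in"):
    """One permit line per (public host, service), in a stable order."""
    lines = []
    for public in sorted(exposed, key=ipaddress.ip_address):
        for svc in sorted(exposed[public]):
            lines.append(f"access-list {acl} permit tcp any host {public} eq {svc}")
    return lines


def generate(mappings, acl="outside-in", inside="inside", outside="outside"):
    """Statics, then the ACL, then the access-group that applies it on the outside."""
    exposed = {}
    statics = []
    for public, private, services in mappings:
        statics.append(render_static(public, private, inside, outside))
        exposed[public] = set(services)
    return statics + render_acl(exposed, acl) + [f"access-group {acl} in interface {outside}"]


def check_coverage(exposed, mappings):
    """Services reachable through current conduits but absent from the new table."""
    planned = {public: set(svcs) for public, _, svcs in mappings}
    missing = {}
    for public, svcs in exposed.items():
        gap = svcs - planned.get(public, set())
        if gap:
            missing[public] = gap
    return missing


if __name__ == "__main__":
    exposed, leftovers = parse_conduits(SAMPLE_CONFIG)
    print("\n".join(generate(SAMPLE_MAPPINGS)))
    print("# not converted:", leftovers)
    print("# still exposed but unplanned:", check_coverage(exposed, SAMPLE_MAPPINGS))
```

Run it against a copy of the real config to get the candidate `static`/`access-list`/`access-group` block and, more importantly, the list of services that the old conduits allowed but the new table does not; a non-empty result there means either a forgotten server or a service that was exposed without anyone intending it, and both are worth knowing before the cutover.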
11-16-2003 05:01 AM
What's your email John Mayo. I am pretty desperate. I'll have to revert back today if I don't get this fixed this a.m. You can AIM me at NetResJC or email is j.c@comcast.net or rezo247@yahoo.com
11-15-2003 12:05 AM
Hi,
I apologize for not getting back; I was not checking the forum recently. I think bf has already answered you properly. If you still need further assistance, feel free to send me email at nkhawaja@cisco.com
Thanks
Nadeem