Changing to NAT on my PIX firewall (currently in drop-in mode w/real IP's)

rezo247
Level 1

I do not know much about PIX firewalls so I'm looking for some help.

IP's have been changed for the purpose of this posting and security concerns.

I have a PIX firewall with the below configuration:

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx encrypted
passwd xxxxxx encrypted
hostname BlahBlah
domain-name someone.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 204.43.93.235 macky
name 204.43.93.234 macky2
name 206.16.32.239 webmack
name 206.16.32.240 joeblow
access-list nonat permit ip 206.16.32.128 255.255.255.128 any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.252
ip address inside x.x.x.129 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
pdm location x.x.x.x 255.255.255.0 outside
pdm location x.x.x.224 255.255.255.224 outside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
conduit permit icmp any any
conduit permit ip any x.x.x.0 255.255.255.0
conduit permit tcp host 206.16.32.251 eq smtp any
conduit permit tcp host 206.16.32.251 eq www any
conduit permit tcp host 206.16.32.251 eq 443 any
conduit permit tcp host 206.16.32.251 eq ident any
conduit permit tcp host 206.16.32.250 eq 1494 any
conduit permit tcp host 206.16.32.249 eq 1494 any
conduit permit tcp host webmack eq www any
conduit permit tcp host webmack eq ftp any
conduit permit tcp host joeblow eq ftp any
conduit permit tcp host joeblow eq www any
conduit permit tcp host 206.16.32.220 eq www any
conduit permit tcp host 206.16.32.221 eq www any
conduit permit tcp host 206.16.32.222 eq www any
conduit permit tcp host 206.16.32.223 eq www any
conduit permit tcp host 206.16.32.230 eq www any
conduit permit tcp host 206.16.32.231 eq www any
conduit permit tcp host 206.16.32.232 eq www any
conduit permit tcp host 206.16.32.233 eq www any
conduit permit tcp host 206.16.32.234 eq www any
conduit permit tcp host 206.16.32.235 eq www any
conduit permit tcp host 206.16.32.236 eq www any
conduit permit tcp host 206.16.32.237 eq www any
conduit permit tcp host 206.16.32.238 eq www any
conduit permit tcp host 206.16.32.241 eq www any
conduit permit tcp host 206.16.32.242 eq www any
conduit permit tcp host 206.16.32.243 eq www any
conduit permit tcp host 206.16.32.244 eq www any
conduit permit tcp host 206.16.32.245 eq www any
conduit permit tcp host 206.16.32.246 eq www any
conduit permit tcp host 206.16.32.247 eq www any
conduit permit tcp host 206.16.32.254 eq www any
conduit permit tcp host 206.16.32.220 eq ftp any
conduit permit tcp host 206.16.32.221 eq ftp any
conduit permit tcp host 206.16.32.222 eq ftp any
conduit permit tcp host 206.16.32.223 eq ftp any
conduit permit tcp host 206.16.32.230 eq ftp any
conduit permit tcp host 206.16.32.231 eq ftp any
conduit permit tcp host 206.16.32.232 eq ftp any
conduit permit tcp host 206.16.32.233 eq ftp any
conduit permit tcp host 206.16.32.234 eq ftp any
conduit permit tcp host 206.16.32.235 eq ftp any
conduit permit tcp host 206.16.32.236 eq ftp any
conduit permit tcp host 206.16.32.237 eq ftp any
conduit permit tcp host 206.16.32.238 eq ftp any
conduit permit tcp host 206.16.32.241 eq ftp any
conduit permit tcp host 206.16.32.242 eq ftp any
conduit permit tcp host 206.16.32.243 eq ftp any
conduit permit tcp host 206.16.32.244 eq ftp any
conduit permit tcp host 206.16.32.245 eq ftp any
conduit permit tcp host 206.16.32.246 eq ftp any
conduit permit tcp host 206.16.32.247 eq ftp any
conduit permit tcp host 206.16.32.254 eq ftp any
conduit permit tcp host 206.16.32.220 eq 443 any
conduit permit tcp host 206.16.32.221 eq 443 any
conduit permit tcp host 206.16.32.222 eq 443 any
conduit permit tcp host 206.16.32.223 eq 443 any
conduit permit tcp host 206.16.32.230 eq 443 any
conduit permit tcp host 206.16.32.231 eq 443 any
conduit permit tcp host 206.16.32.232 eq 443 any
conduit permit tcp host 206.16.32.233 eq 443 any
conduit permit tcp host 206.16.32.234 eq 443 any
conduit permit tcp host 206.16.32.235 eq 443 any
conduit permit tcp host 206.16.32.236 eq 443 any
conduit permit tcp host 206.16.32.237 eq 443 any
conduit permit tcp host 206.16.32.238 eq 443 any
conduit permit tcp host 206.16.32.241 eq 443 any
conduit permit tcp host 206.16.32.242 eq 443 any
conduit permit tcp host 206.16.32.243 eq 443 any
conduit permit tcp host 206.16.32.244 eq 443 any
conduit permit tcp host 206.16.32.245 eq 443 any
conduit permit tcp host 206.16.32.246 eq 443 any
conduit permit tcp host 206.16.32.247 eq 443 any
conduit permit tcp host 206.16.32.254 eq 443 any
route outside 0.0.0.0 0.0.0.0 206.16.32.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http x.x.x.0 255.255.255.0 outside
http x.x.x.128 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh x.x.x.x 255.255.255.0 outside
ssh x.x.x.x 255.255.255.224 outside
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxxx
: end
[OK]

What I need is a configuration change to NAT inside my network using the following IP's.

192.168.32.0/22

192.168.32.1-254 servers

192.168.33.1-254 printers

192.168.34.1-254 workstations

192.168.35.1-254 testing/wireless/ip phones/etc

Please help, I'll be tasked to give up the real IP's this coming weekend.

Thanks in advance.

8 Replies

nkhawaja
Cisco Employee

HI,

You have not specified what translated address you will be using for these IPs. Let's assume you want all these IPs to be translated to one address, that of your interface 206.16.32.10

so you will need the following lines

nat (inside) 1 192.168.32.0 255.255.252.0

global (outside) 1 interface

Also you don't have any route for this 192 network. I am assuming it is on the inside

so you need the following statement as well

route inside 192.168.32.0 255.255.252.0

Thanks

Nadeem

Hi Nadeem,

Sorry I didn't specify. The IP's I'm looking to translate for are:

206.16.32.230 - .254 (They all need to be statically mapped)

I think the command is something like:

static (inside, outside) 192.168.35.240 206.16.32.240 netmask 255.255.255.255

They should only map the following services:

ftp,www,443 (They are websites that do not use host headers)

I have never worked with PIX firewalls before so this is completely new for me. Hopefully I can add new static mappings in the future with very little effort.

Thanks in advance.

Help. I have to do this tomorrow and I'm no closer to getting this done. As I stated above, they all need to be static mappings, but is there anything else I need to consider? Can I send you my real config Nadeem? I work for a non-profit company so they won't foot the ticket for me to call Cisco and walk me through it.

I figure I just need to remove:

nat (inside) 0 access-list nonat

and add

nat (inside) 1 X.X.X.0 255.255.255.0

remove all the conduit permit entries and replace with static entries like so:

static (server,outside) tcp interface smtp X.X.X.X smtp netmask 255.255.255.255 0 0

static (server,outside) tcp interface ftp X.X.X.X smtp netmask 255.255.255.255 0 0

static (server,outside) tcp interface www X.X.X.X smtp netmask 255.255.255.255 0 0

Am I even remotely close?

HELP!

You can email me your config file (even with fake addresses) and a very detailed explanation of what you want and I will help you.

email: bobrob_6@hotmail.com

static (server,outside) tcp interface smtp X.X.X.X smtp netmask 255.255.255.255 0 0

static (server,outside) tcp interface ftp X.X.X.X smtp netmask 255.255.255.255 0 0

static (server,outside) tcp interface www X.X.X.X smtp netmask 255.255.255.255 0 0

These commands will not permit the traffic.

The first one will map any smtp traffic destined for "interface" to the smtp services on x.x.x.x

the second will map all FTP traffic destined for interface to the smtp service on x.x.x.x

You need to figure out how you want your statics to look and then you'll need access control lists to actually permit the traffic.

nat(inside) 1 192.168.1.0 255.255.255.255

global(outside) 1 208.209.3.7 255.255.255.255

This would map all traffic originating from the inside with the IP address 192.168.1.x to 208.209.3.7

If you have a server say 208.209.3.15 and you want it to host www, ftp, and ssl, you could do this:

static(inside,outside) 208.209.3.15 192.168.1.5

access-list outside-in permit tcp any host 208.209.3.15 eq www

access-list outside-in permit tcp any host 208.209.3.15 eq ftp

access-list outside-in permit tcp any host 208.209.3.15 eq ssl

access-group outside-in in interface outside

Send me your config and a detailed explanation of everything and I'll help you.

That should have been:

nat(inside) 1 192.168.1.0 255.255.255.0

global(outside) 1 208.209.3.7 255.255.255.255
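Pulling the two replies together for the original poster's own addresses, here is an added worked example (not posted by anyone in this thread) of the complete PIX 6.x change: drop the nat 0 identity translation, PAT the 192.168.32.0/22 block out of the outside interface, add one static per published server with an access list that opens only ftp, www and 443, and remove the conduits. It assumes the private range sits directly behind the inside interface, so that interface is renumbered into it; `<inside-ip>` is a placeholder, and 206.16.32.240 / 192.168.35.240 are the pair the poster used in their own static example. Note that in `static` the public (mapped) address comes first and the private (real) address second, the reverse of the order in the poster's draft.

```cisco
! Added example, not from the thread. Assumes 192.168.32.0/22 is directly
! attached to the inside interface; <inside-ip> is a placeholder.
!
! 1. Stop the identity (nat 0) translation of the old real-IP range.
no nat (inside) 0 access-list nonat
no access-list nonat permit ip 206.16.32.128 255.255.255.128 any
!
! 2. Give the inside interface an address in the new private range.
ip address inside <inside-ip> 255.255.252.0
!
! 3. PAT everything else on 192.168.32.0/22 to the outside interface address.
nat (inside) 1 192.168.32.0 255.255.252.0
global (outside) 1 interface
!
! 4. One static per server: mapped (public) address first, real (private)
!    address second. Repeat for each of 206.16.32.230 - .254.
static (inside,outside) 206.16.32.240 192.168.35.240 netmask 255.255.255.255 0 0
!
! 5. A static only creates the translation; the access list is what permits
!    the traffic. Only the three services the poster listed are opened.
access-list outside-in permit tcp any host 206.16.32.240 eq www
access-list outside-in permit tcp any host 206.16.32.240 eq ftp
access-list outside-in permit tcp any host 206.16.32.240 eq 443
access-group outside-in in interface outside
!
! 6. Remove the old conduits so the access list is the only inbound policy
!    (one shown; repeat for each conduit line, or use "clear conduit").
no conduit permit tcp host joeblow eq www any
```

Two things to check before the cut-over: `show xlate` should list the static for each published server once the change is in, and `show access-list outside-in` shows hit counts per line, which tells you whether the web and FTP traffic is actually matching. Because `access-group` ends with an implicit deny, anything the old `conduit permit icmp any any` and `conduit permit ip any x.x.x.0 255.255.255.0` lines were letting in stops at the outside interface unless you add an explicit entry for it, which is the intended effect of the migration but worth knowing before the weekend. Keep `fixup protocol ftp 21` in place so the PIX can open the FTP data connections for the statically mapped servers.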

What's your email John Mayo. I am pretty desperate. I'll have to revert back today if I don't get this fixed this a.m. You can AIM me at NetResJC or email is j.c@comcast.net or rezo247@yahoo.com

Hi,

I apologize for not getting back, I was not checking the forum recently. I think bf has already answered you properly; if you still need further assistance, feel free to send me email at nkhawaja@cisco.com

Thanks

Nadeem
