No Nat

w.johnson
Level 1

We currently are using a CISCO 905 cable modem router for Internet access as well as access to our corporate WAN. I am trying to add a CISCO PIX 515E firewall without much success. We are already using NAT on the 905 router so I don't want to use it again on the 515E. Also I have some static routes set up on the 905 to an SQL server on the inside.

Here is some of the config for the 905.

interface Loopback1
 ip address 66.190.112.55 255.255.255.255
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
!
interface cable-modem0
 ip address docsis
 ip nat outside
 no ip mroute-cache
 no cable-modem compliant bridge
 cable-modem boot admin 2
 cable-modem boot oper 5
 crypto map chtr
!
ip nat inside source route-map nonat interface Loopback1 overload
ip nat inside source static udp 192.168.1.211 1433 66.190.112.55 1433 extendable
ip nat inside source static tcp 192.168.1.211 1433 66.190.112.55 1433 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 10.157.0.1
ip route 0.0.0.0 0.0.0.0 10.157.144.1
no ip http server
no ip http cable-monitor
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.92.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.94.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.236.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.93.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.92.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.94.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.236.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.93.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 102

Can I set up the PIX 515E to work in this environment without renumbering the inside network and without doing much to the cable-modem router besides changing the Ethernet IP address?

The current *incomplete* config on the pix is as follows.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.2 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm drop
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 192.168.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
terminal width 80

Thanks

Warren Johnson
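One thing worth verifying before the PIX goes in path is that the 905's NAT exemption still lines up with the VPN. The route-map "nonat" translates only what access-list 102 permits, so every subnet the crypto map treats as interesting traffic has to be denied by 102, or that traffic leaves sourced from Loopback1 and never enters the tunnel. The following is an added Python example, not code from the thread or from Cisco; it assumes that access-list 101 is the interesting-traffic ACL behind "crypto map chtr" (the post does not say so explicitly) and that 102 is the only ACL the route-map matches. The ACE lines are copied from the posted config; the parser, the probe addresses and the helper names are constructed for this example.

```python
"""
Added example (not part of the original thread): consistency checks for the
905's NAT-exemption logic (route-map "nonat" / access-list 102) against the
crypto-interesting traffic assumed to be defined by access-list 101.

Assumptions (labelled): ACL 101 is the ACL behind "crypto map chtr" and
ACL 102 is the one matched by route-map nonat, so every flow 101 permits
must be DENIED by 102 (denied by 102 == not translated).  ACL_TEXT is
copied from the posted config; everything else here is constructed.
"""
import ipaddress

# Constructed sample input: the two ACLs exactly as pasted in the question.
ACL_TEXT = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.92.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.94.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.236.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.93.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.92.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.94.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.236.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.93.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
"""


def _network(tokens):
    """Consume one IOS address spec ("any", "host A", or "A WILDCARD")."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    # IOS wildcard masks are inverted netmasks; only contiguous ones map to a prefix.
    if (wildcard + 1) & wildcard:
        raise ValueError(f"non-contiguous wildcard for {tok}")
    host_bits = (wildcard + 1).bit_length() - 1
    return ipaddress.ip_network(f"{tok}/{32 - host_bits}", strict=False)


def parse_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        if proto != "ip":  # the posted ACLs only use "ip"; refuse anything else
            raise ValueError(f"unsupported protocol in ACE: {line}")
        rest = tokens[4:]
        src, dst = _network(rest), _network(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def acl_action(aces, src_ip, dst_ip):
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in aces:
        if s in src and d in dst:
            return action
    return "deny"


def is_translated(acls, src_ip, dst_ip):
    """With 'ip nat inside source route-map nonat ...', a packet is NATed only
    when route-map nonat matches it, i.e. when ACL 102 permits it."""
    return acl_action(acls["102"], src_ip, dst_ip) == "permit"


def exemption_gaps(acls):
    """Crypto ACEs (ACL 101 permits) whose traffic ACL 102 would still NAT.
    Any entry here means that VPN-bound traffic leaves with the Loopback1
    address and no longer matches the tunnel's interesting-traffic definition."""
    gaps = []
    for action, src, dst in acls["101"]:
        if action != "permit":
            continue
        # Probe with the first usable host on each side of the ACE.
        if is_translated(acls, str(src[1]), str(dst[1])):
            gaps.append((str(src), str(dst)))
    return gaps


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    # 203.0.113.10 is a constructed Internet destination (documentation range).
    print("NAT applied 192.168.1.50 -> 203.0.113.10:", is_translated(acls, "192.168.1.50", "203.0.113.10"))
    print("NAT applied 192.168.1.50 -> 10.2.3.4:", is_translated(acls, "192.168.1.50", "10.2.3.4"))
    print("crypto ACEs that would still be NATed:", exemption_gaps(acls))
```

On the posted config the gap list is empty, since the eight deny lines in 102 mirror the eight permits in 101. Deleting any one deny from 102 (or adding a subnet to 101 without its twin in 102) makes that ACE show up in the output, which is exactly the kind of drift that silently breaks a tunnel after an ACL edit.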

2 Replies

a-vazquez
Level 6

I am keen on knowing if you were able to figure a way out. I too am looking at deploying something similar.

gfullage
Cisco Employee

Try the following:

- change the IP address on e0 of the 905 to 192.168.2.1

- add "ip route 192.168.1.0 255.255.255.0 192.168.2.2" in the 905

That should get you going. If you have trouble with outbound connectivity, you could remove the nat 0 statement and try:

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

clear xlate

and see how that goes. This might be better anyway if you need SQL traffic to originate from the Internet to come into your SQL server.