
PIX NAT

Hi

I have got a PIX firewall with outside, inside 2 subnets (192.168.128.0 255.255.252.0 & 192.168.136.0 255.255.248.0) and DMZ (192.168.132.0 255.255.254.0). Below are my configs for the same... please let me know if it is right... the inside users need to communicate with DMZ and vice versa, as well as outside. DMZ also needs to access the inside & outside users, and outside needs to communicate with inside & DMZ...

--------------

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 outstation security50

enable password cisco encrypted

passwd Infy encrypted

hostname Firewall

domain-name cisco.com

!

!

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

interface ethernet3 shutdown

interface ethernet4 shutdown

interface ethernet5 shutdown

!

ip address outside X.X.X.X 255.255.255.248

ip address inside 192.168.130.2 255.255.255.240

ip address Dmz 192.168.132.1 255.255.255.240

!

pdm history disable

arp timeout 14400

!

global (outside) 1 X.X.X.X X.X.X.X

nat (inside) 1 192.168.128.0 255.255.252.0

nat (inside) 1 192.168.136.0 255.255.248.0

nat (dmz) 1 192.168.132.0 255.255.252.0

global (dmz) 1 192.168.132.10-192.168.132.20 or instead of this line I can use the below two lines, right, for inside to DMZ?

----------------------------------------------------------------------------

static (inside,dmz) 192.168.128.0 192.168.128.0 netmask 255.255.252.0

static (inside,dmz) 192.168.136.0 192.168.136.0 netmask 255.255.248.0

----------------------------------------------------------------------------

access-group acl_in in interface outside

access-list acl_in permit ip any DMZ Web server eq 80

route outside 0.0.0.0 0.0.0.0 x.x.x.x

route inside 192.168.128.0 255.255.255.0 192.168.130.1

thanks

Nagu


Re: PIX NAT

Hello Nagu,

Please read the following document, which covers setting up a PIX with 3 interfaces with failover, a very well presented document by The SANS Org.

The document is in PDF format -

http://www.sans.org/rr/papers/21/813.pdf

Hope this helps -
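An added example, not part of either post and not Cisco's code: a small Python check that every interface name used by the `ip address`, `nat`, `global`, `static`, `access-group` and `route` lines of a PIX-style config was declared by a `nameif` line, and that every declared name is used. The sample config is constructed from a subset of the lines in the question; the function names are hypothetical and comparing names case-insensitively is an assumption.

```python
import re

# Constructed sample: a subset of the lines posted in the question.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 outstation security50
ip address outside X.X.X.X 255.255.255.248
ip address inside 192.168.130.2 255.255.255.240
ip address Dmz 192.168.132.1 255.255.255.240
nat (inside) 1 192.168.128.0 255.255.252.0
nat (dmz) 1 192.168.132.0 255.255.252.0
static (inside,dmz) 192.168.128.0 192.168.128.0 netmask 255.255.252.0
access-group acl_in in interface outside
"""

# Commands that carry interface names, with the names as capture groups.
REFERENCE_PATTERNS = [
    re.compile(r"^ip address (\S+) "),
    re.compile(r"^(?:nat|global) \(([^,)]+)\) "),
    re.compile(r"^static \(([^,)]+),([^,)]+)\) "),
    re.compile(r"^access-group \S+ in interface (\S+)"),
    re.compile(r"^route (\S+) "),
]
NAMEIF = re.compile(r"^nameif (\S+) (\S+) security(\d+)$")

def declared_interfaces(config):
    """Map each nameif name (lower-cased) to its hardware port."""
    matches = (NAMEIF.match(line.strip()) for line in config.splitlines())
    return {m.group(2).lower(): m.group(1) for m in matches if m}

def referenced_interfaces(config):
    """Yield (line_number, name) for every interface name a command uses."""
    for number, line in enumerate(config.splitlines(), start=1):
        for pattern in REFERENCE_PATTERNS:
            m = pattern.match(line.strip())
            if m:
                yield from ((number, name) for name in m.groups())

def lint(config):
    """Return (undeclared refs, unused names); case-insensitive (assumption)."""
    declared = declared_interfaces(config)
    refs = list(referenced_interfaces(config))
    undeclared = [(n, name) for n, name in refs if name.lower() not in declared]
    unused = sorted(set(declared) - {name.lower() for _, name in refs})
    return undeclared, unused

if __name__ == "__main__":
    print(lint(SAMPLE_CONFIG))
```

On the sample, the check reports the `Dmz`/`dmz` references as undeclared and `outstation` as declared but never referenced.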
