topic PIX Firewall Config Setup( Static & NAT) in Network Security

PIX Firewall Config Setup( Static & NAT)

balakrishnansenthil — Tue, 12 Mar 2019 00:32:31 GMT

Hi Team,

We have 5 servers ( AD,Emailserver,SAP & 2 application servers).

As per customer request i have to public those servers through internet because customer want to access from his office(remote).

The five servers already connected with switch.

Currently i am holding PIX firewall, How to config static and nat (one to one)?

Current Config Details :

--------------------------------

interface Ethernet0

nameif outside

security-level 0

ip address <Public Ip address> 255.255.255.240

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.235.1 255.255.248.0

interface Ethernet2

nameif dmz-network

security-level 50

no ip address

object-group icmp-type ping-group

description ping-group

icmp-object alternate-address

icmp-object conversion-error

icmp-object echo

icmp-object echo-reply

icmp-object information-reply

icmp-object information-request

icmp-object mask-reply

icmp-object mask-request

icmp-object mobile-redirect

icmp-object parameter-problem

icmp-object redirect

icmp-object router-advertisement

icmp-object router-solicitation

icmp-object source-quench

icmp-object time-exceeded

icmp-object timestamp-reply

icmp-object timestamp-request

icmp-object traceroute

icmp-object unreachable

object-group service HOD_Access tcp

port-object eq ftp

port-object eq ftp-data

port-object eq www

port-object eq https

port-object eq 12333

port-object eq 992

port-object eq 2001

port-object eq 1023

port-object eq 12343

port-object eq 8989

port-object eq 12323

port-object eq 449

port-object eq 3270

port-object eq telnet

port-object eq 8999

port-object eq 12324

port-object eq 10024

port-object eq 10025

port-object eq 10027

access-list inside_access_in extended permit udp any any

access-list inside_access_in extended permit icmp any any object-group ping-group

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit icmp any any object-group ping-group

access-list outside_access_in extended permit tcp any any object-group HOD_Access

global (outside) 101 interface

nat (inside) 101 0.0.0.0 0.0.0.0

static (inside,dmz-network) 192.168.28.11 10.142.1.11 netmask 255.255.255.255 ---- Wrong(old config)

static (inside,dmz-network) 192.168.28.105 10.142.1.15 netmask 255.255.255.255------ Wrong(old config)

static (inside,dmz-network) dr-inside-network dr-inside-network netmask 255.255.248.0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 <public ip address same outside interface ip> 1

Server Ip address Details:

---------------------------------------

192.168.235.35

192.168.235.136

192.168.235.37

192.168.235.42

192.168.235.62

Please try to help me to config correctly........

PIX Firewall Config Setup( Static & NAT)

julomban — Wed, 05 Dec 2012 20:00:35 GMT

Hello Senthilkumar,

The following command maps an inside IP address (192.168.235.35) to an outside IP address (x.x.x.x):

hostname(config)# static (inside,outside) x.x.x.x 192.168.235.35 netmask 255.255.255.255

The static command maps addresses x.x.x.x to local addresses 192.168.235.35

This is a one to one translation and you cannot mapped any other private IP address to the same public IP.

If your plan is to use the same public IP for 5 internal users you can do only if they connect inbound on different ports.

Example:

hostname(config)# static (inside,outside) tcp x.x.x.x 80 192.168.235.35 80 netmask 255.255.255.255

hostname(config)# static (inside,outside) tcp x.x.x.x 25 192.168.235.136 25 netmask 255.255.255.255

hostname(config)# static (inside,outside) tcp x.x.x.x 443 192.168.235.37 443 netmask 255.255.255.255

If you are trying to use the same port for all of them you need to assing 5 public IP address and create one to one translation as the first example I gave you.

I hope this is clear.

Regards,

Juan Lombana

Please rate helpful posts.

Re: PIX Firewall Config Setup( Static & NAT)

balakrishnansenthil — Thu, 06 Dec 2012 13:57:22 GMT

Now i changed to ASA firewall........ sorry Customer need SSL connection from his remote location.

I want to access internet from customer server.....

i done all the interface config... and default route also done other then that anything i have to do for internet access from customer server.

I can reach internet from firewall but from customer server i can't able to reach...

Thanks

I have to do any nating for this ASA firewall pleas tell me ASAP...

PIX Firewall Config Setup( Static & NAT)

julomban — Thu, 06 Dec 2012 14:00:38 GMT

Hello Senthilkumar,

Did you configure NAT as well? Please share a show run output from your ASA. Also, make sure it is not a DNS problem on the internal server.

Regards,

Juan Lombana

Please rate helpful posts.