PIX 501 NAT Configuration
08-21-2003 11:54 AM - edited 02-20-2020 10:56 PM
Our ISP has supplied us with a Cisco router that is configured to forward email messages to the exchange server on our network. I called and told them that I am adding a firewall and they told me that they need to disable NAT on their router and that the firewall will need to be configured to handle this. Below is the configuration of the router. How do I enable the firewall so that it will forward the messages to the exchange server once the NAT is disabled on the router? I have read through the configuration guide and I can't figure out how to set this up. Thanks.
Current configuration for ISP's Cisco Router
ip subnet-zero
ip name-server 220.111.141.46
ip name-server 220.111.141.78
ip name-server 220.111.141.110
!
ip dhcp pool lan1
dns-server 76.153.243.48 76.153.243.49
!
!
!
!
interface Serial0
ip address xx.xx.xxx.155 255.255.255.252
no ip directed-broadcast
ip nat outside
encapsulation ppp
no fair-queue
service-module t1 timeslots 13-24
!
interface FastEthernet0
ip address xx.xx.xx.54 255.255.255.248 secondary
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
ip nat inside source list 1 interface Serial0 overload
ip nat inside source static tcp 192.168.1.17 25 76.154.186.55 25 extendable
ip nat inside source static tcp 192.168.1.17 110 76.154.186.55 110 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 76.154.116.150
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
Current configuration for PIX Firewall
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxx encrypted
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 76.154.186.56 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.1 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end
08-21-2003 01:24 PM
Will adding these lines work?
static (outside,inside) 192.168.1.17 76.154.186.55 netmask 255.255.255.255 0 0
static (inside,outside) 76.154.186.55 192.168.1.17 netmask 255.255.255.255 0 0
08-21-2003 01:27 PM
This should do the trick...
static (inside,outside) 76.154.186.55 192.168.1.17 netmask 255.255.255.255 1000 500
!
access-list outside_in permit tcp any host 76.154.186.55 eq smtp
!
access-group outside_in in interface outside
If you have remote users that pop in to get their mail, you're going to need this line also.
access-list outside_in permit tcp any host 76.154.186.55 eq pop3
Hope that helps.
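An added illustration, not part of the thread: a small Python model of the two PIX 6.3 conditions the answer relies on. On the PIX, the static alone only creates the translation; unsolicited outside-to-inside traffic is still dropped until an access-list bound to the outside interface permits it, and anything not listed (here, pop3 until its line is added) stays closed. The config excerpts are constructed from the lines quoted in the thread, and the `inbound_allowed` helper is mine.

```python
import re

# Constructed excerpt of the questioner's PIX 6.3 config: only the lines that
# decide whether an unsolicited inbound connection is translated and permitted.
PIX_BEFORE = """\
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
# The same excerpt with the answer's three lines appended.
PIX_AFTER = PIX_BEFORE + """\
static (inside,outside) 76.154.186.55 192.168.1.17 netmask 255.255.255.255 1000 500
access-list outside_in permit tcp any host 76.154.186.55 eq smtp
access-group outside_in in interface outside
"""

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "https": 443}
# PIX 6.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\w+) (any|host \S+) (any|host \S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

def _host_matches(spec, ip):
    """'any' matches everything; 'host X' matches only that exact address."""
    return spec == "any" or spec == f"host {ip}"

def inbound_allowed(config, dst_ip, dst_port, proto="tcp", src_ip=None):
    """Return (real_ip, reason). real_ip is set only when outside->inside traffic
    to dst_ip:dst_port is both translated by a static and permitted by the
    access-list bound to the outside interface (first matching entry wins)."""
    lines = [l.strip() for l in config.splitlines()]
    statics = [m.groups() for l in lines if (m := STATIC_RE.match(l))]
    real = next((r for rif, mif, mapped, r in statics
                 if (rif, mif) == ("inside", "outside") and mapped == dst_ip), None)
    if real is None:
        return None, f"no static translation for {dst_ip}: PIX drops unsolicited inbound"
    groups = {m.group(2): m.group(1) for l in lines if (m := GROUP_RE.match(l))}
    if "outside" not in groups:
        return None, "no access-group on outside: lower->higher security is denied by default"
    for l in lines:
        m = ACL_RE.match(l)
        if not m or m.group(1) != groups["outside"]:
            continue
        name, action, p, src, dst, port = m.groups()
        port_num = PORT_NAMES.get(port) or (int(port) if port.isdigit() else None)
        if p == proto and _host_matches(src, src_ip) and _host_matches(dst, dst_ip) \
                and port_num == dst_port:
            if action == "permit":
                return real, f"permitted by {name}, translated to {real}"
            return None, f"explicitly denied by {name}"
    return None, f"no matching permit in {groups['outside']}: implicit deny"
```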
