Pix 501 (or any) internet access

bwgray
Level 1

Hi Everyone,

I am trying to allow internet access to the users on the inside interface on my pix. To do so I have done a couple of things:

1) Configured a global statement with pool range

2) Configured the nat statement for all users to nat out using the global range.

From there I have to allow web traffic back in to my internal hosts. So I have tried to configure an access list:

access-list aclin permit tcp any any eq www

access-group aclin in interface outside

*This should allow web traffic in no?

I have verified all of my nat translations are functioning as they should. As well I can ping from the firewall out to the sites and back again; so I feel it's in my acl.

What am I missing here?

16 Replies

jmia
Level 7

Can you post your config please - take out any sensitive info.

Jay

Here's the relevant stuff (I'm in the process of modifying the actual config)

Pix Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

ip address outside dhcp setroute

dhcpd auto_config outside

nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0

global (outside) 1 214.220.70.160-214.220.70.170 netmask 255.255.255.128

ip address inside 10.0.0.1 255.255.255.0

This is the main part - let me know if you need more.

I am just trying to put the acl on it...

Hi

Access from inside to outside will work fine with your current config...

In order for you to allow web traffic inside you need to create the static NAT (outside address & inside host)

You need to change the NAT Statements to below:

nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0

global (outside) 1 214.220.70.160-214.220.70.168 netmask 255.255.255.128

global (outside) 1 214.220.70.169

static (inside,outside) 214.220.70.170 inside_host_ip netmask 255.255.255.128

access-list aclin permit tcp any host 214.220.70.170 eq www

access-group aclin in interface outside

Let me know if you have any questions...

Regards,

MD

Fascinating, thank you.

I guess I misunderstood how to configure this before, as I assumed that I only needed to use a static command if I wanted the outside world to have access to a web server, FTP server, etc. *I did not realize it was also for web access.

So, my next question: with your static command, can I replace the inside_host_ip with a network (i.e. all hosts inside) by stating:

static (inside,outside) 214.220.70.170 10.0.0.0 255.255.255.0

Thanks for your help, most appreciated.

BWG

This would translate the whole network 214.220.70.170/24 to 10.0.0.0/24, a little bit unusual but possible.

Usually you allow access from one public IP to one inside private IP. Let's say you have 214.220.70.171 for a web server that has private IP 10.0.0.171, and 214.220.70.172 to 10.0.0.172 for FTP.

example config:

static (inside,outside) 214.220.70.171 10.0.0.171 255.255.255.255

static (inside,outside) 214.220.70.172 10.0.0.172 255.255.255.255

access-list aclin permit tcp any host 214.220.70.171 eq http

access-list aclin permit tcp any host 214.220.70.172 eq ftp

access-group aclin in interface outside

Ok,

Thankfully I do understand what you're saying here, but my ultimate goal is just to have the inside hosts access the internet.

From further reading I see that I must use a static command to permit the lower security interface to allow the web traffic back in. But I guess I'm confused on the point of having to add a single entry per host that has to access the web. Can anyone point me in a direction to help clarify? *This does not make sense to me, just to enable NAT?

Currently the pix is set up - with the aid of PDM - to use PAT instead; all internal hosts are just using the global IP.

Thanks for all of your feedback too; most appreciated.

BWG

You are talking about traffic from your inside network going outside to the Internet, right?

example with a fixed public IP:

ip address outside YOUR-PUB-IP YOUR-PUB-SubnetMASK

ip address inside 192.168.1.1 255.255.255.0

global (outside) 1 interface

# this will take the outside IP for PAT

nat (inside) 1 192.168.1.0 255.255.255.0

# All hosts from 192.168.1.0/24 are permitted for PAT

route outside 0.0.0.0 0.0.0.0 Gateway 1

in your case:

global (outside) 1 214.220.70.169

# Port address translation

global (outside) 1 214.220.70.160-214.220.70.168 netmask 255.255.255.128

# Network Address Translation for 19 IPs; after all addresses are used, PAT will be used for the other hosts in the inside network.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

# Permits any host and network on the inside interface to have PAT or NAT (definition 1) for the Internet.

This is all you need.

If you do not have an access-list on the inside interface then all traffic to the lower security level interfaces is permitted. You just need an access-list to permit traffic flow from a lower to a higher level interface, for example from outside to dmz or inside.

What do you mean exactly with "Configured a global statement with pool range"?

Do you mean that:

global (outside) 1 214.220.70.129

# Port address translation

global (outside) 2 214.220.70.192 netmask 255.255.255.192

# Network Address Translation (NAT) for 64 IPs

nat (inside) 1 192.168.1.0 255.255.255.128

nat (inside) 1 192.168.1.128 255.255.255.192

nat (inside) 2 192.168.1.192 255.255.255.192

See also:

Establishing Connectivity

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1112345

PIX 500 Series Firewalls

http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX

sincerely

Patrick

I think you've got confused with some of the answers. I'll try to give a fairly short answer without complicating it with the actual config:

To allow internal users to access the web, all you need is a NAT and global statement as you had in the first place. You need to look elsewhere for your problem.

You don't need static statements unless you want to allow sessions initiated from the outside to inside.

You also don't need an access list on the outside interface to allow internal users to browse the web.

The pix is a stateful firewall - If your session is initiated from the inside, it is entered in to a state table, which keeps a record of outgoing traffic so that the corresponding return traffic can be allowed back in.

Phew.

Ok so I do understand the correct setup for Nat & Pat.

But to allow web traffic back in I do need an access-list to let the www traffic back in, don't I? I understand that I need nothing in place to allow traffic from a higher security to a lower security interface, but I was under the impression that to allow the web traffic back in I need to put an access list or conduit in place.

Thanks for all your help. I am going to write the CSPFA exam shortly and this really does help.

Thanks,

BWG

Concepts of a Firewall !

A stateful firewall is a firewall that has a connection state table. If a host is allowed to go from the inside to the Internet then the PIX Firewall will allow the returning packet from the web server, for example.

There are stateful tables for all tcp and udp connections. ICMP is the only exclusion and is not stateful on the PIX.

You do not have to allow the returning packet !

It is as if the PIX controls and allows the first packet (SYN) of the 3-way handshake and then checks whether the reply (SYN ACK) corresponds with its connection table.

Does this answer your question?

sincerely

Patrick
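Putting Patrick's two points together (the pool-then-PAT global definitions in his earlier reply and the connection table described here), below is an added Python model of that behaviour; it is not code from the thread or from Cisco. It assumes the thread's addresses (pool 214.220.70.160-168, PAT on .169, a static for a hypothetical inside host 10.0.0.170 on .170 with the www ACL) and a constructed outside web server 198.51.100.7.

```python
# Constructed model (not Cisco code) of the PIX behaviour described in the thread:
# outbound sessions get an xlate from the NAT pool (global 1 range), fall back to
# PAT on the single global address once the pool is used up, and are recorded in
# the conn table; inbound packets are accepted only as return traffic of a known
# tcp/udp conn, or when they hit a static translation that the outside ACL permits.
# ICMP is modelled as not stateful, as the post says for this PIX version.
POOL = [f"214.220.70.{i}" for i in range(160, 169)]  # global (outside) 1 160-168
PAT_ADDR = "214.220.70.169"                          # global (outside) 1 single IP
STATICS = {"214.220.70.170": "10.0.0.170"}           # static (inside,outside), assumed host
ACL_IN = {("tcp", "214.220.70.170", 80)}             # access-list aclin ... eq www


class Pix:
    def __init__(self):
        self.xlate = {}        # inside ip -> global ip
        self.conns = set()     # (proto, global ip, global port, remote ip, remote port)
        self.free_pool = list(POOL)
        self.next_pat_port = 1024

    def outbound(self, proto, src, sport, dst, dport):
        """Inside -> outside needs no ACL; allocate an xlate and record the conn."""
        if src not in self.xlate:
            # one-to-one NAT while pool addresses remain, otherwise PAT
            self.xlate[src] = self.free_pool.pop(0) if self.free_pool else PAT_ADDR
        gip = self.xlate[src]
        if gip == PAT_ADDR:
            gport, self.next_pat_port = self.next_pat_port, self.next_pat_port + 1
        else:
            gport = sport
        if proto in ("tcp", "udp"):   # only these build state on this PIX
            self.conns.add((proto, gip, gport, dst, dport))
        return gip, gport

    def inbound(self, proto, src, sport, dst, dport):
        """Outside -> inside: return traffic of a known conn, or a static + ACL hit."""
        if (proto, dst, dport, src, sport) in self.conns:
            return "allowed: matches conn table"
        if dst in STATICS and (proto, dst, dport) in ACL_IN:
            return f"allowed: static + acl to {STATICS[dst]}"
        return "denied"
```

Running the model with nine hosts fills the pool, so the tenth host is PATed on .169; the reply to an outbound TCP session is accepted without any ACL, while an unsolicited packet to a pool address or a non-www port on the static is denied.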

Thanks for your reply; all is clear - it's what I thought in the first place.

So if I want to allow a group of hosts, on the inside interface, access to the internet:

global (outside) 1 210.220.70.180-210.220.70.189 netmask 255.255.255.128

nat (inside) 1 0 0

*This is what I believe should work, yes? It works with PAT, but not NAT.

If I remove the global line and change it to its outside interface:

global (outside) 1 interface

it works fine - internet a gogo. :)

When I put in my global pool above I can see that it translates the inside to the outside IPs specified, but there it stops. *It won't even allow me to ping after that...

Thoughts?

When you use your pool of addresses, the xlates and conns are built but you can't get anywhere, is that right?

sh xlate

sh conn

If that's the case then your ISP is most likely not routing that block of IPs to you correctly, or at all.

Daniel

This good discussion is very useful to me also. I want to ask a simple question (hope so):

Is it secure when doing this?

global (outside) 10 interface

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

Because this seems to allow all inside users to go out... as yesterday 3 staff PCs at my other branch were infected with the W32.Bropia worm spread via MSN Messenger, what weak security I'm doing... ;)

Like what he's saying... when I add a global pool, everything stops!

Thanks

(still trying 100% to manage this firewall)

Tonny

Hi Tonny,

It is secure as it's translating all your internal hosts to the outside interface address (PAT).

As for the messenger problem, you could specifically block messenger from running with an ACL - but I'm not sure which ports you would block off hand.
