09-13-2004 10:20 AM - edited 02-20-2020 11:37 PM
Hi Guys,
How are you?
I have some problems with the PIX 506E NAT configuration. I saw that to allow traffic from a lower security interface to a higher security interface I need to create a STATIC NAT entry or use a NAT EXEMPTION based on an ACL. But I have some doubts about the process, and I need all outside hosts that I permit in the ACL to be able to communicate with inside hosts without an initial communication INSIDE -> OUTSIDE. What is the best way to do this?
The PIX configuration is below:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
........
names
name 10.122.0.0 Corporativa
name 10.122.0.1 Roteador_SP
name 10.122.0.103 Serv_Corp
name 10.4.5.50 PDC01
name 10.4.5.151 PBS01
name 10.4.5.150 BDC01
name 10.4.5.49 IMP
name 10.4.5.11 SA1
name 10.4.5.190 IMP2
name 10.1.1.251 CBP1
name 10.1.1.206 CSP1
object-group network SERV
description GRUPO DE SERVIDORES
network-object PDC01 255.255.255.255
network-object BDC01 255.255.255.255
network-object PBS01 255.255.255.255
network-object SA1 255.255.255.255
object-group network IMPRESSORAS
description GRUPO DE IMPRESSORAS
network-object IMP 255.255.255.255
network-object IMP2 255.255.255.255
object-group network SAP
description Grupo de Servidores SAP
network-object CSP1 255.255.255.255
network-object CBP1 255.255.255.255
access-list outside_access_in permit ip host Roteador_SP 10.4.0.0 255.255.0.0
access-list outside_access_in permit ip host Serv_Corp 10.4.0.0 255.255.0.0
access-list outside_access_in permit ip Corporativa 255.255.0.0 object-group SERVIDORES
access-list outside_access_in permit ip Corporativa 255.255.0.0 object-group IMPRESSORAS
access-list outside_access_in permit ip object-group SAP 10.4.0.0 255.255.0.0
........
ip address outside 10.122.0.251 255.255.0.0
ip address inside 10.4.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location PDC01 255.255.255.255 inside
pdm location BDC01 255.255.255.255 inside
pdm location Corporativa 255.255.0.0 outside
pdm location Roteador_SP 255.255.255.255 outside
pdm location Serv_Corp 255.255.255.255 outside
pdm location SA1 255.255.255.255 inside
pdm location IMP 255.255.255.255 inside
pdm location PBS01 255.255.255.255 inside
pdm location IMP2 255.255.255.255 inside
pdm location CSP1 255.255.255.255 outside
pdm location CBP1 255.255.255.255 outside
pdm group SERVIDORES inside
pdm group IMPRESSORAS inside
pdm group SAP outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 Roteador_SP 1
timeout xlate 0:05:00
...........
http server enable
http 10.4.0.0 255.255.0.0 inside
09-13-2004 11:11 AM
Hey there -
Looks like you have set up the translation from the inside --> outside. But you are right, this only permits established traffic back to the inside.
In order to let hosts from the outside access your hosts on the inside, you need to setup some Static Translations.
The syntax of the command is static (inside, outside) OUTSIDE-IP INSIDE-IP netmask MASK
The OUTSIDE-IP should be the address you want the hosts on the Outside of the firewall to connect to while the INSIDE-IP will be the hosts inside address. These addresses could be the same or different, depending on your network.
You can do this from the command line or from PDM.
Here's a link to the command reference guide:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694
Please let us know if this helps and if you have any other questions.
thanks
peter
09-13-2004 11:24 AM
To communicate from outside (internet) to an inside host you need:
1.) An access-list that permits talking from a lower security level to a higher security level. Usually from the outside to the inside or DMZ interface.
2.) As the inside addresses are usually private addresses, 10.x.x.x/172.16.x.x/192.168.x.x, you need a static NAT to translate from private to public IP addressing. If your IPs are routable or you are doing your NAT on another interface, you do not need a STATIC.
syntax example:
access-list outside_access_in permit tcp any host Public-www-IP eq http
access-list outside_access_in permit tcp host YourPartner-Public host YourPublicIP eq xxx
static (inside,outside) YourPublicIP YourPrivateIP netmask 255.255.255.255 0 0
# This translates from a public to a private IP
check this link:
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/examples.htm#34386
sincerely
Patrick
09-14-2004 04:58 PM
Hi Buddies!
I solved the problem! Thanks for the help!
I used a NAT exemption for the subnet 10.4.0.0 and it works very well!
nat (inside) 0 10.4.0.0 255.255.0.0
:D
Thanks!
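The two answers above describe the same rule in different words: an outside-initiated packet gets into the inside network only if the PIX has a usable translation for the destination (a `static`, or the identity translation that `nat (inside) 0` provides) and the ACL bound to the outside interface permits it. The following Python model, added here as an illustration and not code from the thread or from Cisco, encodes that rule and runs it against the poster's final exemption setup and against the `static` alternative from the replies. Host names and the 10.122.0.0/16 and 10.4.0.0/16 networks come from the posted config; the mapped address 10.122.0.60, the outside host 10.122.0.77 and TCP port 445 are constructed for the example. A dynamic `nat`/`global` pair is deliberately not modelled, because it only builds translations for inside-initiated flows, which is exactly why it does not solve the poster's problem.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: IPv4Address
    dst: IPv4Address             # destination as it appears on the outside wire
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network             # on PIX 6.3 the outside ACL sees the mapped (outside) address
    dport: Optional[int] = None  # None means any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if pkt.src not in self.src or pkt.dst not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.dport


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str                  # "permitted", "no translation" or "denied by ACL"
    inside_ip: Optional[IPv4Address] = None


@dataclass
class Pix:
    statics: Dict[IPv4Address, IPv4Address]  # static (inside,outside) OUTSIDE-IP INSIDE-IP
    exempt: List[IPv4Network]                # nat (inside) 0 NET MASK: identity translation
    acl: List[AclEntry]                      # access-group outside_access_in in interface outside

    def untranslate(self, outside_ip: IPv4Address) -> Optional[IPv4Address]:
        """Map an outside destination to the real inside host, or None when no
        translation can serve an outside-initiated packet."""
        if outside_ip in self.statics:
            return self.statics[outside_ip]        # fixed mapping from a static
        if any(outside_ip in net for net in self.exempt):
            return outside_ip                      # nat 0 keeps the real address
        return None

    def inbound(self, pkt: Packet) -> Decision:
        """Both conditions from the thread must hold: a usable translation and an
        ACL permit. The real PIX orders these checks its own way; only the
        combined outcome is modelled here."""
        inside_ip = self.untranslate(pkt.dst)
        if inside_ip is None:
            return Decision(False, "no translation")
        for entry in self.acl:
            if entry.matches(pkt):
                if entry.action == "permit":
                    return Decision(True, "permitted", inside_ip)
                return Decision(False, "denied by ACL")
        return Decision(False, "denied by ACL")    # implicit deny at the end of every ACL


def host(ip: IPv4Address) -> IPv4Network:
    return ip_network(f"{ip}/32")


# Names from the thread; MAPPED_PDC01 is a constructed mapped address for the static variant.
CORPORATIVA = ip_network("10.122.0.0/16")
INSIDE_NET = ip_network("10.4.0.0/16")
ROTEADOR_SP = ip_address("10.122.0.1")
PDC01 = ip_address("10.4.5.50")
MAPPED_PDC01 = ip_address("10.122.0.60")


def exemption_config() -> Pix:
    """The poster's final answer: nat (inside) 0 10.4.0.0 255.255.0.0 plus outside_access_in."""
    return Pix(
        statics={},
        exempt=[INSIDE_NET],
        acl=[
            AclEntry("permit", "ip", host(ROTEADOR_SP), INSIDE_NET),
            AclEntry("permit", "ip", CORPORATIVA, host(PDC01)),
        ],
    )


def static_config() -> Pix:
    """The replies' alternative: static (inside,outside) 10.122.0.60 10.4.5.50 netmask
    255.255.255.255, with the ACL written against the mapped address and one TCP port."""
    return Pix(
        statics={MAPPED_PDC01: PDC01},
        exempt=[],
        acl=[AclEntry("permit", "tcp", CORPORATIVA, host(MAPPED_PDC01), 445)],
    )


if __name__ == "__main__":
    corp_host = ip_address("10.122.0.77")   # constructed outside host inside Corporativa
    cases = [
        ("nat 0, Corporativa -> PDC01", exemption_config(), Packet("tcp", corp_host, PDC01, 445)),
        ("nat 0, unknown src -> PDC01", exemption_config(), Packet("tcp", ip_address("192.0.2.9"), PDC01, 445)),
        ("static, Corporativa -> mapped", static_config(), Packet("tcp", corp_host, MAPPED_PDC01, 445)),
        ("static, Corporativa -> real", static_config(), Packet("tcp", corp_host, PDC01, 445)),
    ]
    for label, pix, pkt in cases:
        print(f"{label:32} {pix.inbound(pkt)}")
```

The fourth case is the one that trips people up when they move from an exemption to a static: with `nat 0` the outside hosts address the real 10.4.x.x addresses, but with a `static` they must address the mapped OUTSIDE-IP, and on PIX 6.3 the outside ACL must name that mapped address as well. Dropping all translations (an empty `statics` and `exempt`) makes every inbound packet fail with "no translation" regardless of the ACL, which is the situation the original question describes.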