08-18-2004 05:26 PM - edited 03-09-2019 08:30 AM
I'm using a PIX 515E and I'm running into problems with static mappings/access-lists.
interface configs
interface outside 210.6.160.162 255.255.255.240 security0
interface inside 172.25.30.1 255.255.255.128 security100
global configs
nat (inside) 1 0.0
global (outside) 1 210.6.160.172-210.6.160.173 netmask 255.255.255.240
global (outside) 1 210.6.160.174 netmask 255.255.255.240
I need one host in the inside interface to get internet access and to use ftp
static (inside,outside) 210.6.160.166 172.25.30.3
I've got two mock PCs set up for testing
pc A >210.6.160.167
pc B >172.25.30.3
Basically PC B is acting as the host that needs internet/ftp.
Pls verify my configurations
-access-list 100 permit tcp any host 210.6.160.166 eq 80
-access-list 100 permit tcp any host 210.6.160.166 eq 20
-access-list 100 permit tcp any host 210.6.160.166 eq 21
-access-group 100 in interface inside
Could anyone give some pointers to test out the configs in an environment where both PCs just hold static (hardcoded) IPs?
thanks!
08-18-2004 08:04 PM
Sorry! What exactly are you looking for?
Thanks
Nadeem
08-19-2004 02:09 AM
You are applying the access-list on the wrong interface. Bind it to the outside interface instead of the inside if you want to be able to open http and ftp access to pc B from pc A. Your static will allow pc B to access the outside provided you remove the access-list from the inside interface.
It is kind of vague what you are trying to achieve though!!
08-19-2004 04:28 AM
Believe me, I am "flying blind" with this too. More so with the fact that I'm not familiar with PIX. Thus, whatever requirements have been given to me, I refrain from saying "no, it can't be done" cos I am not sure of the technology at hand.
Having said that, kindly clear my doubts.
1) Suppose I have two interfaces
interface outside 202.16.x.x 255.x.x.x security 0
interface inside 172.25.x.x 255.x.x.x security 100
Scenario 1
-I want a host that resides in the inside interface (172.25.12.3) to be able to surf the internet and use ftp as well.
My Solution
-Allow a public ip to exist for this host
>>static (inside,outside) 202.16.25.3 172.25.12.3
-Allow access-list for www and ftp
>>access-list 100 permit tcp any host 202.16.25.3 eq www
>>access-list 100 permit tcp any host 202.16.25.3 eq 20
>>access-list 100 permit tcp any host 202.16.25.3 eq 21
>>access-group 100 in interface outside
Here's the puzzling thing
-Can the PIX function as a gateway?
-How do I enable this host (172.25.12.3) to surf the web/ftp?
Scenario 2
interface inside 172.25.x.x 255.x.x.x security 100
interface e2 10.1.x.x 255.x.x.x security 50
-I need a host from "inside" to communicate with a host in the "e2" interface
Here's the other puzzling thing
-the host that resides in the e2 comes with this ip (172.26.16.1)
-Can I allow such a host to reside in the e2 interface when it has been configured for 10.1.x.x?
Are these requirements remotely achievable? Pls advise.
08-19-2004 04:56 AM
Scenario 1:
To allow the host 172.25.12.3 to surf the internet you can do two things. One is to create a static just like you did. The other way is to do a NAT using the NAT/Global statements. For now your static should suffice. You do not need the access-list applied to your outbound interface if your only requirement is to provide internet connectivity to the 172.25.12.3 host. Yes the PIX can act as a default gateway for this host.
Scenario 2:
To allow a host in the inside interface to talk to a host in the e2 interface again you can achieve it in two ways. One is to define a static of the format:
static (inside,e2) x.x.x.x x.x.x.x
Or you can use a combination of NAT/Global again.
The host residing in e2 either needs to be addressed out of the 10.1.x.x range or the PIX configured with a route so that it can reach the 172.26.x.x subnet.
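A corrected version of the original poster's Scenario 1 configuration, added here as an illustration and not taken from any post in this thread. It uses the addresses from the first post in real PIX 6.x syntax; the interface names ethernet0/ethernet1 and the upstream router address 210.6.160.161 are assumptions, and the access-list is narrowed to the test host PC A rather than "any".

```cisco
: Added example, not from the thread. Lines beginning with ":" are comments.
: Interface names (ethernet0/ethernet1) and the next hop .161 are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 210.6.160.162 255.255.255.240
ip address inside 172.25.30.1 255.255.255.128

: Default route so the PIX can forward PC B's traffic to the Internet.
: PC B (172.25.30.3) uses the PIX inside address 172.25.30.1 as its gateway.
route outside 0.0.0.0 0.0.0.0 210.6.160.161 1

: Outbound PAT/NAT for the rest of the inside network, as in the first post.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 210.6.160.172-210.6.160.173 netmask 255.255.255.240
global (outside) 1 210.6.160.174 netmask 255.255.255.240

: One-to-one static for PC B. Traffic from inside (security 100) to outside
: (security 0) is permitted by the security levels, so no access-list is
: needed on the inside interface for PC B to browse or use FTP.
static (inside,outside) 210.6.160.166 172.25.30.3 netmask 255.255.255.255

: Traffic from outside to inside is denied by default. This access-list
: opens only HTTP and FTP control to PC B's public address, and only from
: the test host PC A (210.6.160.167) rather than from "any".
access-list 100 permit tcp host 210.6.160.167 host 210.6.160.166 eq www
access-list 100 permit tcp host 210.6.160.167 host 210.6.160.166 eq ftp

: Bound on the OUTSIDE interface; the original post bound it on inside,
: which filtered PC B's own outbound traffic instead of inbound traffic.
access-group 100 in interface outside

: The FTP fixup (on by default) follows the control channel and opens the
: data connection dynamically, so no separate "eq 20" entry is required.
fixup protocol ftp 21
```

To test with the two hardcoded PCs, point PC B's default gateway at 172.25.30.1 and PC A's at 210.6.160.162, then run "show xlate" and "show conn" on the PIX to confirm the static translation and the permitted connections appear.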