cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
581
Views
0
Helpful
2
Replies

PIX501 NAT & PAT

burman
Level 1
Level 1

I am trying to configure a PIX501 to respond on 2-4 different IP addresses on the outside. The idea is to have a mailserver and a webserver on 192.168.1.2

and a DNS and a webserver on 192.168.1.3. To accomplish this two "outside addresses" are used, lets call them a.b.c.2 & a.b.c.3.

I want to do NAT and PAT to accomplish the following:

a.b.c.2 port 80 -> 192.168.0.3 port 80

a.b.c.3 port 80 -> 192.168.0.2 port 80

a.b.c.2 port 25 -> 192.168.0.2 port 25

a.b.c.2 DNS -> 192.168.0.3 DNS

The following is my configuration file (wich doesn't work):

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname pixfirewall

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

fixup protocol smtp 25

names

pager lines 24

logging on

logging monitor alerts

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside a.b.c.6 255.255.255.248

ip address inside 192.168.0.1 255.255.255.0

route outside 0 0 a.b.c.1 1

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 a.b.c.10-a.b.c.12

nat (inside) 1 0 0

static (inside, outside) tcp a.b.c.2 80 192.168.0.3 80

static (inside, outside) tcp a.b.c.2 domain 192.168.0.3 domain

static (inside, outside) udp a.b.c.2 domain 192.168.0.3 domain

static (inside, outside) tcp a.b.c.2 25 192.168.0.2 25

static (inside, outside) tcp a.b.c.2 143 192.168.0.2 143

static (inside, outside) tcp a.b.c.2 135 192.168.0.2 135

static (inside, outside) tcp a.b.c.3 80 192.168.0.2 80

static (inside, outside) tcp a.b.c.3 443 192.168.0.2 443

access-list 100 permit icmp any any

access-list 100 permit tcp any any

access-list 100 permit udp any any

access-list 101 permit icmp any any

access-list 101 permit tcp any any

access-list 101 permit udp any any

access-group 100 in interface inside

access-group 101 in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00

timeout sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

no floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

The above configuration does not work. However if I

direct with the following commands:

static (inside, outside) a.b.c.2 192.168.0.3

static (inside, outside) a.b.c.3 192.168.0.2

I get something that partly works.

All suggestions are welcome (and needed).

Thank You,

Å. Burman

2 Replies 2

mike.scaggs
Level 1
Level 1

You should be doing your statics like

static (inside, outside) a.b.c.2 192.168.0.3

static (inside, outside) a.b.c.3 192.168.0.2

Do away with access-list 100, you don't need it at all unless you plan on blocking outbound traffic...a real pain!

You don't need a NAT pool.

keep it simple and do this.

global (outside) 1 interface

That uses your outside IP for PAT..

Create your statics, and access-list for your 4 servers. Names are nice too. Remember to use the outside address in your access-lists.

MScaggs

worf
Level 1
Level 1

Your problem lies in your NAT declarations combining port and protocol information with the NAT translations.

Your static NAT translations need to be just that, inside to outside IP address translations. Thats it.

In other words, do not add the port numbers and protocol information to the static NAT statements. The NAT statements in your partially working configuration are how they should read.

Once the NAT translations have been defined, then you permit services to access those identified hosts on specific ports and with specific protocols with Access Lists. Remember just because there is a static NAT translation does not mean that the host can be accessed externally. You allow external access to internal hosts by the use of either "Conduit" statements or preferably Access Lists.

So in a nutshell, map your static NAT translations IP to IP and leave the rest, (i.e TCP, 80, 25 etc..) to the Access List.

Regards

Chris Weber CCNP CCDA

Senior Network Security Engineer

Abacus Technology Corporation