02-21-2003 01:08 PM - edited 03-09-2019 02:12 AM
first post...don't hurt me;-)
Reading through the book "Cisco PIX firewalls" by R. Deal. I'm confused by some of the examples, one in particular. Let's say I have a PIX with 2 interfaces, inside and outside....call them networkA and networkB respectively. I want any host on the internal network to be able to initiate connections to the outside network without doing NAT. What are the commands to do this?
Ok, now let's say that in addition I want any host in the outside network to be able to initiate connections to the inside network without NAT. What are the commands to do this?
02-21-2003 01:29 PM
For outbound connections -
nat (inside) 0 10.10.10.0 255.255.255.0
The 0 is for no NAT, and the network/mask would represent your inside interfaces network.
For inbound connections -
static (inside,outside) 10.10.10.1 10.10.10.1 netmask 255.255.255.255
access-list 100 permit tcp any host 10.10.10.1 eq www
access-group 100 in interface outside
These three commands would setup access to the server with address 10.10.10.1 and allow inbound web traffic.
You could change the static command to allow traffic to the entire network with -
static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
However, you would still need the appropriate acls applied to the outside interface, such as -
access-list 100 permit ip any any
access-group 100 in interface outside
~rls
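The two directions described above pulled together into one configuration, as an added example that is not part of the original reply. It assumes a PIX 6.x with the inside network 10.10.10.0/24 from the thread and a web server at 10.10.10.1; interface names, addresses and the access-list number are illustrative. The first access-list is the "whole network" variant from the reply, shown commented out; the second is the narrower one a practitioner would normally prefer, since an identity static for the entire /24 exposes every inside host the outside ACL permits.

```cisco
! --- Interfaces (assumed addresses, not from the thread) ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.10.10.254 255.255.255.0

! --- Outbound, inside -> outside, no translation ---
! nat 0 on the inside network means hosts keep their real address
! when they initiate connections toward the outside.
nat (inside) 0 10.10.10.0 255.255.255.0

! --- Inbound, outside -> inside, no translation ---
! Identity static: the outside-facing ("global") address equals the
! real inside address, so outside clients use 10.10.10.1 directly.
! Per-host form, as in the reply:
static (inside,outside) 10.10.10.1 10.10.10.1 netmask 255.255.255.255
! Network-wide form, if every inside host must be reachable by real address:
! static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

! --- What the outside is actually allowed to start ---
! The static only creates the translation; the ACL on the outside
! interface decides which inbound connections are permitted.
!
! Weak: lets the outside reach anything the static exposes.
! access-list 100 permit ip any any
!
! Preferred: only HTTP to the web server; everything else is denied
! by the implicit deny at the end of the list.
access-list 100 permit tcp any host 10.10.10.1 eq www
access-group 100 in interface outside
```

With only the per-host static in place, "permit ip any any" still exposes just 10.10.10.1, because no other inside address has a translation; the moment the network-wide static is enabled, the same ACL opens every host on 10.10.10.0/24, which is why the ACL should be tightened before widening the static. "show xlate" and "show conn" confirm which translations and connections the PIX is holding.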
02-21-2003 02:37 PM
The static command is where I'm falling down. Just to verify...In your example, is the host 10.10.10.1 on the outside network (the access-list is a little different than I'm used to...is www a named host)? If so, this would gel with the example in the book. Conceptually, I was expecting that to be the destination address.
02-21-2003 02:51 PM
10.10.10.1 is on the inside interface and represents the address of your web server. This is the address clients on the outside address would point their browsers to.
02-21-2003 02:54 PM
Excellent. Thank you. For the record, there are quite a few significant errors in this book; this is just one of them. I'm to the point where I'm beginning to question the quality of the information I'm reading.