[x]
Posted via EE Mobile

Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.
Question
[x]
Attachment Details
[x]
The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

  • The Grade of the Solution
  • The Zone Rank of the Expert Providing the Solution
  • The Number of Author and Expert Comments
  • The Number of Experts Contributing
  • The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!
9.6

PIX501 bidirection nat outside to inside to internet

Asked by georgecooldude in Network Software Firewalls

Tags: nat

Hopefully we have some PIX gurus who are able to help me out here :-)


I have a PIX501 firewall with a wireless network attached to the outside interface and our local network attached to the inside interface.
I've setup access lists to permit the wireless clients attached to the outside interface to be able to access services on our inside interfaces.
The wireless clients are on a totally seperate /24 subnet.
Now everything seems to work fine with nat statements for our local wired subnets for example wirelessClients accessing the email server etc however the wireless clients cannot access the internet.

For the wireless clients to get out onto our internet connection they have to take the following path

wirelessLaptop - CiscoAccessPoint - OutsideIntPIX501 - InsideIntPIX501 - CiscoSwitch - InsideCorporatePIX515E - OutsideCorporatePIX515E - Internet

Below is a cut of some of the PIX501 config that the wireless clients are connected to.


name 10.1.1.2 accessPoint
name 10.1.1.0 WirelessLan
name 100.100.100.1 pix515fw

 
object-group network WirelessLan
  network-object WirelessLan 255.255.255.0

object-group network WebAccessNetwork
  network-object pix515fw 255.255.255.255

object-group network InternalAccessNetwork
  network-object ..All our local servers here...


object-group service WebAccessUDP udp
  port-object eq domain
object-group service WebAccessTCP tcp
  port-object eq www
  port-object eq ftp-data
  port-object eq domain
  port-object eq ftp


object-group service InternalAccessUDP udp
port-object eq all our local server ports

object-group service InternalAccessTCP tcp
port-object eq all our local server ports

access-list outside_access_in permit udp object-group WirelessLan object-group InternalAccessNetwork object-group InternalAccessUDP
access-list outside_access_in permit tcp object-group WirelessLan object-group InternalAccessNetwork object-group InternalAccessTCP
access-list outside_access_in permit udp object-group WirelessLan object-group WebAccessNetwork object-group WebAccessUDP
access-list outside_access_in permit tcp object-group WirelessLan object-group WebAccessNetwork object-group WebAccessTCP

ip address outside 10.1.1.1 255.255.255.0
ip address inside 100.100.100.2 255.255.255.0

nat (outside) 0 WirelessLan 255.255.255.0 outside 0 0
static (outside,inside) accessPoint accessPoint netmask 255.255.255.255 0 0
static (inside,outside) InternalSubnet1 InternalSubnet1 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
route inside 0.0.0.0 0.0.0.0 pix515fw 1
route inside InternalSubnet1 255.255.255.0 OurLocalRouter 1




So my question is how should I go about giving the access for the WirelessClients to be able to open web pages on the internet? For that to happen
the traffic has to pass through the outside interface on the 501 firewall out of the inside interface onto the local switch and then back out of our
main PIX515E to reach the destionation.


I'm fairly sure I'd need to modify the WebAccessNetwork access-list to permit WirelessLan to any against the port listings so thats not a problem I can change that
how I'm not entirely sure I to go about it with the NAT statements.


Any suggestions appreciated. :-)
 
Related Solutions
Keywords: PIX501 bidirection nat outside to insid…
Title
1 NAT Configuration Issue in a PIX 515E
2 Open 2 tcp port in Cisco Pix 506E in…
3 Is my CIsco PIX 506E is slowing my i…
4 Pix 515e dmz configuration
5 PIX 515E/DNS Question
6 Veritas Backup Exec & PIX 515
 
Loading Advertisement...
 
[+][-]03/22/07 03:17 PM, ID: 18775388Accepted Solution

View this solution now by starting your 30-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

About this solution

Zone: Network Software Firewalls
Tags: nat
Sign Up Now!
Solution Provided By: lrmoore
Participating Experts: 2
Solution Grade: A
 
[+][-]03/23/07 03:32 PM, ID: 18783503Assisted Solution

Assisted solutions are selected by the member who asked the question as a comment that contributed to their question's solution.

Start your 30-day free trial to view this Assisted Solution or ask the Experts your question.

 
[+][-]04/12/07 03:20 AM, ID: 18896715Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
 
Loading Advertisement...
20091111-EE-VQP-89