  • Status: Solved
NAT

I have Cisco PIX 515 firewall. How can I configure it to allow all computers from the internal network (192.168.x.x) to have internet access with one public address (1.2.3.4), except for one host with internal address (192.168.0.10 for example) to have internet access with another public address (5.6.7.8)?
Asked by bjove
1 Solution
 
bloemkool1980 commented:
Add this:

global (outside) 1 externalIP netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0 0 RouterIP or defaultgwaddress 1
 
bloemkool1980 commented:
OK, for the second IP address you need to add:

global (outside) 2 otherexternip netmask 255.255.255.0
nat (inside) 2 ipaddressPC 255.255.255.255 0 0
 
Eric commented:
If you have two external IP addresses to the internet, you could just add the second (external) IP to the internal network card.

Let's say the internet public IP addresses are 67.67.67.1 and 67.67.67.2

computer 1:
192.168.1.100 -> firewall -> internet as 67.67.67.1

computer 2:
192.168.1.101 -> firewall -> internet as 67.67.67.1
67.67.67.2 -> internet directly
 
fatlad commented:
egiblock, I am not sure this will work; how does the PIX route traffic to computer 2's second interface? bloemkool1980's suggestion is much more viable.
 
Eric commented:
If you add the second IP address to the computer that you want to get out to the internet, you are bypassing the firewall and just hanging out there on the internet...

so

the internal IP address on the computer will hit the firewall, but the second IP address just goes by it.
 
fatlad commented:
Assuming you have a link from the LAN directly to the Internet router then yes, BUT:

A. Who the heck sets up a LAN like that?
B. You would also have to have a static route in the Internet router to point to the host?

As you say, that client will be "hanging out there on the internet..." Hardly a great solution, I can see it now:
bjove: "Hey boss, you know that PIX we paid x thousand for? Well, the reason it didn't stop all our machines being stuffed with porn and warez is because we thought it would be OK to have a machine just hanging on the internet!"
boss: "You're so fired."

A static NAT conversion is a far better solution.
 
bjove (author) commented:
fatlad:
A: I have a server that needs a connection to another server (Oracle DB) over the internet. So they have to configure the firewall on the other side to allow the connection. Also I want to be sure that only this server can access their server.
B: I only want this server, and only this server, to be able to connect to the other server, not the reverse.

bloemkool1980:
Do I need a reload?
 
lrmoore commented:
Some good starting information above, but let's take it all the way:

# use 1 IP address for internal users:
global (outside) 1 interface
nat (inside) 1 0 0

# use 1 dedicated outside IP for the one internal server:
static (inside,outside) 5.6.7.8 192.168.0.10 netmask 255.255.255.255

Now, create access-list rules for access to that one server:

access-list inbound permit tcp host <remote db server> host 5.6.7.8 eq <port#>
access-group inbound in interface outside

>Also I want to be sure that only this server can access their server.
>B: I only want this server, and only this server, to be able to connect to the other server, not reverse.

access-list outbound permit ip host 192.168.0.10 host <remote db server>
access-list outbound deny ip 192.168.0.0 255.255.255.0 host <remote db server>
access-list outbound permit ip any any
access-group outbound in interface inside

 
fatlad commented:
Almost there. All ACLs have an implicit deny any any rule at the end. This will mean that we have to add a few more lines to make sure it works correctly:

access-list inbound permit tcp host <remote db server> host 5.6.7.8 eq <port#>  //so that the remote can see the server
access-list inbound deny tcp any host 5.6.7.8 // so that nothing else can see the server
access-list inbound permit tcp 192.168.0.0 255.255.255.0 any eq www // so that web traffic still gets to other machines (assuming you want this, it could be altered any way you want)
access-group inbound in interface outside

If we don't add these second two lines, all the other machines will be prevented from seeing anything else.

You have to have the hole punched through the firewall both ways, unless the server on 192.168.0.10 actually unicasts a UDP packet to the remote server and never gets an acknowledgement or reply.

Hope that helps

FatLad
 
bjove (author) commented:
The firewall is configured to do PAT of internal hosts, so they ALL (including the DB server) access the internet with the public address (1.2.3.4). My DB server needs to have access to another DB server (which is behind a firewall) over the internet. I have to tell them the IP address of my DB server so they can configure their firewall. If they put our current public IP address (1.2.3.4) in their access lists everything is OK (I don't have to make any changes to my access lists). My question was:
How to make changes only to NAT so that when the server 192.168.0.10 goes on the internet it has a different IP address. If I can do that, then everything else will be done by them on their firewall (only my DB server can access their DB server and my other hosts can't).
 
fatlad commented:
I think that is what bloemkool1980 suggested first?
 
bjove (author) commented:
OK, I assume I'll have to restart the firewall. I will reply if everything is OK (or not).
 
fatlad commented:
Make sure you write the config to NVRAM first!
 
bjove (author) commented:
Just a simple question about the solution:
  Why do I need to specify a netmask in the global (outside) command?

And a little confirmation:

I will use:
 p1.p1.p1.p1 - public address 1
 g1.g1.g1.g1 - my internet router ip address
 p2.p2.p2.p2 - public address 2

My current configuration is:

global (outside) 1 p1.p1.p1.p1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 g1.g1.g1.g1 1

New configuration is:

global (outside) 1 p1.p1.p1.p1 netmask 255.255.255.0
global (outside) 2 p2.p2.p2.p2 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 192.168.0.10 netmask 0
route outside 0.0.0.0 0.0.0.0 g1.g1.g1.g1 1

Is that OK?
 
bjove (author) commented:
Thank you bloemkool1980.

This is the working configuration:

global (outside) 1 p1.p1.p1.p1
global (outside) 2 p2.p2.p2.p2
nat (inside) 2 192.168.0.10 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 g1.g1.g1.g1 1

Thank you and others for the help.
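To see why the proposed configuration (both nat statements under id 1) left 192.168.0.10 on the shared address while the working one (nat id 2 paired with global id 2) moved it to the second address, here is an added Python model of the PIX nat/global/static selection; it is not PIX code or anything from the thread. It assumes, as a simplification, that a static translation wins over dynamic ones and that the first matching nat statement in config order is used; the point it demonstrates, that the nat id selects the global pool with the same id, holds regardless of match order. The addresses 1.2.3.4 and 5.6.7.8 from the question stand in for p1/p2.

```python
import ipaddress

def _net(addr, mask):
    addr = "0.0.0.0" if addr == "0" else addr   # accept PIX shorthand "0 0"
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_policy(config):
    """Collect global pools by id, nat rules in config order, and static maps."""
    pools, nats, statics = {}, [], {}
    for line in config.strip().splitlines():
        p = line.split()
        if p[0] == "global":        # global (outside) <id> <ip|interface> ...
            pools[int(p[2])] = p[3]
        elif p[0] == "nat":         # nat (inside) <id> <local> <mask> ...
            nats.append((int(p[2]), _net(p[3], p[4])))
        elif p[0] == "static":      # static (inside,outside) <global> <local> ...
            statics[p[3]] = p[2]
    return pools, nats, statics

def outside_address(config, inside_host):
    """Resolve the outside address a host egresses with under this policy."""
    pools, nats, statics = parse_policy(config)
    if inside_host in statics:              # static translation takes precedence
        return statics[inside_host]
    host = ipaddress.ip_address(inside_host)
    for nat_id, net in nats:                # model assumption: first matching nat rule wins
        if host in net:
            return pools.get(nat_id)        # the nat id selects the global pool with that id
    return None                             # no translation: traffic is not passed

# Constructed configs mirroring the thread (1.2.3.4 / 5.6.7.8 stand in for p1 / p2).
PROPOSED = """
global (outside) 1 1.2.3.4 netmask 255.255.255.0
global (outside) 2 5.6.7.8 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 192.168.0.10 255.255.255.255 0 0
"""
WORKING = """
global (outside) 1 1.2.3.4
global (outside) 2 5.6.7.8
nat (inside) 2 192.168.0.10 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
STATIC = """
global (outside) 1 1.2.3.4
nat (inside) 1 0 0
static (inside,outside) 5.6.7.8 192.168.0.10 netmask 255.255.255.255
"""
```

Under PROPOSED, 192.168.0.10 resolves to 1.2.3.4 because global 2 is never referenced; under WORKING and under lrmoore's STATIC variant it resolves to 5.6.7.8 while every other host keeps 1.2.3.4.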
