Solved

NAT

Posted on 2004-09-01
Last Modified: 2011-04-14
I have Cisco PIX 515 firewall. How can I configure it to allow all computers from the internal network (192.168.x.x) to have internet access with one public address (1.2.3.4), except for one host with internal address (192.168.0.10 for example) to have internet access with another public address (5.6.7.8)?
Question by:bjove
15 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 11953534
add this

global (outside) 1 externalIP netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0 0 RouterIP or defaultgwaddress 1
0
 
LVL 6

Accepted Solution

by:
bloemkool1980 earned 1340 total points
ID: 11953554
OK, for the second IP address you do:
global (outside) 2 otherextern ip netmask 255.255.255.0
nat (inside) 2 ipaddressPC 255.255.255.255
0
 
LVL 6

Expert Comment

by:Eric
ID: 11953581
If you have 2 external IP addresses to the Internet, you could just add the second IP (external) to the internal network card.

Let's say the Internet public IP addresses are 67.67.67.1 and 67.67.67.2


computer 1:
192.168.1.100 -> firewall -> internet as 67.67.67.1


computer 2:
192.168.1.101 -> firewall -> internet as 67.67.67.1
67.67.67.2 -> internet directly

0
 
LVL 3

Expert Comment

by:fatlad
ID: 11953661
egiblock, I am not sure this will work; how does the PIX route traffic to computer 2's second interface? bloemkool1980's suggestion is much more viable.
0
 
LVL 6

Expert Comment

by:Eric
ID: 11953763
If you add the second IP address to the computer that you want to get out to the Internet, you are bypassing the firewall and just hanging out there on the Internet...

so

the internal IP address on the computer will hit the firewall, but the second IP address just goes by it.

0
 
LVL 3

Expert Comment

by:fatlad
ID: 11953949
Assuming you have a link from the LAN directly to the Internet router then yes, BUT:

A. Who the heck sets up a LAN like that?
B. You would also have to have a static route in the Internet router to point to the host?


As you say, that client will be "hanging out there on the internet..." Hardly a great solution. I can see it now:
bjove: "Hey boss, you know that PIX we paid x thousand for? Well, the reason it didn't stop all our machines being stuffed with porn and warez is because we thought it would be OK to have a machine just hanging on the Internet!"
boss: "You're so fired."

A static NAT conversion is a far better solution
0
 
LVL 4

Author Comment

by:bjove
ID: 11954115
fatlad:
A: I have a server that needs a connection to another server (Oracle DB) over the Internet. So they have to configure the firewall on the other side to allow the connection. Also I want to be sure that only this server can access their server.
B: I only want this server, and only this server, to be able to connect to the other server, not the reverse.

bloemkool1980:
Do I need a reload?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11956208
Some good starting information above, but let's take it all the way:

# use 1 IP address for internal users:
global (outside) 1 interface
nat (inside) 1 0 0

# use 1 dedicated outside IP for the one internal server:
static (inside,outside) 5.6.7.8 192.168.0.10 netmask 255.255.255.255

Now, create access-list rules for access to that one server:

access-list inbound permit tcp host <remote db server> host 5.6.7.8 eq <port#>
access-group inbound in interface outside

>Also I want to be sure that only this server can access their server.
>B: I only want this server, and only this server, to be able to connect to the other server, not reverse.

access-list outbound permit ip host 192.168.0.10 host <remote db server>
access-list outbound deny ip 192.168.0.0 255.255.255.0 host <remote db server>
access-list outbound permit ip any any
access-group outbound in interface inside

0
 
LVL 3

Expert Comment

by:fatlad
ID: 11961042
Almost there. All ACLs have an implicit deny any any rule at the end. This will mean that we have to add a few more lines to make sure it works correctly:

access-list inbound permit tcp host <remote db server> host 5.6.7.8 eq <port#>  //so that the remote can see the server
access-list inbound deny tcp any host 5.6.7.8 // so that nothing else can see the server
access-list inbound permit tcp 192.168.0.0 255.255.255.0 any eq www // so that web traffic still gets to other machines (assuming you want this; it could be altered any way you want)
access-group inbound in interface outside

If we don't add these second two lines all the other machines will be prevented from seeing anything else.


You have to have the hole punched through the firewall both ways, unless the server on 192.168.0.10 actually unicasts a UDP packet to the remote server, and never gets an acknowledgement or reply.

Hope that helps

FatLad
0
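As an added example (not code from the thread or from any participant), the evaluator below replays lrmoore's two access lists and fatlad's point that every PIX access list ends in an implicit deny. The placeholders are filled with assumed values: `<remote db server>` becomes 203.0.113.5 (a documentation address) and `<port#>` becomes 1521, the default Oracle listener port; both are constructed for the example. The code models only the ACL lookup for the first packet of a connection; the PIX itself tracks established connections statefully and passes their return traffic without a separate ACL entry.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lrmoore's two access lists with the placeholders filled in.
# 203.0.113.5 stands for <remote db server> and 1521 for <port#> (assumptions).
ACL_CONFIG = """
access-list inbound permit tcp host 203.0.113.5 host 5.6.7.8 eq 1521
access-list outbound permit ip host 192.168.0.10 host 203.0.113.5
access-list outbound deny ip 192.168.0.0 255.255.255.0 host 203.0.113.5
access-list outbound permit ip any any
"""


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port
    text: str                    # original line, returned with the verdict


def _take_addr(tokens, i):
    """Consume one PIX address spec: any | host A.B.C.D | A.B.C.D MASK."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(text: str) -> dict:
    """Return {acl_name: [AclEntry, ...]}, preserving configuration order."""
    acls: dict = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _take_addr(t, 4)
        dst, i = _take_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        acls.setdefault(name, []).append(AclEntry(action, proto, src, dst, dport, line))
    return acls


def evaluate(entries, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """First matching entry wins; with no match the PIX applies its implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.text
    return "deny", "implicit deny at end of access-list"


ACLS = parse_acls(ACL_CONFIG)


def inbound(src: str, dport: int):
    """Verdict for a TCP connection arriving on the outside interface for 5.6.7.8."""
    return evaluate(ACLS["inbound"], "tcp", src, "5.6.7.8", dport)


def outbound(src: str, dst: str, proto: str = "tcp", dport: Optional[int] = None):
    """Verdict for a packet leaving the inside network, checked before translation."""
    return evaluate(ACLS["outbound"], proto, src, dst, dport)


if __name__ == "__main__":
    for pkt in [("203.0.113.5", 1521), ("203.0.113.5", 22), ("198.51.100.7", 1521)]:
        print("inbound ", pkt, "->", inbound(*pkt))
    for pkt in [("192.168.0.10", "203.0.113.5"), ("192.168.0.33", "203.0.113.5"),
                ("192.168.0.33", "198.51.100.20")]:
        print("outbound", pkt, "->", outbound(*pkt))
```

Only the single permitted peer reaches 5.6.7.8 on the listener port; every other inbound attempt, including the same peer on a different port, falls through to the implicit deny, while the outbound list lets the DB host alone talk to the remote server and leaves the rest of the subnet's Internet access untouched.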
 
LVL 4

Author Comment

by:bjove
ID: 11961235
The firewall is configured to do PAT of internal hosts, so they ALL (including the DB server) access the Internet with the public address (1.2.3.4). My DB server needs to have access to another DB server (which is behind a firewall) over the Internet. I have to tell them the IP address of my DB server so they can configure their firewall. If they put our current public IP address (1.2.3.4) in their access lists everything is OK (I don't have to make any changes to my access lists). My question was:
How to make changes only to NAT so that when the server 192.168.0.10 goes on the Internet it has a different IP address. If I can do that, then everything else will be done by them on their firewall (only my DB server can access their DB server and my other hosts can't).
0
 
LVL 3

Expert Comment

by:fatlad
ID: 11961274
I think that is what bloemkool1980 suggested first?

0
 
LVL 4

Author Comment

by:bjove
ID: 11961293
OK, I assume I'll have to restart the firewall. I will reply if everything is ok (or not).
0
 
LVL 3

Expert Comment

by:fatlad
ID: 11961311
Make sure you write the config to NVRAM first!
0
 
LVL 4

Author Comment

by:bjove
ID: 11961527
Just a simple question about the solution:
  Why do I need to specify the netmask in the global (outside) command?

And a little confirmation:

I will use:
 p1.p1.p1.p1 - public address 1
 g1.g1.g1.g1 - my internet router ip address
 p2.p2.p2.p2 - public address 2

My current configuration is:

global (outside) 1 p1.p1.p1.p1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 g1.g1.g1.g1 1

New configuration is:

global (outside) 1 p1.p1.p1.p1 netmask 255.255.255.0
global (outside) 2 p2.p2.p2.p2 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 192.168.0.10 netmask 0
route outside 0.0.0.0 0.0.0.0 g1.g1.g1.g1 1

Is that OK?
0
 
LVL 4

Author Comment

by:bjove
ID: 11963079
Thank you bloemkool1980.

This is the working configuration:

global (outside) 1 p1.p1.p1.p1
global (outside) 2 p2.p2.p2.p2
nat (inside) 2 192.168.0.10 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 g1.g1.g1.g1 1

Thank you and others for the help.
0
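An added example, not from the thread or from Cisco, showing why the final configuration works and why the earlier proposal (both nat lines tagged with id 1) did not. The PIX chooses among regular dynamic nat statements by best match: the statement with the longest mask covering the inside address wins, whatever the order, and its id selects the global pool. The simulator below implements that lookup for the `global`/`nat` subset of the syntax used here (it ignores `static` and `route`). The placeholders are filled with the question's own example addresses, p1 as 1.2.3.4 and p2 as 5.6.7.8; the configuration text is constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: bjove's working configuration with the question's example
# addresses in place of the placeholders (p1 -> 1.2.3.4, p2 -> 5.6.7.8).
# The route statement is left out; it plays no part in address translation.
WORKING_CONFIG = """
global (outside) 1 1.2.3.4
global (outside) 2 5.6.7.8
nat (inside) 2 192.168.0.10 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# The earlier proposal from the thread, in which both nat lines carry id 1.
PROPOSED_CONFIG = """
global (outside) 1 1.2.3.4
global (outside) 2 5.6.7.8
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 192.168.0.10 255.255.255.255 0 0
"""


@dataclass(frozen=True)
class NatRule:
    nat_id: int
    real: ipaddress.IPv4Network   # inside addresses covered by this statement


def _quad(token: str) -> str:
    """The PIX accepts a bare 0 for 0.0.0.0 in nat statements."""
    return "0.0.0.0" if token == "0" else token


def parse_config(text: str) -> Tuple[Dict[int, str], List[NatRule]]:
    """Return (global pools by id, regular nat rules in configuration order)."""
    pools: Dict[int, str] = {}
    rules: List[NatRule] = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4:
            continue
        if t[0] == "global" and t[1] == "(outside)":
            pools[int(t[2])] = t[3]          # an address, a range, or "interface"
        elif t[0] == "nat" and t[1] == "(inside)":
            real = _quad(t[3])
            mask = _quad(t[4]) if len(t) > 4 else "255.255.255.255"
            rules.append(NatRule(int(t[2]),
                                 ipaddress.IPv4Network(f"{real}/{mask}", strict=False)))
    return pools, rules


def outside_address(config: str, inside_host: str) -> str:
    """Outside address an inside host is translated to under regular dynamic NAT."""
    pools, rules = parse_config(config)
    host = ipaddress.IPv4Address(inside_host)
    # Best match, not first match: the statement with the longest mask that
    # covers the real address is used, regardless of where it appears.
    matching = [r for r in rules if host in r.real]
    if not matching:
        raise LookupError(f"no nat statement covers {inside_host}")
    best = max(matching, key=lambda r: r.real.prefixlen)
    if best.nat_id not in pools:
        raise LookupError(f"nat id {best.nat_id} has no global pool")
    return pools[best.nat_id]


if __name__ == "__main__":
    for cfg_name, cfg in (("working", WORKING_CONFIG), ("proposed", PROPOSED_CONFIG)):
        for host in ("192.168.0.10", "192.168.0.20"):
            print(f"{cfg_name:8} {host} -> {outside_address(cfg, host)}")
```

With the working configuration the host-specific statement (mask 255.255.255.255) beats the catch-all for 192.168.0.10 and its id 2 selects 5.6.7.8, while every other inside host falls to the catch-all and leaves as 1.2.3.4. In the proposed configuration the host statement still wins the match, but because it carries id 1 it resolves to the same pool as everyone else, which is why the second global address was never used until the id was changed to 2.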
