Solved

NAT

Posted on 2004-09-01
Last Modified: 2011-04-14
I have a Cisco PIX 515 firewall. How can I configure it so that all computers on the internal network (192.168.x.x) have internet access through one public address (1.2.3.4), except for one host with internal address 192.168.0.10 (for example), which should reach the internet with another public address (5.6.7.8)?
Question by: bjove
 
Expert Comment by: bloemkool1980 (ID: 11953534)

Add this:

global (outside) 1 externalIP netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0 0 RouterIP or defaultgwaddress 1

Accepted Solution by: bloemkool1980 (earned 335 total points; ID: 11953554)

OK, for the second IP address you do:

global (outside) 2 otherexternalIP netmask 255.255.255.0
nat (inside) 2 ipaddressPC 255.255.255.255

Expert Comment by: Eric (ID: 11953581)

If you have 2 external IP addresses to the internet, you could just add the second (external) IP to the internal network card.

Let's say the internet public IP addresses are 67.67.67.1 and 67.67.67.2.

computer 1:
192.168.1.100 -> firewall -> internet as 67.67.67.1

computer 2:
192.168.1.101 -> firewall -> internet as 67.67.67.1
67.67.67.2 -> internet directly


Expert Comment by: fatlad (ID: 11953661)

egiblock, I am not sure this will work: how does the PIX route traffic to computer 2's second interface? bloemkool1980's suggestion is much more viable.

Expert Comment by: Eric (ID: 11953763)

If you add the second IP address to the computer that you want to get out to the internet, you are bypassing the firewall and just hanging out there on the internet...

So the internal IP address on the computer will hit the firewall, but the second IP address just goes right by it.


Expert Comment by: fatlad (ID: 11953949)

Assuming you have a link from the LAN directly to the Internet router then yes, BUT:

A. Who the heck sets up a LAN like that?
B. You would also have to have a static route in the Internet router to point to the host?

As you say, that client will be "hanging out there on the internet..." Hardly a great solution. I can see it now:
bjove: "Hey boss, you know that PIX we paid x thousand for? Well, the reason it didn't stop all our machines being stuffed with porn and warez is because we thought it would be OK to have a machine just hanging on the internet!"
boss: "You're so fired."

A static NAT conversion is a far better solution.

Author Comment by: bjove (ID: 11954115)

fatlad:
A: I have a server that needs a connection to another server (Oracle DB) over the internet, so they have to configure the firewall on the other side to allow the connection. Also, I want to be sure that only this server can access their server.
B: I only want this server, and only this server, to be able to connect to the other server, not the reverse.

bloemkool1980:
Do I need a reload?

Expert Comment by: lrmoore (ID: 11956208)

Some good starting information above, but let's take it all the way:

# use 1 IP address for internal users:
global (outside) 1 interface
nat (inside) 1 0 0

# use 1 dedicated outside IP for the one internal server:
static (inside,outside) 5.6.7.8 192.168.0.10 netmask 255.255.255.255

Now, create access-list rules for access to that one server:

access-list inbound permit tcp host <remote db server> host 5.6.7.8 eq <port#>
access-group inbound in interface outside

>Also I want to be sure that only this server can access their server.
>B: I only want this server, and only this server, to be able to connect to the other server, not reverse.

access-list outbound permit ip host 192.168.0.10 host <remote db server>
access-list outbound deny ip 192.168.0.0 255.255.255.0 host <remote db server>
access-list outbound permit ip any any
access-group outbound in interface inside


Expert Comment by: fatlad (ID: 11961042)

Almost there. All ACLs have an implicit deny any any rule at the end, so we have to add a few more lines to make sure it works correctly:

access-list inbound permit tcp host <remote db server> host 5.6.7.8 eq <port#>  // so that the remote can see the server
access-list inbound deny tcp any host 5.6.7.8 // so that nothing else can see the server
access-list inbound permit tcp 192.168.0.0 255.255.255.0 any eq www // so that web traffic still gets to other machines (assuming you want this; it could be altered any way you want)
access-group inbound in interface outside

If we don't add these second two lines all the other machines will be prevented from seeing anything else.


You have to have the hole punched through the firewall both ways, unless the server on 192.168.0.10 only unicasts a UDP packet to the remote server and never gets an acknowledgement or reply.

Hope that helps

FatLad

Author Comment by: bjove (ID: 11961235)

The firewall is configured to do PAT of internal hosts, so they ALL (including the DB server) access the internet with the public address (1.2.3.4). My DB server needs to have access to another DB server (which is behind a firewall) over the internet. I have to tell them the IP address of my DB server so they can configure their firewall. If they put our current public IP address (1.2.3.4) in their access lists, everything is OK (I don't have to make any changes to my access lists). My question was:
How to make changes only to NAT, so that when the server 192.168.0.10 goes onto the internet it has a different IP address. If I can do that, then everything else will be done by them on their firewall (only my DB server can access their DB server and my other hosts can't).

Expert Comment by: fatlad (ID: 11961274)

I think that is what bloemkool1980 suggested first?

0
 
LVL 4

Author Comment

by:bjove
ID: 11961293
OK, I assume I'll have to restart the firewall. I will reply if everything is ok (or not).

Expert Comment by: fatlad (ID: 11961311)

Make sure you write the config to NVRAM first!

Author Comment by: bjove (ID: 11961527)

Just a simple question about the solution:
Why do I need to specify a netmask in the global (outside) command?

And a little confirmation:

I will use:
 p1.p1.p1.p1 - public address 1
 g1.g1.g1.g1 - my internet router ip address
 p2.p2.p2.p2 - public address 2

My current configuration is:

global (outside) 1 p1.p1.p1.p1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 g1.g1.g1.g1 1

New configuration is:

global (outside) 1 p1.p1.p1.p1 netmask 255.255.255.0
global (outside) 2 p2.p2.p2.p2 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 192.168.0.10 netmask 0
route outside 0.0.0.0 0.0.0.0 g1.g1.g1.g1 1

Is that OK?

Author Comment by: bjove (ID: 11963079)

Thank you bloemkool1980.

This is the working configuration:

global (outside) 1 p1.p1.p1.p1
global (outside) 2 p2.p2.p2.p2
nat (inside) 2 192.168.0.10 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 g1.g1.g1.g1 1

Thank you and others for the help.
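Added illustration (not from the thread or from Cisco): a simplified Python model of how the PIX pairs a `nat (inside) <id>` statement with the `global (outside) <id>` of the same id, most specific nat match first. It assumes that two-step selection rule and uses the thread's working configuration and the earlier proposal (where the host kept nat id 1) to show why only the former sends 192.168.0.10 out as 5.6.7.8.

```python
import ipaddress

# Constructed model of PIX nat/global pairing: the most specific nat statement
# matching the inside source wins, and its id selects the global address.
# This is an added illustration, not PIX code; the configs come from the thread.

def parse_config(lines):
    """Parse nat/global lines into ([(nat_id, network), ...], {global_id: ip})."""
    nat_rules, globals_ = [], {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "nat":
            # "0 0" is PIX shorthand for 0.0.0.0 0.0.0.0 (any inside address)
            addr, mask = ("0.0.0.0" if p == "0" else p for p in parts[3:5])
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            nat_rules.append((int(parts[2]), net))
        elif len(parts) >= 4 and parts[0] == "global":
            globals_[int(parts[2])] = parts[3]
    return nat_rules, globals_

def translate(src, nat_rules, globals_):
    """Public address the inside source is translated to, or None if nothing pairs it."""
    host = ipaddress.ip_address(src)
    matches = [(nid, net) for nid, net in nat_rules if host in net]
    if not matches:
        return None                                      # no nat rule matches this source
    nid, _ = max(matches, key=lambda m: m[1].prefixlen)  # longest match wins
    return globals_.get(nid)                             # nat id needs a matching global

def lookup(config, src):
    return translate(src, *parse_config(config))

# Working configuration from the last post: the host gets its own nat id 2.
WORKING = [
    "global (outside) 1 1.2.3.4",
    "global (outside) 2 5.6.7.8",
    "nat (inside) 2 192.168.0.10 255.255.255.255 0 0",
    "nat (inside) 1 0.0.0.0 0.0.0.0 0 0",
]
# Earlier proposal: the host reused nat id 1, so it still pairs with global 1.
PROPOSED = [
    "global (outside) 1 1.2.3.4",
    "global (outside) 2 5.6.7.8",
    "nat (inside) 1 0.0.0.0 0.0.0.0 0 0",
    "nat (inside) 1 192.168.0.10 255.255.255.255 0 0",
]

if __name__ == "__main__":
    for name, cfg in (("working", WORKING), ("proposed", PROPOSED)):
        print(name, lookup(cfg, "192.168.0.10"), lookup(cfg, "192.168.0.20"))
```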