Solved

NAT

Posted on 2004-09-01
15
331 Views
Last Modified: 2011-04-14
I have a Cisco PIX 515 firewall. How can I configure it to allow all computers on the internal network (192.168.x.x) to have internet access with one public address (1.2.3.4), except for one host with an internal address (192.168.0.10, for example) that should have internet access with another public address (5.6.7.8)?
0
Question by:bjove
15 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 11953534
Add this:

global (outside) 1 externalIP netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0 0 RouterIP or defaultgwaddress 1
0
 
LVL 6

Accepted Solution

by:
bloemkool1980 earned 335 total points
ID: 11953554
OK, for the second IP address you do:
global (outside) 2 otherextern ip netmask 255.255.255.0
nat (inside) 2 ipaddressPC 255.255.255.255
0
 
LVL 6

Expert Comment

by:Eric
ID: 11953581
If you have 2 external IP addresses to the internet, you could just add the second IP (external) to the internal network card.

Let's say the internet public IP addresses are 67.67.67.1 and 67.67.67.2:


computer 1:
192.168.1.100 -> firewall -> internet as 67.67.67.1


computer 2:
192.168.1.101 -> firewall -> internet as 67.67.67.1
67.67.67.2 -> internet directly

0
 
LVL 3

Expert Comment

by:fatlad
ID: 11953661
egiblock, I am not sure this will work; how does the PIX route traffic to computer 2's second interface? bloemkool1980's suggestion is much more viable.
0
 
LVL 6

Expert Comment

by:Eric
ID: 11953763
If you add the second IP address to the computer that you want to get out to the internet, you are bypassing the firewall and just hanging out there on the internet...

So the internal IP address on the computer will hit the firewall, but the second IP address just goes by it.
0
 
LVL 3

Expert Comment

by:fatlad
ID: 11953949
Assuming you have a link from the LAN directly to the Internet router then yes, BUT:

A. Who the heck sets up a LAN like that?
B. You would also have to have a static route in the Internet router pointing to the host.

As you say, that client will be "hanging out there on the internet..." Hardly a great solution. I can see it now:
bjove: "Hey boss, you know that PIX we paid x thousand for? Well, the reason it didn't stop all our machines being stuffed with porn and warez is because we thought it would be OK to have a machine just hanging on the internet!"
boss: "You're so fired."

A static NAT translation is a far better solution.
0
 
LVL 4

Author Comment

by:bjove
ID: 11954115
fatlad:
A: I have a server that needs a connection to another server (Oracle DB) over the internet, so they have to configure the firewall on the other side to allow the connection. I also want to be sure that only this server can access their server.
B: I only want this server, and only this server, to be able to connect to the other server, not the reverse.

bloemkool1980:
Do I need a reload?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11956208
Some good starting information above, but let's take it all the way:

# use 1 IP address for internal users:
global (outside) 1 interface
nat (inside) 1 0 0

# use 1 dedicated outside IP for the one internal server:
static (inside,outside) 5.6.7.8 192.168.0.10 netmask 255.255.255.255

Now, create access-list rules for access to that one server:

access-list inbound permit tcp host <remote db server> host 5.6.7.8 eq <port#>
access-group inbound in interface outside

>Also I want to be sure that only this server can access their server.
>B: I only want this server, and only this server, to be able to connect to the other server, not reverse.

access-list outbound permit ip host 192.168.0.10 host <remote db server>
access-list outbound deny ip 192.168.0.0 255.255.255.0 host <remote db server>
access-list outbound permit ip any any
access-group outbound in interface inside

0
 
LVL 3

Expert Comment

by:fatlad
ID: 11961042
Almost there. All ACLs have an implicit deny any any rule at the end. This means we have to add a few more lines to make sure it works correctly:

access-list inbound permit tcp host <remote db server> host 5.6.7.8 eq <port#>  // so that the remote can see the server
access-list inbound deny tcp any host 5.6.7.8 // so that nothing else can see the server
access-list inbound permit tcp 192.168.0.0 255.255.255.0 any eq www // so that web traffic still gets to other machines (assuming you want this; it could be altered any way you want)
access-group inbound in interface outside

If we don't add these second two lines, all the other machines will be prevented from seeing anything else.

You have to have the hole punched through the firewall both ways, unless the server on 192.168.0.10 actually unicasts a UDP packet to the remote server and never gets an acknowledgement or reply.

Hope that helps

FatLad
0
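The two access-lists in lrmoore's and fatlad's comments above are evaluated top to bottom, first match wins, with an unwritten deny at the end. The following is an added example (not code from the thread or from Cisco) that models that evaluation so the effect of each entry can be checked against sample flows. It assumes the PIX mask syntax (a normal mask, `host X` meaning /32), and it substitutes constructed placeholders for the thread's elided values: 203.0.113.5 stands in for `<remote db server>` and 1521 for `<port#>`.

```python
"""Added example: first-match ACL evaluator with the PIX implicit deny.

Models lrmoore's 'outbound' list (applied in on the inside interface) and
the first two entries of fatlad's 'inbound' list (applied in on the outside
interface).  203.0.113.5 and port 1521 are constructed stand-ins for the
thread's <remote db server> and <port#>; the other addresses are the thread's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: Net
    dst: Net
    dport: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def pix_mask(addr: str, mask: str) -> Net:
    """PIX ACLs use a normal (not wildcard) mask; 'host X' is X with /32."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


HOST = "255.255.255.255"
ANY = pix_mask("0.0.0.0", "0.0.0.0")
INSIDE = pix_mask("192.168.0.0", "255.255.255.0")
MY_DB = pix_mask("192.168.0.10", HOST)
MY_DB_PUBLIC = pix_mask("5.6.7.8", HOST)
REMOTE_DB = pix_mask("203.0.113.5", HOST)   # constructed stand-in for <remote db server>
DB_PORT = 1521                               # constructed stand-in for <port#>


def matches(ace: Ace, f: Flow) -> bool:
    """True when the flow is covered by this access-list entry."""
    if ace.proto != "ip" and ace.proto != f.proto:
        return False
    if ipaddress.IPv4Address(f.src) not in ace.src:
        return False
    if ipaddress.IPv4Address(f.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == f.dport


def evaluate(acl: List[Ace], f: Flow) -> str:
    """First matching entry decides; with no match the implicit deny applies."""
    for ace in acl:
        if matches(ace, f):
            return ace.action
    return "deny (implicit)"


# lrmoore's list: access-group outbound in interface inside
OUTBOUND = [
    Ace("permit", "ip", MY_DB, REMOTE_DB),
    Ace("deny", "ip", INSIDE, REMOTE_DB),
    Ace("permit", "ip", ANY, ANY),
]

# lrmoore's inbound entry plus fatlad's explicit deny: access-group inbound in interface outside
INBOUND = [
    Ace("permit", "tcp", REMOTE_DB, MY_DB_PUBLIC, DB_PORT),
    Ace("deny", "tcp", ANY, MY_DB_PUBLIC),
]

# Constructed sample flows (198.51.100.9 is an arbitrary outside host)
SAMPLES = [
    ("outbound", Flow("tcp", "192.168.0.10", "203.0.113.5", DB_PORT)),   # DB server -> remote DB
    ("outbound", Flow("tcp", "192.168.0.20", "203.0.113.5", DB_PORT)),   # other host -> remote DB
    ("outbound", Flow("tcp", "192.168.0.20", "198.51.100.9", 80)),       # other host -> web
    ("inbound", Flow("tcp", "203.0.113.5", "5.6.7.8", DB_PORT)),         # remote DB -> our DB
    ("inbound", Flow("tcp", "203.0.113.5", "5.6.7.8", 22)),              # remote DB -> our DB, wrong port
    ("inbound", Flow("tcp", "198.51.100.9", "1.2.3.4", 80)),             # anything else from outside
]

if __name__ == "__main__":
    for direction, flow in SAMPLES:
        acl = OUTBOUND if direction == "outbound" else INBOUND
        print(f"{direction:8} {flow.src:>14} -> {flow.dst}:{flow.dport:<5} {evaluate(acl, flow)}")
```

The last sample is the case fatlad is pointing at: a new connection from outside to any address other than 5.6.7.8 matches nothing in the list and falls through to the implicit deny, so every entry that should let traffic in has to be written explicitly.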
 
LVL 4

Author Comment

by:bjove
ID: 11961235
The firewall is configured to do PAT for the internal hosts, so they ALL (including the DB server) access the internet with the public address (1.2.3.4). My DB server needs access to another DB server (which is behind a firewall) over the internet. I have to tell them the IP address of my DB server so they can configure their firewall. If they put our current public IP address (1.2.3.4) in their access lists, everything is OK (I don't have to make any changes to my access lists). My question was:
How do I make changes only to NAT so that when the server 192.168.0.10 goes on the internet it has a different IP address? If I can do that, then everything else will be done by them on their firewall (only my DB server can access their DB server and my other hosts can't).
0
 
LVL 3

Expert Comment

by:fatlad
ID: 11961274
I think that is what bloemkool1980 suggested first?

0
 
LVL 4

Author Comment

by:bjove
ID: 11961293
OK, I assume I'll have to restart the firewall. I will reply if everything is ok (or not).
0
 
LVL 3

Expert Comment

by:fatlad
ID: 11961311
Make sure you write the config to NVRAM first!
0
 
LVL 4

Author Comment

by:bjove
ID: 11961527
Just a simple question about the solution:
  Why do I need to specify a netmask in the global (outside) command?

And a little confirmation:

I will use:
 p1.p1.p1.p1 - public address 1
 g1.g1.g1.g1 - my internet router ip address
 p2.p2.p2.p2 - public address 2

My current configuration is:

global (outside) 1 p1.p1.p1.p1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 g1.g1.g1.g1 1

New configuration is:

global (outside) 1 p1.p1.p1.p1 netmask 255.255.255.0
global (outside) 2 p2.p2.p2.p2 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 192.168.0.10 netmask 0
route outside 0.0.0.0 0.0.0.0 g1.g1.g1.g1 1

Is that OK?
0
 
LVL 4

Author Comment

by:bjove
ID: 11963079
Thank you bloemkool1980.

This is the working configuration:

global (outside) 1 p1.p1.p1.p1
global (outside) 2 p2.p2.p2.p2
nat (inside) 2 192.168.0.10 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 g1.g1.g1.g1 1

Thank you and others for the help.
0
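The difference between bjove's first draft (both nat statements on id 1) and the working configuration above (the host on nat id 2, matching global 2) is the whole point of the thread. Below is an added example, not code from the thread or from Cisco, that parses the nat/global lines and shows which outside address each inside source gets. The selection rule it uses (the most specific matching nat statement wins, then the global with the same id) is an assumption about PIX behaviour that the thread does not state. The public addresses are constructed placeholders: 198.51.100.1 stands in for p1.p1.p1.p1 and 198.51.100.2 for p2.p2.p2.p2.

```python
"""Added example: model of nat/global pool selection on a PIX.

Assumption (not stated in the thread): among the nat statements whose real
address range covers the source, the most specific one is used, and the
outside address comes from the global with the same id.  198.51.100.1 and
198.51.100.2 are constructed stand-ins for p1.p1.p1.p1 and p2.p2.p2.p2.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    nat_id: int
    network: ipaddress.IPv4Network   # real addresses covered by 'nat (inside) <id> <addr> <mask>'


def _expand(token: str) -> str:
    """The PIX accepts '0' as shorthand for 0.0.0.0 in nat statements."""
    return "0.0.0.0" if token == "0" else token


def parse_nat(line: str) -> NatRule:
    # e.g. 'nat (inside) 2 192.168.0.10 255.255.255.255 0 0'  or  'nat (inside) 1 0 0'
    parts = line.split()
    if parts[0] != "nat":
        raise ValueError(f"not a nat statement: {line}")
    net = ipaddress.IPv4Network(f"{_expand(parts[3])}/{_expand(parts[4])}", strict=False)
    return NatRule(int(parts[2]), net)


def parse_global(line: str) -> Tuple[int, str]:
    # e.g. 'global (outside) 1 198.51.100.1 netmask 255.255.255.0' -> (1, '198.51.100.1')
    parts = line.split()
    if parts[0] != "global":
        raise ValueError(f"not a global statement: {line}")
    return int(parts[2]), parts[3]


def build(config: List[str]) -> Tuple[List[NatRule], Dict[int, str]]:
    nats = [parse_nat(l) for l in config if l.startswith("nat ")]
    pools = dict(parse_global(l) for l in config if l.startswith("global "))
    return nats, pools


def translate(config: List[str], src: str) -> Optional[str]:
    """Outside address an inside host would appear as, or None if nothing applies."""
    nats, pools = build(config)
    addr = ipaddress.IPv4Address(src)
    candidates = [r for r in nats if addr in r.network]
    if not candidates:
        return None
    # assumption: most specific real-address match wins regardless of line order
    best = max(candidates, key=lambda r: r.network.prefixlen)
    return pools.get(best.nat_id)


# bjove's working configuration, with constructed public addresses
WORKING = [
    "global (outside) 1 198.51.100.1",
    "global (outside) 2 198.51.100.2",
    "nat (inside) 2 192.168.0.10 255.255.255.255 0 0",
    "nat (inside) 1 0.0.0.0 0.0.0.0 0 0",
]

# the first draft's mistake: a second global, but both nat statements on id 1
MISMATCHED = [
    "global (outside) 1 198.51.100.1",
    "global (outside) 2 198.51.100.2",
    "nat (inside) 1 192.168.0.10 255.255.255.255 0 0",
    "nat (inside) 1 0 0",
]

if __name__ == "__main__":
    for name, cfg in (("working", WORKING), ("mismatched", MISMATCHED)):
        for host in ("192.168.0.10", "192.168.0.20"):
            print(f"{name:10} {host} -> {translate(cfg, host)}")
```

With the ids mismatched, the host-specific nat statement still matches 192.168.0.10 first, but it points at pool 1, so the second public address is never used and the remote firewall would keep seeing 1.2.3.4 for every host.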
