Cisco PIX 501 NAT Config

I have a small business client who I am trying to help out with a project.  Currently they have a router provided by their ISP which is doing NAT and forwarding their SMTP traffic to an internal mail server.  

They want to add a PIX 501 firewall for a little extra security and VPN capabilities.

I'm going to use specific addresses (which I'm modifying slightly for anonymity) because I feel like a total idiot when it comes to configuring these PIX devices.

Right now their MX record points to 60.102.157.114 which the ISP's router points to an internal address of 192.168.1.2.  The router's external WAN address is 60.102.157.113.  I will ask the ISP to remove the forwarding upon installation of the new firewall.

I have available addresses of 60.102.157.114-126.  I really don't wish to modify the MX record as getting the DNS changes done is always difficult in their case.

So here's what I'd like to have happen:  I want ports 80, 443, and 25 on external address 60.102.157.114 to forward to internal address 192.168.1.2 in the PIX.  I need to know specifically how I should configure the interfaces on the PIX and how the NAT is configured.

Thanks in advance for your help.
yert69Asked:

lrmooreCommented:
Need to know the config of the router. If it is doing NAT now, you have two choices - either continue using NAT, and then NAT again on the PIX, or stop doing the NAT on the router, and assign the PIX a public IP address (most certainly will have to re-configure the router).

0
yert69Author Commented:
The router is doing NAT now and I've spoken with the ISP.  They are going to turn off the NAT as soon as I get the firewall configured properly.  So the end result will (hopefully) be that the PIX will do the NAT.  Ideally I'd like to assign one of my available public IPs to the outside interface on the PIX.  I have available addresses of 60.102.157.114-126.  Since the MX record already points to the 114 address I'd like to use that one.  Just need some specifics on how to configure it properly.
0
lrmooreCommented:
Since the MX is already using .114, then do something like this:

ip address outside 60.102.157.115 255.255.255.240 <== I'm assuming that is the correct mask for you
ip address inside 192.168.222.1 255.255.255.0  <== assuming you want to use a Private IP subnet inside
route 0.0.0.0 0.0.0.0 60.102.157.11x  <== whatever IP is on the router LAN interface
global (outside) 1 interface   <== set up PAT for outbound connections
nat (inside) 1 192.168.222.0 255.255.255.0   <== identify LAN subnet to be natted to the PAT global
static (inside,outside) 60.102.157.114 192.168.222.114 netmask 255.255.255.255   <== one-to-one map of the public .114 to the inside mail server
access-list outside_in permit tcp any host 60.102.157.114 eq smtp
access-group outside_in in interface outside

That's pretty much all there is to it.
0

yert69Author Commented:
Just to clarify a couple of things:

The router currently has a private address on the LAN side, so would I need to change that?  I was just looking at the config line "route 0.0.0.0 0.0.0.0 60.102.157.11x" and wondered if it was important to have a public address on the LAN side of the router as well.

And they also would like to be able to use OWA (Outlook web access) so I'm assuming there would be a similar access-list line for ports 80 and 443.  Are there any other ports I am leaving out?
0
lrmooreCommented:
Yes, you must have a public IP on the router as well.
Yes, you need to open ports 80 and 443 in the access-list. Just add lines like below for any additional ports.

access-list outside_in permit tcp any host 60.102.157.114 eq smtp
access-list outside_in permit tcp any host 60.102.157.114 eq http
access-list outside_in permit tcp any host 60.102.157.114 eq https

No other ports that I can think of, unless you want users to use POP3.

Are you using MS Exchange? If yes, then you also need to disable the SMTP fixup:
   no fixup protocol smtp 25



0
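As an added example (constructed here, not code from the thread, from lrmoore, or from Cisco): a small Python audit that parses the PIX 6.x lines posted above, assembled from both replies with the three access-list entries and the fixup line, and reports what the static plus access-group actually expose to the outside. It also runs the checks a reviewer would want before the ISP turns off its own NAT: the public address sits inside the outside interface's subnet, the static's inside address sits inside the inside subnet, every intended port (25, 80, 443) is permitted and nothing else is, and the SMTP fixup is off when SMTP is exposed. The inline `<==` annotations are stripped so the post's lines can be fed through unchanged; the route next-hop in the sample is the .113 router LAN address from the end of the thread, and the original post's mistyped static (`192.168.222 114`) is rejected as malformed rather than silently parsed.

```python
import ipaddress
import re

# Service names PIX 6.x accepts after "eq" on the lines used in this thread (subset).
PORT_NAMES = {"smtp": 25, "http": 80, "www": 80, "https": 443, "pop3": 110}

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"access-list (\S+) (permit|deny) (\w+) (.+?) host (\S+) eq (\S+)$")

# Constructed sample: the thread's config with the pieces from both replies assembled.
# The route next-hop is the router LAN address (.113) agreed at the end of the thread.
FULL_CONFIG = """
ip address outside 60.102.157.115 255.255.255.240 <== assumed /28 mask
ip address inside 192.168.222.1 255.255.255.0
route 0.0.0.0 0.0.0.0 60.102.157.113
global (outside) 1 interface
nat (inside) 1 192.168.222.0 255.255.255.0
static (inside,outside) 60.102.157.114 192.168.222.114 netmask 255.255.255.255
access-list outside_in permit tcp any host 60.102.157.114 eq smtp
access-list outside_in permit tcp any host 60.102.157.114 eq http
access-list outside_in permit tcp any host 60.102.157.114 eq https
access-group outside_in in interface outside
no fixup protocol smtp 25
"""


def parse_pix(config_text):
    """Parse the PIX 6.x commands used in the thread; unknown commands are ignored."""
    cfg = {"interfaces": {}, "statics": [], "acls": {}, "access_groups": {}, "fixup_smtp": True}
    for raw in config_text.splitlines():
        line = raw.split("<==")[0].strip()  # drop the post's inline annotations
        if not line:
            continue
        tok = line.split()
        if tok[:2] == ["ip", "address"] and len(tok) == 5:
            cfg["interfaces"][tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[0] == "static":
            m = STATIC_RE.match(line)
            if not m:
                raise ValueError(f"malformed static: {line!r}")
            _, _, public_ip, inside_ip, _ = m.groups()
            cfg["statics"].append((ipaddress.ip_address(public_ip), ipaddress.ip_address(inside_ip)))
        elif tok[0] == "access-list":
            m = ACL_RE.match(line)
            if not m:
                raise ValueError(f"unsupported access-list form: {line!r}")
            name, action, proto, src, dst, port = m.groups()
            port_num = PORT_NAMES[port] if port in PORT_NAMES else int(port)
            cfg["acls"].setdefault(name, []).append((action, proto, src, ipaddress.ip_address(dst), port_num))
        elif tok[0] == "access-group" and len(tok) == 5:
            cfg["access_groups"][tok[4]] = tok[1]  # interface -> ACL name
        elif tok[:4] == ["no", "fixup", "protocol", "smtp"]:
            cfg["fixup_smtp"] = False
    return cfg


def audit(cfg, expected_ports):
    """Return (exposures, findings): what the outside can reach, and review problems."""
    findings = []
    outside_if = cfg["interfaces"].get("outside")
    inside_if = cfg["interfaces"].get("inside")
    acl_name = cfg["access_groups"].get("outside")
    if acl_name is None:
        findings.append("no access-group applied to outside: the static is unreachable")
    rules = cfg["acls"].get(acl_name, [])
    exposures = set()
    for public_ip, inside_ip in cfg["statics"]:
        if outside_if and public_ip not in outside_if.network:
            findings.append(f"static {public_ip} is not in the outside subnet {outside_if.network}")
        if inside_if and inside_ip not in inside_if.network:
            findings.append(f"static maps to {inside_ip}, outside the inside subnet {inside_if.network}")
        for action, proto, src, dst, port in rules:
            if action == "permit" and dst == public_ip:
                exposures.add((str(public_ip), port, str(inside_ip)))
    exposed_ports = {port for _, port, _ in exposures}
    for port in sorted(exposed_ports - expected_ports):
        findings.append(f"unexpected port {port} permitted from outside")
    for port in sorted(expected_ports - exposed_ports):
        findings.append(f"expected port {port} not permitted by {acl_name}")
    if 25 in exposed_ports and cfg["fixup_smtp"]:
        findings.append("smtp fixup still enabled on an exposed SMTP server (disable it for Exchange)")
    return sorted(exposures), findings


def audit_text(config_text, expected_ports):
    return audit(parse_pix(config_text), set(expected_ports))


def is_well_formed(config_text):
    """True if every static/access-list line parses; False for typos like '192.168.222 114'."""
    try:
        parse_pix(config_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    exposures, findings = audit_text(FULL_CONFIG, {25, 80, 443})
    for e in exposures:
        print("exposed:", e)
    for f in findings:
        print("finding:", f)
```

Running it against the assembled config prints three exposures (ports 25, 80 and 443 on .114 mapped to 192.168.222.114) and no findings; feeding it only the first reply's lines reports the two missing ports and the still-enabled SMTP fixup, which is exactly the gap the follow-up question closed.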

yert69Author Commented:
One more follow up:  You're saying I need a public address on both the Serial (WAN) and LAN side of the router?  You've been wonderfully helpful.  Thanks for your time and detailed response.
0
lrmooreCommented:
You don't necessarily have to have a public IP on the serial interface; Cisco has a feature that uses 'ip unnumbered' that works on the serial interface. It's up to the ISP to route your subnet through the proper circuit on their end.
0
yert69Author Commented:
Currently the ISP has the router configured with 113 on the serial interface and a private address on the LAN side.  So would there be any harm in leaving it configured as such and using, say, 116 on the LAN side?
0
lrmooreCommented:
Can't do that, but what you can do is configure the LAN side with .113 and use 'ip unnumbered' on the serial.

0
yert69Author Commented:
Great.  Thanks again for your help.
0