Solved

Cisco PIX 501 NAT Config

Posted on 2004-11-16
Last Modified: 2013-11-16
I have a small business client who I am trying to help out with a project.  Currently they have a router provided by their ISP which is doing NAT and forwarding their SMTP traffic to an internal mail server.  

They want to add a PIX 501 firewall for a little extra security and VPN capabilities.

I'm going to use specific addresses (which I'm modifying slightly for anonymity) because I feel like a total idiot when it comes to configuring these PIX devices.

Right now their MX record points to 60.102.157.114 which the ISP's router points to an internal address of 192.168.1.2.  The router's external WAN address is 60.102.157.113.  I will ask the ISP to remove the forwarding upon installation of the new firewall.

I have available addresses of 60.102.157.114-126.  I really don't wish to modify the MX record as getting the DNS changes done is always difficult in their case.

So here's what I'd like to have happen:  I want ports 80,443, and 25 on external address 60.102.157.114 to forward to internal address 192.168.1.2 in the PIX.  I need to know specifically how I should configure the interfaces on the PIX and how the NAT is configured.

Thanks in advance for your help.
0
Comment
Question by:yert69
 
LVL 79

Expert Comment

by:lrmoore
ID: 12600306
Need to know the config of the router. If it is doing NAT now, you have two choices - either continue using NAT, and then NAT again on the PIX, or stop doing the NAT on the router, and assign the PIX a public IP address (most certainly will have to re-configure the router)..

0
 

Author Comment

by:yert69
ID: 12600562
The router is doing NAT now and I've spoken with the ISP.  They are going to turn off the NAT as soon as I get the firewall configured properly.  So the end result will (hopefully) be that the PIX will do the NAT.  Ideally I'd like to assign one of my available public IPs to the outside interface on the PIX.  I have available addresses of 60.102.157.114-126.  Since the MX record already points to the 114 address I'd like to use that one.  Just need some specifics on how to configure it properly.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12600601
Since the MX is already using .114, then do something like this:

ip address outside 60.102.157.115 255.255.255.240 <== I'm assuming that is the correct mask for you
ip address inside 192.168.222.1 255.255.255.0  <== assuming you want to use a Private IP subnet inside
route 0.0.0.0 0.0.0.0 60.102.157.11x  <== whatever IP is on the router LAN interface
global (outside) 1 interface   <== setup PAT for outbound connections
nat (inside) 1 192.168.222.0 255.255.255.0   <== identify LAN subnet to be natted to the PAT global
static (inside,outside) 60.102.157.114 192.168.222.114 netmask 255.255.255.255
access-list outside_in permit tcp any host 60.102.157.114 eq smtp
access-group outside_in in interface outside

That's pretty much all there is to it..
0

Author Comment

by:yert69
ID: 12600642
Just to clarify a couple of things:

The router currently has a private address on the LAN side, so would I need to change that?  I was just looking at the config line "route 0.0.0.0 0.0.0.0 60.102.157.11x" and wondered if it was important to have a public address on the LAN side of the router as well.

And they also would like to be able to use OWA (Outlook web access) so I'm assuming there would be a similar access-list line for ports 80 and 443.  Are there any other ports I am leaving out?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12600656
Yes, you must have a public IP on the router as well.
Yes, you need to open ports 80 and 443 in the access-list. Just add lines like below for any additional ports.

access-list outside_in permit tcp any host 60.102.157.114 eq smtp
access-list outside_in permit tcp any host 60.102.157.114 eq http
access-list outside_in permit tcp any host 60.102.157.114 eq https

No other ports that I can think of, unless you want users to use POP3..

Are you using MS Exchange? Yes, then you need to also disable fixup:
   no fixup protocol smtp 25



0
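As an added example (not part of the thread), here is a small Python checker that parses the static, access-list and access-group lines lrmoore posted in the two replies above and reports exactly which inside host and ports are reachable from the outside, so the intended 25/80/443 exposure can be verified before the ISP removes the router's forwarding. The config text is constructed from the thread; the service-to-port table and the function names are assumptions of this example.

```python
"""Audit a PIX 6.x style static/ACL snippet for inbound exposure.

Added example: constructed from the config lines in the thread, not PIX output.
"""
import re

# Constructed config: the static, access-list and access-group lines posted
# above, with the .114 static pointing at the internal mail host.
PIX_CONFIG = """
global (outside) 1 interface
nat (inside) 1 192.168.222.0 255.255.255.0
static (inside,outside) 60.102.157.114 192.168.222.114 netmask 255.255.255.255
access-list outside_in permit tcp any host 60.102.157.114 eq smtp
access-list outside_in permit tcp any host 60.102.157.114 eq http
access-list outside_in permit tcp any host 60.102.157.114 eq https
access-group outside_in in interface outside
"""

# PIX accepts these keywords in place of port numbers (only the ones on the page).
SERVICE_PORTS = {"smtp": 25, "http": 80, "https": 443, "pop3": 110}

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) (\S+) host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def inbound_exposure(config):
    """Return {(mapped_ip, proto, port): real_ip} for every inbound flow that an
    ACL bound to the outside interface permits through a static translation."""
    statics, permits, bound = {}, [], set()
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics[m.group(3)] = m.group(4)  # mapped (public) ip -> real (inside) ip
        elif m := ACL_RE.match(line):
            permits.append(m.groups())
        elif (m := GROUP_RE.match(line)) and m.group(2) == "outside":
            bound.add(m.group(1))
    exposure = {}
    for acl, proto, _src, dst, svc in permits:
        if acl not in bound or dst not in statics:
            continue  # ACL never applied, or no translation: nothing reachable
        port = SERVICE_PORTS.get(svc, int(svc) if svc.isdigit() else None)
        exposure[(dst, proto, port)] = statics[dst]
    return exposure


def unexpected_ports(config, allowed):
    """Ports reachable from the outside that are not in the intended set."""
    return sorted(p for (_, _, p) in inbound_exposure(config) if p not in allowed)
```

Run it again after any ACL change; `unexpected_ports(PIX_CONFIG, {25, 80, 443})` should stay empty, and a later `eq pop3` line would surface as 110.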
 

Author Comment

by:yert69
ID: 12600673
One more follow up:  You're saying I need a public address on both the Serial (WAN) and LAN side of the router?  You've been wonderfully helpful.  Thanks for your time and detailed response.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12600691
You don't necessarily have to have a public IP on the serial interface, Cisco has a feature that uses 'ip unnumbered' that works on the serial interface. It's up to the ISP to route your subnet through the proper circuit on their end.
0
 

Author Comment

by:yert69
ID: 12600709
Currently the ISP has the router configured with 113 on the serial interface and a private address on the LAN side.  So would there be any harm in leaving it configured as such and using, say, 116 on the LAN side?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12600725
Can't do that, but what you can do is configure the LAN side with .113 and use 'ip unnumbered' on the serial.

0
 

Author Comment

by:yert69
ID: 12600728
Great.  Thanks again for your help.
0
