Pentrix2
asked on
PIX NAT Configuration
I am in the process of replacing Checkpoint with a PIX 515e-DMZ-R solution. In my Checkpoint I notice some static mapped IP addresses have NAT enabled with a public IP address.
For example:
MainFrame
Private IP Address: 192.168.85.10
Public IP Address with NAT enabled: 62.234.20.10
How would I configure this on a PIX, and which commands would I use, please?
static (inside,outside) publicIp PrivateIP
static (dmz,outside) PublicIp PrivateIP
Depending on where you want to point your traffic.
You have to state that in your access-lists. If you want some computers to avoid the rules
ASKER
I don't want to use the DMZ in my scenario.
With this command you gave me:
static (inside,outside) publicIP privateIP
-- Is this telling me that the outside can go straight to my specific private IP?
static (dmz,outside) PublicIP PrivateIP
-- I don't want to use the DMZ option, so is there a different command? And what does this do?
I want my computers just to access the internet freely without any firewall or Websense rules. If not, I just want to avoid Websense if possible.
Can you give me the commands for this?
That statement tells the PIX that the PrivateIP always uses the PublicIP when going to the internet. So there is no access from the outside to the inside.
If you want access to the inside you need to set up access-lists.
So the static command binds the PrivateIP to a PublicIP.
The PIX doesn't restrict access from the inside by default. The PIX works with security levels, and going from higher to lower is permitted by default.
Outside IF = 0, Inside IF = 100
ASKER
So how do I create these access-lists so the outside may have access to a specific inside host?
MainFrame
Private IP Address: 192.168.85.10
Public IP Address with NAT enable: 62.234.20.10
static (inside,outside) 62.234.20.10 192.168.85.10
example: access-list incoming permit tcp any host 62.234.20.10 eq www
After you have created the complete list you have to bind it to an interface. In this example it's the outside interface.
access-group incoming in interface outside
This link gives you all the information you need. Configuration examples and a complete command reference.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
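The answer above gives the three pieces (static, access-list, access-group) one at a time. As an added example that is not from this thread, here they are together in one PIX 6.x configuration for the MainFrame case, with the dynamic PAT that ordinary inside hosts need to reach the internet. The interface names, the outside address 62.234.20.1, the 255.255.255.0 masks and the partner address 203.0.113.5 (RFC 5737 documentation range) are assumptions; the 62.234.20.10 / 192.168.85.10 pair is the one from the question. Comment lines use the ":" prefix that PIX 6.x ignores.

```cisco
: Added example, not part of this thread. Interface names and addresses other
: than the MainFrame pair are assumptions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 62.234.20.1 255.255.255.0
ip address inside 192.168.85.1 255.255.255.0
:
: Ordinary inside hosts leave through PAT on the outside interface address.
: Inside (100) to outside (0) is higher-to-lower, so no ACL is needed for this direction.
nat (inside) 1 192.168.85.0 255.255.255.0
global (outside) 1 interface
:
: One-to-one static for the mainframe. Argument order is mapped (public) address
: first, real (private) address second.
static (inside,outside) 62.234.20.10 192.168.85.10 netmask 255.255.255.255
:
: Inbound policy on the outside interface: permit only the ports the mainframe must
: expose. Everything not listed is dropped by the implicit deny at the end of the list.
access-list incoming permit tcp any host 62.234.20.10 eq www
: Telnet/tn3270 only from one known partner address (constructed), never from any.
access-list incoming permit tcp host 203.0.113.5 host 62.234.20.10 eq 23
:
: Bind the list inbound on the outside interface. Without this line the ACL is
: never consulted, and the static alone opens nothing from the outside.
access-group incoming in interface outside
```

The static is the translation; the access-group is what actually admits outside traffic, so check both with `show static` and `show access-list` after pasting. Keep the permit lines as narrow as the application allows (specific source, specific port), because every host 62.234.20.10 line is reachable from the whole internet unless the source is restricted.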
ASKER
Okay. I see how to do private to public IP. But how about private IPs bypassing the firewall? Let's say I have a bunch of IPs like 192.168.85.201, 204, 209 that I want to bypass the firewall. I'm doing this because I have Websense that does website filtering, and to my understanding if I bypass the firewall then those IPs won't get website filtering.
Those IPs will not avoid getting filtered by Websense. To bypass your firewall rules you have to configure ACLs.
To bypass Websense you need a statement like this:
filter url except 192.168.85.201 255.255.255.255 0.0.0.0 0.0.0.0
If you don't have this statement, all traffic will pass through the Websense database.
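The "filter url except" line only means something next to the url-server and "filter url" statements it exempts hosts from, so here is the complete filtering block as an added example that is not from this thread. The Websense server address 192.168.85.8 and the three exempt hosts are the ones the asker names in this thread; the timeout, protocol and version values are assumptions to check against your Websense release.

```cisco
: Added example, not part of this thread. Timeout/protocol/version are assumptions.
: The Websense server sits on the inside interface.
url-server (inside) host 192.168.85.8 timeout 5 protocol TCP version 1
:
: Send every port-80 request from any inside host to any destination to the URL
: server for a verdict. Without the optional "allow" keyword the PIX fails closed:
: if the URL server is unreachable, HTTP is dropped rather than passed unfiltered.
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
:
: Exceptions are checked before the filter statement above, one line per exempt
: host. Each entry is an unfiltered path to the web, so keep this list short.
filter url except 192.168.85.201 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.85.204 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 192.168.85.209 255.255.255.255 0.0.0.0 0.0.0.0
```

Two points worth knowing when you verify this with `show url-server` and `show filter`: the filter applies only to the port named in the statement (80 here), so traffic on other ports is not sent to Websense by this line, and the exemption is keyed on the inside host address, so it has nothing to do with the ACLs that govern which hosts may reach the internet at all.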
ASKER
Okay, I understand how to make an IP bypass Websense. Let's say I have a Websense server with the IP 192.168.85.8. How would I make a statement so all internet traffic gets the Websense service?
ASKER CERTIFIED SOLUTION
ASKER
For example.
Private IP Address 192.168.85.9
NO Public IP Address: