PIX NAT Configuration

I am in the process of replacing Checkpoint with a PIX 515e-DMZ-R solution.  In my Checkpoint I notice some static mapped IP addresses have NAT enabled with a public IP address.

For example:

MainFrame
Private IP Address:  192.168.85.10
Public IP Address with NAT enable:   62.234.20.10

How would I configure this on a PIX? Commands, please.
Pentrix2 asked:
martyboy commented:
url-server (inside) host 192.168.85.8 timeout 10 protocol TCP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow   (makes all traffic go through Websense)

PIX and Websense have a small issue which makes some sites unavailable. Use these statements to avoid that problem.

url-block url-mempool 1500
url-block url-size 4
Pentrix2 (author) commented:
I also forgot to mention.  Let's say I also have some private static IP addresses that I want to use to bypass the firewall rules.  How would I do this?


For example:
Private IP Address 192.168.85.9
NO Public IP Address:
martyboy commented:
static (inside,outside) publicIp PrivateIP
static (dmz,outside) PublicIp PrivateIP

Depending on where you want to point your traffic.

You have to state that in your access-lists if you want some computers to avoid the rules.
Pentrix2 (author) commented:
I don't want to use the DMZ in my scenario.

With this command you gave me:

static (inside,outside) publicIP privateIP
--  Telling me that the outside can go straight to my specific private IP?

static (dmz,outside) PublicIP PrivateIP
--  I don't want to use the dmz option, so is there a different command.  And what does this do?

I want my computers just to access the internet freely without any firewall or websense rules.  If not, I just want to avoid websense if possible.
Can you give me the commands to this?
martyboy commented:
That statement tells the PIX that the PrivateIP always uses the PublicIP when going to the internet. So there is no access from the outside to the inside.
If you want access to the inside you need to setup access-lists.

So the static command binds the PrivateIP to a PublicIP.

The PIX doesn't restrict access from the inside by default. PIX works with security levels, and going from higher to lower is permitted by default.
OutsideIF = 0  InsideIF = 100
Pentrix2 (author) commented:
So how do I create this access-lists so the outside may have access to a specific inside?

MainFrame
Private IP Address:  192.168.85.10
Public IP Address with NAT enable:   62.234.20.10
martyboy commented:
static (inside,outside) 62.234.20.10 192.168.85.10   (public/global address first, then the private/local one)

Example: access-list incoming permit tcp any host 62.234.20.10 eq www


After you created the complete list you have to bind it to an interface. In this example its the outside interface.

access-group incoming in interface outside


This link gives you all the information you need. Configuration examples and a complete command reference.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
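The static, access-list and access-group lines from the answer above, assembled into one PIX 6.x configuration fragment for the two-interface (no DMZ) layout the thread settles on. This is an added example, not configuration posted in the thread: the interface names, the /24 masks, the interface addresses 62.234.20.1 and 192.168.85.1, and the PAT pool for the rest of the inside network are assumptions. Lines beginning with ":" are comments, following the convention of PIX saved configurations. Note the argument order of static: the mapped (public) address comes first and the real (private) address second, matching the publicIP/privateIP placeholders given earlier in the thread.

```cisco
: PIX 6.x, two-interface deployment (no DMZ). Added example; the
: addresses and interface names below are assumptions, not from the thread.
: Security levels: higher (inside, 100) to lower (outside, 0) is permitted
: by default; lower to higher needs an access-list bound to the interface.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 62.234.20.1 255.255.255.0
ip address inside 192.168.85.1 255.255.255.0

: One-to-one static NAT for the mainframe. The syntax is
:   static (real_ifc,mapped_ifc) mapped_ip real_ip
: so the PUBLIC address is written first and the PRIVATE address second.
: This only binds the two addresses; on its own it does not let the
: outside reach 192.168.85.10.
static (inside,outside) 62.234.20.10 192.168.85.10 netmask 255.255.255.255 0 0

: Every other inside host leaves through PAT on the outside interface address.
nat (inside) 1 192.168.85.0 255.255.255.0 0 0
global (outside) 1 interface

: Inbound permission. The access-list is written against the MAPPED (public)
: address, because an outside ACL is matched before the static is applied.
: Only HTTP is opened here; each further service needs its own line, and
: everything not listed is dropped by the implicit deny at the end.
access-list incoming permit tcp any host 62.234.20.10 eq www
access-group incoming in interface outside
```

The check to make before trusting such a config: write the static with the two addresses reversed and the mainframe's private address is silently advertised as the global one, so the access-list entry for 62.234.20.10 never matches and the host is unreachable rather than exposed. The opposite mistake, an access-list line with `any` as the destination, exposes every statically mapped host at once, so keep each permit pinned to one host and one port.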
Pentrix2 (author) commented:
Okay.  I see how to do private to public IP.  But how about a private IP bypassing the firewall?  Let's say I've got a bunch of IPs like 192.168.85.201, 204, 209 that I want to bypass the firewall.  I'm doing this because I have Websense that does website filtering, and to my understanding if I bypass the firewall then those IPs won't get website filtering.
martyboy commented:
Those IPs will not avoid getting filtered by Websense.  To bypass your firewall rules you have to configure ACLs.

To bypass websense you need a statement like this

filter url except 192.168.85.201 255.255.255.255 0.0.0.0 0.0.0.0
If you don't have this statement, all traffic will pass through the Websense database.
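The Websense side of the thread, combining the url-server and filter url lines from martyboy's first comment with the filter url except line above, as one PIX 6.x fragment. This is an added example rather than configuration posted in the thread; the three exempt hosts are the ones the author listed, and the Websense server address 192.168.85.8 is the one given in the question. Lines beginning with ":" are comments, following the PIX saved-configuration convention. Two points the thread states only in passing are spelled out in the comments: except entries skip the Websense lookup but do not bypass the access-lists, and the trailing `allow` keyword on the filter statement makes filtering fail open.

```cisco
: Websense URL filtering on PIX 6.x. Added example; not from the thread.
: Point the PIX at the Websense server sitting on the inside interface.
url-server (inside) host 192.168.85.8 timeout 10 protocol TCP version 4

: Send HTTP from any inside source to any destination through Websense.
: "allow" means FAIL OPEN: if the url-server is unreachable, HTTP passes
: unfiltered. Omit the keyword to fail closed (HTTP blocked until the
: server is reachable again), which is the safer default for a corporate
: egress point.
filter url http 0 0 0 0 allow

: Hosts exempted from the Websense lookup. Syntax:
:   filter url except local_ip local_mask foreign_ip foreign_mask
: These entries only skip filtering; the PIX access-lists still apply to
: every packet from these hosts, so this is not a firewall bypass.
filter url except 192.168.85.201 255.255.255.255 0 0
filter url except 192.168.85.204 255.255.255.255 0 0
filter url except 192.168.85.209 255.255.255.255 0 0

: Long-URL handling (PIX 6.2 and later): the buffer pool for URLs awaiting
: a Websense verdict and the maximum URL length forwarded to the server,
: both in KB. Without these, some long URLs are rejected, which is the
: "some sites unavailable" symptom mentioned in the thread.
url-block url-mempool 1500
url-block url-size 4
```

If the requirement is that the exempt hosts also leave without any access-list restriction, that is a separate change in the outbound policy, not in the filter statements: on a PIX the inside-to-outside direction is already open unless an access-group has been bound inbound on the inside interface, and if one has, those hosts need their own permit lines in it.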
Pentrix2 (author) commented:
Okay, I understand how to make an IP to bypass the websense.  Let's say I have a websense server having IP of 192.168.85.8.  How would I make a statement so all internet traffic gets the websense service?