Solved

PIX NAT Configuration

Posted on 2005-05-11
Last Modified: 2013-11-16
I am in the process of replacing Checkpoint with a PIX 515e-DMZ-R solution.  In my Checkpoint I notice some static mapped IP addresses have NAT enabled with a public IP address.

For example:

MainFrame
Private IP Address:  192.168.85.10
Public IP Address with NAT enable:   62.234.20.10

How would I configure this on a PIX, and what are the commands, please?
Question by:Pentrix2
10 Comments
 
LVL 9

Author Comment

by:Pentrix2
ID: 13976877
I also forgot to mention.  Let's say I also have some private static IP addresses that I want to use to bypass the firewall rules.  How would I do this?


For example:
Private IP Address 192.168.85.9
NO Public IP Address:
LVL 2

Expert Comment

by:martyboy
ID: 13976989
static (inside,outside) publicIp PrivateIP
static (dmz,outside) PublicIp PrivateIP

Depending on where you want to point your traffic.

If you want some computers to avoid the rules, you have to state that in your access-lists.
LVL 9

Author Comment

by:Pentrix2
ID: 13977048
I don't want to use the DMZ in my scenario.

With this command you gave me:

static (inside,outside) publicIP privateIP
--  Telling me that the outside can go straight to my specific private IP?

static (dmz,outside) PublicIP PrivateIP
--  I don't want to use the dmz option, so is there a different command?  And what does this do?

I want my computers just to access the internet freely without any firewall or websense rules.  If not, I just want to avoid websense if possible.
Can you give me the commands to this?
LVL 2

Expert Comment

by:martyboy
ID: 13977130
That statement tells the pix that the PrivateIP always uses the publicIP when going to the internet. So there is no access from the outside to the inside.
If you want access to the inside you need to set up access-lists.

So the static command binds the privateIP to a PublicIP.

The pix doesn't restrict access from the inside by default. Pix works with security levels, and going from higher to lower is permitted by default.
OutsideIF = 0  InsideIF = 100
LVL 9

Author Comment

by:Pentrix2
ID: 13977161
So how do I create these access-lists so the outside may have access to a specific inside host?

MainFrame
Private IP Address:  192.168.85.10
Public IP Address with NAT enable:   62.234.20.10
LVL 2

Expert Comment

by:martyboy
ID: 13977229
static (inside,outside) 62.234.20.10 192.168.85.10

example: access-list incoming permit tcp any host 62.234.20.10 eq www


After you have created the complete list you have to bind it to an interface. In this example it's the outside interface.

access-group incoming in interface outside


This link gives you all the information you need. Configuration examples and a complete command reference.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
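As an added check that is not part of this thread: a small Python lint over the kind of PIX 6.x lines discussed above. It flags a static whose mapped and real addresses are swapped (the mapped, public address must come first in `static (inside,outside)`) and an outside access-list entry that names the private address instead of the mapped one. The sample config is constructed; the second static and its ACL line are deliberately wrong.

```python
import ipaddress
import re
from typing import List

# Constructed sample: the thread's static/ACL/access-group lines plus one
# deliberately swapped static and an ACL that references the private address.
SAMPLE_CONFIG = """
static (inside,outside) 62.234.20.10 192.168.85.10
static (inside,outside) 192.168.85.11 62.234.20.11
access-list incoming permit tcp any host 62.234.20.10 eq www
access-list incoming permit tcp any host 192.168.85.11 eq www
access-group incoming in interface outside
"""

# PIX 6.x syntax assumed: static (real_if,mapped_if) mapped_ip real_ip
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit \S+ \S+ host (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def lint_pix(config: str) -> List[str]:
    """Return findings for swapped statics and outside ACLs on real addresses."""
    real_ips = set()        # real (private) addresses seen in static lines
    acl_hosts = {}          # acl name -> destination hosts it permits
    outside_acls = set()    # acl names bound inbound on the outside interface
    findings = []
    for line in config.strip().splitlines():
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            real_ips.add(real_ip)
            # Inside->outside: the mapped (first) address should be the public one.
            if (mapped_if == "outside"
                    and ipaddress.ip_address(mapped_ip).is_private
                    and not ipaddress.ip_address(real_ip).is_private):
                findings.append(f"swapped static: mapped {mapped_ip} is private, "
                                f"real {real_ip} is public")
        elif m := ACL_RE.match(line):
            acl_hosts.setdefault(m.group(1), []).append(m.group(2))
        elif m := GROUP_RE.match(line):
            if m.group(2) == "outside":
                outside_acls.add(m.group(1))
    # On PIX 6.x an ACL applied to the outside interface matches the mapped
    # address, so a private/real address there never matches anything.
    for name in outside_acls:
        for host in acl_hosts.get(name, []):
            if host in real_ips or ipaddress.ip_address(host).is_private:
                findings.append(f"acl {name}: host {host} is a real/private address; "
                                f"outside ACLs must reference the mapped address")
    return findings


if __name__ == "__main__":
    for f in lint_pix(SAMPLE_CONFIG):
        print(f)
```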
LVL 9

Author Comment

by:Pentrix2
ID: 13998287
Okay.  I see how to do private to public IP.  But how about a private IP bypassing the firewall?  Let's say I have a bunch of IPs like 192.168.85.201, 204, 209 that I want to bypass the firewall.  I'm doing this because I have Websense that does website filtering, and to my understanding if I bypass the firewall then those IPs won't get website filtering.
LVL 2

Expert Comment

by:martyboy
ID: 14001510
Those IPs will not avoid getting filtered by websense.  To bypass your firewall rules you have to configure ACLs.

To bypass websense you need a statement like this:

filter url except 192.168.85.201 255.255.255.255 0.0.0.0 0.0.0.0
If you don't have this statement, all traffic will pass the websense database.
LVL 9

Author Comment

by:Pentrix2
ID: 14002009
Okay, I understand how to make an IP bypass the websense.  Let's say I have a websense server with the IP 192.168.85.8.  How would I make a statement so all internet traffic gets the websense service?
LVL 2

Accepted Solution

by: martyboy earned 2000 total points
ID: 14002952
url-server (inside) host 192.168.85.8 timeout 10 protocol TCP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow ( makes all traffic go thru websense )

Pix and websense have a small issue which makes some sites unavailable. Use these statements to avoid that problem.

url-block url-mempool 1500
url-block url-size 4
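As an added illustration (not part of the accepted answer), a Python model of how the PIX evaluates the `filter url` and `filter url except` statements from this thread for one outbound TCP flow: the `except` entry wins over the filter entry, only the listed port (http = 80) is sent to Websense, and the `allow` keyword decides whether HTTP fails open or closed when the URL server is unreachable. PIX 6.x syntax is assumed; the two filter lines are constructed from the thread.

```python
import ipaddress
from typing import List

# Constructed sample: the two filter statements from this thread. Assumed PIX 6.x
# syntax: "filter url <http|port> local_ip local_mask foreign_ip foreign_mask [allow]"
# and "filter url except local_ip local_mask foreign_ip foreign_mask".
SAMPLE_FILTERS = [
    "filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow",
    "filter url except 192.168.85.201 255.255.255.255 0.0.0.0 0.0.0.0",
]


def _matches(ip: str, base: str, mask: str) -> bool:
    """PIX-style address match; base 0.0.0.0 with mask 0.0.0.0 matches any host."""
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(ip)) & m == int(ipaddress.IPv4Address(base)) & m


def parse_filter(line: str) -> dict:
    """Parse one filter statement into a rule dict."""
    parts = line.split()
    local, lmask, foreign, fmask = parts[3:7]
    rule = {"local": local, "lmask": lmask, "foreign": foreign, "fmask": fmask}
    if parts[2] == "except":
        rule["kind"] = "except"
    else:
        rule["kind"] = "filter"
        rule["port"] = 80 if parts[2] == "http" else int(parts[2])
        rule["allow"] = "allow" in parts[7:]
    return rule


def url_filter_decision(filters: List[str], src: str, dst: str, dport: int,
                        websense_up: bool = True) -> str:
    """Classify a flow as 'filtered' (sent to Websense), 'unfiltered' or 'blocked'."""
    rules = [parse_filter(line) for line in filters]
    # 'except' entries exempt matching traffic from every filter statement.
    for r in rules:
        if (r["kind"] == "except" and _matches(src, r["local"], r["lmask"])
                and _matches(dst, r["foreign"], r["fmask"])):
            return "unfiltered"
    for r in rules:
        if (r["kind"] == "filter" and r["port"] == dport
                and _matches(src, r["local"], r["lmask"])
                and _matches(dst, r["foreign"], r["fmask"])):
            if websense_up:
                return "filtered"
            return "unfiltered" if r["allow"] else "blocked"  # fail-open vs fail-closed
    return "unfiltered"  # no filter statement covers this port (e.g. HTTPS)


if __name__ == "__main__":
    for src in ("192.168.85.10", "192.168.85.201"):
        print(src, url_filter_decision(SAMPLE_FILTERS, src, "198.51.100.5", 80))
```

Note that without a `filter https` statement the model returns "unfiltered" for port 443, which matches why the exception list alone does not control all web traffic.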