Solved

pix

Posted on 2006-10-24
Last Modified: 2013-11-16
Hello,
I have a question:
Is it possible to configure PAT and NAT together on a PIX 506E?
My problem:
I have a connection from my local network to the internet through a PIX 506E (dynamic PAT on the external interface).
I need to add a connection from the internet to a dedicated computer in my local network through the PIX.
I configured a 1-1 translation from outside IP 209.xx.xx.xx to inside 192.168.xx.xx and I forwarded the port.
But it doesn't work.
I can't telnet to this computer and port.
Maybe I have to add a global NAT for this outside IP.
thx
henry
Question by:henryk123
12 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 17797346
If you only get 1 public IP address then you cannot do both a 1-1 nat and PAT for other outbound traffic.
You can simply use static port-forwarding, with corresponding acl.
For example - you have a web server and an email server:

static (inside,outside) tcp interface http 192.168.10.100 http netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.10.202 smtp netmask 255.255.255.255
access-list outside_in permit tcp any interface outside eq http
access-list outside_in permit tcp any interface outside eq smtp
access-group outside_in in interface outside

0
 

Author Comment

by:henryk123
ID: 17797604
I have 5 public IP addresses.
I only need to add a NAT rule from one external IP to one internal IP, and I must not change the existing PAT configuration.
I'm new to firewalls, so maybe it is very easy, but I can't do it.
thx
henry
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17797764
global (outside) 1 interface
nat (inside) 1 0 0 0
static (inside,outside) 209.x.x.x 192.168.10.100 netmask 255.255.255.255

As long as 209.x.x.x is not the same IP as the one assigned to the outside interface, this will work just fine - assuming that you also have the proper acl applied.
0
 

Author Comment

by:henryk123
ID: 17798142
Building configuration...
: Saved
:
hello again:
one more thing:
1. When I enter "global (outside) 1 interface" from the telnet console I get:
type ? to display all options, something wrong
2. After nat (inside) 1 0 0 0 - NAT entry duplicated
Below is my configuration:
Can you look?
thx henry


PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Ukmo5i.XUVFUnPym encrypted
passwd vfwNtDb5h6RVFg72 encrypted
hostname xxx-pix
domain-name xxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name XX.xx.xx.xx Router
name 192.168.1.0 test2
access-list acl_out permit ip any any
pager lines 24
logging trap debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 209.xx.xx.xx 255.xx.xx.xx
ip address inside 192.168.xx.xx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.xx.xx 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface inside
route outside 0.0.0.0 0.0.0.0 Router 1
route inside test2 255.255.255.0 192.168.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.xx.xx 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
service resetoutside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:cbea7b7d4952f1e1017774753a1afaf6
: end
[OK]

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17798320
>PIX Version 6.1(4)
OK. This old version does not support the "interface" keyword

Use:
 global (outside) 1 209.x.x.x  <= same IP as outside interface
 static (inside,outside) 209.x.x.y 192.168.X.Y  <== not same as either outside or inside interface IP

>access-list acl_out permit ip any any
>access-group acl_out in interface inside
You really don't want to do this. It sort of defeats the whole purpose for having a firewall.



0
 

Author Comment

by:henryk123
ID: 17798614
Ok.

What is another way to establish this connection?
Upgrade this firewall, or, I don't know, add one more interface to this firewall if possible?
Configure a VPN?
Is it possible to configure a VPN on this firewall?

In my company I also have an ISA 2004 firewall, but it is not connected now.
In the future I'll connect these two firewalls (PIX and ISA) together in a back-to-back configuration.
What do you think? Is it a good idea to connect these firewalls together, or is it better to connect only the ISA 2004 firewall as the edge firewall?
henry
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17798775
>What is another way to establish this connection
You have not exactly spelled out what this connection is supposed to do/be.

You said that you have more than 1 IP address to use. Then you can do just as I demonstrated above using 1 IP for the interface/global and another one for the 1-1 NAT.
You just have to adjust the acl. If you must permit all ip to this one host, through nat, then adjust the acl like this (although I still wouldn't recommend it):
access-list outside_in permit ip any host 209.x.x.y
access-group outside_in in interface outside

Else, yes, you can create a client VPN scenario to this PIX, VPN in from the client, then have full wonderful -secure- access to the internal server.

I would, however, suggest upgrading 6.1(4) to the latest 6.3(5) before doing that.
As far as utilizing both the PIX and the ISA, I would never use any system running MS Windows that has to be patched often and unfailingly, without time to test out the patches, and rebooted often as my edge firewall. The PIX is absolutely the better Edge firewall. Use the ISA as a one-legged cache-only proxy to control user outbound access, provide reports, and enhance user experience.
I see no viable reason to connect these two firewalls back-back



0
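The two expert replies above boil down to a handful of mechanical rules: on this 6.1(4) release spell the PAT address out instead of using the "interface" keyword, never reuse an interface or PAT address for the 1-1 static, make sure every access-group names an access-list that actually exists (the original replies had the name misspelled two different ways), and do not apply "permit ip any any" to an interface. The script below is an added example, not code from the thread or from Cisco: it parses the relevant PIX 6.x statements with regular expressions and reports violations of those rules. Both configurations it checks are constructed (documentation address 203.0.113.0/24 stands in for the poster's 209.x.x.x block), and the assumption that the "interface" keyword is rejected on every release up to 6.1 is an extrapolation from the 6.1(4) report in the thread.

```python
"""Lint a PIX 6.x configuration for the NAT/PAT and ACL mistakes discussed above."""
import ipaddress
import re

# Constructed sample configs, not the poster's real configuration: the public side
# uses the documentation range 203.0.113.0/24, the inside uses 192.168.10.0/24.
BROKEN_CONFIG = """\
PIX Version 6.1(4)
ip address outside 203.0.113.10 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
access-list acl_out permit ip any any
access-list outside_in permit tcp any host 203.0.113.10 eq 23
access-group acl_out in interface inside
access-group otuside_in in interface outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.10 192.168.10.100 netmask 255.255.255.255
"""

FIXED_CONFIG = """\
PIX Version 6.1(4)
ip address outside 203.0.113.10 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
access-list outside_in permit tcp any host 203.0.113.11 eq 23
access-group outside_in in interface outside
global (outside) 1 203.0.113.10
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 203.0.113.11 192.168.10.100 netmask 255.255.255.255
"""


def parse_config(text):
    """Pull out only the statements the checks below need."""
    cfg = {"version": None, "interfaces": {}, "globals": [], "statics": [],
           "acls": {}, "access_groups": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"PIX Version (\d+)\.(\d+)", line):
            cfg["version"] = (int(m[1]), int(m[2]))
        elif m := re.match(r"ip address (\S+) (\S+) \S+$", line):
            cfg["interfaces"][m[1]] = ipaddress.ip_address(m[2])
        elif m := re.match(r"global \((\S+)\) \d+ (\S+)", line):
            cfg["globals"].append((m[1], m[2]))            # (interface, address or 'interface')
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line):
            if m[3] not in ("tcp", "udp"):                 # skip the port-redirection form
                cfg["statics"].append((m[2], m[3], m[4]))  # (outside if, public, private)
        elif m := re.match(r"access-list (\S+) (permit|deny) (\S+) (\S+) (\S+)", line):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3], m[4], m[5]))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["access_groups"].append((m[1], m[2]))
    return cfg


def audit(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    cfg = parse_config(text)
    findings = []

    # 1. 'global (outside) 1 interface' is rejected on the 6.1(4) release in the thread
    #    (assumed here to hold for anything older as well); spell the address out instead.
    for iface, addr in cfg["globals"]:
        if addr == "interface" and cfg["version"] is not None and cfg["version"] <= (6, 1):
            findings.append(f"global ({iface}): 'interface' keyword is not supported on "
                            f"PIX {cfg['version'][0]}.{cfg['version'][1]}; use the outside address")

    # 2. A 1-1 static must not reuse an interface address or a PAT (global) address.
    pat_addrs = {addr for _, addr in cfg["globals"] if addr != "interface"}
    for _, public, private in cfg["statics"]:
        public_ip = ipaddress.ip_address(public)
        for name, if_ip in cfg["interfaces"].items():
            if public_ip == if_ip:
                findings.append(f"static {public} -> {private}: same as the {name} interface "
                                "address; 1-1 NAT and PAT cannot share one IP")
        if public in pat_addrs:
            findings.append(f"static {public} -> {private}: also used as a PAT global address")

    # 3. Every applied ACL must exist (catches name typos), and an applied
    #    'permit ip any any' defeats the purpose of having a firewall.
    for name, iface in cfg["access_groups"]:
        if name not in cfg["acls"]:
            findings.append(f"access-group {name} on {iface}: no access-list by that name (typo?)")
        elif ("permit", "ip", "any", "any") in cfg["acls"][name]:
            findings.append(f"access-list {name} on {iface}: 'permit ip any any' lets everything through")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        result = audit(cfg_text)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the broken sample it reports four findings (the unsupported keyword, the static colliding with the outside address, the wide-open inside ACL, and the misspelled access-group name); the fixed sample, which is the shape lrmoore recommends for 6.1(4), reports none. The parser deliberately ignores the port-redirection static form and address ranges in global statements, so treat it as a first pass over a saved "write terminal" dump rather than a complete validator.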
 

Author Comment

by:henryk123
ID: 17798954
Ok.
I'll try to configure what you recommend:
VPN on the Cisco firewall + ISA as a proxy inside my network.
Maybe you have a link to the latest Cisco software?
Is this upgrade safe, or do I have to expect surprises?
henry
 
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17798983
http://www.cisco.com/cgi-bin/tablebuild.pl/pix
You'll have to have CCO account login to get the upgrade
The upgrade is safe and painless and "fixes" a lot of things. If you also get the PDM3.04 that goes with it, it wraps a nice Java based GUI around it with VPN wizards that make it a snap to configure VPN's.
0
 

Author Comment

by:henryk123
ID: 17799077
Thanks.

See'ya next time. I'm sure.:)
0
 

Author Comment

by:henryk123
ID: 17802946
Hello again,
I have one more question about ISA 2004 server.
I have ISA installed on a Win2003 server.
If I want to configure ISA as a proxy server and as a machine to control internet access for the inside network (for example, to allow users access to the internet only at "lunch time"), what do I need? A custom scenario?
When I check the templates on ISA I have the option to choose:
1. Edge Firewall
2. 3-Leg Perimeter
3. Front Firewall
4. Back Firewall
5. Single Network Adapter
If I choose option "5" I'll be able to configure the proxy server, but probably I won't be able to install "firewall clients".
How can I manage internet access on local computers from ISA?
henry
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17805053
You set the ISA with Single Adapter - in cache only mode.
Set the PIX to only allow the ISA's IP address out to www
Set the client's IE to use a proxy setting. This can be set in Domain policies, or through DHCP.
No firewall client needed.
ISA can control who gets out and when.
0
