pix

henry asked:

Hello,
I have a question:
Is it possible to configure PAT and NAT together on a PIX 506E?
My problem:
I have a connection from my local network to the internet through a PIX 506E (dynamic PAT on the external interface).
I need to add a connection from the internet to a dedicated computer in my local network through the PIX.
I configured a 1-1 translation from outside IP 209.xx.xx.xx to inside 192.168.xx.xx and I forwarded the port.
But it doesn't work.
I can't telnet to this computer and port.
Maybe I have to add a global NAT for this outside IP.
thx
henry
ASKER CERTIFIED SOLUTION
Les Moore

henry (asker):
I have 5 public IP addresses.
I only need to add a NAT rule from one external IP to one internal IP, and I don't want to change the existing PAT configuration.
I'm new to firewalls, so maybe it is very easy, but I can't do it.
thx
henry
global (outside) 1 interface
nat (inside) 1 0 0 0
static (inside,outside) 209.x.x.x 192.168.10.100 netmask 255.255.255.255

As long as 209.x.x.x is not the same IP as the one assigned to the outside interface, this will work just fine - assuming that you also have the proper acl applied.

henry (asker):
hello again,
one more thing:
1. When I put "global (outside) 1 interface" in the telnet console I get:
type ? for display all options, something wrong
2. After "nat (inside) 1 0 0 0" - NAT entry duplicated
Below is my configuration:
Can you look?
thx henry

Building configuration...
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Ukmo5i.XUVFUnPym encrypted
passwd vfwNtDb5h6RVFg72 encrypted
hostname xxx-pix
domain-name xxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name XX.xx.xx.xx Router
name 192.168.1.0 test2
access-list acl_out permit ip any any
pager lines 24
logging trap debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 209.xx.xx.xx 255.xx.xx.xx
ip address inside 192.168.xx.xx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.xx.xx 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface inside
route outside 0.0.0.0 0.0.0.0 Router 1
route inside test2 255.255.255.0 192.168.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.xx.xx 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
service resetoutside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:cbea7b7d4952f1e1017774753a1afaf6
: end
[OK]

>PIX Version 6.1(4)
OK. This old version does not support the "interface" keyword

Use:
 global (outside) 1 209.x.x.x  <= same IP as outside interface
 static (inside,outside) 209.x.x.y 192.168.X.Y  <== not same as either outside or inside interface IP

>access-list acl_out permit ip any any
>access-group acl_out in interface inside
You really don't want to do this. It sort of defeats the whole purpose for having a firewall.

henry (asker):
Ok.

What is another way to establish this connection?
Upgrade this firewall, or I don't know (add one more interface to this firewall if possible)?
Configure a VPN?
Is it possible to configure a VPN on this firewall?

In my company I also have an ISA 2004 firewall, but it is not connected now.
In the future I'll connect these two firewalls (PIX and ISA) together in a back-to-back configuration.
What do you think? Is it a good idea to connect these firewalls together, or is it better to connect only the ISA 2004 firewall as the edge firewall?
henry
>What is another way to establish this connection
You have not exactly spelled out what this connection is supposed to do/be.

You said that you have more than 1 IP address to use. Then you can do just as I demonstrated above using 1 IP for the interface/global and another one for the 1-1 NAT.
You just have to adjust the acl. If you must permit all ip to this one host, through nat, then adjust the acl like this (although I still wouldn't recommend it):
access-list outside_in permit ip any host 209.x.x.y
access-group outside_in in interface outside

Else, yes, you can create a client VPN scenario to this PIX, VPN in from the client, then have full wonderful -secure- access to the internal server.

I would, however, suggest upgrading 6.1(4) to the latest 6.3(5) before doing that.
As far as utilizing both the PIX and the ISA, I would never use any system running MS Windows that has to be patched often and unfailingly, without time to test out the patches, and rebooted often as my edge firewall. The PIX is absolutely the better Edge firewall. Use the ISA as a one-legged cache-only proxy to control user outbound access, provide reports, and enhance user experience.
I see no viable reason to connect these two firewalls back-to-back.
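The two configuration problems raised in this thread (a static whose mapped address collides with the outside interface or global PAT address, and a "permit ip any any" access-list bound to an interface) can be caught mechanically before the config is loaded. The following Python checker is an added example, not from this thread or from Cisco; the sample config and its addresses are constructed, and `audit_pix_nat` is a hypothetical function that also verifies every static has an inbound permit on an outside-bound access-list.

```python
# Constructed sample modelled on the thread's PIX 6.x config: explicit global address
# (6.1(4) has no 'interface' keyword), one static colliding with it, one that does not.
SAMPLE_CONFIG = """\
ip address outside 209.0.2.10 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
access-list acl_out permit ip any any
access-list outside_in permit tcp any host 209.0.2.11 eq 23
global (outside) 1 209.0.2.10
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.0.2.10 192.168.10.100 netmask 255.255.255.255
static (inside,outside) 209.0.2.11 192.168.10.101 netmask 255.255.255.255
access-group acl_out in interface inside
access-group outside_in in interface outside
"""

def audit_pix_nat(config: str) -> list[str]:
    """Hypothetical checker: return findings about PIX 6.x NAT/ACL statements."""
    iface_ip: dict[str, str] = {}          # interface name -> its own address
    pool: set[str] = set()                 # addresses used by 'global' (PAT) pools
    statics: list[tuple[str, str]] = []    # (mapped outside IP, real inside IP)
    acls: dict[str, list[list[str]]] = {}  # acl name -> entries as token lists
    applied: dict[str, str] = {}           # acl name -> interface it is bound to
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:
            iface_ip[t[2]] = t[3]
        elif t[0] == "global":
            # 'global (outside) 1 interface' (6.3+) means the interface's own address
            pool.add(iface_ip.get(t[1].strip("()"), "") if t[3] == "interface" else t[3])
        elif t[0] == "static":
            statics.append((t[2], t[3]))
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":
            applied[t[1]] = t[-1]
    findings: list[str] = []
    for name, iface in applied.items():
        if any(e[:4] == ["permit", "ip", "any", "any"] for e in acls.get(name, [])):
            findings.append(f"{name} on {iface}: 'permit ip any any' defeats the firewall")
    inbound = [e for n, i in applied.items() if i == "outside" for e in acls.get(n, [])]
    for mapped, real in statics:
        if mapped in iface_ip.values() or mapped in pool:
            findings.append(f"static {mapped}->{real}: mapped IP collides with interface/global address")
        if not any(e[0] == "permit" and (("host", mapped) in zip(e, e[1:]) or e[3:4] == ["any"])
                   for e in inbound):
            findings.append(f"static {mapped}->{real}: no outside access-list permits traffic to it")
    return findings
```

Run against the sample it reports three findings: the any-any ACL on the inside interface, and the first static both colliding with the global address and lacking an inbound permit; the second static, which follows the expert's advice, passes.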

henry (asker):
Ok.
I'll try to configure what you recommend:
VPN on the Cisco firewall + ISA as a proxy inside my network.
Maybe you have a link to the latest Cisco software?
Is this upgrade safe, or do I have to expect surprises?
henry
 
http://www.cisco.com/cgi-bin/tablebuild.pl/pix
You'll have to have a CCO account login to get the upgrade.
The upgrade is safe and painless and "fixes" a lot of things. If you also get the PDM 3.04 that goes with it, it wraps a nice Java-based GUI around it with VPN wizards that make it a snap to configure VPNs.

henry (asker):
Thanks.

See'ya next time. I'm sure.:)

henry (asker):
Hello again,
I have one more question about ISA 2004 server.
I have ISA installed on a Windows 2003 server.
If I want to configure ISA as a proxy server and as a machine to control internet access for the inside network (for example, to allow users access to the internet only at "lunch time"), what do I need? A custom scenario?
When I check the templates on ISA I have the option to choose:
1. Edge Firewall
2. 3-Leg Perimeter
3. Front Firewall
4. Back Firewall
5. Single Network Adapter
If I choose option "5" I can configure a proxy server, but probably I won't be able to install "firewall clients".
How can I manage internet access on local computers from ISA?
henry
You set the ISA with Single Adapter - in cache only mode.
Set the PIX to only allow the ISA's IP address out to www
Set the client's IE to use a proxy setting. This can be set in Domain policies, or through DHCP.
No firewall client needed.
ISA can control who gets out and when.