Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Configure NAT on PIX 515e

Posted on 2015-01-22
6
725 Views
Last Modified: 2015-01-31
I have a Cisco PIX 515e.  It has software 6.3(5).  I need to open incoming port to an internal range of IP addresses.  Is this possible on this software version? If so, how might this be done?
0
Comment
Question by:DaveKall42
  • 3
  • 3
6 Comments
 
LVL 11

Expert Comment

by:naderz
ID: 40565708
Yes, it is possible. Depending on what else you have configured you need to allow the traffic using the "access-list" command, apply the ACL to the outside interface using the "access-group" command and provide NAT using the "static (outside,inside)" command.

Do you need more info? Please post a scrubbed running-config.
0
 

Author Comment

by:DaveKall42
ID: 40565735
Sure.  Here it is:



PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100basetx
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
domain-name wr
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 110 permit udp any host 50.96.44.216 eq 4780
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq ftp-data
access-list 110 permit tcp any host 50.96.44.214 eq www
access-list 110 permit tcp any host 50.96.44.214 eq 8080
access-list 110 permit tcp any host 50.96.44.215 eq 8080
access-list 110 permit tcp any host 50.96.44.215 eq pop3
access-list 110 permit tcp any host 50.96.44.215 eq imap4
access-list 110 permit tcp any host 50.96.44.215 eq smtp
access-list 110 permit tcp any host 50.96.44.215 eq www
access-list 110 permit tcp any host 50.96.44.216 eq 3389
access-list 110 permit tcp any host 50.96.44.210 eq 3389
access-list 110 permit tcp any host 50.96.44.217 eq www
access-list 110 permit tcp any host 50.96.44.218 eq 3389
access-list 110 permit udp any host 10.0.3.240 eq 47808
access-list 110 permit tcp any host 10.0.1.106 eq www
access-list 110 permit tcp any host 10.0.1.106 eq https
access-list 110 permit tcp any host 10.0.1.106 eq 8080
access-list 110 permit tcp any host 10.0.1.119 eq 8080
access-list 110 permit tcp any host 10.0.1.119 eq pop3
access-list 110 permit tcp any host 10.0.1.119 eq imap4
access-list 110 permit tcp any host 10.0.1.119 eq smtp
access-list 110 permit tcp any host 10.0.1.119 eq www
access-list 110 permit tcp any host 10.0.3.240 eq 3389
access-list 110 permit tcp any host 10.0.1.112 eq www
access-list 110 permit tcp any host 10.0.1.108 eq 3389
access-list 110 permit tcp any host 10.0.1.119 eq https
access-list 110 permit tcp any host 10.0.1.109 eq 3389
access-list 110 permit tcp any host 10.0.1.104 eq www
access-list 110 permit tcp any host 10.0.1.109 eq www
access-list 110 permit gre host 201.225.61.63 any log
access-list 110 permit tcp host 201.225.61.63 any log
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.4.50 255.255.255.254
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.4.52 255.255.255.252
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.4.56 255.255.255.248
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.4.64 255.255.255.224
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.4.96 255.255.255.252
access-list split permit ip 10.0.0.0 255.0.0.0 10.0.4.50 255.255.255.254
access-list split permit ip 10.0.0.0 255.0.0.0 10.0.4.52 255.255.255.252
access-list split permit ip 10.0.0.0 255.0.0.0 10.0.4.56 255.255.255.248
access-list split permit ip 10.0.0.0 255.0.0.0 10.0.4.64 255.255.255.224
access-list split permit ip 10.0.0.0 255.0.0.0 10.0.4.96 255.255.255.252
access-list 120 permit ip host 50.96.44.216 any
access-list 120 permit ip any host 50.96.44.216
access-list 130 permit ip host 10.0.1.109 any
access-list 130 permit ip any host 10.0.1.109
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside xxx.xxx.xxx 255.255.255.252
ip address inside 10.0.1.5 255.255.0.0
ip address intf2 10.10.10.10 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNpool 10.0.4.50-10.0.4.99
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside xxx.xxx.xxx.xxx
failover ip address inside 10.0.1.6
failover ip address intf2 10.10.10.11
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
failover link intf2
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.3.240 10.0.3.240 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.109 10.0.1.109 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.106 10.0.1.106 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.112 10.0.1.112 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.108 10.0.1.108 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.119 10.0.1.119 netmask 255.255.255.255 0 0
access-group 110 in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 172.16.0.101 1
route inside 10.1.0.0 255.255.0.0 10.0.0.1 1
route inside 10.1.16.0 255.255.255.0 10.0.0.1 1
route inside 10.2.0.0 255.255.0.0 10.0.0.1 1
route inside 10.3.0.0 255.255.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp log 25
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnclient idle-time 1800
vpngroup cubavpn address-pool VPNpool
vpngroup cubavpn dns-server 10.0.1.111
vpngroup cubavpn split-tunnel split
vpngroup cubavpn idle-time 1800
vpngroup cubavpn password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:dd9eba38019a855998c9176c44dd5d06
0
 
LVL 11

Accepted Solution

by:
naderz earned 500 total points
ID: 40568858
When you say: "I need to open incoming port to an internal range of IP addresses." I am assuming you need to allow access to an address inside your network for a specific port from addresses outside of your network. If not, please advise.

Having said that:

1. These internal addresses need to be accessible from outside using NAT. So, follow what you have already:
      static (inside,outside) your_public_address internal_address_of_your_server for every internal address that needs access from outside.

2. Allow access from outside using ACL. Don't use "conduit". You have access-list 110 applied to the outside interface. So, use the same. You have to remember that ACLs should be written to include more specific first and general last.

access-list 110 permit udp_or_tcp any ip_network mask eq port_number

The ip_network and mask above refer to where you define the "range of IP addresses". The network and mask depend on how many addresses you have and how many have to be allowed access. This is where you define the range. For example: 192.168.10.32  255.255.255.248  means 192.168.10.32 - 192.168.10.39
0
Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

 

Author Comment

by:DaveKall42
ID: 40569949
Yes, that's exactly what I am trying to do.  
Your help is much appreciated!  
What subnet mask would you use for a range of 10.0.6.1 - 10.0.8.255?
0
 

Author Comment

by:DaveKall42
ID: 40569956
Are you saying I would need to make a NAT statement for each of those 700+ address on the PIX?
0
 
LVL 11

Expert Comment

by:naderz
ID: 40574152
10.0.6.1 to 10.0.8.255. That's many addresses!

So, all these need to be accessible from the outside (internet) on one port?

Will they be accessed individually and on their own?

One thought for the ACL is this:

access-list 110 permit udp_or_tcp any 10.0.6.0 255.255.255.0 eq port_number
access-list 110 permit udp_or_tcp any 10.0.7.0 255.255.255.0 eq port_number
access-list 110 permit udp_or_tcp any 10.0.8.0 255.255.255.0 eq port_number

Not knowing whay you have to do this: NAT depends on whether they need to be addressed directly.
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question