Solved

Configure NAT on PIX 515e

Posted on 2015-01-22
6
627 Views
Last Modified: 2015-01-31
I have a Cisco PIX 515e.  It has software 6.3(5).  I need to open incoming port to an internal range of IP addresses.  Is this possible on this software version? If so, how might this be done?
0
Comment
Question by:DaveKall42
  • 3
  • 3
6 Comments
 
LVL 11

Expert Comment

by:naderz
ID: 40565708
Yes, it is possible. Depending on what else you have configured you need to allow the traffic using the "access-list" command, apply the ACL to the outside interface using the "access-group" command and provide NAT using the "static (outside,inside)" command.

Do you need more info? Please post a scrubbed running-config.
0
 

Author Comment

by:DaveKall42
ID: 40565735
Sure.  Here it is:



PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100basetx
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
domain-name wr
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 110 permit udp any host 50.96.44.216 eq 4780
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq ftp-data
access-list 110 permit tcp any host 50.96.44.214 eq www
access-list 110 permit tcp any host 50.96.44.214 eq 8080
access-list 110 permit tcp any host 50.96.44.215 eq 8080
access-list 110 permit tcp any host 50.96.44.215 eq pop3
access-list 110 permit tcp any host 50.96.44.215 eq imap4
access-list 110 permit tcp any host 50.96.44.215 eq smtp
access-list 110 permit tcp any host 50.96.44.215 eq www
access-list 110 permit tcp any host 50.96.44.216 eq 3389
access-list 110 permit tcp any host 50.96.44.210 eq 3389
access-list 110 permit tcp any host 50.96.44.217 eq www
access-list 110 permit tcp any host 50.96.44.218 eq 3389
access-list 110 permit udp any host 10.0.3.240 eq 47808
access-list 110 permit tcp any host 10.0.1.106 eq www
access-list 110 permit tcp any host 10.0.1.106 eq https
access-list 110 permit tcp any host 10.0.1.106 eq 8080
access-list 110 permit tcp any host 10.0.1.119 eq 8080
access-list 110 permit tcp any host 10.0.1.119 eq pop3
access-list 110 permit tcp any host 10.0.1.119 eq imap4
access-list 110 permit tcp any host 10.0.1.119 eq smtp
access-list 110 permit tcp any host 10.0.1.119 eq www
access-list 110 permit tcp any host 10.0.3.240 eq 3389
access-list 110 permit tcp any host 10.0.1.112 eq www
access-list 110 permit tcp any host 10.0.1.108 eq 3389
access-list 110 permit tcp any host 10.0.1.119 eq https
access-list 110 permit tcp any host 10.0.1.109 eq 3389
access-list 110 permit tcp any host 10.0.1.104 eq www
access-list 110 permit tcp any host 10.0.1.109 eq www
access-list 110 permit gre host 201.225.61.63 any log
access-list 110 permit tcp host 201.225.61.63 any log
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.4.50 255.255.255.254
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.4.52 255.255.255.252
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.4.56 255.255.255.248
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.4.64 255.255.255.224
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.4.96 255.255.255.252
access-list split permit ip 10.0.0.0 255.0.0.0 10.0.4.50 255.255.255.254
access-list split permit ip 10.0.0.0 255.0.0.0 10.0.4.52 255.255.255.252
access-list split permit ip 10.0.0.0 255.0.0.0 10.0.4.56 255.255.255.248
access-list split permit ip 10.0.0.0 255.0.0.0 10.0.4.64 255.255.255.224
access-list split permit ip 10.0.0.0 255.0.0.0 10.0.4.96 255.255.255.252
access-list 120 permit ip host 50.96.44.216 any
access-list 120 permit ip any host 50.96.44.216
access-list 130 permit ip host 10.0.1.109 any
access-list 130 permit ip any host 10.0.1.109
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside xxx.xxx.xxx 255.255.255.252
ip address inside 10.0.1.5 255.255.0.0
ip address intf2 10.10.10.10 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNpool 10.0.4.50-10.0.4.99
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside xxx.xxx.xxx.xxx
failover ip address inside 10.0.1.6
failover ip address intf2 10.10.10.11
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
failover link intf2
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.3.240 10.0.3.240 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.109 10.0.1.109 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.106 10.0.1.106 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.112 10.0.1.112 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.108 10.0.1.108 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.119 10.0.1.119 netmask 255.255.255.255 0 0
access-group 110 in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 172.16.0.101 1
route inside 10.1.0.0 255.255.0.0 10.0.0.1 1
route inside 10.1.16.0 255.255.255.0 10.0.0.1 1
route inside 10.2.0.0 255.255.0.0 10.0.0.1 1
route inside 10.3.0.0 255.255.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp log 25
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnclient idle-time 1800
vpngroup cubavpn address-pool VPNpool
vpngroup cubavpn dns-server 10.0.1.111
vpngroup cubavpn split-tunnel split
vpngroup cubavpn idle-time 1800
vpngroup cubavpn password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:dd9eba38019a855998c9176c44dd5d06
0
 
LVL 11

Accepted Solution

by:
naderz earned 500 total points
ID: 40568858
When you say: "I need to open incoming port to an internal range of IP addresses." I am assuming you need to allow access to an address inside your network for a specific port from addresses outside of your network. If not, please advise.

Having said that:

1. These internal addresses need to be accessible from outside using NAT. So, follow what you have already:
      static (inside,outside) your_public_address internal_address_of_your_server for every internal address that needs access from outside.

2. Allow access from outside using ACL. Don't use "conduit". You have access-list 110 applied to the outside interface. So, use the same. You have to remember that ACLs should be written to include more specific first and general last.

access-list 110 permit udp_or_tcp any ip_network mask eq port_number

The ip_network and mask above refer to where you define the "range of IP addresses". The network and mask depend on how many addresses you have and how many have to be allowed access. This is where you define the range. For example: 192.168.10.32  255.255.255.248  means 192.168.10.32 - 192.168.10.39
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 

Author Comment

by:DaveKall42
ID: 40569949
Yes, that's exactly what I am trying to do.  
Your help is much appreciated!  
What subnet mask would you use for a range of 10.0.6.1 - 10.0.8.255?
0
 

Author Comment

by:DaveKall42
ID: 40569956
Are you saying I would need to make a NAT statement for each of those 700+ address on the PIX?
0
 
LVL 11

Expert Comment

by:naderz
ID: 40574152
10.0.6.1 to 10.0.8.255. That's many addresses!

So, all these need to be accessible from the outside (internet) on one port?

Will they be accessed individually and on their own?

One thought for the ACL is this:

access-list 110 permit udp_or_tcp any 10.0.6.0 255.255.255.0 eq port_number
access-list 110 permit udp_or_tcp any 10.0.7.0 255.255.255.0 eq port_number
access-list 110 permit udp_or_tcp any 10.0.8.0 255.255.255.0 eq port_number

Not knowing whay you have to do this: NAT depends on whether they need to be addressed directly.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now