Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

506e - Need help with configuration 1

Status
Not open for further replies.
fraustbyte

fraustbyte

MIS
Dec 12, 2002
45
CA
I'm not clear on the need to NAT or not to NAT. I am putting the PIX between my ISP and a number of web/ftp servers that need to be accessible to the public. These web/ftp servers will need to have outbound internet access as well.

Is this enough information for someone to tell me if I need to NAT or not? Can you tell me how it would be configured on the PIX?

I do want to use private IPs for the web servers and I have several public IPs provided by my ISP. I plan to use static mappings for inbound access to the web/ftp servers.

Any help would be appreciated.
 
Sort by date Sort by votes
You should use NAT and only direct the ports that you want to those servers - less attack surface.

Here is the basic formula

Build Access List to allow the traffic in (one line for each port/IP pair)-
access-list outside_access_in permit tcp any host [ExternalIP/interface outside] eq [Port#]

Apply the ACL to the outside interface -
access-group outside_access_in in interface outside

Map incoming port to an IP and port on the inside (one line for each port/IP pair)-
static (inside,outside) tcp [ExternalIP/interface] [Port#] [InteralIP] [Port#] netmask 255.255.255.255



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Thanks. In doing that will I be able, from the inside, to access anything externally? For example can browse the web from one of my web servers?
 
Upvote 0 Downvote
Also in addition to the commands you provided do I need to use the "nat" command at all? Thanks
 
Upvote 0 Downvote
Yes, you will need something like this

nat (inside) 1 0.0.0.0 0.0.0.0 - take all these networks on the inside and
global (outside) 1 interface - pat them to the source address of the outside interface and a random port#
route outside 0.0.0.0 0.0.0.0 [GatewayIP]


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Two other questions:

1.) If I want to allow hosts on the inside to be able to browse the web do I need the following?:

access-list access_list_in permit udp any any eq domain

2.) If I want to use an external time source do I need the following?:

access-list access_list_in permit udp any any eq ntp

Thanks,
newbie
 
Upvote 0 Downvote
1.) Yes and also add

access-list access_list_in permit udp any any eq domain
access-list access_list_in permit tcp any any eq www
access-list access_list_in permit tcp any any eq https

2) Yes that should work.



Free Firewall/Network/Systems Support-
 
Upvote 0 Downvote
Ok, so just so I'm clear with reference to "1.)" about DNS traffic did you mean that I need an entry for both "tcp" and "udp" dns traffic?
 
Upvote 0 Downvote
DNS is just UDP.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
267
Sameer258
Sameer258
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
89
PauS0n
PauS0n
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
309
intel233
intel233
tklamb
  • Locked
  • Question
ACL help
Replies
0
Views
67
tklamb
tklamb
TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
110
hairlessupportmonkey
hairlessupportmonkey

Part and Inventory Search

Sponsor

Back
Top