
General NAT question

neutec

Technical User
Apr 26, 2003
Hello Everyone,
I'm having issues with NAT and a server which is behind my PIX firewall. I only have one static IP address, which is being used by the PIX. I've created an access-list of:

access-list acl_inside permit ip 192.168.0.0 255.255.255.0 any
access-list acl_outside permit tcp any host 10.0.0.20 eq smtp
access-list acl_outside permit tcp any host 10.0.0.20 eq www
access-list acl_outside permit tcp any host 10.0.0.20 eq 443
access-list acl_outside deny icmp any any

access-group acl_outside in interface outside
access-group acl_inside in interface inside


I then add a static route of:
static (inside,outside) 66.215.146.1xx 192.168.0.20 netmask 255.255.255.255 0 0

66.215.146.1xx is my outside static IP. After adding this I can no longer access the internet from any workstation other than 192.168.0.20.
I need to allow access to the entire 192.168.0.xxx network. Anyone know what I need to add to this config to make this work?

Thanks
 
You must use PAT (port address translation). Remove your static mapping and use the list below. Also, on your access-list, specify the public address instead of 10.0.0.20.



static (inside,outside) tcp 66.215.146.1xx 25 192.168.0.20 25 netmask 255.255.255.255
static (inside,outside) tcp 66.215.146.1xx 80 192.168.0.20 80 netmask 255.255.255.255
static (inside,outside) tcp 66.215.146.1xx 443 192.168.0.20 443 netmask 255.255.255.255
 
Thanks for the help. That was the problem, everything seems to be fine now. I have one more question: where should I place my PIX firewall, before the router or after the router? I always thought that the firewall should be the first device from the internet, then the router, but I have heard of doing it the other way around.

Thanks
 
Hmmm, what is your internet connection: T1, DSL, cable, etc.? Remember that the PIX handles an ethernet handoff, so if you have a T1, you will generally have a router in front of the PIX. If your provider is giving you an ethernet handoff such as cable, then a PIX will work without a router. As far as your LAN-to-LAN traffic, a router is a must. (Sorry for the long-winded speech.)
 
Rudeboy,
Would you know what I need to add to deny all ICMP echo requests? I basically want to have a stealth firewall that will not respond to pings. I can't remember or find the command I used last time to disable it.

Thanks
 
Remove the static command.
Use nat and global commands.

nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 66.215.146.1xx

Regds,
Kaushal Vashisht
I am from INDIA, the LAND that taught the world about Mathematics and started Universities to educate the world.
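As an added illustration (not code from this thread or from Cisco), here is a small Python model of how the PIX picks a translation under the two configurations discussed above: the one-to-one static from the original post, and the per-port statics plus nat/global from the replies. The public address 203.0.113.10 is a documentation address standing in for the thread's masked 66.215.146.1xx, and the translation rules are a deliberately simplified approximation of PIX 6.x behaviour (statics are consulted before nat/global, a one-to-one static binds the whole public address, PAT picks a free port from 1024 upward). It also shows the defensive side effect of the fix: with port statics, only the three published ports reach the server from outside, whereas the one-to-one static forwarded every port and relied on the ACL alone.

```python
from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # constructed stand-in for the thread's 66.215.146.1xx
SERVER = "192.168.0.20"      # the inside server from the thread

@dataclass
class StaticOneToOne:        # static (inside,outside) GLOBAL LOCAL netmask 255.255.255.255
    global_ip: str
    local_ip: str

@dataclass
class StaticPort:            # static (inside,outside) tcp GLOBAL GPORT LOCAL LPORT netmask ...
    proto: str
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int

@dataclass
class NatGlobal:             # nat (inside) 1 NET MASK  +  global (outside) 1 GLOBAL
    network: str
    mask: str
    global_ip: str

@dataclass
class Pix:
    statics: list
    nat: Optional[NatGlobal] = None
    # dynamic PAT table: (proto, global_ip, global_port) -> (local_ip, local_port)
    xlates: dict = field(default_factory=dict)
    next_port: int = 1024

def ip_to_int(ip: str) -> int:
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")

def in_subnet(ip: str, network: str, mask: str) -> bool:
    m = ip_to_int(mask)
    return ip_to_int(ip) & m == ip_to_int(network) & m

def whole_ip_reserved(pix: Pix, global_ip: str) -> bool:
    """A one-to-one static consumes the entire public address."""
    return any(isinstance(s, StaticOneToOne) and s.global_ip == global_ip for s in pix.statics)

def translate_outbound(pix: Pix, proto: str, src_ip: str, src_port: int):
    """Return (global_ip, global_port) for an inside->outside packet, or None if no xlate can be built."""
    for s in pix.statics:                       # statics win over dynamic nat/global
        if isinstance(s, StaticOneToOne) and s.local_ip == src_ip:
            return (s.global_ip, src_port)
        if isinstance(s, StaticPort) and (s.local_ip, s.proto, s.local_port) == (src_ip, proto, src_port):
            return (s.global_ip, s.global_port)
    n = pix.nat
    if n is None or not in_subnet(src_ip, n.network, n.mask):
        return None
    if whole_ip_reserved(pix, n.global_ip):
        return None                             # the only public IP is bound 1:1 to one host: nothing left for PAT
    taken = {s.global_port for s in pix.statics if isinstance(s, StaticPort) and s.proto == proto}
    taken |= {gport for (p, _, gport) in pix.xlates if p == proto}
    port = pix.next_port
    while port in taken:
        port += 1
    pix.next_port = port + 1
    pix.xlates[(proto, n.global_ip, port)] = (src_ip, src_port)
    return (n.global_ip, port)

def translate_inbound(pix: Pix, proto: str, dst_ip: str, dst_port: int):
    """Return (local_ip, local_port) for an outside->inside packet, or None if the PIX has no translation."""
    for s in pix.statics:
        if isinstance(s, StaticOneToOne) and s.global_ip == dst_ip:
            return (s.local_ip, dst_port)       # every port is forwarded; only the ACL limits exposure
        if isinstance(s, StaticPort) and (s.global_ip, s.proto, s.global_port) == (dst_ip, proto, dst_port):
            return (s.local_ip, s.local_port)
    return pix.xlates.get((proto, dst_ip, dst_port))

def broken_config() -> Pix:
    """Original post: one-to-one static for the server plus nat/global for the LAN."""
    return Pix([StaticOneToOne(PUBLIC_IP, SERVER)],
               NatGlobal("192.168.0.0", "255.255.255.0", PUBLIC_IP))

def fixed_config() -> Pix:
    """Replies: per-port statics for 25/80/443 plus nat/global for the LAN."""
    ports = [StaticPort("tcp", PUBLIC_IP, p, SERVER, p) for p in (25, 80, 443)]
    return Pix(ports, NatGlobal("192.168.0.0", "255.255.255.0", PUBLIC_IP))

if __name__ == "__main__":
    for name, pix in (("one-to-one static", broken_config()), ("port statics", fixed_config())):
        print(f"== {name} ==")
        print(" server outbound :", translate_outbound(pix, "tcp", SERVER, 40000))
        print(" workstation out :", translate_outbound(pix, "tcp", "192.168.0.30", 40000))
        print(" inbound tcp/25  :", translate_inbound(pix, "tcp", PUBLIC_IP, 25))
        print(" inbound tcp/22  :", translate_inbound(pix, "tcp", PUBLIC_IP, 22))
```

Running it shows the symptom from the original post (workstation 192.168.0.30 gets no translation under the one-to-one static) disappearing once the statics are reduced to the three service ports, while inbound tcp/22 is now dropped by the PIX itself rather than depending solely on acl_outside.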
 