
NATing help

J001
Technical User, GB
Mar 23, 2007
Hello,

We have a test lab that is separated by a PIX firewall from the production network.

The test lab is running on the same network (i.e. 10.131.x.x) as production.

If a user in the test lab wants to connect and print to a printer on the production network, can this be done?

What rules and NATing need to be put in place?

Any help appreciated.
 
First of all, would you send the configuration?

You can make a static NAT with the following CLI:
static (inside,outside) <mapped_ip> <real_ip> netmask <mask>
For example, if you want client 192.168.20.20 to go out as 192.168.30.30:

static (inside,outside) 192.168.30.30 192.168.20.20 netmask 255.255.255.255

Or dynamic NAT:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 (or specify the NATted IP range)

Then you have to make an access-list to permit the LPD port to go inbound to your inside network.
Get back to me if you need anything.

Moustafa M. Kaid
CCNA
Commium Group
Iraq
 
Please see the attached config.

Correction to my previous statement!

The printer is located on the 10.134.x.x (Production) and the virtual PC is located on the test network 10.99.99.x.

I need to allow the virtual PC on the testlab interface to access any printer on the Production network (10.134.x.x).

If I set up a static NAT, for example:
Static (inside,outside) 10.99.99.30 255.255.255.255 10.134.245.10 255.255.255.255

Printer: 10.134.245.30
Virtual PC: 10.99.99.10

Is this correct?


-------------------------Config-------------------------
PIX Version 7.0(5)
!
hostname TestLab-DC-Pix
dns-guard
!
interface Ethernet0
description TestLab Interface on Test Lab Network
speed 100
duplex full
nameif TestLab
security-level 0
ip address 10.99.99.253 255.255.255.0
!
interface Ethernet1
description Inside Interface on Prod Network
speed 100
duplex full
nameif inside
security-level 100
ip address 10.134.245.249 255.255.255.0
!

no ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns name-server 10.134.202.3
dns name-server 10.131.202.1
dns name-server 10.134.202.2

object-group network DW-Networks
description Grouping for FP-CL
network-object FP-1 255.255.0.0
network-object CL-5 255.255.0.0
network-object CL-124 255.255.0.0
network-object CL-1 255.255.0.0
network-object DC-1 255.255.255.0

object-group network TestLab-networks
description Grouping for testLab networks
network-object TestLab-Nat-ReturnAdd 255.255.255.0

object-group service FTP-Access tcp
description Ports to allow FTP access
port-object eq ftp-data
port-object eq ftp

access-list TestLab_access_in remark 22/02/07 Rule to allow TestLab devices to reply to ping requests from DWS networks.
access-list TestLab_access_in extended permit icmp any any echo-reply
access-list TestLab_access_in remark 26/02/07 - Cleanup Rule.
access-list TestLab_access_in extended deny ip any any log
access-list inside_access_in remark 07/12/06 - Rule to allow DWS networks VNC access to Testlab devices.
access-list inside_access_in extended permit tcp any 10.134.245.0 255.255.255.0 range 5900 5900
access-list inside_access_in remark 26/02/06 - Rule to allow DWS networks FTP access to Testlab devices.
access-list inside_access_in extended permit tcp any host 10.134.245.245 object-group FTP-Access
access-list inside_access_in remark 22/02/07 - Rule to allow DWS networks to ping Testlab devices.
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in remark 26/02/07 - Cleanup Rule.
access-list inside_access_in extended deny ip any any log

pager lines 24
logging enable
logging buffer-size 16384
logging asdm-buffer-size 200
logging trap informational
logging asdm informational
logging facility 23
logging host inside 10.133.31.250
logging debug-trace

mtu TestLab 1500
mtu inside 1500
asdm image flash:/asdm
asdm history enable
arp timeout 14400

nat-control
global (TestLab) 1 10.99.99.1-10.99.99.33
nat (inside) 1 0.0.0.0 0.0.0.0
static (TestLab,inside) 10.134.245.150 10.99.99.99 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.110 10.99.99.110 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.111 10.99.99.111 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.112 10.99.99.112 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.113 10.99.99.113 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.114 10.99.99.114 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.115 10.99.99.115 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.116 10.99.99.116 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.117 10.99.99.117 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.118 10.99.99.118 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.119 10.99.99.119 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.120 10.99.99.120 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.121 10.99.99.121 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.122 10.99.99.122 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.123 10.99.99.123 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.124 10.99.99.124 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.125 10.99.99.125 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.126 10.99.99.126 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.127 10.99.99.127 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.128 10.99.99.128 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.129 10.99.99.129 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.130 10.99.99.130 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.131 10.99.99.131 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.132 10.99.99.132 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.133 10.99.99.133 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.134 10.99.99.134 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.135 10.99.99.135 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.136 10.99.99.136 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.137 10.99.99.137 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.138 10.99.99.138 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.139 10.99.99.139 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.140 10.99.99.140 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.141 10.99.99.141 netmask 255.255.255.255
static (TestLab,inside) 10.134.245.245 10.99.99.250 netmask 255.255.255.255

access-group TestLab_access_in in interface TestLab
access-group inside_access_in in interface inside

route inside 0.0.0.0 0.0.0.0 10.134.245.253 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

http server enable
http 10.133.32.0 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 inside

snmp-server host inside 10.133.31.250 community XXXXX
snmp-server location TestLab
snmp-server contact XXXXX
snmp-server community XXXXX
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps entity config-change

telnet 10.133.32.0 255.255.255.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 10.133.32.0 255.255.255.0 inside
ssh timeout 5
console timeout 5
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
!
service-policy global_policy global
ntp server 10.133.31.240 source inside prefer
smtp-server 192.168.255.10 192.168.250.10
Cryptochecksum:03f9f9f9dce2bdd5fe701925e59d2d5d
: end

TestLab-DC-Pix#
 
Apologies, a correction to the IP addresses for the devices:

Printer: 10.133.32.203
Virtual PC: 10.99.99.10
 
10.133.32.203: you have no such subnet on the PIX interfaces.
Take this hint: if you have a static NAT to the printer from the inside of the PIX to the outside, you have to permit the LPD port for incoming traffic to the NATted IP, not the real one (that is a common mistake).
If you need any help, send me the config with the clients' IPs and whether they are inside the PIX or outside.

Moustafa M. Kaid
CCNA
Commium Group
Iraq
 

This is the static NAT I have set up:

static (TestLab,inside) 10.134.245.142 10.99.99.10 netmask 255.255.255.255

Real printer address: 10.133.32.203
Translated addr: 10.134.245.142
Test lab will use addr: 10.99.99.10

If I permit 10.99.99.10 to 10.134.245.142, how does it know to go to the real printer?
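The following is an added example (editor's, not from any poster in the thread) of the static NAT plus access-list the first reply describes, applied to the PIX 7.0(5) config and addresses posted above: test-lab PC 10.99.99.10 printing to production printer 10.133.32.203. It assumes the printer takes LPD on TCP 515 (the port the reply mentions); a raw/JetDirect printer would use TCP 9100 instead. The mapped address 10.134.245.142 is the one the last post chose and is assumed to be unused on the inside subnet.

```cisco
! ---- Added example, not part of the original thread ----
!
! 1. Static NAT (same form as the existing statics in the config).
!    The PC's real address 10.99.99.10 on TestLab appears on the inside
!    as 10.134.245.142, an address on the inside interface's own
!    10.134.245.0/24 subnet, so the PIX answers ARP for it.
!    The printer 10.133.32.203 is NOT translated: the translation is
!    for the PC's source address, not for the destination.
static (TestLab,inside) 10.134.245.142 10.99.99.10 netmask 255.255.255.255
!
! 2. Ingress ACL on the TestLab interface.  On PIX 7.x an ACL is matched
!    against addresses as they arrive on that interface, so the source is
!    the PC's REAL address and the destination is the untranslated printer.
!    "line 1" puts the entry before the existing cleanup rule
!    "deny ip any any log", which would otherwise drop and log the job.
access-list TestLab_access_in line 1 remark Test-lab VPC to production printer (LPD)
access-list TestLab_access_in line 2 extended permit tcp host 10.99.99.10 host 10.133.32.203 eq lpd
!
! No inside_access_in change is needed for this direction: the PIX keeps
! the TCP connection in its conn table and passes the printer's replies
! (addressed to 10.134.245.142) back, rewriting them to 10.99.99.10.
! Packets to 10.133.32.203 follow the existing default route via
! 10.134.245.253.
!
! 3. Drop stale translations and verify while a print job is sent.
clear xlate
! Expected: a line "Global 10.134.245.142 Local 10.99.99.10"
show xlate
! Expected: hitcnt on the new permit line increases
show access-list TestLab_access_in
! Expected: a TCP conn 10.99.99.10 -> 10.133.32.203:515 while the job is in flight
show conn
```

Two points a practitioner would check before applying this. First, the hint in the second reply (permit traffic to the NATted IP, not the real one) applies to the reverse direction: entries in inside_access_in, which is evaluated on the inside interface, must name the mapped 10.134.245.x addresses, which is why the existing VNC rule targets 10.134.245.0/24. Second, the new static makes 10.134.245.142 reachable from production subject to inside_access_in, so the existing "permit tcp any 10.134.245.0 255.255.255.0 range 5900 5900" will let any production host VNC to the test PC; tighten that rule to the specific hosts you intend if the test lab is meant to stay isolated, and keep the outbound permit to the single printer host and port rather than opening 10.133.0.0/16.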

 