Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Passthrough/Redirect ????

Status
Not open for further replies.
popotech

popotech

IS-IT--Management
Joined
Dec 5, 2001
Messages
169
Location
US
Well if any of you can help me in this that would be outstanding. i have very little experience with cisco prodcuts, my setup is as follows:
Cisco 827 Router (for our ISP/Static IP)
Cisco 512E Pix (Firewall)

My Dilema:
I have to allow our spamming software provider access to my spam server inside our network, so if i am explaing this correctly, i will need to open port 22 on our firewall and setup a pass through or redirect on our router. So the flow of traffic would process as followed. Our spamming software provider would hit port 22 our Cisco 827 router and send them through the firewall directly to the ip address of our spamming server??

Internet ----> 827 Router ---> 515e PIX ---> Spammer Server 10.1.1.9


My question is how will i have to set this up? If the message is too vague please forgive me i am very novice in this aspect.

popotech

 
Sort by date Sort by votes
ok.. so we have established you are using the 10.1.1.0 network on the inside LAN..

What network is between your PIX and Router?

Computer/Network Technician
CCNA
 
Upvote 0 Downvote
on the 827, you need to do a simple static 1 to 1 nat

ip nat inside source static A.A.A.A N.N.N.N 10.1.1.9 255.255.255.255

I am not sure how your firewall/internet config is set up. Like why you are using an 827 and a PIX. An 827 is a firewall router, and it sounds like it is being used that way. So you have 2 firewalls. But whatever back to the point.

on the PIX you would do an access list to allow port 22 in from the software company only. you may need to do another 1 to 1 nat here too, depending on how your PIX is set up.

eddie venus
 
Upvote 0 Downvote
Thank you both for your replies in such a timely manner, the network between my pix and fire wall is a 192.168.99.X. and my internal network is 10.1.1.X. As for our 827 router it was provided by our isp as our dsl router, and up till this very moment we only thought that is was a simple router. thank you for the heads up. my biggest problem is i have no idea how to create an access list or 1 to 1 nat. i believe the 1 to 1 nat'ing was covered on the second reply but i still have no idea how to setup a access list. Here is what i have gathered thus far, i need to make a nat statement that takes there ip address what ever it may be and nat it to 10.1.1.9, that will be done ip nat inside statement and once it gets thorugh the 827 i'll need to setup access list that will allow 10.1.1.9 to be shipped through port 22? correct? here is my pix firewall config. i assume that the ip nat inside source static 10.1.1.9 will be on 827 and access list will be on the PIX. anyways.

CONFIG:
: Written by enable_15 at 06:20:50.230 UTC Fri Oct 17 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ld6DVxvAO8nC.u7. encrypted
passwd nBV3hXpsXv8FxEAW encrypted
hostname pixfirewall
domain-name internal.epd.org
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list nonat permit ip host 10.1.1.2 192.168.88.0 255.255.255.0
access-list nonat permit ip host 10.1.1.2 host 192.168.99.1
access-list 100 permit ip 192.168.88.0 255.255.255.0 host 10.1.1.2
pager lines 24
logging on
logging timestamp
logging buffered informational
logging trap informational
logging facility 16
logging host inside 10.1.1.8
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 192.168.99.2 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.9 255.255.255.255 inside
pdm location 192.168.88.0 255.255.255.0 outside
pdm location 192.168.99.1 255.255.255.255 outside
pdm location 192.198.88.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
access-group 100 in interface outside
conduit permit icmp any any
outbound 5 permit 10.1.1.0 255.255.255.0 80 tcp
outbound 5 permit 10.1.1.0 255.255.255.0 21 tcp
outbound 5 permit 10.1.1.0 255.255.255.0 443 tcp
outbound 5 permit 10.1.1.0 255.255.255.0 53 udp
outbound 5 permit 10.1.1.0 255.255.255.0 25 tcp
outbound 5 permit 10.1.1.0 255.255.255.0 110 tcp
route outside 0.0.0.0 0.0.0.0 192.168.99.1 1
route outside 192.168.88.0 255.255.255.0 0.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.1.0 255.255.255.0 inside
http 10.1.1.8 255.255.255.255 inside
no snmp-server location
no snmp-server contact
route outside 192.168.88.0 255.255.255.0 0.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.1.0 255.255.255.0 inside
http 10.1.1.8 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.1.1.8 255.255.255.255 inside
telnet 10.1.1.9 255.255.255.255 inside
telnet timeout 5
ssh 10.1.1.8 255.255.255.255 inside
ssh timeout 5
terminal width 80
Cryptochecksum:3c86b148c08384eabe68cea046abded5

Thank you so very much,

popotech
 
Upvote 0 Downvote
EddieVenus was partially correct, in that you need a simple 1 to 1 NAT on the 827. However, that needs to be pointing to the static address that will be placed on the PIX.

Regardless of how the PIX is setup..
Use these on the PIX:

static (inside,outside) 192.168.99.10 10.1.1.9 netmask 255.255.255.255 0 0

This will effectively put the spam machine on the network between the router and pix using the IP 192.168.99.10

Then you need to change your ACLs..

access-list 100 permit tcp <spam company network range> host 192.168.99.10 eq 22

Then of course, you need to put a 1 to 1 NAT (or IPMap) on the 827 to give your 192.168.99.10 address access from the internet.

Computer/Network Technician
CCNA
 
Upvote 0 Downvote
how do i go about enabling ping, right now i think it is disabled on my pix firewall? if i can enable ping on the firewall i'll be able to accomplish what i need!

thanks,
popotech
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

markd885
  • Locked
  • Question Question
PAC file redirect web page to another gateway
Replies
0
Views
352
markd885
markd885
pbxnkey
  • Locked
  • Question Question
Redirect DNS traffic from the inside to the outside
Replies
2
Views
298
pbxnkey
pbxnkey
xylax
  • Locked
  • Question Question
Redirecting HTTP traffic from INSIDE to OUTSIDE using ASA NATs
Replies
0
Views
218
xylax
xylax
smokey7244521
  • Locked
  • Question Question
Redirect Internet Traffic
Replies
4
Views
282
smokey7244521
smokey7244521
arell12
  • Locked
  • Question Question
IPSec passthrough
Replies
0
Views
127
arell12
arell12

Part and Inventory Search

Sponsor

Back
Top