Firewall Wizards mailing list archives
RE: PIX501 PAT and Static NAT problems
From: "Bob Wanamaker - Avant Systems, Inc." <rlw () avantsystems com>
Date: Mon, 2 Jun 2003 16:17:32 -0400
Greetings. I hope I'm opening a can of worms with this honest question: What difference does it make if I use the "interface outside" v. "any host" syntax in this case? Even if the ISP has improper routing, etc. in place so that I see traffic destined for locations outside the subnet assigned to my outside interface, why would I care?

Best regards,
Bob W.

-----Original Message-----
From: Dario Calia [mailto:dcalia () cisco com]
Sent: Monday, June 02, 2003 4:09 PM
To: rlw () avantsystems com
Cc: 'Aidan O'Rawe'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] PIX501 PAT and Static NAT problems

Hello,

For the truly security conscious, with PIX 6.3, you can update your access-list and use the "interface outside" CLI syntax instead of "any host". Clearly your SP should not be forwarding you traffic not destined for your outside interface IP, but ...

Cheers,
Dario

At 12:10 PM 6/2/2003 -0400, Bob Wanamaker - Avant Systems, Inc. wrote:
I avoid using conduits; instead, I assign an access-list to the outside i/f like:

access-list acl_outside permit tcp any host static_outside_ip eq www
access-list acl_outside permit tcp any host static_outside_ip eq 443
access-group acl_outside in interface outside

For your static, try (the global/outside address comes first, then the local/inside address):

static (inside,outside) outside_ip inside_ip netmask 255.255.255.255

Best regards,
Bob W

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Aidan O'Rawe
Sent: Sunday, June 01, 2003 5:36 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] PIX501 PAT and Static NAT problems

Hi,

I'm having a bit of trouble with a PIX501. I have issued the following commands to allow all the internal users to connect through the PIX to the outside:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

Everything works fine until I add a static for an internal web server; then all internal users can't get to the outside of the PIX anymore. I configured this with the following commands:

static (inside,outside) <External IP> 192.168.1.2 0 8
conduit permit tcp host <External IP> eq 80 any

Does anyone know the right way to go about configuring this properly?

TIA
Arj.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
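The following is an added worked example for the scenario discussed in this thread; it is not configuration posted by any of the participants. It puts the pieces together on PIX 6.3: outbound PAT on the outside interface address, a static for an inside web server, and an inbound access-list bound with access-group instead of a conduit, showing Bob's "any host <static ip>" form and Dario's "interface outside" keyword form side by side. All addresses and interface names are assumed: 192.168.1.0/24 inside with the web server at 192.168.1.2, 203.0.113.10/24 on the PIX outside interface with 203.0.113.1 as the ISP gateway, and 203.0.113.20 as a spare public address for Variant A. Lines beginning with a colon are comments.

```cisco
: Added example, not from the thread. Assumed addressing:
:   inside  192.168.1.0/24, web server at 192.168.1.2
:   outside 203.0.113.10/24 on the PIX, spare public address 203.0.113.20
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

: Outbound PAT for every inside host, using the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

: Variant A: the web server has its own public address.
: In a static the global (outside) address comes first, then the local (inside) one.
static (inside,outside) 203.0.113.20 192.168.1.2 netmask 255.255.255.255
access-list acl_outside remark web server on its own public address
access-list acl_outside permit tcp any host 203.0.113.20 eq www
access-list acl_outside permit tcp any host 203.0.113.20 eq 443

: Variant B: only one public address, shared with PAT. A static for the whole
: interface address would take it away from PAT, so redirect only the web
: ports and match the interface address by keyword (PIX 6.3 ACL syntax).
: Use this instead of Variant A, not together with it.
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255
access-list acl_outside remark web server behind the PAT address
access-list acl_outside permit tcp any interface outside eq www
access-list acl_outside permit tcp any interface outside eq 443

: One ACL bound inbound on outside; no conduit commands anywhere.
: Everything not permitted here is dropped by the implicit deny.
access-group acl_outside in interface outside

: Existing translations keep their old mapping after static/nat/global
: changes until they are cleared.
clear xlate
```

To check the result, `show static` and `show xlate` show which mappings the PIX actually built, and `show access-list acl_outside` shows per-entry hit counts, so a test connection from outside to port 80 should increment the www entry and nothing else. If the conduit from the original post is still present it should be removed with `no conduit ...`, since mixing conduits and access-groups makes the effective policy hard to read.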
Current thread:
- PIX501 PAT and Static NAT problems Aidan O'Rawe (Jun 01)
- <Possible follow-ups>
- RE: PIX501 PAT and Static NAT problems Smith Bruce (Jun 02)
- Re: PIX501 PAT and Static NAT problems Dave Rinker (Jun 02)
- RE: PIX501 PAT and Static NAT problems Bob Wanamaker - Avant Systems, Inc. (Jun 02)
- RE: PIX501 PAT and Static NAT problems Dario Calia (Jun 03)
- RE: PIX501 PAT and Static NAT problems Bob Wanamaker - Avant Systems, Inc. (Jun 03)
- RE: PIX501 PAT and Static NAT problems Dario Calia (Jun 04)
- RE: PIX501 PAT and Static NAT problems Dario Calia (Jun 03)