Security Basics mailing list archives
Some Cisco PIX newbie questions
From: "ALLEN, DONALD S (AIT)" <da1295 () sbc com>
Date: Wed, 23 Jul 2003 10:55:27 -0500
Glenn,

When configuring the PIX there are some simple rules to follow. Static commands are written with this format:

For NAT use:
    static (HIGH security level interface, LOW security level interface) LOW interface IP HIGH interface IP

For non-NAT use:
    static (HIGH security level interface, LOW security level interface) HIGH interface IP HIGH interface IP

These security levels are set by default: outside security0, inside security100. 100 is considered high.

As an example:
    static (inside,outside) 172.16.0.1 192.168.1.1             (NAT static)
    static (inside,outside) 192.168.1.1 192.168.1.1            (one-to-one translation)
    access-list acl_outside permit tcp any host 172.16.0.1 eq 23
    access-group acl_outside in interface outside              (applies the access list to inbound traffic of the outside interface)

The command
    nat (inside) 0 0
allows connections to start from any IP on the inside, and is used for non-NAT. The first 0 tells NAT not to use a global address pool. Without a NAT entry in either format the PIX will not send traffic out of an interface, inside interface included.

To establish a NAT to a global IP use:
    nat (inside) 1 192.168.1.0
The 1 is the global pool #. You can have multiples:
    global (outside) 1 interface                               (this is a many-to-one NAT/PAT)

For many-to-many translations:
    global (outside) 1 172.16.1.100-172.16.1.250 netmask 255.255.255.248
    global (outside) 1 172.16.1.254 netmask 255.255.255.248    (this is the PAT address)

Hope this helps.
-----Original Message-----
From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]
Sent: Tuesday, July 22, 2003 7:26 PM
To: Glenn English
Cc: 'Security-Basics'
Subject: Re: Some Cisco PIX newbie questions

Glenn, do you have something like this:

    static (inside,outside) 172.16.0.149 192.168.82.42 netmask 255.255.255.255
    access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 172.16.0.149 eq 80
    access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 172.16.0.149 eq 23
    access-list acl_outside permit icmp 172.16.0.0 255.255.0.0 host 172.16.0.149 echo
    access-list acl_outside permit icmp 172.16.0.0 255.255.0.0 host 172.16.0.149 echo-reply
    access-group acl_outside in interface outside

The above assumes the following:
    your Mac SE/30 = 192.168.82.42
    you have 172.16.0.149 available as a free IP on the 'internet'

This allows TCP port 80 (HTTP) and TCP port 23 (telnet) to the published IP of 172.16.0.149; it also allows pinging. The access-group command applies the access-list to the outside interface. If you have further questions, send me your lab config (strip passwords and such).

-James

At 17:50 7/22/2003, Glenn English wrote:
I got a 506E (first experience with Cisco) last Friday, and I'm learning how to use it with 172.16.0.146/28 (a LAN around the building) as the Internet and 192.168.82.40/29 (my workstation) as the protected LAN. (And an old Mac SE/30 as the terminal.)

Configuring from the terminal works, telnet works, https works, tftp works, the Java PDM pretty much works, and connecting from inside to outside works. But I can't figure out how to get through the firewall in the other direction. There's a static map from an "Internet" IP to my workstation, and the PIX' log shows a connection attempt. But what I specifically permit is being denied. Is the anti-spoofing blocking it? If so, why is it not blocking packets returning to the PAT address?

--
Glenn English
ghe () slsware com
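The static / access-list / access-group rules Donald lays out above, modelled as an added example (my code, not from the thread or from Cisco): a toy evaluator that parses a small constructed PIX-style config and decides whether an inbound connection from the outside interface reaches the inside host. It assumes the 6.x behaviour the thread relies on, where an inbound packet must first match a static and the inbound ACL is then checked against the global (untranslated) destination; the sample config and addresses are constructed.

```python
import ipaddress

# Constructed sample in the style of the thread, not a real device config.
SAMPLE_CONFIG = """
static (inside,outside) 172.16.0.1 192.168.1.1
access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 172.16.0.1 eq 23
access-group acl_outside in interface outside
"""

def _addr(tok, i):
    """Parse one PIX address spec at tok[i]: 'any', 'host A', or 'A MASK' (a subnet mask)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_pix(config):
    """Collect statics (global -> local), ACL entries and interface -> ACL bindings."""
    statics, acls, bindings = {}, {}, {}
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        cmd = tok[0].lower()
        if cmd == "static":            # static (high,low) GLOBAL LOCAL ...
            statics[tok[2]] = tok[3]
        elif cmd == "access-list":     # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            acls.setdefault(tok[1], []).append((tok[2] == "permit", tok[3].lower(), src, dst, port))
        elif cmd == "access-group":    # access-group NAME in interface IFACE
            bindings[tok[4]] = tok[1]
    return statics, acls, bindings

def inbound_allowed(policy, iface, proto, src_ip, dst_ip, port=None):
    """Decide an outside->inside connection as the thread describes it: the destination
    must hit a static (no translation, no way in), then the ACL bound inbound on the
    interface is checked against the global (untranslated) address. Returns (permitted, local_ip)."""
    statics, acls, bindings = policy
    local = statics.get(dst_ip)
    if local is None:
        return False, None
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for permit, p, src_net, dst_net, prt in acls.get(bindings.get(iface, ""), []):
        if p in (proto, "ip") and src in src_net and dst in dst_net and prt in (None, port):
            return permit, local        # first matching entry wins
    return False, local                 # implicit deny at the end of the list
```

Running `inbound_allowed(parse_pix(SAMPLE_CONFIG), "outside", "tcp", "172.16.0.50", "172.16.0.1", 23)` shows the permitted telnet case, while a port that the list does not name, or a global IP with no static, is dropped.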