Security Basics mailing list archives

RE: Some Cisco PIX newbie questions


From: "ALLEN, DONALD S (AIT)" <da1295 () sbc com>
Date: Wed, 23 Jul 2003 10:49:19 -0500

 

Glenn,

When configuring the PIX there are some simple rules to follow.

Static commands are written with this format:

For NAT use:
static (HIGH security level interface, LOW security level interface) LOW interface IP HIGH interface IP
For non-NAT use:
static (HIGH security level interface, LOW security level interface) HIGH interface IP HIGH interface IP

These security levels are set by default: outside security0, inside
security100. 100 is considered high.

As an example:
static (inside,outside) 172.16.0.1 192.168.1.1 (NAT static)
static (inside,outside) 192.168.1.1 192.168.1.1 (one-to-one translation)

access-list acl_outside permit tcp any host 172.16.0.1 eq 23
access-group acl_outside in interface outside (applies the access
list to inbound traffic of the outside interface)

The command nat (inside) 0 0 allows connections to start from any IP
on the inside, and is used for non-NAT. (The first 0 tells NAT not to
use a global address pool.) Without a NAT entry in either format the
PIX will not send traffic out of an interface, inside interface
included.

To establish a NAT to a global IP use nat (inside) 1 192.168.1.0
The 1 is the global pool #. You can have multiples.
global (outside) 1 interface (this is a many-to-one NAT/PAT)
For many-to-many translations:
global (outside) 1 172.16.1.100-172.16.1.250 netmask 255.255.255.248
global (outside) 1 172.16.1.254 netmask 255.255.255.248 (this is the
PAT address)

Hope this helps.


 
-----Original Message-----
From: jamesworld () intelligencia com
[mailto:jamesworld () intelligencia com] 
Sent: Tuesday, July 22, 2003 7:26 PM
To: Glenn English
Cc: 'Security-Basics'
Subject: Re: Some Cisco PIX newbie questions


Glenn,

do you have something like this:

static (inside,outside) 172.16.0.149 192.168.82.42 netmask 255.255.255.255
access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 172.16.0.149 eq 80
access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 172.16.0.149 eq 23
access-list acl_outside permit icmp 172.16.0.0 255.255.0.0 host 172.16.0.149 echo
access-list acl_outside permit icmp 172.16.0.0 255.255.0.0 host 172.16.0.149 echo-reply
access-group acl_outside in interface outside

The above assumes the following:

your Mac SE/30 = 192.168.82.42
you have 172.16.0.149 available as a free IP on the 'internet'

This allows tcp port 80 (http) and tcp port 23 (telnet) to the published
IP of 172.16.0.149; it also allows pinging.

the access-group command applies the access-list to the outside
interface.

If you have further questions, send me your lab config (strip
passwords and such).

-James



At 17:50 7/22/2003, Glenn English wrote:
I got a 506E (first experience with Cisco) last Friday, and I'm
learning how to use it with the 172.16.0.146/28 (a LAN around the
building) as the Internet and 192.168.82.40/29 (my workstation) as
the protected LAN. (And an old Mac SE/30 as the terminal.)

Configuring from the terminal works, telnet works, https works, tftp
works, the Java PDM pretty much works, and connecting from inside
to outside works.

But I can't figure out how to get through the firewall in the other
direction. There's a static map from an "Internet" IP to my
workstation, and the PIX's log shows a connection attempt. But what I
specifically permit is being denied. Is the anti-spoofing blocking
it? If so, why is it not blocking packets returning to the PAT
address?

--
Glenn English
ghe () slsware com

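The three pieces James and Donald describe above (a static mapping the published IP to the inside host, an access-list written against the published IP, and an access-group binding that list inbound on the outside interface) can be checked offline with a small model. The Python script below is an added example written for this thread; it is not code from the list, from Cisco, or from any PIX tool. The configuration it parses is constructed from the thread's addresses, the port-name table and the order of the checks are assumptions, and it models the PIX 6.x rule that an ACL applied inbound on the outside interface matches the global (translated) address. It also shows the deny that results when the ACL is written against the inside address instead, which is one frequent cause of the "I permit it but it is denied" symptom Glenn reports.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed sample config following the pattern James posted; the
# addresses are the ones from the thread, everything else is assumed.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nat (inside) 1 192.168.82.40 255.255.255.248
global (outside) 1 interface
static (inside,outside) 172.16.0.149 192.168.82.42 netmask 255.255.255.255
access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 172.16.0.149 eq 80
access-list acl_outside permit tcp 172.16.0.0 255.255.0.0 host 172.16.0.149 eq 23
access-list acl_outside permit icmp 172.16.0.0 255.255.0.0 host 172.16.0.149 echo
access-list acl_outside permit icmp 172.16.0.0 255.255.0.0 host 172.16.0.149 echo-reply
access-group acl_outside in interface outside
"""

# Same config with the ACL written against the inside address instead of the
# published one: on PIX 6.x the outside ACL never matches, so it is denied.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("host 172.16.0.149", "host 192.168.82.42")

# Assumed port-name table (only the names this example needs).
PORT_NAMES = {"www": 80, "http": 80, "telnet": 23, "ssh": 22, "smtp": 25}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int | None = None       # destination port for tcp/udp "eq"
    icmp_type: str | None = None  # e.g. "echo" for icmp entries


@dataclass
class PixConfig:
    statics: dict = field(default_factory=dict)  # (low_if, global_ip) -> (high_if, local_ip)
    acls: dict = field(default_factory=dict)     # acl name -> [Ace, ...]
    groups: dict = field(default_factory=dict)   # interface -> acl applied "in"


def parse_addr(tokens, i):
    """Parse an address spec (any | host X | X MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull static, access-list and access-group lines out of a PIX config.
    nat/global/nameif lines are accepted but not modelled."""
    cfg = PixConfig()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static":
            high_if, low_if = t[1].strip("()").split(",")
            cfg.statics[(low_if, ipaddress.ip_address(t[2]))] = (high_if, ipaddress.ip_address(t[3]))
        elif t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, i = parse_addr(t, 4)
            dst, i = parse_addr(t, i)
            ace = Ace(action, proto, src, dst)
            if i < len(t) and t[i] == "eq":
                ace.port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            elif i < len(t) and proto == "icmp":
                ace.icmp_type = t[i]
            cfg.acls.setdefault(name, []).append(ace)
        elif t[0] == "access-group":
            cfg.groups[t[4]] = t[1]
    return cfg


def check_inbound(cfg, iface, proto, src, dst, port=None, icmp_type=None):
    """Model a packet arriving on low-security interface `iface` (PIX 6.x).
    The inbound ACL is matched against the packet as it arrives, i.e. the
    global/published address, and a static must exist for the destination.
    Check order is a simplification. Returns (verdict, reason)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl_name = cfg.groups.get(iface)
    if acl_name is None:
        return "deny", f"no access-group on {iface}: inbound traffic blocked by default"
    for ace in cfg.acls.get(acl_name, []):
        if ace.proto not in ("ip", proto) or src_ip not in ace.src or dst_ip not in ace.dst:
            continue
        if ace.port is not None and ace.port != port:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        if ace.action == "deny":
            return "deny", f"explicit deny in {acl_name}"
        break  # first matching permit wins
    else:
        return "deny", f"no entry in {acl_name} matches {dst} (implicit deny)"
    mapping = cfg.statics.get((iface, dst_ip))
    if mapping is None:
        return "deny", f"no static translation for {dst} on {iface}"
    high_if, local_ip = mapping
    return "permit", f"translate {dst} -> {local_ip}, forward on {high_if}"


if __name__ == "__main__":
    for label, text in (("correct", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        cfg = parse_config(text)
        print(label, check_inbound(cfg, "outside", "tcp", "172.16.0.20", "172.16.0.149", port=23))
```

Run it as-is to see the correct config permit telnet to 172.16.0.149 while the variant with the ACL written against 192.168.82.42 falls through to the implicit deny. The model deliberately ignores nat/global lines, anti-spoofing and connection state; it only answers the narrow question the thread turns on, namely whether the outside ACL and the static agree on the published address.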


