Cisco PIX 501 NAT config issue
Here is the situation.
We are putting a subcontractor on our WAN and want to control their access to our network. The subcontractor's network is on the outside interface and our internal networks are on the inside interface. They need access to lots of our subnets but we are restricting the ports they can access.

I do not want any NAT to happen on any interface but I cannot work out how to do this for traffic inbound from the outside interface.

Any ideas gratefully received.
Re: Cisco PIX 501 NAT config issue
add the command:
static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

where 192.168.0.0 represents your inside network. This way the NAT is turned off, so to speak.

Then add the ACL on the outside interface permitting the external access to the inside hosts.

HTH
Martin Bilgrav

"Binner" <binner@talk21.com> wrote in message news:f5f3698a.0410050327.40fb4c62@posting.google.com...
> Here is the situation.
>
> We are putting a subcontractor on our WAN and want to control their
> access to our network.
>
> The subcontractor's network is on the outside interface and our
> internal networks are on the inside interface.
>
> They need access to lots of our subnets but we are restricting the
> ports they can access.
>
> I do not want any NAT to happen on any interface but I cannot work out
> how to do this for traffic inbound from the outside interface
>
> Any ideas gratefully received
Re: Cisco PIX 501 NAT config issue
"Martin Bilgrav" <SoddOff@Baldric.co.uk> wrote in message news:<41629482$0$22682$d40e179e@nntp04.dk.telia.net>...
> add the command:
> static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
>
> where 192.168.0.0 represents your inside network.
> This way the NAT is turned off, so to speak
>
> Then add the ACL on the outside interface permitting the external access to
> the inside hosts.
>
> HTH
> Martin Bilgrav
>
>
> "Binner" <binner@talk21.com> wrote in message
> news:f5f3698a.0410050327.40fb4c62@posting.google.com...
> > Here is the situation.
> >
> > We are putting a subcontractor on our WAN and want to control their
> > access to our network.
> >
> > The subcontractor's network is on the outside interface and our
> > internal networks are on the inside interface.
> >
> > They need access to lots of our subnets but we are restricting the
> > ports they can access.
> >
> > I do not want any NAT to happen on any interface but I cannot work out
> > how to do this for traffic inbound from the outside interface
> >
> > Any ideas gratefully received

Thanks for the response but in the time it took to post this message I fixed the problem.

I set up the PIX to allow all inbound traffic using the following (the IP addresses have been changed to protect the innocent):

access-list outside_in permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group outside_in in interface outside
access-list no_nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no_nat

I then set up an object-group containing the ports I wanted to allow through and created an access list using this object-group with the same identifier as the first access list above. I then removed the unrestricted access list and this worked just fine. It allows the ports in the access group and drops everything else.
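As an added example (not taken from the thread), here is a PIX 6.x configuration in the shape Binner describes, with the port-restricted ACL in place of the unrestricted one. It assumes the subcontractor network is 192.168.0.0/24 on the outside interface and the inside network is 192.168.1.0/24 (constructed values following the addresses in the post), and uses TCP 22 and 443 as placeholder allowed ports.

```cisco
: Added example, not from the thread. Assumed addressing:
:   outside (subcontractor) network = 192.168.0.0/24
:   inside network                  = 192.168.1.0/24
: Allowed ports (placeholders)      = TCP 22 and TCP 443

: 1. Identity NAT so inside addresses appear unchanged on the outside.
:    For "nat 0 access-list" the ACL is written from the inside hosts' side:
:    source = inside network, destination = outside network.
access-list no_nat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list no_nat

: 2. The permitted ports collected in a service object-group.
object-group service SUBCON_TCP tcp
  port-object eq 22
  port-object eq 443

: 3. Restricted inbound ACL: only the ports in the object-group are
:    permitted; the explicit trailing deny logs anything else that is tried.
access-list outside_in remark subcontractor -> inside, restricted ports only
access-list outside_in permit tcp 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 object-group SUBCON_TCP
access-list outside_in deny ip any any log

: 4. Apply the ACL inbound on the outside interface.
access-group outside_in in interface outside
```

After applying it, `show access-list outside_in` reports a hit count per line, which is a quick way to confirm that the allowed ports are matching the permit entry and that everything else is landing on the trailing deny.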
Re: Cisco PIX 501 NAT config issue
"Binner" <binner@talk21.com> wrote in message news:f5f3698a.0410052335.1eb3f37b@posting.google.com...
> "Martin Bilgrav" <SoddOff@Baldric.co.uk> wrote in message news:<41629482$0$22682$d40e179e@nntp04.dk.telia.net>...
> > add the command:
> > static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
> >
> > where 192.168.0.0 represents your inside network.
> > This way the NAT is turned off, so to speak
> >
> > Then add the ACL on the outside interface permitting the external access to
> > the inside hosts.
> >
> > HTH
> > Martin Bilgrav
> >
>
> I set up the PIX to allow all inbound traffic using the following (the
> IP addresses have been changed to protect the innocent)
>
> access-list outside_in permit ip 192.168.0.0 255.255.255.0 192.168.1.0
> 255.255.255.0
> access-group outside_in in interface outside
> access-list no_nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0
> 255.255.255.0
> nat (inside) 0 access-list no_nat
>
> I then set up an object-group containing the ports I wanted to allow
> through and created an access list using this object-group with the
> same identifier as the first access list above. I then removed the
> unrestricted access list and this worked just fine.

You should seriously consider not running nat 0, since this config you have now opens up for EVERYTHING to ALL HOSTS!! But it's your call.

HTH
Martin