Velocity Reviews

Thread: Cisco PIX Setup Assistance Requested (http://www.velocityreviews.com/forums/t39704-cisco-pix-setup-assistance-requested.html), Cisco forum

stevelup 06-20-2005 04:46 PM

Cisco PIX Setup Assistance Requested
 
Hi

I'm attempting to set up a Cisco PIX 506E to replace our old firewall (which
was a PC running Linux).

We have a single primary IP address and an additional block of 8 IP
addresses which are routed through the primary address.

Our primary IP address is x.y.66.72 and our allocated block of addresses is
x.y.77.152 - 158.

We have various machines on our 192.168.1.0 LAN which need to have visibility
on x.y.77.153 and x.y.77.154.

I can't for the life of me get it working.

ACLs are all set up and allowing traffic - I cannot work out how to set up
the NAT though.

No matter what I do, I get "no translation group found" errors. I'm using
the GUI to manage the setup procedure but I'm not afraid of using the CLI if
necessary.

I'm having difficulty understanding where the x.y.77.153 addresses fall in
the scheme of things as well - they are "outside" addresses but I can't see
where to specify them in the context of the NAT rules. They are not source
addresses, rather they are destination addresses. I don't understand how to
specify NAT rules based upon these destination addresses.

I apologise in advance if I've been extremely dim and missed the point.

Thanks for your help.

Steve



Jyri Korhonen 06-20-2005 08:56 PM

Re: Cisco PIX Setup Assistance Requested
 
"stevelup" <do.not.spam@me> wrote:

> We have a single primary IP address and an additional block of 8 IP
> addresses which are routed through the primary address.
>
> Our primary IP address is x.y.66.72 and our allocated block of
> addresses is x.y.77.152 - 158.
>
> We have various machines on our 192.168.1.0 LAN which need to have
> visibility on x.y.77.153 and x.y.77.154.


You have an uncommon setup. I'd try like this:

no fixup protocol smtp 25
access-list Incoming permit tcp any host x.y.77.153 eq smtp
access-list Incoming permit tcp any host x.y.77.154 eq http
access-list Outgoing permit ip 192.168.1.0 255.255.255.0 any
ip address outside x.y.66.72 255.255.255.???
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) x.y.77.153 192.168.1.X netmask 255.255.255.255 0 0
static (inside,outside) x.y.77.154 192.168.1.Y netmask 255.255.255.255 0 0
access-group Incoming in interface outside
access-group Outgoing in interface inside
route outside 0.0.0.0 0.0.0.0 x.y.66.??? 1

If you need to share the same public IP between several
inside hosts then you have to do the static lines
like this:

static (inside,outside) tcp x.y.77.153 25 192.168.1.X 25 netmask 255.255.255.255

static (inside,outside) tcp x.y.77.153 80 192.168.1.Y 80 netmask 255.255.255.255

And if you want to use one of the x.y.77.15z addresses
as the PAT address then the global line should be:

global (outside) 1 x.y.77.15z netmask 255.255.255.?

(Hmm, are you sure that the range is x.y.77.152 - 158 ?
That's only seven IPs and cannot be correctly masked.)
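The two points raised above (a static or nat statement that does not line up with the networks it should cover, and a public range that is not a maskable block) are the usual causes of "no translation group found" on a PIX. The following checker is an added example, not code from any post in this thread or from Cisco: it parses a handful of PIX 6.x statements of the kind shown above and reports translation gaps. The sample configuration is constructed for illustration, using the RFC 5737 documentation prefixes 203.0.113.0/24 and 198.51.100.0/24 in place of the thread's x.y addresses; it deliberately contains a nat statement for a network other than the inside interface's, and an inbound access-list entry for a public host that no static maps to an inside machine.

```python
import ipaddress
import re

# Constructed sample config (not from the thread); addresses are RFC 5737
# documentation space. Two deliberate gaps: the nat line names 192.168.0.0
# while the inside interface is on 192.168.1.0, and 198.51.100.155 is
# permitted inbound but has no static.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.72 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) 198.51.100.153 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.154 192.168.1.20 netmask 255.255.255.255 0 0
access-list Incoming permit tcp any host 198.51.100.153 eq smtp
access-list Incoming permit tcp any host 198.51.100.154 eq http
access-list Incoming permit tcp any host 198.51.100.155 eq https
"""


def parse_pix_config(text):
    """Parse the PIX 6.x statements used in the thread: ip address, nat,
    one-to-one static, and the 'host' targets of access-list entries."""
    cfg = {"interfaces": {}, "nat": [], "static": {}, "acl_hosts": set()}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[:2] == ["ip", "address"]:
            # ip address <ifname> <addr> <mask>
            cfg["interfaces"][parts[2]] = ipaddress.ip_interface(f"{parts[3]}/{parts[4]}")
        elif parts[0] == "nat":
            # nat (<if>) <id> <net> <mask> ...
            cfg["nat"].append(ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False))
        elif parts[0] == "static":
            # static (<in>,<out>) <public> <private> netmask <mask> ...
            cfg["static"][ipaddress.ip_address(parts[2])] = ipaddress.ip_address(parts[3])
        elif parts[0] == "access-list":
            m = re.search(r"\bhost (\d+\.\d+\.\d+\.\d+)", line)
            if m:
                cfg["acl_hosts"].add(ipaddress.ip_address(m.group(1)))
    return cfg


def cidr_mask_for_range(first, last):
    """Return the dotted netmask if first..last is exactly one CIDR block,
    otherwise None (e.g. .152-.158 is three blocks, .152-.159 is one /29)."""
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    nets = list(ipaddress.summarize_address_range(first, last))
    return str(nets[0].netmask) if len(nets) == 1 else None


def check_translations(cfg, allocated_block):
    """Report the configuration gaps that make the PIX drop traffic with
    'no translation group found' or leave an ACL entry unreachable."""
    block = ipaddress.ip_network(allocated_block)
    inside = cfg["interfaces"]["inside"].network
    outside_ip = cfg["interfaces"]["outside"].ip
    findings = []
    # Outbound PAT needs a nat statement covering the whole inside network.
    if not any(n.supernet_of(inside) for n in cfg["nat"]):
        findings.append(f"inside network {inside} is not covered by any nat statement")
    for pub, priv in cfg["static"].items():
        if pub not in block:
            findings.append(f"static {pub} lies outside the allocated block {block}")
        elif pub in (block.network_address, block.broadcast_address):
            findings.append(f"static {pub} is the network or broadcast address of {block}")
        if priv not in inside:
            findings.append(f"static {pub} -> {priv}: {priv} is not on the inside network {inside}")
    # Inbound permit for a public host that nothing translates to an inside host.
    for host in sorted(cfg["acl_hosts"]):
        if host not in cfg["static"] and host != outside_ip:
            findings.append(f"access-list permits {host} but no static maps it to an inside host")
    return findings


if __name__ == "__main__":
    for f in check_translations(parse_pix_config(SAMPLE_CONFIG), "198.51.100.152/29"):
        print("finding:", f)
    print("mask for .152-.158:", cidr_mask_for_range("198.51.100.152", "198.51.100.158"))
    print("mask for .152-.159:", cidr_mask_for_range("198.51.100.152", "198.51.100.159"))
```

Run against the sample, the checker reports the uncovered inside network and the un-translated .155 host; correcting the nat line to 192.168.1.0 and dropping the .155 entry yields no findings. `cidr_mask_for_range` confirms the point about the seven-address range: .152-.158 cannot be expressed as one mask, while .152-.159 is 255.255.255.248.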


stevelup 06-21-2005 06:45 AM

Re: Cisco PIX Setup Assistance Requested
 
"Jyri Korhonen" <korhojy@POISSPAMMIThotmail.com> wrote in message
news:d97aij$aoi$1@phys-news1.kolumbus.fi...
> "stevelup" <do.not.spam@me> wrote:
> You have an uncommon setup. I'd try like this:


Many thanks - I'll give that a try today.

> (Hmm, are you sure that the range is x.y.77.152 - 158 ?
> That's only seven IPs and cannot be correctly masked.)


That was indeed a typo. The range is 152 - 159 (/29).

I appreciate your help and I'll get back to you and let you know how I got
on.

Cheers,

Steve



stevelup 06-23-2005 12:12 PM

Re: Cisco PIX Setup Assistance Requested
 
"stevelup" <sdrawkcab.ten.2ku@ekolbemag> wrote in message
news:yICdnVdcXabpKirfRVnyuQ@giganews.com...
> "Jyri Korhonen" <korhojy@POISSPAMMIThotmail.com> wrote in message
> news:d97aij$aoi$1@phys-news1.kolumbus.fi...
> > "stevelup" <do.not.spam@me> wrote:
> > You have an uncommon setup. I'd try like this:


Hi

Many thanks - everything is working fine now.

I was being confused by the (to my view anyway!) backwards way that
translation rules seem to work in PDM. I now understand it.

Cheers,

Steve



