Cisco PIX Setup Assistance Requested

Discussion in 'Cisco' started by stevelup, Jun 20, 2005.

  1. stevelup

    stevelup Guest

    Hi

    I'm attempting to set up a Cisco PIX 506E to replace our old firewall (which
    was a PC running Linux).

    We have a single primary IP address and an additional block of 8 IP
    addresses which are routed through the primary address.

    Our primary IP address is x.y.66.72 and our allocated block of addresses is
    x.y.77.152 - 158.

    We have various machines on our 192.168.1.0 LAN which need to have visibility
    on x.y.77.153 and x.y.77.154.

    I can't for the life of me get it working.

    ACLs are all set up and allowing traffic - I cannot work out how to set up
    the NAT though.

    No matter what I do, I get "no translation group found" errors. I'm using
    the GUI to manage the setup procedure but I'm not afraid of using the CLI if
    necessary.

    I'm having difficulty understanding where the x.y.77.153 addresses fall in
    the scheme of things as well - they are "outside" addresses but I can't see
    where to specify them in the context of the NAT rules. They are not source
    addresses, rather they are destination addresses. I don't understand how to
    specify NAT rules based upon these destination addresses.

    I apologise in advance if I've been extremely dim and missed the point.

    Thanks for your help.

    Steve
     
    stevelup, Jun 20, 2005
    #1

  2. "stevelup" <do.not.spam@me> wrote:

    > We have a single primary IP address and an additional block of 8 IP
    > addresses which are routed through the primary address.
    >
    > Our primary IP address is x.y.66.72 and our allocated block of
    > addresses is x.y.77.152 - 158.
    >
    > We have various machines on our 192.168.1.0 LAN which need to have
    > visibility on x.y.77.153 and x.y.77.154.


    You have an uncommon setup. I'd try like this:

    no fixup protocol smtp 25
    access-list Incoming permit tcp any host x.y.77.153 eq smtp
    access-list Incoming permit tcp any host x.y.77.154 eq http
    access-list Outgoing permit ip 192.168.1.0 255.255.255.0 any
    ip address outside x.y.66.72 255.255.255.???
    ip address inside 192.168.1.1 255.255.255.0
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    static (inside,outside) x.y.77.153 192.168.1.X netmask 255.255.255.255 0 0
    static (inside,outside) x.y.77.154 192.168.1.Y netmask 255.255.255.255 0 0
    access-group Incoming in interface outside
    access-group Outgoing in interface inside
    route outside 0.0.0.0 0.0.0.0 x.y.66.??? 1

    If you need to share the same public IP between several
    inside hosts then you have to do the static lines
    like this:

    static (inside,outside) tcp x.y.77.153 25 192.168.1.X 25 netmask 255.255.255.255

    static (inside,outside) tcp x.y.77.153 80 192.168.1.Y 80 netmask 255.255.255.255

    And if you want to use one of the x.y.77.15z addresses
    as the PAT address then the global line should be:

    global (outside) 1 x.y.77.15z netmask 255.255.255.?

    (Hmm, are you sure that the range is x.y.77.152 - 158 ?
    That's only seven IPs and cannot be correctly masked.)
     
    Jyri Korhonen, Jun 20, 2005
    #2
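
Added example, not part of the original posts: a small Python check for the two things this thread turns on, whether an address range is a maskable block (152 - 158 versus 152 - 159) and whether every inside subnet and every permitted public address has a translation rule. The sample config is constructed, uses documentation addresses in place of x.y, and assumes ACL entries of the `any host <address>` form shown above.

```python
import ipaddress

# Constructed sample config (PIX 6.x syntax as in the post above). Documentation
# addresses stand in for the thread's x.y.* placeholders; the nat line is
# deliberately wrong and 203.0.113.155 has a permit but no static.
SAMPLE = """\
access-list Incoming permit tcp any host 203.0.113.153 eq smtp
access-list Incoming permit tcp any host 203.0.113.154 eq http
access-list Incoming permit tcp any host 203.0.113.155 eq https
ip address outside 198.51.100.72 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) 203.0.113.153 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.154 80 192.168.1.11 80 netmask 255.255.255.255
"""

def is_cidr_block(first, last):
    """True if first..last is exactly one CIDR block (can be written with a mask)."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return len(list(ipaddress.summarize_address_range(a, b))) == 1

def audit(config):
    """Return findings for inside subnets without nat and permits without static."""
    findings, nat_nets, inside, statics, permits = [], [], None, set(), set()
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "address", "inside"]:
            inside = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
        elif t[:2] == ["nat", "(inside)"] and t[2] != "0":
            nat_nets.append(ipaddress.ip_network(f"{t[3]}/{t[4]}"))
        elif t[:2] == ["static", "(inside,outside)"]:
            # Port-redirect form has tcp/udp before the public address.
            statics.add(t[3] if t[2] in ("tcp", "udp") else t[2])
        elif t[:1] == ["access-list"] and "permit" in t and "host" in t:
            permits.add(t[t.index("host") + 1])
    if inside and not any(inside.subnet_of(n) for n in nat_nets):
        findings.append(f"inside {inside} not covered by any nat (inside) statement")
    for host in sorted(permits - statics):
        findings.append(f"permit to {host} has no matching static")
    return findings

if __name__ == "__main__":
    print(is_cidr_block("203.0.113.152", "203.0.113.158"))  # seven addresses
    print(is_cidr_block("203.0.113.152", "203.0.113.159"))  # the /29
    print("\n".join(audit(SAMPLE)))
```
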

  3. stevelup

    stevelup Guest

    "Jyri Korhonen" <> wrote in message
    news:d97aij$aoi$...
    > "stevelup" <do.not.spam@me> wrote:
    > You have an uncommon setup. I'd try like this:


    Many thanks - I'll give that a try today.

    > (Hmm, are you sure that the range is x.y.77.152 - 158 ?
    > That's only seven IPs and cannot be correctly masked.)


    That was indeed a typo. The range is 152 - 159 (/29)

    I appreciate your help and I'll get back to you and let you know how I got
    on.

    Cheers,

    Steve
     
    stevelup, Jun 21, 2005
    #3
  4. stevelup

    stevelup Guest

    "stevelup" <sdrawkcab.ten.2ku@ekolbemag> wrote in message
    news:...
    > "Jyri Korhonen" <> wrote in message
    > news:d97aij$aoi$...
    > > "stevelup" <do.not.spam@me> wrote:
    > > You have an uncommon setup. I'd try like this:


    Hi

    Many thanks - everything is working fine now.

    I was being confused by the (to my view anyway!) backwards way that
    translation rules seem to work in PDM. I now understand it.

    Cheers,

    Steve
     
    stevelup, Jun 23, 2005
    #4