outside PAT

Discussion in 'Cisco' started by Christoph Gartmann, Apr 9, 2013.

  1. Hello,

    the following scenario:

    --- net1 --- PIX --- net2
                  |
                  |
                 net3

    The Pix runs OS 7.2. Computers reside in net2 and communicate with the world
    via net1. In net3 are a few hosts. Security levels are from net1 (low) to net2
    (higher) to net3 (highest). Traffic from net2 to net1 will be neither NATed
    nor PATed. From net2 to net3 there should be PAT. The computers in net2 should
    be able to access two servers in net3.


    interface Ethernet0
    nameif net1
    security-level 0
    ip address 192.168.178.2 255.255.255.0
    !
    interface Ethernet1
    nameif net2
    security-level 90
    ip address 192.168.179.1 255.255.255.0
    !
    interface Ethernet5
    nameif net3
    security-level 95
    ip address 192.168.0.3 255.255.248.0
    !
    access-list test extended permit icmp any any log
    access-list test extended permit ip any any
    access-list test-in extended permit icmp any any log
    access-list test-in extended permit ip any any

    nat-control
    global (net3) 1 192.168.0.4
    nat (net2) 1 192.168.179.0 255.255.255.0 outside
    static (net2,net1) 192.168.179.0 192.168.179.0 netmask 255.255.255.0
    access-group test-in in interface net2
    access-group test out interface net3
    route net1 0.0.0.0 0.0.0.0 192.168.178.1 1
    route net3 10.1.0.0 255.255.0.0 192.168.1.254 1


    So far the connections between net1 and net2 are working. But what is required
    to allow net2 to reach hosts in net3 with PAT?

    Regards,
    Christoph Gartmann

    --
    Max-Planck-Institut fuer          Phone : +49-761-5108-464 Fax: -80464
    Immunbiologie und Epigenetik
    Postfach 1169                     Internet: gartmann@immunbio dot mpg dot de
    D-79011 Freiburg, Germany
    http://www.immunbio.mpg.de/home/menue.html
    Christoph Gartmann, Apr 9, 2013
    #1

  2. Christoph Gartmann wrote:
    > --- net1 --- PIX --- net2
    >               |
    >               |
    >              net3
    >
    > The Pix runs OS 7.2. Computers reside in net2 and communicate with the world
    > via net1. In net3 are a few hosts. Security levels are from net1 (low) to net2
    > (higher) to net3 (highest). Traffic from net2 to net1 will be neither NATed
    > nor PATed. From net2 to net3 there should be PAT. The computers in net2 should
    > be able to access two servers in net3.


    Your security levels should follow nat. Usually you "nat" from high level to
    low level. From low to high you "static"ally open ports. So your security
    levels should be:

    nameif net1
    security-level 0

    nameif net2
    security-level 100

    nameif net3
    security-level 50

    global (net3) 1 interface ! or pat-ip
    nat (net2) 1 192.168.179.0 255.255.255.0
    static (net2,net1) 192.168.179.0 192.168.179.0 netmask 255.255.255.0
    static (net2,net3) tcp interface 80 192.168.179.12 80 ! server1 port forward
    static (net2,net3) 192.168.179.13 192.168.179.13 ! server2 (prevents PAT)

    HTH
    Lutz Donnerhacke, Apr 9, 2013
    #2
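A small model of the translation rules both posts lean on, added here as an illustration and not code from the thread or from Cisco: static entries are consulted before dynamic nat, a plain nat/global pair only translates from a higher-security interface to a lower one while the `outside` keyword on `nat` is what covers the lower-to-higher direction, and with `nat-control` a flow that matches no translation is dropped. Interface addresses, security levels and the server host 192.168.179.13 are taken from the two posts; the client 192.168.179.20 is a constructed sample, and static PAT (the port-forward line) is left out of the model.

```python
# Toy model of PIX 7.x translation selection, written for this thread (not firewall code).
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Pix:
    levels: dict                                  # nameif -> security-level
    if_addr: dict                                 # nameif -> interface address
    statics: list = field(default_factory=list)   # (real_if, mapped_if, mapped_net, real_net)
    nats: list = field(default_factory=list)      # (nat_id, real_if, real_net, has_outside_keyword)
    globals_: dict = field(default_factory=dict)  # (mapped_if, nat_id) -> pool address or "interface"

    def translate(self, src_if, dst_if, src_ip):
        """Return (kind, mapped source address) for a flow entering src_if and leaving dst_if."""
        ip = ipaddress.ip_address(src_ip)
        net = ipaddress.ip_network
        # 1. static entries are consulted before dynamic nat, most specific network first
        for real_if, mapped_if, mapped, real in sorted(self.statics, key=lambda s: -net(s[3]).prefixlen):
            if (real_if, mapped_if) == (src_if, dst_if) and ip in net(real):
                return "static", str(net(mapped).network_address + (int(ip) - int(net(real).network_address)))
        # 2. regular dynamic nat applies from higher to lower security only; the
        #    'outside' keyword makes it outside NAT, which applies from lower to higher
        for nat_id, real_if, real, outside in self.nats:
            if real_if != src_if or ip not in net(real):
                continue
            if (self.levels[src_if] > self.levels[dst_if]) == outside:
                continue                                  # direction does not fit this nat line
            pool = self.globals_.get((dst_if, nat_id))
            if pool is not None:
                return "pat", (self.if_addr[dst_if] if pool == "interface" else pool)
        # 3. nat-control: a flow with no translation at all is dropped
        return "drop", None

IF_ADDR = {"net1": "192.168.178.2", "net2": "192.168.179.1", "net3": "192.168.0.3"}

def reply_config():
    """Security levels and nat/static lines as proposed in the reply (net2 above net3)."""
    pix = Pix({"net1": 0, "net2": 100, "net3": 50}, IF_ADDR)
    pix.globals_[("net3", 1)] = "interface"                       # global (net3) 1 interface
    pix.nats.append((1, "net2", "192.168.179.0/24", False))       # nat (net2) 1 192.168.179.0 ...
    pix.statics.append(("net2", "net1", "192.168.179.0/24", "192.168.179.0/24"))   # identity static
    pix.statics.append(("net2", "net3", "192.168.179.13/32", "192.168.179.13/32")) # server2, no PAT
    return pix

def question_config(outside_keyword):
    """Security levels from the question (net3 above net2), nat line with or without 'outside'."""
    pix = Pix({"net1": 0, "net2": 90, "net3": 95}, IF_ADDR)
    pix.globals_[("net3", 1)] = "192.168.0.4"                     # global (net3) 1 192.168.0.4
    pix.nats.append((1, "net2", "192.168.179.0/24", outside_keyword))
    return pix
```

With the reply's levels a net2 client is PATed to the net3 interface address while the identity static keeps 192.168.179.13 untranslated; with the question's levels the same nat line matches only when it carries the `outside` keyword.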
