PIX Inbound NAT configuration

Discussion in 'Cisco' started by DaZZa, Apr 8, 2006.

  1. DaZZa

    DaZZa Guest

    I've hit a bit of a brick wall trying to configure my new firewall,
    and I'm looking for some direction, as what I want to do wasn't
    really covered in the training course.

    I want to do an inbound NAT on an IP address which is contained
    in a subnet which is also on the PIX and turn it into an internal
    address - but ONLY for selected ports.

    It looks something like this {Warning: Bad ASCII drawing follows}

        Internet
            |
            |
        Firewall
         /     \
       DMZ   Internal

    The DMZ has an IP address range - call it 172.16.78.192/28. The
    Inside has 10.67.0.0/16. I want to take IP address 172.16.78.199
    and translate it to 10.67.97.10 but ONLY if connections come in
    on ports 25, 110 or 80 directed to this address only {incoming
    on those ports to other addresses should be sent elsewhere}.

    The addresses in the DMZ are non-RFC1918, and match the subnet
    mask specified.

    Basically, I want an inbound connection attempt on port 25 directed to
    the external .199 address to be translated and connected to the internal
    .10 address.

    Anyone wanna throw a hint my way? I'm being lazy and using the
    ASDM module to give me a GUI configuration, but I'll dial into
    the command line if necessary and put the commands in manually
    if someone can clue me in. PIX 515E in use, running 7.0.1 software,
    unrestricted license.

    Thanks

    DaZZa


    --
    A rule for life.
    echo 16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D4D465452snlb xq |dc
    Address in header is spamblocked. ROT13 the following for email replies
     
    DaZZa, Apr 8, 2006
    #1

  2. dreday

    dreday Guest

    I am currently configuring a client to PIX router and I know that I
    need a VPN that uses ISAKMP, but the steps that I am using must be
    wrong, so I wonder if anyone has some suggestions.
     
    dreday, Apr 8, 2006
    #2

  3. NETADMIN

    NETADMIN Guest

    First you have to deny 10.x.x.x IPs from the access list used on the interface;
    after that you have to apply a static NAT for the inbound connection.
    E.g.

    access-list out_to_in permit tcp any host 172.16.x.x eq 25

    static (inside,outside) 172.16.x.x 10.x.x.x netmask 255.255.255.255 0 0

    access-group out_to_in in interface outside

    Try this one..........

    Thanks
    CK-NET
     
    NETADMIN, Apr 9, 2006
    #3
