Protect inside and control outside

Discussion in 'Cisco' started by Jeroen, Nov 18, 2003.

  1. Jeroen

    Jeroen Guest

    Hi Folks,
    I need to separate a small part of my LAN; for this I've got myself a
    nice pix 501.
    This is what I need:
    4 hosts will be behind this pix. These hosts will need to access a few
    PCs in my lan, as well as the outside world:

    4hosts ------- pix501-----my lan-----pix 515---outside

    in 'my lan' there are about 100 hosts, but the 4 only need to access a
    few of them.
    So, I came up with this:


    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list outside_access_in permit icmp any any
    access-list inside_access_in permit ip any host 10.0.0.7
    access-list inside_access_in permit ip any host 10.0.0.6
    access-list inside_access_in permit ip any host 10.0.0.5
    access-list inside_access_in permit ip any interface outside
    access-list inside_access_in permit ip any host 10.0.0.4
    access-list inside_access_in deny ip any 192.168.0.0 255.255.0.0
    ip address outside 192.168.20.22 255.255.0.0
    ip address inside 10.0.0.1 255.255.255.0
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0 norandomseq
    static (outside,inside) 10.0.0.4 192.168.1.2 netmask 255.255.255.255 0 0 norandomseq
    static (outside,inside) 10.0.0.5 192.168.1.4 netmask 255.255.255.255 0 0
    static (outside,inside) 10.0.0.6 192.168.1.3 netmask 255.255.255.255 0 0
    static (outside,inside) 10.0.0.7 192.168.0.3 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.0.3 1
    route outside 192.168.20.22 255.255.255.255 192.168.0.3 1

    So, the hosts they need to see are 192.168.1.4/1.3/1.2, and they see
    them as 10.0.0.5/6/4. They can't access any other machine, which is good.

    Now, 192.168.0.3 is the default gateway on our lan (my lan) to the
    outside world. I've tried to build that one as default route, but it
    won't work. No matter what I do, I can't seem to get it to reach the
    internet at all.

    Am I going the correct way with this? Or are there easier methods?
    What am I doing wrong with the default routes?
    Any insights are greatly appreciated!
    --
    Jeroen
     
    Jeroen, Nov 18, 2003
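
As an added illustration that is not part of the original post: a first-match evaluation of the posted `inside_access_in` entries, showing which destinations the list lets the 4 hosts reach. It assumes source `any` and protocol `ip` as in every posted entry, resolves `interface outside` to the posted outside address 192.168.20.22, and uses 198.51.100.10 as a constructed stand-in for an Internet host; `evaluate` and `report` are names chosen for this example.

```python
import ipaddress

# Outside interface address from the posted "ip address outside" line.
OUTSIDE_IF = "192.168.20.22"

# The posted inside_access_in entries, in order (destination part only,
# because every entry uses protocol ip and source any).
ACL = [
    ("permit", "10.0.0.7/32"),
    ("permit", "10.0.0.6/32"),
    ("permit", "10.0.0.5/32"),
    ("permit", OUTSIDE_IF + "/32"),  # permit ip any interface outside
    ("permit", "10.0.0.4/32"),
    ("deny", "192.168.0.0/16"),
]


def evaluate(dst, acl=ACL):
    """Return (action, reason) for a destination address; first match wins."""
    addr = ipaddress.ip_address(dst)
    for number, (action, network) in enumerate(acl, start=1):
        if addr in ipaddress.ip_network(network):
            return action, f"entry {number}: {action} {network}"
    # An access list ends with an implicit deny for anything unmatched.
    return "deny", "implicit deny"


def report(destinations):
    """Evaluate several destinations and return {destination: (action, reason)}."""
    return {dst: evaluate(dst) for dst in destinations}


if __name__ == "__main__":
    # Constructed sample destinations, written as the 4 hosts would address them.
    samples = [
        "10.0.0.4",        # static for 192.168.1.2
        "10.0.0.7",        # static for 192.168.0.3
        "192.168.1.9",     # some other LAN host
        "192.168.20.22",   # the PIX outside interface itself
        "198.51.100.10",   # stand-in for an Internet host
    ]
    for dst, (action, why) in report(samples).items():
        print(f"{dst:<15} {action:<6} {why}")
```

The only permit entries name the four translated hosts and the outside interface address, so a destination outside 192.168.0.0/16 matches nothing and ends at the implicit deny.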