Setting up a PIX 501 from scratch
Posted by Dave on February 9th, 2006


Hi all,

I'm setting up a shiny new (to me) PIX 501, and I need it set up as
follows:

1. I have 64 usable public IPs

2. I'll need one internal NAT subnet, 192.168.1.0/24, with the router
using one of the public IPs

3. Outbound traffic from NAT LAN clients will be PAT'd through the
router's WAN address (I'm used to calling this NAT, but it seems PAT is
the correct term in the Cisco lexicon)

4. DHCP pool on the LAN, starting at 192.168.1.100

5. Two server computers on the LAN, for which I'd like to set up a few
one-to-one mappings, using two of my 64 public IPs. I want to deny all
traffic except that necessary for server processes (mail, web, etc).
So, for example, 11.22.33.44 maps to 192.168.1.10, but only allows
inbound traffic on ports 25, 110, and 143. And 11.22.33.45 maps to
192.168.1.11, but only allows inbound traffic on ports 80 and 443.

6. I'd also like to have some commands at the ready to set up and
remove future one-to-one mappings and rules for allowing/denying
network traffic.

I grabbed a sample config file from the Cisco support website and modified
it, as shown below. Can anyone tell me if I've got this right? I'm not
sure of the syntax for the inbound server services (note the '?'s), nor
do I know how to create the DHCP pool.

Any help appreciated!!

My Config file:

=====


Building configuration...
: Saved
:
PIX Version 5.3(1)
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif ethernet0 intf2 security10
nameif ethernet1 intf3 security15
enable password <myPassword_here> encrypted
passwd <myPassword_here> encrypted
hostname firewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names

!--- Create an access list to allow pings out
!--- and return packets back in.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable

!--- Allows anyone on the Internet to connect to
!--- servers for listed services only.
!--- (PIX access-list entries take one port per line; these are the
!--- mail ports 25/110/143 and web ports 80/443 listed above.)
access-list 100 permit tcp any host 11.22.33.44 eq smtp
access-list 100 permit tcp any host 11.22.33.44 eq pop3
access-list 100 permit tcp any host 11.22.33.44 eq imap4
access-list 100 permit tcp any host 11.22.33.45 eq www
access-list 100 permit tcp any host 11.22.33.45 eq https
pager lines 24

!--- Enable logging.
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor

!--- Enable error and more severe syslog messages
!--- to be saved to the local buffer.
logging buffered errors

!--- Send notification and more severe syslog messages
!--- to the syslog server.
logging trap notifications
no logging history
logging facility 20
logging queue 512

!--- Send syslog messages to a syslog server
!--- on the inside interface.
logging host inside 192.168.1.220

!--- All interfaces are shutdown by default.
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500

!--- set up PIX interfaces:
ip address outside 208.176.183.66 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
arp timeout 14400

!--- Define a Network Address Translation (NAT) pool that
!--- internal hosts use when going out to the Internet.
!--- commented out for now, using PAT only, below:
!--- global (outside) 1 204.69.198.15-204.69.198.253

!--- Define a Port Address Translation (PAT) address:
global (outside) 1 208.176.183.72

!--- Allow all internal hosts to use
!--- the NAT or PAT addresses specified above.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Define a static translation for the mailserver
!--- to be accessible from the Internet.
static (inside,outside) 11.22.33.44 192.168.1.10 netmask 255.255.255.255 0 0

!--- Define a static translation for the
!--- webserver to be accessible from the Internet.
static (inside,outside) 11.22.33.45 192.168.1.11 netmask 255.255.255.255 0 0


!--- Apply access list 100 to the outside interface.
access-group 100 in interface outside

!--- Define a default route to the ISP's router.
route outside 0.0.0.0 0.0.0.0 208.176.183.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname

!--- Allow the host 192.168.1.254 to be able to
!--- Telnet to the inside of the PIX.
telnet 192.168.1.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3e7ba2f76bf9a6b42ff656d31ebda5c5
: end
[OK]
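An added example (not from Dave's post or from Cisco's sample config) covering items 4 and 6 of the request above, in PIX 6.x syntax, which is what a 501 runs rather than the 5.3(1) of the sample. The public address 11.22.33.46, the inside host 192.168.1.12 and the DNS server are placeholders in the style of the post, and the pool size assumes a 501 license that allows at least 32 DHCP clients.

```text
!--- Item 4: DHCP pool on the inside interface, starting at 192.168.1.100.
!--- (assumption: a 10-user PIX 501 license caps the pool at 32 addresses,
!--- so the range stops at .131; larger licenses allow a bigger range)
dhcpd address 192.168.1.100-192.168.1.131 inside
!--- placeholder DNS server handed to clients
dhcpd dns 208.176.183.2
dhcpd lease 3600
dhcpd enable inside

!--- Item 6: add a one-to-one mapping for a future server (placeholder
!--- public 11.22.33.46 -> inside 192.168.1.12) and permit only the ports
!--- that service needs; everything else stays denied by the implicit deny
!--- at the end of access-list 100.
static (inside,outside) 11.22.33.46 192.168.1.12 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host 11.22.33.46 eq https
!--- access-list 100 is already bound by "access-group 100 in interface outside",
!--- so new entries take effect immediately; existing translations keep their
!--- old state until cleared.
clear xlate
!--- Verify what is actually in force before saving.
show static
show access-list 100
show xlate

!--- Remove the mapping again: "no" in front of each line, then clear xlate.
no access-list 100 permit tcp any host 11.22.33.46 eq https
no static (inside,outside) 11.22.33.46 192.168.1.12 netmask 255.255.255.255 0 0
clear xlate

!--- Persist to flash only once the change is verified.
write memory
```

Independently of these items, the sample's `snmp-server community public` is a well-known default and should be changed or disabled before the box faces the Internet.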

Posted by Peter on February 10th, 2006


Dave wrote:
~Peter

