07-12-2015 09:15 AM - edited 03-11-2019 11:15 PM
Hi Guys,
I'm new to the firewall environment and I'm trying to gain some experience.
Basically, I have a Cisco 887 router to which I have connected a PIX 515e firewall. Behind that I have a server. My Cisco router does NAT for 192.168.0.0/24 and my PIX's eth0 interface (outside) has 192.168.0.3. On the eth1 PIX interface (inside) I have 172.16.0.1, where I have a server with IP 172.16.0.3. Below is the diagram:
SERVER --------------------PIX-------------------CISCO
172.16.0.3 ----172.16.0.1/192.168.0.3----192.168.0.1
Basically, I would like ALL requests from devices in the 192.168.0.0/24 subnet to 192.168.0.3 (eth0 PIX interface) to be redirected to my server 172.16.0.3 (NAT one-to-one).
I thought that the configuration was similar to the Cisco router's, but it isn't.
Any suggestion?
Thanks!
07-12-2015 05:38 PM
You can do that, however it is not a good practice.
It is suggested to do Port address translation on the interface of the firewall.
For example:
Static PAT Example:
In order to redirect Telnet traffic from the outside interface (10.1.2.14) to the inside host at 10.1.1.15, enter this command:
hostname(config)#static (inside, outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255
Similarly, you can use any port instead of telnet in the above example.
The static PAT command is the same as static NAT, except it allows for the specification of the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP) and the port for the real and mapped addresses.
The static PAT feature can identify the same mapped address across many different static statements, so long as the port is different for each statement.
Regards,
Puneesh
If you find the answer helpful, please mark it as correct so others can benefit from the discussion.
07-13-2015 04:55 AM
Hi Puneesh.
Thank you very much for your reply.
Do you know what changes if, instead of writing (inside, outside), I write (outside,inside)?
Why is the first description "inside" when it refers to the outside IP?
I don't know if I have been clear.
Thank You
Federico
07-13-2015 08:31 AM
Here's the syntax:
static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
So, if you do static (outside,inside), you will have the real IP and then the mapped IP.
Eg:
To NAT the outside host to an inside address:
static (outside,inside) 10.10.10.10 1.1.1.1
To NAT the inside host to outside IP:
static (inside,outside) 1.1.1.1 10.10.10.10
And most importantly, static NAT is bidirectional
Regards,
Puneesh
07-13-2015 03:17 PM
Hi Puneesh.
Unfortunately, if I configure a NAT for a single service (interface ssh ipaddr ssh) I'm not able to get access to the default gateway 192.168.0.1. It seems that the PIX doesn't perform NAT from 172.16.0.3 (eth1) to 192.168.0.3 (eth0). It works only with NAT one-to-one. Most probably there is something wrong with my configuration and double NAT.
Thank you for your time,
Federico
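A small model of the static translation rules Puneesh explains above, added here as an illustration: it is not Cisco code and was not posted by anyone in the thread. It parses the static (real_ifc,mapped_ifc) form, resolves the interface keyword to the mapped interface's own address, and applies a rule in both directions, which is why the interface pair reads real-then-mapped while the addresses read mapped-then-real. It goes one step beyond the posts and also shows that a port-specific static (static PAT) only translates the server's traffic for that one port, so the server's other outbound connections find no matching translation. The client address 192.168.0.50, the spare mapped address 192.168.0.4, the ephemeral ports and the port-name table are constructed for the example; the interface addresses are the ones from the thread.

```python
"""Toy model of PIX 'static' NAT/PAT semantics (added illustration, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Small constructed subset of the port names the PIX CLI accepts.
PORT_NAMES = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}


def port(tok: str) -> int:
    """Turn a port name or number into an integer."""
    return PORT_NAMES.get(tok) or int(tok)


@dataclass(frozen=True)
class Static:
    real_ifc: str               # interface where the real (untranslated) host lives
    mapped_ifc: str             # interface on which the mapped (translated) address is seen
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None          # None = one-to-one NAT, "tcp"/"udp" = static PAT
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


def parse_static(line: str, ifc_ips: dict) -> Static:
    """Parse 'static (real,mapped) [tcp|udp] mapped_ip [mport] real_ip [rport] [netmask ...]'."""
    m = re.match(r"static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s*(.*)$", line.strip())
    if not m:
        raise ValueError(f"not a static command: {line!r}")
    real_ifc, mapped_ifc, rest = m.groups()
    toks = rest.split()
    if "netmask" in toks:                       # drop netmask and any trailing options
        toks = toks[: toks.index("netmask")]
    proto = toks.pop(0) if toks and toks[0] in ("tcp", "udp") else None
    if proto:                                   # static PAT: mapped_ip mport real_ip rport
        mapped_ip, mport, real_ip, rport = toks[0], port(toks[1]), toks[2], port(toks[3])
    else:                                       # one-to-one NAT: mapped_ip real_ip
        mapped_ip, real_ip, mport, rport = toks[0], toks[1], None, None
    if mapped_ip == "interface":                # keyword = the mapped interface's own address
        mapped_ip = ifc_ips[mapped_ifc]
    return Static(real_ifc, mapped_ifc, mapped_ip, real_ip, proto, mport, rport)


def translate(statics, in_ifc, proto, src, sport, dst, dport):
    """Return (src, sport, dst, dport) after the first matching static, or None if none applies."""
    for s in statics:
        if s.proto and s.proto != proto:
            continue
        # Mapped side -> real side: a packet on mapped_ifc for the mapped address/port.
        if in_ifc == s.mapped_ifc and dst == s.mapped_ip and (s.mapped_port is None or dport == s.mapped_port):
            return (src, sport, s.real_ip, s.real_port if s.proto else dport)
        # Real side -> mapped side: the same static rewrites the source on the way out (bidirectional).
        if in_ifc == s.real_ifc and src == s.real_ip and (s.real_port is None or sport == s.real_port):
            return (s.mapped_ip, s.mapped_port if s.proto else sport, dst, dport)
    return None


# Interface addresses from the thread: PIX outside 192.168.0.3, PIX inside 172.16.0.1.
IFC_IPS = {"outside": "192.168.0.3", "inside": "172.16.0.1"}


def demo():
    """Compare a static PAT for SSH with a one-to-one static for the same server."""
    pat = [parse_static(
        "static (inside,outside) tcp interface ssh 172.16.0.3 ssh netmask 255.255.255.255", IFC_IPS)]
    # Constructed spare address 192.168.0.4 on the LAN for the one-to-one case.
    one_to_one = [parse_static(
        "static (inside,outside) 192.168.0.4 172.16.0.3 netmask 255.255.255.255", IFC_IPS)]
    return {
        # LAN client (constructed 192.168.0.50) SSHing to the PIX outside address reaches the server.
        "pat_inbound_ssh": translate(pat, "outside", "tcp", "192.168.0.50", 40000, "192.168.0.3", 22),
        # The server browsing the router: the port-specific static does not cover source port 50000.
        "pat_outbound_http": translate(pat, "inside", "tcp", "172.16.0.3", 50000, "192.168.0.1", 80),
        # The one-to-one static covers every port, so the same packet is translated.
        "nat_outbound_http": translate(one_to_one, "inside", "tcp", "172.16.0.3", 50000, "192.168.0.1", 80),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The None result for the outbound HTTP case under static PAT is the point: the rule only creates a translation for the server's port 22, so on a PIX that requires a translation for inside-to-outside traffic (PIX 6.x, or 7.x with nat-control) the server's other connections need a separate nat/global pair rather than a wider static.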