[nsp] NAT translations in IOS 12.2 on pix 515

Hudson Delbert J Contr 61 CS/SCBN Delbert.Hudson at LOSANGELES.AF.MIL
Tue Jan 13 11:46:22 EST 2004


excuse me for being an old router head but don't cisco acls implicitly deny
everything not explicitly annotated?

the first line would be enough.

simplicity is bliss.

economy of motion.

i like to let machines do the work.

i'd write the deny statement to log at the bottom or it's just a habit to
remind you it's there.

don't flame. it's not a big deal. it's just the only thing my feeble eyes saw.

sorry if it seems trivial. it is. hope everyone had a great holiday season.
glad it's over.

bummer. starbucks was out of scones. go figure.


~v/r
Del Hudson
61CS/SCBN - LAAFB NCC
Network Architecture & Engineering Group
delbert.hudson at losangeles.af.mil



-----Original Message-----
From: Voll, Scott [mailto:Scott.Voll at wesd.org]
Sent: Tuesday, January 13, 2004 7:18 AM
To: Voll, Scott; daryl at introspect.net; cisco-nsp at puck.nether.net
Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515


Sorry, the ACL was wrong.  Going too fast too early in the morning. :-)

access-list test permit tcp any host x.x.x.x  eq smtp
access-list test deny ip any host x.x.x.x

Scott

-----Original Message-----
From: Voll, Scott 
Sent: Tuesday, January 13, 2004 7:14 AM
To: daryl at introspect.net; cisco-nsp at puck.nether.net
Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515

The static nat would look something like this:

static (INSIDE,OUTSIDE) x.x.x.x 10.1.8.x netmask 255.255.255.255 0 0

Then you will use your ACL to only allow SMTP

access-list test permit udp any host x.x.x.x  eq snmp
access-list test deny any host x.x.x.x

access-group test in interface OUTSIDE

Like daryl said you need the PDM for the web, but I have never used it.

Scott

-----Original Message-----
From: daryl at introspect.net [mailto:daryl at introspect.net] 
Sent: Monday, January 12, 2004 6:53 PM
To: cisco-nsp at puck.nether.net
Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of kanee
> Sent: Monday, January 12, 2004 9:20 PM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] NAT translations in IOS 12.2 on pix 515
> 
> 
> Guys,
> 
> Can I configure a NAT statement on a pix 515 Version 6.2 IOS 
> via its web interface? How do I enable web server on a pix 515?

Absolutely...but you don't really "enable" the web interface like you do
with an IOS router....you need to have PDM installed.  3.0(1) is the
current version, I believe (that will work with 6.2).  Then you just
https://<inside_address_of_pix> and it should work, providing you have
the appropriate "http <address> <netmask> inside" (or outside if you're
not too security conscious) in place.

> I want smtp traffic coming on x.x.x.x IP to be nat'd to a 
> 10.1.8.x address. What is the correct syntax for this NAT statement?

I can't remember off the top of my head, because I'm lazy and always use
PDM now.  Give it a try...

Daryl G. Jurbala
BMPC Network Operations
Tel: +1 215 825 8401 x235
Fax: +1 508 526 8500
INOC-DBA: 26412*DGJ

PGP Key: http://www.introspect.net/pgp 
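
Added example (not part of the original thread, and not Cisco code): a simplified first-match model of the ACL entries posted above, showing how the implicit deny at the end of an access list affects the verdicts. It assumes the constructed address 192.0.2.25 in place of x.x.x.x and handles only the "any host ADDR [eq PORT]" form used in the thread; the names parse_ace, evaluate and same_verdicts are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional

PORT_NAMES = {"smtp": 25, "snmp": 161}  # only the keywords used in the thread
PUBLIC = "192.0.2.25"  # constructed stand-in for the thread's x.x.x.x

class Ace(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol
    dst: ipaddress.IPv4Address
    port: Optional[int]    # None means any destination port

def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME ACTION PROTO any host ADDR [eq PORT]'."""
    t = line.split()
    ok = (len(t) in (7, 9) and t[0] == "access-list"
          and t[2] in ("permit", "deny") and t[4:6] == ["any", "host"])
    if not ok or (len(t) == 9 and t[7] != "eq"):
        raise ValueError(f"unsupported ACL entry: {line!r}")
    port = None
    if len(t) == 9:
        port = PORT_NAMES.get(t[8]) or int(t[8])
    return Ace(t[2], t[3], ipaddress.IPv4Address(t[6]), port)

def evaluate(acl, proto, dst, dport):
    """First match wins; a packet matching no entry hits the implicit deny."""
    dst = ipaddress.IPv4Address(dst)
    for n, ace in enumerate(acl, 1):
        if (ace.proto in ("ip", proto) and ace.dst == dst
                and ace.port in (None, dport)):
            return ace.action, f"line {n}"
    return "deny", "implicit"

CORRECTED = [parse_ace(l) for l in (
    f"access-list test permit tcp any host {PUBLIC} eq smtp",
    f"access-list test deny ip any host {PUBLIC}",
)]
FIRST_LINE_ONLY = CORRECTED[:1]
# The permit entry as first posted (udp/snmp), before the correction.
AS_FIRST_POSTED = [parse_ace(f"access-list test permit udp any host {PUBLIC} eq snmp")]
# Constructed probe packets: (protocol, destination, destination port).
PROBES = [("tcp", PUBLIC, 25), ("tcp", PUBLIC, 80),
          ("udp", PUBLIC, 161), ("tcp", "192.0.2.99", 25)]

def same_verdicts(a, b, packets):
    """True when both ACLs permit/deny every probe packet identically."""
    return all(evaluate(a, *p)[0] == evaluate(b, *p)[0] for p in packets)

if __name__ == "__main__":
    for p in PROBES:
        print(p, evaluate(CORRECTED, *p), evaluate(FIRST_LINE_ONLY, *p))
```

In this model the explicit deny changes only which entry reports the match, not the permit/deny outcome, and the entry as first posted leaves SMTP blocked by the implicit deny.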


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
