[nsp] NAT translations in IOS 12.2 on pix 515

Mussie mussieg at comcast.net
Tue Jan 13 12:41:00 EST 2004


While we are on the topic...

Is there a way to re-order the ACLs or insert new ACL entries? If so, is this
supported on all versions [PIX & IOS]?  The only reason I leverage 'implied
deny' is so that I can tack one more entry at the bottom without having to
re-edit the entire ACL.  I do prefer using 'deny any any' at the end.
[Sorry, I'm still stuck on the old versions of IOS.]

- MGG
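As an added illustration of the ordering point raised here and in Pete Templin's reply below (this is not code from the thread, from Cisco, or from the PIX itself), the following Python models first-match ACL evaluation with the implicit deny, and flags entries that can never match because an earlier entry already covers them. It parses the PIX-style `access-list` lines Scott Voll posted (host/any/network-mask forms, optional `eq` port); 192.0.2.10 is a constructed stand-in for the x.x.x.x in the thread, and the `PORT_NAMES` table is a small constructed subset of the service names PIX accepts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the service names PIX/IOS accept after "eq".
PORT_NAMES = {"smtp": 25, "www": 80, "snmp": 161, "https": 443}


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None means any destination port
    text: str              # original line, kept for reporting


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists use ordinary netmasks (not IOS wildcard masks)
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config: str, name: str) -> list:
    """Collect the entries of access-list NAME from a config blob, in order."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[:2] != ["access-list", name]:
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            p = tokens[i + 1]
            dport = int(p) if p.isdigit() else PORT_NAMES[p]
        entries.append(Entry(action, proto, src, dst, dport, line.strip()))
    return entries


def evaluate(entries, proto, src, dst, dport=None):
    """First match wins; nothing matching falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.text
    return "deny", "<implicit deny>"


def _covers(a, b):
    """True when every packet matching entry b also matches the earlier entry a."""
    return (a.proto in ("ip", b.proto)
            and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst)
            and (a.dport is None or a.dport == b.dport))


def shadowed_entries(entries):
    """Entries that can never match because one earlier entry fully covers them.

    This is a single-entry check; it does not detect shadowing by a union
    of several earlier entries."""
    dead = []
    for i, e in enumerate(entries):
        for earlier in entries[:i]:
            if _covers(earlier, e):
                dead.append((e.text, earlier.text))
                break
    return dead


# Constructed samples modelled on the ACL in the thread, each with a new
# "permit www" entry tacked onto the bottom after the fact.
EXPLICIT_DENY_ACL = """
access-list test permit tcp any host 192.0.2.10 eq smtp
access-list test deny ip any host 192.0.2.10
access-list test permit tcp any host 192.0.2.10 eq www
"""

IMPLICIT_DENY_ACL = """
access-list test permit tcp any host 192.0.2.10 eq smtp
access-list test permit tcp any host 192.0.2.10 eq www
"""


def demo():
    explicit = parse_acl(EXPLICIT_DENY_ACL, "test")
    implicit = parse_acl(IMPLICIT_DENY_ACL, "test")
    return {
        "explicit_www": evaluate(explicit, "tcp", "198.51.100.7", "192.0.2.10", 80)[0],
        "implicit_www": evaluate(implicit, "tcp", "198.51.100.7", "192.0.2.10", 80)[0],
        "explicit_dead": [t for t, _ in shadowed_entries(explicit)],
        "implicit_dead": [t for t, _ in shadowed_entries(implicit)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run against the two samples, the appended `permit ... eq www` line is reported as unreachable behind the explicit `deny ip any host`, and web traffic to the host is still denied; with only the implicit deny the same appended line is live. Running `shadowed_entries` over a config before pushing it is a cheap way to catch the "new entries are ignored" case Pete describes.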


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pete Templin
Sent: Tuesday, January 13, 2004 12:25 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [nsp] NAT translations in IOS 12.2 on pix 515

Good point.

However, I do see the logic on both sides.  An explicit deny means that 
new entries are ignored.  In the context of security policies, it can be 
advantageous to force an administrator to think through the sequence of 
their access list structure.  The explicit deny forces the admin to 
write a new access list and change the reference, or delete the access 
list and re-enter it (assuming they won't lose connectivity in the middle).

Hudson Delbert J Contr 61 CS/SCBN wrote:
> excuse me for being an old router head, but don't cisco acls implicitly deny
> everything not explicitly annotated?
> 
> the first line would be enough.
> 
> simplicity is bliss.
> 
> economy of motion.
> 
> i like to let machines do the work.
> 
> i'd write the deny statement to log at the bottom, or it's just a habit to
> remind you it's there.
> 
> don't flame. it's not a big deal. it's just the only thing my feeble eyes
> saw. 
> 
> sorry if it seems trivial. it is. hope everyone had a great holiday
> season. glad it's over.
> 
> bummer. starbucks was out scones. go figure.
> 
> 
> ~v/r
> Del Hudson
> 61CS/SCBN - LAAFB NCC
> Network Architecture & Engineering Group
> delbert.hudson at losangeles.af.mil
> 
> 
> 
> -----Original Message-----
> From: Voll, Scott [mailto:Scott.Voll at wesd.org]
> Sent: Tuesday, January 13, 2004 7:18 AM
> To: Voll, Scott; daryl at introspect.net; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515
> 
> 
> Sorry, the ACL was wrong.  Going too fast too early in the morning. :-)
> 
> access-list test permit tcp any host x.x.x.x  eq smtp
> access-list test deny ip any host x.x.x.x
> 
> Scott
> 
> -----Original Message-----
> From: Voll, Scott 
> Sent: Tuesday, January 13, 2004 7:14 AM
> To: daryl at introspect.net; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515
> 
> The static nat would look something like this:
> 
> static (INSIDE,OUTSIDE) x.x.x.x 10.1.8.x netmask 255.255.255.255 0 0
> 
> Then you will use your ACL to only allow SMTP
> 
> access-list test permit udp any host x.x.x.x  eq snmp
> access-list test deny any host x.x.x.x
> 
> access-group test in interface OUTSIDE
> 
> Like daryl said you need the PDM for the web, but I have never used it.
> 
> Scott
> 
> -----Original Message-----
> From: daryl at introspect.net [mailto:daryl at introspect.net] 
> Sent: Monday, January 12, 2004 6:53 PM
> To: cisco-nsp at puck.nether.net
> Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515
> 
> 
>>-----Original Message-----
>>From: cisco-nsp-bounces at puck.nether.net 
>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of kanee
>>Sent: Monday, January 12, 2004 9:20 PM
>>To: cisco-nsp at puck.nether.net
>>Subject: [nsp] NAT translations in IOS 12.2 on pix 515
>>
>>
>>Guys,
>>
>>Can I configure a NAT statement on a pix 515 Version 6.2 IOS 
>>via its web interface? How do I enable the web server on a pix 515?
> 
> 
> Absolutely...but you don't really "enable" the web interface like you do
> with an IOS router....you need to have PDM installed.  3.0(1) is the
> current version, I believe (that will work with 6.2).  Then you just
> https://<inside_address_of_pix> and it should work, providing you have
> the appropriate "http <address> <netmask> inside" (or outside if you're
> not too security conscious) in place.
> 
> 
>>I want smtp traffic coming in on x.x.x.x IP to be nat'd to a 
>>10.1.8.x address. What is the correct syntax for this NAT statement?
> 
> 
> I can't remember off the top of my head, because I'm lazy and always use
> PDM now.  Give it a try...
> 
> Daryl G. Jurbala
> BMPC Network Operations
> Tel: +1 215 825 8401 x235
> Fax: +1 508 526 8500
> INOC-DBA: 26412*DGJ
> 
> PGP Key: http://www.introspect.net/pgp 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/