RE: [nsp] REG: Cisco PIX Configuration

From: Raj Bansal (rbansal@aol.net)
Date: Thu Jul 05 2001 - 11:14:13 EDT


Version 5.2.4 or later has a feature that allows you to map different PAT
addresses to NAT pools. So in essence what you will do is create separate NAT
pools:

nat (inside) 1 10.1.0.0 255.255.0.0
nat (inside) 2 10.2.0.0 255.255.0.0

global (outside) 1 <public address 1>
global (outside) 2 <public address 2>

"overload" is the nat parameter used when doing PAT with Cisco routers. The
ACLs work differently on the PIX; they are more for restricting outbound
traffic.

Raj

  -----Original Message-----
  From: Vinod Anthony Joseph Cherunni [mailto:vac@dsqworld.com]
  Sent: Thursday, July 05, 2001 10:23 AM
  To: cisco-nsp@puck.nether.net
  Subject: [nsp] REG: Cisco PIX Configuration

  Dear All,

  I have a few queries in regard to the Cisco PIX 525 configuration.

  I would be very grateful if the configuration could be checked & I could
be enlightened on whether I am on the right path.

  nameif ethernet0 inside security100
  nameif ethernet1 outside security0
  nameif ethernet2 dmz security60
  nameif ethernet3 dmz1 security40

  ip address inside 10.1.1.1 255.0.0.0
  ip address outside 204.31.17.1 255.255.255.0
  ip address dmz 204.31.16.1 255.255.255.0
  ip address dmz1 204.31.15.1 255.255.255.0

  nat (inside) 1 10.0.0.5 255.0.0.0
  global (outside) 1 204.31.14.25

  Question: How would I only allow a group of hosts to use an overload NAT
address? Is it possible by only listing them one by one?

  outbound 11 permit 10.1.1.1 255.255.255.255
  outbound 11 deny 0 0
  apply (inside) 11 outgoing_src

  inbound 12 permit 0 0 204.31.16.0 255.255.255.0
  inbound 12 deny 0 0
  apply (outside) 12 incoming_src

  Question: Are these two access lists correct? Also, can the access lists
replace the static & conduit statements?

  Kindly enlighten me,

  With warm regards,

  Vinod.

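Putting Raj's answer together with Vinod's addressing, as an added example that is neither poster's own configuration: a chosen group of inside hosts is listed one host per line under NAT ID 1, each with a 255.255.255.255 mask, so only those hosts PAT to 204.31.14.25 (Vinod's global); a second block, 10.2.0.0/16, PATs to a second public address. The host addresses 10.1.1.1 through 10.1.1.3 and the second global 204.31.14.26 are assumed values for illustration.

```text
nat (inside) 1 10.1.1.1 255.255.255.255
nat (inside) 1 10.1.1.2 255.255.255.255
nat (inside) 1 10.1.1.3 255.255.255.255
global (outside) 1 204.31.14.25

nat (inside) 2 10.2.0.0 255.255.0.0
global (outside) 2 204.31.14.26
```

Several nat statements may share the same NAT ID, which is what makes the one-by-one listing work. An inside host that matches none of the nat statements gets no translation at all and is dropped by the PIX when it tries to reach the outside, so the hosts to be excluded do not need an outbound list; the outbound/apply lists are only needed if you want to restrict what the translated hosts may do.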


This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:44 EDT