[nsp] NAT translations in IOS 12.2 on pix 515

Voll, Scott Scott.Voll at wesd.org
Tue Jan 13 12:33:32 EST 2004


If you look at the ACL, my goal was only to insert these two lines into
the current Outside ACL.

The deny statement at the end was only to deny all other traffic to that
one server.

Scott

-----Original Message-----
From: Pete Templin [mailto:petelists at templin.org] 
Sent: Tuesday, January 13, 2004 9:25 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [nsp] NAT translations in IOS 12.2 on pix 515

Good point.

However, I do see the logic on both sides.  An explicit deny means that
new entries are ignored.  In the context of security policies, it can be
advantageous to force an administrator to think through the sequence of
their access list structure.  The explicit deny forces the admin to
write a new access list and change the reference, or delete the access
list and re-enter it (assuming they won't lose connectivity in the
middle).

Hudson Delbert J Contr 61 CS/SCBN wrote:
> excuse me for being an old router head but don't cisco acls implicitly
> deny everything not explicitly annotated.
> 
> the first line would be enough.
> 
> simplicity is bliss.
> 
> economy of motion.
> 
> i like to let machines do the work.
> 
> i'd write the deny statement to log at the bottom or it's just a habit
> to remind you it's there.
> 
> don't flame. it's not a big deal. it's just the only thing my feeble eyes
> saw.
> 
> sorry if it seems trivial. it is. hope everyone had a great holiday
> season. glad it's over.
> 
> bummer. starbucks was out of scones. go figure.
> 
> 
> ~v/r
> Del Hudson
> 61CS/SCBN - LAAFB NCC
> Network Architecture & Engineering Group
> delbert.hudson at losangeles.af.mil
> 
> 
> 
> -----Original Message-----
> From: Voll, Scott [mailto:Scott.Voll at wesd.org]
> Sent: Tuesday, January 13, 2004 7:18 AM
> To: Voll, Scott; daryl at introspect.net; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515
> 
> 
> Sorry the ACL was wrong.  Going too fast too early in the morning. :-)
> 
> access-list test permit tcp any host x.x.x.x  eq smtp
> access-list test deny ip any host x.x.x.x
> 
> Scott
> 
> -----Original Message-----
> From: Voll, Scott 
> Sent: Tuesday, January 13, 2004 7:14 AM
> To: daryl at introspect.net; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515
> 
> The static nat would look something like this:
> 
> static (INSIDE,OUTSIDE) x.x.x.x 10.1.8.x netmask 255.255.255.255 0 0
> 
> Then you will use your ACL to only allow SMTP
> 
> access-list test permit udp any host x.x.x.x  eq snmp
> access-list test deny any host x.x.x.x
> 
> access-group test in interface OUTSIDE
> 
> Like daryl said you need the PDM for the web, but I have never used
> it.
> 
> Scott
> 
> -----Original Message-----
> From: daryl at introspect.net [mailto:daryl at introspect.net] 
> Sent: Monday, January 12, 2004 6:53 PM
> To: cisco-nsp at puck.nether.net
> Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515
> 
> 
>>-----Original Message-----
>>From: cisco-nsp-bounces at puck.nether.net 
>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of kanee
>>Sent: Monday, January 12, 2004 9:20 PM
>>To: cisco-nsp at puck.nether.net
>>Subject: [nsp] NAT translations in IOS 12.2 on pix 515
>>
>>
>>Guys,
>>
>>Can I configure a NAT statement on a pix 515 Version 6.2 IOS 
>>via its web interface. How do I enable web server on a pix 515.
> 
> 
> Absolutely...but you don't really "enable" the web interface like you
> do with an IOS router....you need to have PDM installed.  3.0(1) is the
> current version, I believe (that will work with 6.2).  Then you just
> https://<inside_address_of_pix> and it should work, providing you have
> the appropriate "http <address> <netmask> inside" (or outside if you're
> not too security conscious) in place.
> 
> 
>>I want smtp traffic coming on x.x.x.x IP to be nat'd to a 
>>10.1.8.x address. What is the correct syntax for this NAT statement.
> 
> 
> I can't remember off the top of my head, because I'm lazy and always
> use PDM now.  Give it a try...
> 
> Daryl G. Jurbala
> BMPC Network Operations
> Tel: +1 215 825 8401 x235
> Fax: +1 508 526 8500
> INOC-DBA: 26412*DGJ
> 
> PGP Key: http://www.introspect.net/pgp 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
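The static-plus-ACL recipe and the implicit-versus-explicit deny discussion in this thread can be checked offline with a small first-match simulator. The script below is an added example written for this page; it is not Cisco code and was not posted by any of the participants. It assumes the PIX 6.x form `access-list NAME permit|deny ip|tcp|udp any host DST [eq SERVICE]`, uses the constructed documentation address 192.0.2.10 in place of x.x.x.x, and includes a hypothetical `eq http` entry appended after the explicit deny to show the "new entries are ignored" case Pete describes.

```python
"""Toy first-match evaluator for PIX-style access-list entries.

Constructed for this thread; not Cisco code and not from any poster.
It models two behaviours discussed above: the implicit deny at the end of
every access list, and the way an explicit 'deny ip any host X' entry
shadows any permit entry appended after it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names the toy parser understands (a small subset of PIX keywords).
SERVICE_PORTS = {"smtp": 25, "snmp": 161, "http": 80, "https": 443}

# Matches the PIX 6.x form used in the thread:
#   access-list NAME permit|deny ip|tcp|udp any host DST [eq SERVICE]
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp)\s+any\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


@dataclass(frozen=True)
class Entry:
    name: str
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp" or "udp"
    dst: str             # "any" or a single host address
    port: Optional[int]  # destination port, or None when not restricted


def parse_acl(text: str) -> List[Entry]:
    """Parse access-list lines in configuration order; unsupported forms
    (such as a deny line with no protocol keyword) raise ValueError."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported access-list line: {line!r}")
        dst = "any" if m["dst"] == "any" else m["dst"].split()[1]
        port = None
        if m["port"] is not None:
            if m["proto"] == "ip":
                raise ValueError(f"'eq' is not valid with protocol ip: {line!r}")
            port = int(m["port"]) if m["port"].isdigit() else SERVICE_PORTS[m["port"]]
        entries.append(Entry(m["name"], m["action"], m["proto"], dst, port))
    return entries


def _covers(e: Entry, proto: str, dst: str, dport: Optional[int]) -> bool:
    """True when entry e matches a packet with this protocol, destination and port."""
    return ((e.proto == "ip" or e.proto == proto)
            and (e.dst == "any" or e.dst == dst)
            and (e.port is None or e.port == dport))


def evaluate(entries: List[Entry], proto: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match lookup. Returns (action, index); index None means the
    implicit deny at the end of the list decided the packet."""
    for i, e in enumerate(entries):
        if _covers(e, proto, dst, dport):
            return e.action, i
    return "deny", None


def shadowed_entries(entries: List[Entry]) -> List[int]:
    """Indices of entries that can never match because an earlier entry
    already covers every packet they would match."""
    shadowed = []
    for i, later in enumerate(entries):
        # _covers(earlier, <later's own match criteria>) is exactly "earlier subsumes later".
        if any(_covers(earlier, later.proto, later.dst, later.port) for earlier in entries[:i]):
            shadowed.append(i)
    return shadowed


# Constructed samples: 192.0.2.10 (RFC 5737 documentation range) stands in for x.x.x.x.
ACL_EXPLICIT_DENY = """
access-list test permit tcp any host 192.0.2.10 eq smtp
access-list test deny ip any host 192.0.2.10
! hypothetical entry appended later to open a web UI on the same host
access-list test permit tcp any host 192.0.2.10 eq http
"""

ACL_IMPLICIT_DENY = """
access-list test permit tcp any host 192.0.2.10 eq smtp
access-list test permit tcp any host 192.0.2.10 eq http
"""

if __name__ == "__main__":
    for label, text in (("explicit deny", ACL_EXPLICIT_DENY), ("implicit deny only", ACL_IMPLICIT_DENY)):
        acl = parse_acl(text)
        print(f"[{label}] tcp/80 -> {evaluate(acl, 'tcp', '192.0.2.10', 80)}, "
              f"udp/161 -> {evaluate(acl, 'udp', '192.0.2.10', 161)}, shadowed={shadowed_entries(acl)}")
```

Running it shows the two sides of the argument side by side: with the explicit `deny ip` in place, the appended http permit is reported as shadowed and tcp/80 is denied by entry 1, while without it the same permit takes effect and everything else still falls to the implicit deny. The parser also rejects the protocol-less `deny any host` line from the earlier message, which is the mistake Scott corrected.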