[nsp] NAT translations in IOS 12.2 on pix 515

Voll, Scott Scott.Voll at wesd.org
Tue Jan 13 13:00:31 EST 2004


We have set up a little notepad to paste back into the PIX.

Looks something like this:

conf t
!
no access-list Outside
!
access-list Outside permit tcp any host x.x.x.x eq 25
access-list Outside permit tcp any host x.x.x.x eq domain
access-list Outside permit tcp any host x.x.x.x eq 443
access-group Outside in interface OUTSIDE
access-list Outside permit tcp any host x.x.x.x eq 8080
access-list Outside permit tcp any host x.x.x.x eq ftp
access-list Outside permit tcp any host x.x.x.x eq www
access-list Outside deny ip any any


So long as you assign the ACL to the interface after the first line of
the ACL, you can't really notice the ACL is being changed.

We have been known to do it during normal business hours in a pinch and
get no complaints.  And our ACL is around a hundred lines.

Scott
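
As an added example (not from this thread or from Cisco), a small Python linter for a paste-back block like the one above. It encodes three checks the thread itself raises: an access-list line with no protocol, an entry appended after an explicit 'deny ip any any' (which the PIX never evaluates, Pete's point below), and an access-group issued before the ACL has any entries. The sample config is constructed; 192.0.2.10 stands in for the real x.x.x.x.

```python
import re

# Constructed sample (not from the thread): the Outside ACL rebuilt the way the
# post describes, with one entry mistakenly appended after the explicit deny.
# 192.0.2.10 is a documentation-range placeholder for the real x.x.x.x.
SAMPLE = """\
conf t
!
no access-list Outside
!
access-list Outside permit tcp any host 192.0.2.10 eq 25
access-list Outside permit tcp any host 192.0.2.10 eq domain
access-group Outside in interface OUTSIDE
access-list Outside permit tcp any host 192.0.2.10 eq www
access-list Outside deny ip any any
access-list Outside permit tcp any host 192.0.2.10 eq 443
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$", re.I)
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$", re.I)
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def lint(config):
    """Return one finding per problem; an empty list means the block looks sane."""
    findings = []
    entries = 0          # access-list entries seen so far
    bound = False        # has an access-group been issued?
    terminal_at = None   # line number of a 'deny ip any any', once seen
    for lineno, raw in enumerate(config.splitlines(), 1):
        m = ACL_RE.match(raw.strip())
        if m:
            _name, action, proto, rest = m.groups()
            if proto.lower() not in PROTOCOLS:   # e.g. 'deny any any' has no protocol
                findings.append(f"line {lineno}: '{proto}' is not a protocol; write e.g. 'deny ip any any'")
            if terminal_at is not None:          # the PIX stops at the first matching entry
                findings.append(f"line {lineno}: unreachable, shadowed by the deny on line {terminal_at}")
            if action.lower() == "deny" and proto.lower() == "ip" and rest.split() == ["any", "any"]:
                terminal_at = lineno
            entries += 1
            continue
        g = GROUP_RE.match(raw.strip())
        if g:
            bound = True
            if entries == 0:  # the post binds the ACL only after its first entries exist
                findings.append(f"line {lineno}: access-group binds '{g.group(1)}' before it has any entries")
    if not bound:
        findings.append("no access-group: the rebuilt ACL is never applied to the interface")
    return findings
```

Run lint() over the text you are about to paste; anything it reports is cheaper to fix in the notepad than on a live firewall.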


-----Original Message-----
From: Mussie [mailto:mussieg at comcast.net] 
Sent: Tuesday, January 13, 2004 9:41 AM
To: 'Pete Templin'; cisco-nsp at puck.nether.net
Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515

While we are on the topic...

Is there a way to re-order ACLs or insert new ACL entries? If so, is this
supported on all versions [PIX & IOS]?  The only reason I leverage
'implied deny' is so that I can tack one more entry at the bottom without
having to re-edit the entire ACL.  I do prefer using 'deny any any' at the
end.  [Sorry, I'm still stuck on the old versions of IOS.]

- MGG


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pete Templin
Sent: Tuesday, January 13, 2004 12:25 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [nsp] NAT translations in IOS 12.2 on pix 515

Good point.

However, I do see the logic on both sides.  An explicit deny means that
new entries are ignored.  In the context of security policies, it can be
advantageous to force an administrator to think through the sequence of
their access list structure.  The explicit deny forces the admin to
write a new access list and change the reference, or delete the access
list and re-enter it (assuming they won't lose connectivity in the
middle).

Hudson Delbert J Contr 61 CS/SCBN wrote:
> excuse me for being an old router head, but don't cisco acls implicitly
> deny everything not explicitly annotated?
> 
> the first line would be enough.
> 
> simplicity is bliss.
> 
> economy of motion.
> 
> i like to let machines do the work.
> 
> i'd write the deny statement to log at the bottom, or it's just a habit
> to remind you it's there.
> 
> don't flame. it's not a big deal. it's just the only thing my feeble eyes
> saw.
> 
> sorry if it seems trivial. it is. hope everyone had a great holiday
> season. glad it's over.
> 
> bummer. starbucks was out of scones. go figure.
> 
> 
> ~v/r
> Del Hudson
> 61CS/SCBN - LAAFB NCC
> Network Architecture & Engineering Group
> delbert.hudson at losangeles.af.mil
> 
> 
> 
> -----Original Message-----
> From: Voll, Scott [mailto:Scott.Voll at wesd.org]
> Sent: Tuesday, January 13, 2004 7:18 AM
> To: Voll, Scott; daryl at introspect.net; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515
> 
> 
> Sorry, the ACL was wrong.  Going too fast too early in the morning. :-)
> 
> access-list test permit tcp any host x.x.x.x  eq smtp
> access-list test deny ip any host x.x.x.x
> 
> Scott
> 
> -----Original Message-----
> From: Voll, Scott 
> Sent: Tuesday, January 13, 2004 7:14 AM
> To: daryl at introspect.net; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515
> 
> The static nat would look something like this:
> 
> static (INSIDE,OUTSIDE) x.x.x.x 10.1.8.x netmask 255.255.255.255 0 0
> 
> Then you will use your ACL to only allow SMTP
> 
> access-list test permit udp any host x.x.x.x  eq snmp
> access-list test deny any host x.x.x.x
> 
> access-group test in interface OUTSIDE
> 
> Like Daryl said, you need the PDM for the web, but I have never used it.
> 
> Scott
> 
> -----Original Message-----
> From: daryl at introspect.net [mailto:daryl at introspect.net] 
> Sent: Monday, January 12, 2004 6:53 PM
> To: cisco-nsp at puck.nether.net
> Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515
> 
> 
>>-----Original Message-----
>>From: cisco-nsp-bounces at puck.nether.net 
>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of kanee
>>Sent: Monday, January 12, 2004 9:20 PM
>>To: cisco-nsp at puck.nether.net
>>Subject: [nsp] NAT translations in IOS 12.2 on pix 515
>>
>>
>>Guys,
>>
>>Can I configure a NAT statement on a PIX 515 (Version 6.2 IOS) via its
>>web interface? How do I enable the web server on a PIX 515?
> 
> 
> Absolutely...but you don't really "enable" the web interface like you do
> with an IOS router....you need to have PDM installed.  3.0(1) is the
> current version, I believe (that will work with 6.2).  Then you just
> https://<inside_address_of_pix> and it should work, providing you have
> the appropriate "http <address> <netmask> inside" (or outside if you're
> not too security conscious) in place.
> 
> 
>>I want SMTP traffic coming in on the x.x.x.x IP to be NAT'd to a
>>10.1.8.x address. What is the correct syntax for this NAT statement?
> 
> 
> I can't remember off the top of my head, because I'm lazy and always use
> PDM now.  Give it a try...
> 
> Daryl G. Jurbala
> BMPC Network Operations
> Tel: +1 215 825 8401 x235
> Fax: +1 508 526 8500
> INOC-DBA: 26412*DGJ
> 
> PGP Key: http://www.introspect.net/pgp 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 