[nsp] RE: cisco-nsp Digest, Vol 14, Issue 26

Jordan Pilchman JPilchman at mnrc.com
Tue Jan 13 13:24:35 EST 2004


Sven - 
Do you have part numbers?
I can help.

Jordan Pilchman
Director of Memory and Server Option Sales
Monarch Technology
Jpilchman at mnrc.com
800-487-7604 Ext. 231
949-487-7604 Ext.231
949-487-7610 Fax
AOL IM JordanMNRC

"An 8(a) and SDB Company"






-----Original Message-----
From: cisco-nsp-request at puck.nether.net
[mailto:cisco-nsp-request at puck.nether.net]
Sent: Tuesday, January 13, 2004 10:12 AM
To: cisco-nsp at puck.nether.net
Subject: cisco-nsp Digest, Vol 14, Issue 26


Send cisco-nsp mailing list submissions to
	cisco-nsp at puck.nether.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://puck.nether.net/mailman/listinfo/cisco-nsp
or, via email, send a message with subject or body 'help' to
	cisco-nsp-request at puck.nether.net

You can reach the person managing the list at
	cisco-nsp-owner at puck.nether.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of cisco-nsp digest..."


Today's Topics:

   1. Router sizing (Sven Huster)
   2. Re: NAT translations in IOS 12.2 on pix 515 (Pete Templin)
   3. RE: NAT translations in IOS 12.2 on pix 515 (Voll, Scott)
   4. RE: NAT translations in IOS 12.2 on pix 515 (Mussie)
   5. RE: NAT translations in IOS 12.2 on pix 515 (Voll, Scott)


----------------------------------------------------------------------

Message: 1
Date: Tue, 13 Jan 2004 17:19:19 +0000
From: Sven Huster <sven at huster.me.uk>
Subject: [nsp] Router sizing
To: cisco-nsp at puck.nether.net
Message-ID: <20040113171919.GA31819 at gate.huster.me.uk>
Content-Type: text/plain; charset=us-ascii

Hello

I'm looking into upgrading some of our routers.

We need:
- Unit 1
  -- 2 Gi to our core network (both fibre)
  -- 1 Gi to upstream/peers (fibre), 
     which will then be split in 2 Fa 
     (one upstream, one peering) at the far end.
  -- 1 Fa to OoB mgmt network
- Unit 2
  -- 2 Gi to our core network (both fibre)
  -- 2 Fa to upstream/peers (1 copper/1 fibre)
  -- 1 Fa to OoB mgmt network

Unit 1 receives 1 full and 80 partial BGP views.
Unit 2 receives 1 full and 20 partial BGP views.

Currently we are doing 150Mb/s peak.

As these will be our main upstream/peering 
connections I'm especially looking for the pps
and support of uRPF, ACL and obviously BGP. 
Furthermore OSPF but no need for MPLS.

Of course, we need some room for growth like
another upstream (1 Fa) on each with full views.

Any suggestion on which Cisco kit would do this?
Any more information I need to provide?

Thanks
Cheers
Sven


------------------------------

Message: 2
Date: Tue, 13 Jan 2004 11:25:06 -0600
From: Pete Templin <petelists at templin.org>
Subject: Re: [nsp] NAT translations in IOS 12.2 on pix 515
To: cisco-nsp at puck.nether.net
Message-ID: <400429F2.3060009 at templin.org>
Content-Type: text/plain; charset=us-ascii; format=flowed

Good point.

However, I do see the logic on both sides.  An explicit deny means that 
new entries are ignored.  In the context of security policies, it can be 
advantageous to force an administrator to think through the sequence of 
their access list structure.  The explicit deny forces the admin to 
write a new access list and change the reference, or delete the access 
list and re-enter it (assuming they won't lose connectivity in the middle).

Hudson Delbert J Contr 61 CS/SCBN wrote:
> excuse me for being an old router head but dont cisco acls implicitly deny
> everything not explicitly annotated.
> 
> the first line would be enough.
> 
> simplicity is bliss.
> 
> economy of motion.
> 
> i like to let machines do the work.
> 
> i'd write the deny statement to log at the bottom or its just a habit to
> remind you its there.
> 
> dont flame. its not a big deal. its just the only thing my feeble eyes saw. 
> 
> sorry if it seems trivial. it is. hope everyone had a great holiday season.
> glad its over.
> 
> bummer. starbucks was out scones. go figure.
> 
> 
> ~v/r
> Del Hudson
> 61CS/SCBN - LAAFB NCC
> Network Architecture & Engineering Group
> delbert.hudson at losangeles.af.mil
> 
> 
> 
> -----Original Message-----
> From: Voll, Scott [mailto:Scott.Voll at wesd.org]
> Sent: Tuesday, January 13, 2004 7:18 AM
> To: Voll, Scott; daryl at introspect.net; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515
> 
> 
> Sorry the ACL was wrong.  Going too fast too early in the morning. :-)
> 
> access-list test permit tcp any host x.x.x.x  eq smtp
> access-list test deny ip any host x.x.x.x
> 
> Scott
> 
> -----Original Message-----
> From: Voll, Scott 
> Sent: Tuesday, January 13, 2004 7:14 AM
> To: daryl at introspect.net; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515
> 
> The static nat would look something like this:
> 
> static (INSIDE,OUTSIDE) x.x.x.x 10.1.8.x netmask 255.255.255.255 0 0
> 
> Then you will use your ACL to only allow SMTP
> 
> access-list test permit udp any host x.x.x.x  eq snmp
> access-list test deny any host x.x.x.x
> 
> access-group test in interface OUTSIDE
> 
> Like daryl said you need the PDM for the web, but I have never used it.
> 
> Scott
> 
> -----Original Message-----
> From: daryl at introspect.net [mailto:daryl at introspect.net] 
> Sent: Monday, January 12, 2004 6:53 PM
> To: cisco-nsp at puck.nether.net
> Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515
> 
> 
>>-----Original Message-----
>>From: cisco-nsp-bounces at puck.nether.net 
>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of kanee
>>Sent: Monday, January 12, 2004 9:20 PM
>>To: cisco-nsp at puck.nether.net
>>Subject: [nsp] NAT translations in IOS 12.2 on pix 515
>>
>>
>>Guys,
>>
>>Can I configure a NAT statement on a pix 515 Version 6.2 IOS 
>>via its web interface. How do I enable web server on a pix 515.
> 
> 
> Absolutely...but you don't really "enable" the web interface like you do
> with an IOS router....you need to have PDM installed.  3.0(1) is the
> current version, I believe (that will work with 6.2).  Then you just
> https://<inside_address_of_pix> and it should work, providing you have
> the appropriate "http <address> <netmask> inside" (or outside if you're
> not too security conscious) in place.
> 
> 
>>I want smtp traffic coming on x.x.x.x IP to be nat'd to a 
>>10.1.8.x address. What is the correct syntax for this NAT statement.
> 
> 
> I can't remember off the top of my head, because I'm lazy and always use
> PDM now.  Give it a try...
> 
> Daryl G. Jurbala
> BMPC Network Operations
> Tel: +1 215 825 8401 x235
> Fax: +1 508 526 8500
> INOC-DBA: 26412*DGJ
> 
> PGP Key: http://www.introspect.net/pgp 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


------------------------------

Message: 3
Date: Tue, 13 Jan 2004 09:33:32 -0800
From: "Voll, Scott" <Scott.Voll at wesd.org>
Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515
To: <cisco-nsp at puck.nether.net>
Message-ID: <A85EF8C2C10DA6499807D44B7FDFEB4F0120D77B at venus.wesd.org>
Content-Type: text/plain;	charset="us-ascii"

If you look at the ACL my goal was only to insert these two lines into
the current Outside ACL.  

The deny statement at the end was only to deny all other traffic to that
one server.

Scott




------------------------------

Message: 4
Date: Tue, 13 Jan 2004 12:41:00 -0500
From: "Mussie" <mussieg at comcast.net>
Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515
To: "'Pete Templin'" <petelists at templin.org>,
	<cisco-nsp at puck.nether.net>
Message-ID:
	<FD1B6DC5FFF43C4888DCC155FE8C1FFE224E67 at 7xch10ka.sevenspace.local>
Content-Type: text/plain;	charset="us-ascii"

While we are on the topic...

Is there a way to re-order the ACLs or insert new ACL entries? If so, is this
supported on all versions [PIX & IOS]?  The only reason I leverage 'implied
deny' is so that I can tack one more entry at the bottom without having to
re-edit the entire ACL.  I do prefer using 'deny any any' at the end.
[sorry, I'm still stuck on the old versions of IOS]. 

- MGG






------------------------------

Message: 5
Date: Tue, 13 Jan 2004 10:00:31 -0800
From: "Voll, Scott" <Scott.Voll at wesd.org>
Subject: RE: [nsp] NAT translations in IOS 12.2 on pix 515
To: "Mussie" <mussieg at comcast.net>, "Pete Templin"
	<petelists at templin.org>,	<cisco-nsp at puck.nether.net>
Message-ID: <A85EF8C2C10DA6499807D44B7FDFEB4F01681340 at venus.wesd.org>
Content-Type: text/plain;	charset="us-ascii"

We have set up a little notepad file to paste back into the PIX.

Looks something like this--

conf t
!
no access-list Outside
!
access-list Outside permit tcp any host x.x.x.x eq 25
access-list Outside permit tcp any host x.x.x.x eq dns
access-list Outside permit tcp any host x.x.x.x eq 443
access-group Outside in interface OUTSIDE
access-list Outside permit tcp any host x.x.x.x eq 8080
access-list Outside permit tcp any host x.x.x.x eq ftp
access-list Outside permit tcp any host x.x.x.x eq www
access-list Outside deny ip any any


So long as you assign the ACL to the interface after the first line of
the ACL, you can't really notice the ACL is being changed.

We have been known to do it during normal business hours in a pinch and
get no complaints.  And our ACL is around a hundred lines.

Scott





------------------------------
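A worked illustration of the two points this thread circles around (Pete's observation in Message 2 that an entry appended after an explicit deny is never reached, and Scott's rebuild-and-rebind paste block in Message 5), added here as an example; it is not code from the thread or from Cisco. It is a small Python model of first-match evaluation for PIX/IOS-style `access-list` lines: it parses the lines (rejecting the protocol-less `deny any host ...` form that was corrected earlier in the thread), evaluates a packet against the list with the implicit deny at the end, reports entries that an earlier entry shadows, and generates a paste block in the Message 5 layout. The sample ACL, the addresses (192.0.2.10 standing in for the x.x.x.x server, 198.51.100.5 as a client) and the service-name table are constructed for the example, and the function names are my own.

```python
"""Constructed example (not code from the cisco-nsp thread or from Cisco):
a first-match model of PIX/IOS-style extended ACLs, a shadowed-entry check,
and a generator for the rebuild paste block described in Message 5."""
import ipaddress
import re

# Service names used in the thread, mapped to port numbers (constructed subset).
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443,
              "ftp": 21, "domain": 53, "snmp": 161}

# Constructed ACL in the thread's style. 192.0.2.10 stands in for the x.x.x.x
# mail server. The last line reproduces the problem Pete describes: a permit
# appended after the explicit deny can never be reached.
SAMPLE_ACL = [
    "access-list Outside permit tcp any host 192.0.2.10 eq smtp",
    "access-list Outside permit tcp any host 192.0.2.10 eq https",
    "access-list Outside deny ip any host 192.0.2.10",
    "access-list Outside permit tcp any host 192.0.2.10 eq www",
]

_ADDR = r"(any|host \d+\.\d+\.\d+\.\d+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
_ACE_RE = re.compile(
    rf"^access-list (\S+) (permit|deny) (ip|tcp|udp) {_ADDR} {_ADDR}(?: eq (\S+))?$")


def _to_net(text):
    """'any' -> 0.0.0.0/0; 'host A' -> A/32; 'A MASK' -> network (PIX masks are real masks)."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if text.startswith("host "):
        return ipaddress.ip_network(text[5:] + "/32")
    addr, mask = text.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ace(line):
    """Return (acl_name, ace). Lines that omit the protocol keyword, like the
    'deny any host x.x.x.x' form corrected in the thread, are rejected."""
    line = " ".join(line.split())          # collapse doubled spaces
    m = _ACE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable ACE (protocol keyword required): {line!r}")
    name, action, proto, src, dst, port = m.groups()
    if port is not None and proto == "ip":
        raise ValueError("'eq <port>' is only valid with tcp or udp")
    dport = None if port is None else (int(port) if port.isdigit() else PORT_NAMES[port])
    return name, {"action": action, "proto": proto,
                  "src": _to_net(src), "dst": _to_net(dst), "dport": dport}


def parse_acl(lines):
    """Parse a whole list; all lines must belong to the same named ACL."""
    parsed = [parse_ace(line) for line in lines]
    names = {n for n, _ in parsed}
    if len(names) != 1:
        raise ValueError(f"expected one ACL name, got {sorted(names)}")
    return names.pop(), [ace for _, ace in parsed]


def _matches(ace, proto, src, dst, dport):
    return (ace["proto"] in ("ip", proto)
            and ipaddress.ip_address(src) in ace["src"]
            and ipaddress.ip_address(dst) in ace["dst"]
            and ace["dport"] in (None, dport))


def evaluate(aces, proto, src, dst, dport=None):
    """First match wins; the implicit deny at the end is reported as index -1."""
    for i, ace in enumerate(aces):
        if _matches(ace, proto, src, dst, dport):
            return ace["action"], i
    return "deny", -1


def _covers(outer, inner):
    """True when every packet that matches `inner` also matches `outer`."""
    return (outer["proto"] in ("ip", inner["proto"])
            and outer["src"].supernet_of(inner["src"])
            and outer["dst"].supernet_of(inner["dst"])
            and outer["dport"] in (None, inner["dport"]))


def shadowed_entries(aces):
    """Indices of entries that can never match because an earlier entry covers
    them; with an explicit deny at the bottom, every later append lands here."""
    return [i for i, ace in enumerate(aces)
            if any(_covers(aces[j], ace) for j in range(i))]


def rebuild_block(name, iface, ace_lines):
    """Paste block in the Message 5 layout: drop the old list, enter the first
    line, bind the list to the interface, add the rest, end with an explicit
    deny (constructed helper; the binding follows the first line as in the thread)."""
    if not ace_lines:
        raise ValueError("need at least one ACE")
    out = ["conf t", "!", f"no access-list {name}", "!", ace_lines[0],
           f"access-group {name} in interface {iface}", *ace_lines[1:],
           f"access-list {name} deny ip any any"]
    return "\n".join(out)


if __name__ == "__main__":
    acl_name, aces = parse_acl(SAMPLE_ACL)
    print(evaluate(aces, "tcp", "198.51.100.5", "192.0.2.10", 25))  # ('permit', 0)
    print(evaluate(aces, "tcp", "198.51.100.5", "192.0.2.10", 80))  # ('deny', 2): www line never reached
    print("shadowed:", shadowed_entries(aces))                      # [3]
    print(rebuild_block(acl_name, "OUTSIDE", SAMPLE_ACL[:3]))
```

Running `shadowed_entries` over a list before pasting it back is the check the thread's "you have to rewrite the whole list" complaint implies: any index it returns is a line that the appliance will accept but never consult, which is exactly what happens to a permit tacked on below an explicit deny.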



End of cisco-nsp Digest, Vol 14, Issue 26
*****************************************


