Sunday, 22 April 2007

Cisco PIX NAT

In this example we'll deal with using a pool of public addresses from 195.184.199.3-6 (part of a /29, netmask 255.255.255.248): .6 becomes the shared PAT address for outbound traffic and .3-.5 become one-to-one statics for servers.

Define a single outside global address for the inside hosts to PAT onto (the netmask is that of the /29 the address sits in, not a host mask):

global (outside) 1 195.184.199.6 netmask 255.255.255.248

Statically translate the inside servers to public IP addresses. A static is bidirectional: outbound traffic from that inside host now leaves sourced from its own public address instead of the PAT address, which you can check by visiting a web site that displays your public IP. Inbound traffic to the address is still dropped at this point, because the PIX does not accept traffic from a lower-security interface (outside) to a higher-security one (inside) unless an access-list permits it.

static (inside,outside) 195.184.199.3 "internal IP" netmask 255.255.255.255
static (inside,outside) 195.184.199.4 "internal IP" netmask 255.255.255.255
static (inside,outside) 195.184.199.5 "internal IP" netmask 255.255.255.255

Enable translation for everything else on the inside going out. Statics are matched first; every other inside host is translated through NAT ID 1, i.e. PAT onto 195.184.199.6:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Then create an access-list that allows outside traffic to reach the public addresses 195.184.199.3 and 195.184.199.4. By default the PIX does not accept traffic arriving on the outside interface for hosts behind a higher-security interface, so you add only the exceptions you need, e.g. HTTP and FTP to .3 and SMTP to .4. Note that on PIX 6.x the access-list refers to the public (translated) address, not the inside address. FTP works with a single port-21 rule because the FTP fixup (on by default) inspects the control channel and opens the data connection as needed. 195.184.199.5 keeps its static but gets no permit, so it stays unreachable from outside.

access-list Outside_in permit tcp any host 195.184.199.3 eq 80
access-list Outside_in permit tcp any host 195.184.199.4 eq 25
access-list Outside_in permit tcp any host 195.184.199.3 eq 21

Now apply the access-list inbound on the outside interface for it to take effect:

access-group Outside_in in interface outside

Now you have inbound access to the servers on those IPs and ports only; anything else arriving on the outside interface is dropped by the access-list's implicit deny at the end.
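As an added check, not part of the original post: a small Python script that reads a PIX 6.x configuration built from the commands above and reports which public IP/port pairs are actually reachable from outside, i.e. the intersection of the statics and the permits in the ACL bound inbound on outside. The internal addresses 10.0.0.3-5 stand in for the "internal IP" placeholders and are assumptions, and one permit for 195.184.199.9 (an address with no static) is deliberately included to show the kind of mistake the audit catches.

```python
"""Audit the inbound exposure of a PIX 6.x static/ACL configuration.

Added example, not code from the original post. The inside addresses
10.0.0.3-5 and the extra permit for 195.184.199.9 are constructed.
"""
import re
from collections import defaultdict

# Constructed sample config following the recipe above. The 195.184.199.9
# permit has no matching static and is there to exercise the audit.
SAMPLE_CONFIG = """
global (outside) 1 195.184.199.6 netmask 255.255.255.248
static (inside,outside) 195.184.199.3 10.0.0.3 netmask 255.255.255.255
static (inside,outside) 195.184.199.4 10.0.0.4 netmask 255.255.255.255
static (inside,outside) 195.184.199.5 10.0.0.5 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list Outside_in permit tcp any host 195.184.199.3 eq 80
access-list Outside_in permit tcp any host 195.184.199.4 eq 25
access-list Outside_in permit tcp any host 195.184.199.3 eq 21
access-list Outside_in permit tcp any host 195.184.199.9 eq 443
access-group Outside_in in interface outside
"""

PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "http": 80, "https": 443}
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")


def _endpoint(tokens):
    """Consume one ACL address spec (any | host A | A MASK); return (spec, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def _port(tokens):
    """Return the 'eq' port (int, or name mapped via PORT_NAMES), else 'any'."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return PORT_NAMES.get(p, int(p) if p.isdigit() else p)
    return "any"


def parse_pix_config(text):
    """Extract statics (global -> local), ACL entries by name, and access-groups."""
    statics, acls, groups = {}, defaultdict(list), {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(3)] = m.group(4)
        elif m := ACL_RE.match(line):
            tokens = m.group(4).split()
            src, rest = _endpoint(tokens)
            if rest and rest[0] == "eq":      # skip a source-port qualifier
                rest = rest[2:]
            dst, rest = _endpoint(rest)
            acls[m.group(1)].append({"action": m.group(2), "proto": m.group(3),
                                     "src": src, "dst": dst, "port": _port(rest)})
        elif m := GROUP_RE.match(line):
            groups[(m.group(3), m.group(2))] = m.group(1)   # (iface, dir) -> ACL
    return {"statics": statics, "acls": dict(acls), "groups": groups}


def inbound_exposure(cfg, interface="outside"):
    """Public address -> internal host and the ports the inbound ACL permits.

    Only host destinations (or 'any') are resolved; PIX 6.x ACLs name the
    translated public address, so entries are matched against the statics."""
    exposure = {g: {"internal": l, "ports": set()} for g, l in cfg["statics"].items()}
    acl = cfg["acls"].get(cfg["groups"].get((interface, "in")), [])
    for e in acl:
        if e["action"] != "permit":
            continue
        targets = list(exposure) if e["dst"] == "any" else [e["dst"]] * (e["dst"] in exposure)
        for t in targets:
            exposure[t]["ports"].add(e["port"])
    key = lambda p: (isinstance(p, str), p if isinstance(p, int) else 0)
    return {g: {"internal": v["internal"], "ports": sorted(v["ports"], key=key)}
            for g, v in exposure.items()}


def audit(cfg, interface="outside"):
    """Human-readable warnings about the inbound policy on `interface`."""
    warnings = []
    acl_name = cfg["groups"].get((interface, "in"))
    if acl_name is None:
        return [f"no ACL applied inbound on {interface}: PIX default denies all inbound"]
    for e in cfg["acls"].get(acl_name, []):
        if e["action"] != "permit":
            continue
        if e["dst"] == "any" or " " in e["dst"] or e["proto"] == "ip" or e["port"] == "any":
            warnings.append(f"broad rule in {acl_name}: {e}")
        elif e["dst"] not in cfg["statics"]:
            warnings.append(f"{acl_name} permits traffic to {e['dst']} but no static "
                            "maps it; the PIX drops it (no translation)")
    for g, v in inbound_exposure(cfg, interface).items():
        if not v["ports"]:
            warnings.append(f"{g} ({v['internal']}) has a static but no permit: shielded inbound")
    return warnings


if __name__ == "__main__":
    config = parse_pix_config(SAMPLE_CONFIG)
    for pub, info in inbound_exposure(config).items():
        print(f"{pub} -> {info['internal']}: ports {info['ports']}")
    for w in audit(config):
        print("WARN:", w)
```

Run against the sample, it lists .3 as exposed on 21 and 80 and .4 on 25, reports .5 as statically mapped but shielded, and flags the .9 permit as useless because nothing translates that address. Feed it your own `show running-config` output to confirm the exposure matrix matches what you intended before you trust the ACL.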
