PIX Firewall PAT & Static Translations

By mvhurley
Hi,

This weekend I'm migrating a Netscreen's firewall rules to a PIX.

I was hoping someone can take a look at what I plan on doing and let me know if there are any possible issues. I am not so much concerned with the issues of in-bound security. More in the use of PAT and the statics overlapping the PAT range. In examples I've seen the NAT or PAT range/pool is separate from the in-bound IPs.

The config is listed below.

I will be using a single PAT address to allow the office network out-bound access to the internet. I will be implementing static translations and access lists to allow in-bound traffic reach some servers on the office LAN.

I was wondering if there could be any issues because my PAT statement is for the whole class C (the office LAN) and the in-bound static translations are to various IPs in that same class C range.

I was told the internal servers will not initiate out-bound requests, but I'm not sure of that. If the servers were to attempt an outside connection, would they use the static translations or the PAT statement?

Thanks,

Michael


interface Ethernet0
 nameif outside_net
 security-level 0
 ip address 2.100.211.40 255.255.255.0

interface Ethernet1
 nameif internal_net
 security-level 100
 ip address 10.11.28.100 255.255.255.0

! PAT for the office LAN IPs
nat (internal_net) 1 0.0.0.0 0.0.0.0
global (outside_net) 1 interface

access-list internal_net_access_in extended permit ip any any

access-list outside_net_access_in extended permit udp any host 2.100.211.44 eq pptp
access-list outside_net_access_in extended permit tcp any host 2.100.211.44 eq https
access-list outside_net_access_in extended permit tcp any host 2.100.211.45 eq https
access-list outside_net_access_in extended permit tcp any host 2.100.211.76 eq ssh
access-list outside_net_access_in extended permit tcp any host 2.100.211.54 eq ssh

! Statics for in-bound server access
static (internal_net,outside_net) 2.100.211.44 10.11.28.10
static (internal_net,outside_net) 2.100.211.45 10.11.28.23
static (internal_net,outside_net) 2.100.211.76 10.11.28.240
static (internal_net,outside_net) 2.100.211.54 10.11.28.14

route outside_net 0.0.0.0 0.0.0.0 2.100.211.1

access-group outside_net_access_in in interface outside_net
access-group internal_net_access_in in interface internal_net
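The two questions in the post (does a static mapped address sharing the outside subnet with the PAT address cause trouble, and which translation an inside server with a static gets when it opens an outbound connection) can be checked against the posted configuration with a small model. The example below is added here and is not from the post or from Cisco; it parses only the `ip address`, `nat`, `global` and `static` lines, and models the documented PIX 6.x/7.x order for outbound flows, in which a matching static translation is used before dynamic nat/global PAT. It does not model `nat 0 access-list` exemption or policy NAT. Statics whose mapped addresses sit in the outside interface's subnet are the normal arrangement (the PIX answers ARP for them); what must not happen is a static mapped address equal to a global/PAT address or to another static, which is what `check_overlaps` looks for. The function names and the return tuples are this example's own.

```python
import ipaddress
import re

# Constructed input: the NAT-relevant lines of the configuration posted in the
# question, reduced to the statements this example understands.
POSTED_CONFIG = """
interface Ethernet0
 nameif outside_net
 ip address 2.100.211.40 255.255.255.0
interface Ethernet1
 nameif internal_net
 ip address 10.11.28.100 255.255.255.0
nat (internal_net) 1 0.0.0.0 0.0.0.0
global (outside_net) 1 interface
static (internal_net,outside_net) 2.100.211.44 10.11.28.10
static (internal_net,outside_net) 2.100.211.45 10.11.28.23
static (internal_net,outside_net) 2.100.211.76 10.11.28.240
static (internal_net,outside_net) 2.100.211.54 10.11.28.14
"""

STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\) (\S+) (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")


def parse_config(text):
    """Collect interface addresses and the nat, global and static statements."""
    cfg = {"if_addr": {}, "nats": [], "globals": [], "statics": []}
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank or comment line
        if line.startswith("nameif "):
            current_if = line.split()[1]
        elif line.startswith("ip address ") and current_if:
            cfg["if_addr"][current_if] = line.split()[2]
        elif STATIC_RE.match(line):
            inside_if, outside_if, mapped, real = STATIC_RE.match(line).groups()
            cfg["statics"].append((inside_if, outside_if, mapped, real))
        elif NAT_RE.match(line):
            inside_if, nat_id, net, mask = NAT_RE.match(line).groups()
            cfg["nats"].append((inside_if, int(nat_id),
                                ipaddress.ip_network(f"{net}/{mask}", strict=False)))
        elif GLOBAL_RE.match(line):
            outside_if, nat_id, addr = GLOBAL_RE.match(line).groups()
            cfg["globals"].append((outside_if, int(nat_id), addr))
    return cfg


def global_address(cfg, outside_if, addr):
    """'interface' in a global statement means the outside interface's own IP."""
    return cfg["if_addr"][outside_if] if addr == "interface" else addr


def resolve_outbound(cfg, real_ip, inside_if="internal_net", outside_if="outside_net"):
    """Return (translated source address, rule kind) for a flow started by real_ip.

    Order modelled: static translations are consulted before dynamic nat/global,
    which is the documented PIX behaviour for outbound connections.
    """
    for s_in, s_out, mapped, real in cfg["statics"]:
        if (s_in, s_out, real) == (inside_if, outside_if, real_ip):
            return mapped, "static"
    ip = ipaddress.ip_address(real_ip)
    for n_if, nat_id, network in cfg["nats"]:
        if n_if == inside_if and ip in network:
            for g_if, g_id, addr in cfg["globals"]:
                if g_if == outside_if and g_id == nat_id:
                    return global_address(cfg, g_if, addr), "pat"
    return None, "untranslated"


def check_overlaps(cfg):
    """Flag mapped addresses that collide with a PAT address or another static."""
    problems = []
    pat_addrs = {global_address(cfg, g_if, addr) for g_if, _, addr in cfg["globals"]}
    seen = {}
    for _, s_out, mapped, real in cfg["statics"]:
        if mapped in pat_addrs or mapped == cfg["if_addr"].get(s_out):
            problems.append(f"static {mapped} -> {real} collides with the PAT/interface address")
        if mapped in seen:
            problems.append(f"static {mapped} used for both {seen[mapped]} and {real}")
        seen.setdefault(mapped, real)
    return problems


if __name__ == "__main__":
    cfg = parse_config(POSTED_CONFIG)
    for host in ("10.11.28.10", "10.11.28.50"):
        print(host, "->", resolve_outbound(cfg, host))
    print("overlap problems:", check_overlaps(cfg) or "none")
```

Run against the posted configuration, the four servers with statics leave as their mapped addresses (10.11.28.10 appears as 2.100.211.44), every other office host leaves as the interface PAT address 2.100.211.40, and no mapped address collides with the PAT address, so the "same class C" layout is consistent. Adding a static that maps to 2.100.211.40 is the case the overlap check is meant to catch.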

This conversation is currently closed to new comments.
