Re: Pix v6.3 basic task

From: Marvin Greenlee (marvingreenlee@yahoo.com)
Date: Wed Jul 19 2006 - 20:07:01 ART

• Next message: Alex De Gruiter \(AU\): "RE: sending default with eigrp"
• Previous message: Alex De Gruiter \(AU\): "RE: Auto-RP messages not received"
• Maybe in reply to: Kay D: "Pix v6.3 basic task"
• Next in thread: john matijevic: "Re: Pix v6.3 basic task"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

(syntax and specifics different for 7.0/later)

Basic Pix needs (beyond power, network connectivity
and IP addresses.)
1. Routing
2. Translation
3. Access List

1. Does the PIX have routes for the networks that you
want to translate (Are these directly connected, or
some distant network?)

2. Translation

Translation is done with either a static, or a
nat/global pairing. Below are a few short examples.

In example A, there are two sets of PAT, overloading
to interface addresses.
1 - traffic from the DMZ interface is translated to
the global outside address.
2 - traffic sourced from the internet and dmz
interfaces is translated to the inside interface
address.

*** Begin A ***
global (outside) 1 interface

 global (inside) 2 interface

 global (dmz) 2 interface

 nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

 nat (internet) 2 0.0.0.0 0.0.0.0 0 0

**** End A **

In example B, a static is used to translate the inside
address 192.168.11.11 to 63.63.63.63 on the outside
interface.

** Begin B **
static (inside,outside) 63.63.63.63 192.168.11.11
netmask 255.255.255.255 0 0

** End B **

Note: Format of static is (local, global) global
local

static (inside, outside) 63.63.63.63 192.168.11.11
would translate the real device address of
192.168.11.11 (on the inside) to the address
63.63.63.63 on the outside interface.

static (outside, inside) 192.168.11.11 63.63.63.63
would translate the real device address of 63.63.63.63
(on the outside) to 192.168.11.11 on the inside
interface.

3. Access list - is the traffic being permitted "in"
to the interfaces on the PIX.

Check out the examples listed below. With the basic
understanding of the information presented above, the
first one should be pretty easy to understand.

Cisco - Configuring the PIX Firewall with Mail Server
Access on Inside Network -
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

Cisco - PIX configuration examples -
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

--- Kay D <krsna83@gmail.com> wrote:

> Hi ,
> I am using Pix 515e with ver 6.3 as a
> replacement to a router .
> Simple task of allowing any
> packets from outside to inside interface is not
> happening :(
> I tried using access-list abc permit any any and
> access-group abc ,
> should i add the static(outside,inside) command
> along with it .
>
> Please help me with this , this is the first time i
> am working on pix .
>
>
> Kay
>
>

• Next message: Alex De Gruiter \(AU\): "RE: sending default with eigrp"
• Previous message: Alex De Gruiter \(AU\): "RE: Auto-RP messages not received"
• Maybe in reply to: Kay D: "Pix v6.3 basic task"
• Next in thread: john matijevic: "Re: Pix v6.3 basic task"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:48 ART