Re: Cisco 501 Configuration help.
- From: roberson@xxxxxxxxxxxxxxxxxx (Walter Roberson)
- Date: Thu, 22 Sep 2005 22:38:31 +0000 (UTC)
In article <1127425980.595422.45760@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
Kunal Keshav <kkeshav@xxxxxxxxx> wrote:
:I am new to the CISCO IOS, need help configuring a 501 pix firewall.
For future reference, the PIX series run an operating system
named Finesse. Finesse's existence is nearly undocumented by Cisco,
and you don't get to talk to it directly: it's the real-time kernel
but the user interaction is a different layer that has no name that
I've ever seen.
IOS is the operating system of Cisco's routers and modern switches
and a few other devices, but not the operating system of PIX.
:This is what my network looks like.
:On the lan segment I have 6 machines that need to connect to a server
:of our business partner on the WAN side. The Server on the WAN has a
:service running on port 6666. All the clients need to connect to the
:server on this port. IP address is as follows:
:Server Wan side: 192.168.13.5/24
:PIX WAN : 192.168.13.6/24
:PIX LAN: 192.168.230.1/24
:Workstations: 192.168.230.2-.7/24
:The server needs to have a one to one NAT to the Workstations
:i.e. 192.168.13.12= 192.168.230.2
: 192.168.13.13= 192.168.230.3
: ..........
: ..........
: 192.168.13.17= 192.168.230.7
You didn't post any question ;-)
Configuration #1:
names
name 192.168.13.5 BP
name 192.168.13.12 BP_1
name 192.168.13.13 BP_2
name 192.168.13.14 BP_3
name 192.168.13.15 BP_4
name 192.168.13.16 BP_5
name 192.168.13.17 BP_6
name 192.168.230.2 WS_1
name 192.168.230.3 WS_2
name 192.168.230.4 WS_3
name 192.168.230.5 WS_4
name 192.168.230.6 WS_5
name 192.168.230.7 WS_6
object-group service BP_tcp tcp
description the TCP ports used by the business partner server
port-object eq 6666
access-list BS_acl_1 permit tcp host WS_1 host BP object-group BP_tcp
access-list BS_acl_2 permit tcp host WS_2 host BP object-group BP_tcp
access-list BS_acl_3 permit tcp host WS_3 host BP object-group BP_tcp
access-list BS_acl_4 permit tcp host WS_4 host BP object-group BP_tcp
access-list BS_acl_5 permit tcp host WS_5 host BP object-group BP_tcp
access-list BS_acl_6 permit tcp host WS_6 host BP object-group BP_tcp
static (inside,outside) BP_1 access-list BS_acl_1
static (inside,outside) BP_2 access-list BS_acl_2
static (inside,outside) BP_3 access-list BS_acl_3
static (inside,outside) BP_4 access-list BS_acl_4
static (inside,outside) BP_5 access-list BS_acl_5
static (inside,outside) BP_6 access-list BS_acl_6
Configuration #2:
names
name 192.168.13.5 BP
name 192.168.13.12 BP_1
name 192.168.13.13 BP_2
name 192.168.13.14 BP_3
name 192.168.13.15 BP_4
name 192.168.13.16 BP_5
name 192.168.13.17 BP_6
name 192.168.230.2 WS_1
name 192.168.230.3 WS_2
name 192.168.230.4 WS_3
name 192.168.230.5 WS_4
name 192.168.230.6 WS_5
name 192.168.230.7 WS_6
object-group service BP_tcp tcp
description the TCP ports used by the business partner server
port-object eq 6666
access-list BS_acl_1 permit tcp host WS_1 host BP object-group BP_tcp
access-list BS_acl_2 permit tcp host WS_2 host BP object-group BP_tcp
access-list BS_acl_3 permit tcp host WS_3 host BP object-group BP_tcp
access-list BS_acl_4 permit tcp host WS_4 host BP object-group BP_tcp
access-list BS_acl_5 permit tcp host WS_5 host BP object-group BP_tcp
access-list BS_acl_6 permit tcp host WS_6 host BP object-group BP_tcp
nat (inside) 101 access-list BS_acl_1
nat (inside) 102 access-list BS_acl_2
nat (inside) 103 access-list BS_acl_3
nat (inside) 104 access-list BS_acl_4
nat (inside) 105 access-list BS_acl_5
nat (inside) 106 access-list BS_acl_6
global (outside) 101 BP_1
global (outside) 102 BP_2
global (outside) 103 BP_3
global (outside) 104 BP_4
global (outside) 105 BP_5
global (outside) 106 BP_6
The difference between these two configurations is
a) in the first configuration, the original source port from the
workstation will arrive intact at the server
b) in the second configuration, the PIX will PAT (Port Address Translate)
the original workstation source port, but uniquely for each IP
c) in the first configuration, if the outside access-list permits, the
server would be able to initiate connections to -any- TCP port on
the workstation, as long as the server used source port 6666 when it did so
d) in the second configuration, the server would not be able to initiate
connections to the workstation.
e) in the first configuration, if the protocol should be UDP instead of TCP,
then the server will be able to send UDP replies back to the workstation
after longer than 30 seconds idleness, as long as the server used port
6666 to send the replies.
f) in the second configuration, if the protocol should be UDP instead of TCP,
then the server will be able to send UDP replies back to the workstation
[using source port 6666] only if the connection has not been idle for more
than 30 seconds; after 30 seconds, the replies would be blocked until
the inside formed a new UDP stream. [The 30 second figure is a
globally configurable parameter.]
--
Many food scientists have reported chocolate to be the single most
craved food. -- Northwestern University, 2001
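The behavioural differences (a) through (f) above, as an added Python model that is not part of the original post or of any Cisco software: it tracks translations the way the reply describes static policy NAT (config #1) versus nat/global policy PAT (config #2), so a defender can check which direction of traffic each admits. The PAT port choice and the time values are illustrative assumptions.

```python
from dataclasses import dataclass, field

BP_PORT = 6666           # the business partner service port from the post
UDP_IDLE_TIMEOUT = 30.0  # seconds; the post calls this a globally configurable parameter


@dataclass
class Xlate:
    inside_ip: str
    outside_ip: str
    proto: str
    outside_port: int    # source port as the server sees it
    last_seen: float


@dataclass
class PixModel:
    mode: str                       # "static" (config #1) or "pat" (config #2)
    mapping: dict                   # inside address -> outside address
    outside_acl_permits: bool = False
    next_pat_port: int = 1024       # assumption: illustrative PAT port allocation only
    xlates: list = field(default_factory=list)

    def outbound(self, src_ip, src_port, proto, now):
        """Workstation -> server; returns (outside ip, source port the server sees)."""
        out_ip = self.mapping[src_ip]
        if self.mode == "static":
            port = src_port                 # (a) original source port arrives intact
        else:
            port = self.next_pat_port       # (b) PAT rewrites the source port per host
            self.next_pat_port += 1
        self.xlates.append(Xlate(src_ip, out_ip, proto, port, now))
        return out_ip, port

    def inbound(self, dst_ip, dst_port, src_port, proto, now):
        """Server -> workstation; returns the inside address reached, or None if dropped."""
        for x in self.xlates:
            live = proto == "tcp" or now - x.last_seen <= UDP_IDLE_TIMEOUT
            if x.outside_ip == dst_ip and x.proto == proto and x.outside_port == dst_port and live:
                x.last_seen = now
                return x.inside_ip          # reply on an existing translation
        # (c)/(e): the static is bidirectional, so with an outside ACL permit the server
        # may reach any inside port as long as it sources from port 6666
        if self.mode == "static" and self.outside_acl_permits and src_port == BP_PORT:
            inverse = {v: k for k, v in self.mapping.items()}
            return inverse.get(dst_ip)
        return None                         # (d)/(f): nat/global only answers live streams
```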