Book Excerpt: Cisco Secure Internet Security Solutions - part 3 - Page 2

By Cisco Press | Posted Sep 20, 2001

You now have three major design changes to make to your system. You must first allow WWW traffic to reach the Web server, whose IP address is 10.1.1.30. This IP address needs to be statically translated to a routable address on the Internet. One of the easiest ways to keep track of static IP translations is to use the same last octet in both addresses; in the case of the Web server, you will use 30 as the last octet. The second change is to allow e-mail through to the mail server. The third change is to allow FTP traffic to the FTP server. All of these servers need a static translation because, if you rely on the default dynamic NAT settings on the PIX and simply allow traffic into the LAN, there is no guarantee which inside host will be using a given outside IP address at any given time, so inbound connections could not be directed reliably to the intended server.

Issue a write erase command on the PIX. This erases the saved configuration. Turn the PIX power off and then back on to arrive at a clean state. Enter the following commands while in enable mode on the PIX. This section covers each change after the lines are entered. Again, the lines are separated for clarity.

  enable password enablepass encrypted
  passwd password encrypted

  nameif ethernet0 outside security0
  nameif ethernet1 inside security100

  interface ethernet0 10baset
  interface ethernet1 10baset

  ip address outside 192.168.1.1 255.255.255.0
  ip address inside 172.30.1.2 255.255.255.252

  global (outside) 1 192.168.1.50-192.168.1.253 255.255.255.0
  global (outside) 1 192.168.1.254 255.255.255.0
  nat (inside) 1 10.1.1.0 255.255.255.0 0 0

  static (inside, outside) 192.168.1.30 10.1.1.30 netmask 255.255.255.255 0 0
  static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0
  static (inside, outside) 192.168.1.49 10.1.1.49 netmask 255.255.255.255 0 0

  conduit permit tcp host 192.168.1.30 eq http any
  conduit permit tcp host 192.168.1.35 eq ftp any
  conduit permit tcp host 192.168.1.49 eq smtp any

  route outside 0 0 192.168.1.2 1
  route inside 10.1.1.0 255.255.255.0 172.30.1.1 1

  arp timeout 7200

  write mem
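The following Python script is an added example and is not part of the Cisco Press text. It parses the static, global and conduit lines of the configuration above (copied inline as constructed sample input) and checks the design rule this section states: every outside address that a conduit opens must be a static translation, not an address that dynamic NAT may hand to any inside host. It also flags a static that overlaps the dynamic global pool and lists which inside hosts and services are reachable from outside. The regular expressions cover only the command forms used on this page; the function names are the example's own.

```python
"""Audit a PIX 6.x-style configuration for consistency between static
translations, the dynamic global pool and conduits (added example)."""
import ipaddress
import re

# Constructed copy of the relevant lines of the configuration on this page.
PAGE_CONFIG = """
global (outside) 1 192.168.1.50-192.168.1.253 255.255.255.0
global (outside) 1 192.168.1.254 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
static (inside, outside) 192.168.1.30 10.1.1.30 netmask 255.255.255.255 0 0
static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0
static (inside, outside) 192.168.1.49 10.1.1.49 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.1.30 eq http any
conduit permit tcp host 192.168.1.35 eq ftp any
conduit permit tcp host 192.168.1.49 eq smtp any
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# static (high_if, low_if) global_ip local_ip netmask ...
STATIC_RE = re.compile(r"^static\s+\((\w+),\s*(\w+)\)\s+" + IP + r"\s+" + IP)
# conduit permit proto host global_ip [eq port] foreign_source
CONDUIT_RE = re.compile(r"^conduit\s+permit\s+(\w+)\s+host\s+" + IP +
                        r"(?:\s+eq\s+(\S+))?\s+(.+)$")
# global (if) nat_id first_ip[-last_ip] netmask
GLOBAL_RE = re.compile(r"^global\s+\((\w+)\)\s+(\d+)\s+" + IP +
                       r"(?:-" + IP + r")?")


def parse_statics(config):
    """Map each outside (global) address to the inside (local) address it hides."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            _high, _low, global_ip, local_ip = m.groups()
            statics[global_ip] = local_ip
    return statics


def parse_conduits(config):
    """Return (protocol, global_ip, port or None, foreign_source) tuples."""
    conduits = []
    for line in config.splitlines():
        m = CONDUIT_RE.match(line.strip())
        if m:
            proto, global_ip, port, source = m.groups()
            conduits.append((proto, global_ip, port, source.strip()))
    return conduits


def parse_global_pools(config):
    """Return the dynamic NAT pool as (first, last) IPv4Address pairs."""
    pools = []
    for line in config.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if m:
            _iface, _nat_id, first, last = m.groups()
            lo = ipaddress.IPv4Address(first)
            hi = ipaddress.IPv4Address(last) if last else lo
            pools.append((lo, hi))
    return pools


def in_pool(ip, pools):
    addr = ipaddress.IPv4Address(ip)
    return any(lo <= addr <= hi for lo, hi in pools)


def audit(config):
    """Return {'exposed': [...], 'problems': [...]} for the given configuration.

    exposed:  (local_ip, global_ip, proto, port, source) per usable conduit
    problems: conduits without a static, statics carved out of the pool
    """
    statics = parse_statics(config)
    pools = parse_global_pools(config)
    exposed, problems = [], []
    for proto, global_ip, port, source in parse_conduits(config):
        local_ip = statics.get(global_ip)
        if local_ip is None:
            # Dynamic NAT could assign this outside address to any inside host,
            # so the conduit does not reliably reach one intended server.
            problems.append(f"conduit to {global_ip} has no static translation")
            continue
        exposed.append((local_ip, global_ip, proto, port or "any", source))
    for global_ip, local_ip in statics.items():
        if in_pool(global_ip, pools):
            problems.append(f"static {global_ip}->{local_ip} overlaps the dynamic global pool")
    return {"exposed": exposed, "problems": problems}


if __name__ == "__main__":
    report = audit(PAGE_CONFIG)
    for entry in report["exposed"]:
        print("reachable from outside:", entry)
    for problem in report["problems"]:
        print("PROBLEM:", problem)
```

Run against the page's configuration the audit reports three reachable services and no problems; the `source` field of each entry is where to look when deciding whether a conduit really needs to be open to `any`. Appending a conduit for an outside address that has no `static`, or a `static` whose outside address falls inside the 192.168.1.50-253 pool, produces a problem line for each.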
