Book Excerpt: Cisco Secure Internet Security Solutions - part 3 - Page 2

By  Cisco Press | Sep 20, 2001

You now have three major design changes to make to your system. You must first allow WWW traffic to reach the Web server, whose IP address is 10.1.1.30. This IP address needs to be statically translated to a routable address on the Internet. One of the easiest ways to keep track of static IP translations is to use the same last octet in both addresses. In the case of the Web server, you will use 30 as the last octet. The second change is to allow e-mail through to the mail server. The third change is to allow FTP traffic to the FTP server. All of these servers need a static translation because, if you simply rely on the default NAT settings on the PIX and allow traffic into the LAN, you cannot be sure which inside host is using a given outside IP address at any given time.

Issue a write erase command on the PIX. This erases the saved configuration. Turn the PIX power off and then back on to arrive at a clean state. Enter the following commands while in enable mode on the PIX. Each change is explained after the lines have been entered. Again, the lines are separated for clarity.

  enable password enablepass encrypted
  passwd password encrypted

  nameif ethernet0 outside security0
  nameif ethernet1 inside security100

  interface ethernet0 10baset
  interface ethernet1 10baset

  ip address outside 192.168.1.1 255.255.255.0
  ip address inside 172.30.1.2 255.255.255.252

  global (outside) 1 192.168.1.50-192.168.1.253 255.255.255.0
  global (outside) 1 192.168.1.254 255.255.255.0
  nat (inside) 1 10.1.1.0 255.255.255.0 0 0

  static (inside, outside) 192.168.1.30 10.1.1.30 netmask 255.255.255.255 0 0
  static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0
  static (inside, outside) 192.168.1.49 10.1.1.49 netmask 255.255.255.255 0 0

  conduit permit tcp host 192.168.1.30 eq http any
  conduit permit tcp host 192.168.1.35 eq ftp any
  conduit permit tcp host 192.168.1.49 eq smtp any

  route outside 0 0 192.168.1.2 1
  route inside 10.1.1.0 255.255.255.0 172.30.1.1 1

  arp timeout 7200

  write mem
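
The following is an added example and is not code from the book or from Cisco. It is a small Python model of the inbound rule the configuration above expresses: a packet from the Internet reaches an inside host only if a static translation maps the destination (global) address to an inside (local) address and a conduit permits that protocol and port to the global address. The parser handles only the static and conduit forms used on this page, the sample packets are constructed, and 203.0.113.9 is a documentation address standing in for an Internet client; the model ignores stateful return traffic and the FTP data channel.

```python
# Added example, not from the book: a model of how the PIX configuration above
# treats unsolicited inbound connections. Two conditions must both hold for a
# packet from the outside to reach an inside host: a static translation must
# map the global address to a local one, and a conduit must permit the service.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# The static and conduit lines copied from the configuration on this page.
PIX_CONFIG = """\
static (inside, outside) 192.168.1.30 10.1.1.30 netmask 255.255.255.255 0 0
static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0
static (inside, outside) 192.168.1.49 10.1.1.49 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.1.30 eq http any
conduit permit tcp host 192.168.1.35 eq ftp any
conduit permit tcp host 192.168.1.49 eq smtp any
"""

# Well-known names the PIX accepts in place of port numbers (only those used above).
PORT_NAMES = {"http": 80, "ftp": 21, "smtp": 25}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source address on the outside
    dst: str     # destination as seen on the outside interface (global address)
    dport: int   # destination port


def parse_config(text: str) -> Tuple[Dict[str, str], Set[Tuple[str, str, int]]]:
    """Extract global->local statics and (proto, global_ip, port) conduits."""
    statics: Dict[str, str] = {}
    conduits: Set[Tuple[str, str, int]] = set()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "static":
            # static (inside,outside) GLOBAL LOCAL netmask MASK ...
            # The interface pair may be one token or two, so anchor on "netmask".
            i = tokens.index("netmask")
            statics[tokens[i - 2]] = tokens[i - 1]
        elif tokens[:2] == ["conduit", "permit"]:
            # conduit permit PROTO host GLOBAL eq PORT any
            if tokens[3] != "host" or tokens[5] != "eq":
                raise ValueError(f"unsupported conduit form: {line}")
            proto, global_ip, port = tokens[2], tokens[4], tokens[6]
            port_num = int(port) if port.isdigit() else PORT_NAMES[port]
            conduits.add((proto, global_ip, port_num))
    return statics, conduits


STATICS, CONDUITS = parse_config(PIX_CONFIG)


def inbound_decision(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return ("permit", inside_address) or ("deny", reason) for an inbound packet."""
    inside = STATICS.get(pkt.dst)
    if inside is None:
        # Addresses in the dynamic global pool (192.168.1.50-254) only get a
        # translation slot when an inside host opens a session outbound, so an
        # unsolicited inbound packet to one of them has nowhere to go and is dropped.
        return ("deny", "no static translation for outside address")
    if (pkt.proto, pkt.dst, pkt.dport) not in CONDUITS:
        # The static alone does not open the host; the conduit decides the service.
        return ("deny", "no conduit permits this service")
    return ("permit", inside)


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.9 stands in for an Internet client.
    samples = [
        Packet("tcp", "203.0.113.9", "192.168.1.30", 80),   # HTTP to the Web server
        Packet("tcp", "203.0.113.9", "192.168.1.30", 22),   # SSH to the Web server: no conduit
        Packet("tcp", "203.0.113.9", "192.168.1.49", 25),   # SMTP to the mail server
        Packet("tcp", "203.0.113.9", "192.168.1.77", 80),   # address in the dynamic pool
    ]
    for p in samples:
        print(p.dst, p.dport, "->", inbound_decision(p))
```

Running the block shows that only HTTP to 192.168.1.30, FTP to 192.168.1.35, and SMTP to 192.168.1.49 are translated and permitted; any other port on those hosts is dropped for lack of a conduit, and any address in the dynamic global pool is dropped for lack of a static translation. Note that the conduit command belongs to the PIX software of this book's era; later PIX releases replaced it with access-list and access-group, which express the same per-host, per-service permission.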
