Book Excerpt: Cisco Secure Internet Security Solutions - part 3 - Page 2
You now have three major design changes to make to your system. You must first allow WWW traffic to access the Web server, whose IP address is 10.1.1.30. This IP address needs to be statically translated to a routable address on the Internet. One of the easiest ways to keep track of static IP translations is to use the same last octet in both addresses. In the case of the Web server, you will use 30 as the last octet. The second change is to allow e-mail through to the mail server. The third change is to allow FTP traffic to the FTP server. All of these servers need a static translation because you cannot be guaranteed what host will be using a given outside IP address at any given time if you simply rely on the default NAT settings on the PIX and allow traffic into the LAN.
Issue a write erase command on the PIX. This erases the saved configuration. Turn the PIX power off and then back on to arrive at a clean state. Enter the following commands while in enable mode on the PIX. This section covers each change after the lines are entered. Again, the lines are separated for clarity.
enable password enablepass encrypted passwd password encrypted nameif ethernet0 outside security0 nameif ethernet1 inside security100 interface ethernet0 10baset interface ethernet1 10baset ip address outside 192.168.1.1 255.255.255.0 ip address inside 172.30.1.2 255.255.255.252 global (outside) 1 192.168.1.50-192.168.1.253 255.255.255.0 global (outside) 1 192.168.1.254 255.255.255.0 nat (inside) 1 10.1.1.0 255.255.255.0 0 0 static (inside, outside) 192.168.1.30 10.1.1.30 netmask 255.255.255.255 0 0 static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0 static (inside, outside) 192.168.1.49 10.1.1.49 netmask 255.255.255.255 0 0 conduit permit tcp host 192.168.1.30 eq http any conduit permit tcp host 192.168.1.35 eq ftp any conduit permit tcp host 192.168.1.49 eq smtp any route outside 0 0 192.168.1.2 1 route inside 10.1.1.0 255.255.255.0 172.30.1.1 1 arp timeout 7200 write mem