Book Excerpt: Cisco Secure Internet Security Solutions - part 3 - Page 3
There are only a few changes from the basic configuration. You first changed the inside IP address to reflect the separate network between the PIX and the interior router. The two global commands shown next assign both NAT and PAT to be used by the inside hosts. Because you used a range of IP addresses, the first global command allows for each host on the LAN to get a dynamically assigned global address, or NAT. Once all of the available global IP addresses are in use, any hosts attempting to connect to the outside will use PAT. The second global line is critical because it assigns one address for use with PAT. If a single address is not reserved for use by PAT, hosts will simply not be able to get through the PIX.
The users will think that the Internet connection has been dropped, because they will receive no indication of a problem other than a lack of connection.
You might wonder why the range of IP addresses starts at 50 in the first global command. This allows servers to have static IP addresses. The number 50 was arbitrarily chosen. Whatever number is chosen ensures that there are sufficient reserved IP addresses for all servers on the network. You could have also reserved a set of IP addresses on the upper end of the network. The inside and outside routes were also changed to reflect the network as shown in Figure 4-6. You are now actually ready to allow users on the Internet to access your e-mail, FTP, and Web services.
Setting up to allow e-mail to traverse the PIX requires a few new commands. This replaces the mailhost command in previous versions of the PIX. These commands are covered later in this section. Enter the following lines into the PIX configuration.
static (inside, outside) 192.168.1.49 10.1.1.49 netmask 255.255.255.255 0 0 conduit permit tcp host 192.168.1.49 eq smtp anyThat is all that is required to allow SMTP packets to traverse the PIX to the server with the 10.1.1.49 IP address. Users outside the PIX will see this server as 192.168.1.49. Packets sent to 192.168.1.49 will have NAT applied to them and will be forwarded to 10.1.1.49. Only the SMTP commands HELLO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT are allowed through the PIX. The response to all other SMTP commands is an OK packet from the PIX. You added two new commands here, the static and the conduit commands. Each of them will be examined before moving on to the FTP and Web servers.