Book Excerpt: Cisco Secure Internet Security Solutions - part 3 - Page 2

 By Cisco Press

You now have three major design changes to make to your system. You must first allow WWW (HTTP) traffic to reach the Web server, whose IP address is This IP address needs to be statically translated to a routable address on the Internet. One of the easiest ways to keep track of static translations is to use the same last octet in both the inside and the outside address; for the Web server, you will use 30 as the last octet. The second change is to allow e-mail (SMTP) through to the mail server. The third change is to allow FTP traffic to the FTP server. All three servers need a static translation: with only the default dynamic NAT and PAT (the nat and global commands), an inside host is assigned an outside address only when it opens a connection outbound, so you cannot guarantee which host will be using a given outside IP address at any given time, and there is no fixed outside address at which the Internet can reach a particular server.

Issue a write erase command on the PIX. This erases the saved (startup) configuration. Turn the PIX power off and then back on (or issue reload) to arrive at a clean state. Enter the following commands from configuration mode (configure terminal from enable mode). Note the enable password and passwd lines: the encrypted keyword tells the PIX that the string preceding it is already the stored hash, so when you type these commands yourself, give the cleartext password and omit encrypted; the saved configuration will then show the hashed form with the keyword. Note also that each conduit line admits inbound connections from any source address to the listed host and port; later PIX releases express the same policy with access-list and access-group, and the conduit command was removed in PIX 7.0. This section covers each change after the lines are entered. Again, the lines are separated for clarity.

  enable password enablepass encrypted
  passwd password encrypted

  nameif ethernet0 outside security0
  nameif ethernet1 inside security100

  interface ethernet0 10baset
  interface ethernet1 10baset

  ip address outside
  ip address inside

  global (outside) 1
  global (outside) 1
  nat (inside) 1 0 0

  static (inside, outside) netmask 0 0
  static (inside, outside) netmask 0 0
  static (inside, outside) netmask 0 0

  conduit permit tcp host eq http any
  conduit permit tcp host eq ftp any
  conduit permit tcp host eq smtp any

  route outside 0 0 1
  route inside 1

  arp timeout 7200

  write mem
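As an added check (example code written for this page, not from the book or from Cisco), the Python script below parses a PIX 6-style configuration and flags the three things this section's design relies on: a conduit whose global address has no static translation, a static whose global address overlaps a dynamic global pool, and a static that breaks the same-last-octet convention. The sample configuration is constructed, with 192.0.2.0/24 (the RFC 5737 documentation range) outside and 10.1.1.0/24 inside; the regular expressions assume the command forms shown above.

```python
"""Audit a PIX 6.x-style configuration for the static/conduit pairing the
text describes.  Added example: not code from the book or from Cisco.
The sample config is constructed (192.0.2.0/24 outside, 10.1.1.0/24 inside)
and the regexes assume the PIX 6 command syntax shown in the excerpt."""
import re

# Constructed sample config, with one deliberate mistake of each kind:
# a conduit to 192.0.2.32 (no static), and a static for 192.0.2.15 that
# both sits inside the dynamic pool and breaks the last-octet convention.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 192.0.2.10-192.0.2.20
global (outside) 1 192.0.2.21
nat (inside) 1 0 0
static (inside,outside) 192.0.2.30 10.1.1.30 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.31 10.1.1.31 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.15 10.1.1.40 netmask 255.255.255.255 0 0
conduit permit tcp host 192.0.2.30 eq http any
conduit permit tcp host 192.0.2.31 eq smtp any
conduit permit tcp host 192.0.2.32 eq ftp any
"""

# static (inside,outside) <global> <local> netmask ...   (space after comma tolerated)
STATIC_RE = re.compile(r"^\s*static\s+\(inside,\s*outside\)\s+(\S+)\s+(\S+)\s+netmask\b")
# conduit permit <proto> host <global> eq <port> <source>
CONDUIT_RE = re.compile(r"^\s*conduit\s+permit\s+(tcp|udp)\s+host\s+(\S+)\s+eq\s+(\S+)\s+(\S+)")
# global (outside) <id> <address | start-end>
GLOBAL_RE = re.compile(r"^\s*global\s+\(outside\)\s+(\d+)\s+(\S+)")


def ip_to_int(ip):
    """Dotted-quad IPv4 string to a 32-bit integer (raises on malformed input)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def parse_pool(spec):
    """'a-b' -> (int(a), int(b)); a single address -> (int(a), int(a))."""
    lo, _, hi = spec.partition("-")
    return ip_to_int(lo), ip_to_int(hi or lo)


def parse(config):
    """Return ([(global, local)], [(proto, global, port, source)], [(lo, hi)])."""
    statics, conduits, pools = [], [], []
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics.append((m.group(1), m.group(2)))
        elif m := CONDUIT_RE.match(line):
            conduits.append((m.group(1), m.group(2), m.group(3), m.group(4)))
        elif m := GLOBAL_RE.match(line):
            pools.append(parse_pool(m.group(2)))
    return statics, conduits, pools


def audit(config):
    """List human-readable findings; an empty list means the config is consistent."""
    statics, conduits, pools = parse(config)
    mapped = {g for g, _ in statics}
    findings = []
    # A conduit only makes sense toward an address the PIX will always map to
    # the same inside host; a dynamic-pool address has no fixed owner.
    for proto, g, port, _source in conduits:
        if g not in mapped:
            findings.append(f"conduit {proto}/{port} to {g}: no static translation, "
                            f"inbound traffic cannot reach a fixed inside host")
    for g, local in statics:
        gi = ip_to_int(g)
        if any(lo <= gi <= hi for lo, hi in pools):
            findings.append(f"static {g} -> {local}: global address lies inside a dynamic global pool")
        if g.rsplit(".", 1)[1] != local.rsplit(".", 1)[1]:
            findings.append(f"static {g} -> {local}: last octets differ "
                            f"(the text's convention keeps them equal)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved configuration (write terminal output) rather than against the command list typed interactively; the regexes deliberately do not match the address-stripped lines in this excerpt, so a config with missing addresses simply yields no statics or conduits and therefore no findings.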

This article was originally published on Sep 20, 2001