The latest network routers, software, management tools and information for enterprise IT administrators.

Book Excerpt: Cisco Secure Internet Security Solutions - part 3 - Page 2

By Cisco Press

Page 2 of 6 | Back to Page 1

You now have three major design changes to make to your system. You must first allow WWW traffic to access the Web server, whose IP address is 10.1.1.30. This IP address needs to be statically translated to a routable address on the Internet. One of the easiest ways to keep track of static IP translations is to use the same last octet in both addresses. In the case of the Web server, you will use 30 as the last octet. The second change is to allow e-mail through to the mail server. The third change is to allow FTP traffic to the FTP server. All of these servers need a static translation because you cannot be guaranteed what host will be using a given outside IP address at any given time if you simply rely on the default NAT settings on the PIX and allow traffic into the LAN.

Issue a write erase command on the PIX. This erases the saved configuration. Turn the PIX power off and then back on to arrive at a clean state. Enter the following commands while in enable mode on the PIX. This section covers each change after the lines are entered. Again, the lines are separated for clarity.

  enable password enablepass encrypted
  passwd password encrypted

  nameif ethernet0 outside security0
  nameif ethernet1 inside security100

  interface ethernet0 10baset
  interface ethernet1 10baset

  ip address outside 192.168.1.1 255.255.255.0
  ip address inside 172.30.1.2 255.255.255.252

  global (outside) 1 192.168.1.50-192.168.1.253 255.255.255.0
  global (outside) 1 192.168.1.254 255.255.255.0
  nat (inside) 1 10.1.1.0 255.255.255.0 0 0

  static (inside, outside) 192.168.1.30 10.1.1.30 netmask 255.255.255.255 0 0
  static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0
  static (inside, outside) 192.168.1.49 10.1.1.49 netmask 255.255.255.255 0 0

  conduit permit tcp host 192.168.1.30 eq http any
  conduit permit tcp host 192.168.1.35 eq ftp any
  conduit permit tcp host 192.168.1.49 eq smtp any

  route outside 0 0 192.168.1.2 1
  route inside 10.1.1.0 255.255.255.0 172.30.1.1 1

  arp timeout 7200

  write mem

This article was originally published on Sep 20, 2001

jfreund@internet.com

Get the Latest Scoop with Networking Update Newsletter

Thanks for your registration, follow us on our social networks to keep up-to-date