Cisco 501 Configuration help.

I am new to the CISCO IOS, need help configuring a 501 pix firewall. This is what my network looks like.

On the lan segment I have 6 machines that need to connect to a server of our business partner on the WAN side. The Server on the WAN has a service running on port 6666. All the clients need to connect to the server on this port. IP address is as follows:

Server Wan side: 192.168.13.5/24
PIX WAN : 192.168.13.6/24
PIX LAN: 192.168.230.1/24
Workstations: 192.168.230.2-.7/24

The server needs to have a one to one NAT to the Workstations i.e
192.168.13.12 = 192.168.230.2
192.168.13.13 = 192.168.230.3
..........
..........
192.168.13.17 = 192.168.230.7

Kunal Keshav

In article , Kunal Keshav wrote:
:I am new to the CISCO IOS, need help configuring a 501 pix firewall.

For future reference, the PIX series run an operating system named Finesse. Finesse's existence is nearly undocumented by Cisco, and you don't get to talk to it directly: it's the real-time kernel, but the user interaction is a different layer that has no name that I've ever seen.

IOS is the operating system of Cisco's routers and modern switches and a few other devices, but not the operating system of PIX.

:This is what my network looks like.

:On the lan segment I have 6 machines that need to connect to a server
:of our business partner on the WAN side. The Server on the WAN has a
:service running on port 6666. All the clients need to connect to the
:server on this port. IP address is as follows:

:Server Wan side: 192.168.13.5/24
:PIX WAN : 192.168.13.6/24
:PIX LAN: 192.168.230.1/24
:Workstations: 192.168.230.2-.7/24

:The server needs to have a one to one NAT to the Workstations
:i.e 192.168.13.12= 192.168.230.2
: 192.168.13.13= 192.168.230.3
: ..........
: ..........
: 192.168.13.17= 192.168.230.7

You didn't post any question ;-)

Configuration #1:

names
name 192.168.13.5 BP
name 192.168.13.12 BP_1
name 192.168.13.13 BP_2
name 192.168.13.14 BP_3
name 192.168.13.15 BP_4
name 192.168.13.16 BP_5
name 192.168.13.17 BP_6
name 192.168.230.2 WS_1
name 192.168.230.3 WS_2
name 192.168.230.4 WS_3
name 192.168.230.5 WS_4
name 192.168.230.6 WS_5
name 192.168.230.7 WS_6

object-group service BP_tcp tcp
  description the TCP ports used by the business partner server
  port-object eq 6666

access-list BS_acl_1 permit tcp host WS_1 host BP object-group BP_tcp
access-list BS_acl_2 permit tcp host WS_2 host BP object-group BP_tcp
access-list BS_acl_3 permit tcp host WS_3 host BP object-group BP_tcp
access-list BS_acl_4 permit tcp host WS_4 host BP object-group BP_tcp
access-list BS_acl_5 permit tcp host WS_5 host BP object-group BP_tcp
access-list BS_acl_6 permit tcp host WS_6 host BP object-group BP_tcp

static (inside,outside) BP_1 access-list BS_acl_1
static (inside,outside) BP_2 access-list BS_acl_2
static (inside,outside) BP_3 access-list BS_acl_3
static (inside,outside) BP_4 access-list BS_acl_4
static (inside,outside) BP_5 access-list BS_acl_5
static (inside,outside) BP_6 access-list BS_acl_6

Configuration #2:

names
name 192.168.13.5 BP
name 192.168.13.12 BP_1
name 192.168.13.13 BP_2
name 192.168.13.14 BP_3
name 192.168.13.15 BP_4
name 192.168.13.16 BP_5
name 192.168.13.17 BP_6
name 192.168.230.2 WS_1
name 192.168.230.3 WS_2
name 192.168.230.4 WS_3
name 192.168.230.5 WS_4
name 192.168.230.6 WS_5
name 192.168.230.7 WS_6

object-group service BP_tcp tcp
  description the TCP ports used by the business partner server
  port-object eq 6666

access-list BS_acl_1 permit tcp host WS_1 host BP object-group BP_tcp
access-list BS_acl_2 permit tcp host WS_2 host BP object-group BP_tcp
access-list BS_acl_3 permit tcp host WS_3 host BP object-group BP_tcp
access-list BS_acl_4 permit tcp host WS_4 host BP object-group BP_tcp
access-list BS_acl_5 permit tcp host WS_5 host BP object-group BP_tcp
access-list BS_acl_6 permit tcp host WS_6 host BP object-group BP_tcp

nat (inside) 101 access-list BS_acl_1
nat (inside) 102 access-list BS_acl_2
nat (inside) 103 access-list BS_acl_3
nat (inside) 104 access-list BS_acl_4
nat (inside) 105 access-list BS_acl_5
nat (inside) 106 access-list BS_acl_6

global (outside) 101 BP_1
global (outside) 102 BP_2
global (outside) 103 BP_3
global (outside) 104 BP_4
global (outside) 105 BP_5
global (outside) 106 BP_6

The difference between these two configurations is

a) in the first configuration, the original source port from the workstation will arrive intact at the server

b) in the second configuration, the PIX will PAT (Port Address Translate) the original workstation source port, but uniquely for each IP

c) in the first configuration, if the outside access-list permits, the server would be able to initiate connections to -any- TCP port on the workstation, as long as the server used source port 6666 when it did so

d) in the second configuration, the server would not be able to initiate connections to the workstation.

e) in the first configuration, if the protocol should be UDP instead of TCP, then the server will be able to send UDP replies back to the workstation after longer than 30 seconds of idleness, as long as the server used port 6666 to send the replies.

f) in the second configuration, if the protocol should be UDP instead of TCP, then the server will be able to send UDP replies back to the workstation [using source port 6666] only if the connection has not been idle for more than 30 seconds; after 30 seconds, the replies would be blocked until the inside formed a new UDP stream. [The 30 second figure is a globally configurable parameter.]

Walter Roberson

Hey Walter,

Thanks for all the info. It will help me a lot. Can you tell me how to modify the global config for the 30 second time out?

KK

In article , KK wrote:
:Thanks for all the info. It will help me a lot. Can you tell me how to
:modify the global config for the 30 second time out?

A mistake in my posting: the default is 2 minutes, not 30 seconds. The minimum is 1 minute.

Walter Roberson
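As an added example (not from Walter's posts), a PIX 6.x fragment covering the UDP idle timer behind points e) and f) and KK's timeout question, plus the checks used to confirm which outside address each workstation actually received. Interface names, the 2 minute default and the 1 minute minimum come from the thread; the 0:05:00 value is an assumed choice, and the `!` lines are explanatory and not part of the configuration.

```text
! UDP translation idle timer. Default is 0:02:00, minimum 0:01:00.
! Lengthen it only if the business partner's UDP replies (source
! port 6666) are expected later than 2 minutes after the workstation's
! last packet; in Configuration #2 they are dropped once the entry expires.
timeout udp 0:05:00

! Translations already in the table keep their old mapping after a
! static/nat/global change; clear them so the new policy takes effect.
clear xlate

! Verification: the timer value, one outside address per workstation
! (BP_1..BP_6), and only the expected flows to BP port 6666.
show timeout
show xlate
show conn
```

In Configuration #1 the static entries are permanent, so the timer only matters for Configuration #2; the show xlate listing is what proves the one-to-one mapping the original post asked for.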
