Cisco PIX Setup Assistance Requested

Hi

I'm attempting to set up a Cisco PIX 506E to replace our old firewall (which was a PC running Linux).

We have a single primary IP address and an additional block of 8 IP addresses which are routed through the primary address.

Our primary IP address is x.y.66.72 and our allocated block of addresses is x.y.77.152 - 158.

We have various machines on our 192.168.1.0 LAN which need to have visibility on x.y.77.153 and x.y.77.154.

I can't for the life of me get it working.

ACLs are all set up and allowing traffic - I cannot work out how to set up the NAT though.

No matter what I do, I get "no translation group found" errors. I'm using the GUI to manage the setup procedure but I'm not afraid of using the CLI if necessary.

I'm having difficulty understanding where the x.y.77.153 addresses fall in the scheme of things as well - they are "outside" addresses but I can't see where to specify them in the context of the NAT rules. They are not source addresses, rather they are destination addresses. I don't understand how to specify NAT rules based upon these destination addresses.

I apologise in advance if I've been extremely dim and missed the point.

Thanks for your help.

Steve

Reply to
stevelup

You have an uncommon setup. I'd try like this:

no fixup protocol smtp 25

access-list Incoming permit tcp any host x.y.77.153 eq smtp

access-list Incoming permit tcp any host x.y.77.154 eq http

access-list Outgoing permit ip 192.168.1.0 255.255.255.0 any

ip address outside x.y.66.72 255.255.255.???

ip address inside 192.168.1.1 255.255.255.0

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

static (inside,outside) x.y.77.153 192.168.1.X netmask 255.255.255.255 0 0

static (inside,outside) x.y.77.154 192.168.1.Y netmask 255.255.255.255 0 0

access-group Incoming in interface outside

access-group Outgoing in interface inside

route outside 0.0.0.0 0.0.0.0 x.y.66.??? 1

If you need to share the same public IP between several inside hosts then you have to do the static lines like this:

static (inside,outside) tcp x.y.77.153 25 192.168.1.X 25 netmask 255.255.255.255

static (inside,outside) tcp x.y.77.153 80 192.168.1.Y 80 netmask 255.255.255.255

And if you want to use one of the x.y.77.15z addresses as the PAT address then the global line should be:

global (outside) 1 x.y.77.15z netmask 255.255.255.?

(Hmm, are you sure that the range is x.y.77.152 - 158 ? That's only seven IPs and cannot be correctly masked.)

Reply to
Jyri Korhonen
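
An added example, not part of the original posts: a Python check that reads PIX 6.x-style `nat`, `global` and `static` lines and reports whether an inside host has an outbound translation, the condition behind "no translation group found". The 203.0.113.x addresses stand in for x.y.77.x, the host numbers and function names are constructed, and only the plain command forms used in this thread are parsed.

```python
import ipaddress

# Constructed configs: 203.0.113.x stands in for x.y.77.x, and the host
# numbers .10 and .20 are made up. BROKEN has a nat network that misses the LAN.
BROKEN = """\
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) 203.0.113.153 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.154 80 192.168.1.20 80 netmask 255.255.255.255
"""
FIXED = BROKEN.replace("192.168.0.0", "192.168.1.0")


def parse(config):
    """Return (nat networks by id, global ids, host statics real->mapped)."""
    nats, pools, statics = {}, set(), {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["nat"] and len(t) >= 5:
            net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            nats.setdefault(t[2], []).append(net)
        elif t[:1] == ["global"] and len(t) >= 4:
            pools.add(t[2])
        elif t[:1] == ["static"] and len(t) >= 4 and t[2] not in ("tcp", "udp"):
            # Assumption: a tcp/udp port static only covers that one port, so
            # it is not counted as an outbound translation for the host.
            statics[t[3]] = t[2]
    return nats, pools, statics


def outbound_translation(config, host):
    """Describe the rule that translates `host` outbound, or None when no
    rule matches (the case behind "no translation group found")."""
    nats, pools, statics = parse(config)
    if host in statics:
        return f"static {statics[host]}"
    addr = ipaddress.ip_address(host)
    for nat_id, nets in nats.items():
        if any(addr in net for net in nets):
            if nat_id == "0":
                return "nat 0 (no translation)"
            if nat_id in pools:
                return f"nat/global id {nat_id}"
    return None


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        for host in ("192.168.1.10", "192.168.1.20", "192.168.1.30"):
            print(name, host, outbound_translation(cfg, host))
```
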

Many thanks - I'll give that a try today.

That was indeed a typo. The range is 152 - 159 (/29)

I appreciate your help and I'll get back to you and let you know how I got on.

Cheers,

Steve

Reply to
stevelup

Hi

Many thanks - everything is working fine now.

I was being confused by the (to my view anyway!) backwards way that translation rules seem to work in PDM. I now understand it.

Cheers,

Steve

Reply to
stevelup
