PIX Inbound NAT configuration

I've hit a bit of a brick wall trying to configure my new firewall, and I'm looking for some direction, as what I want to do wasn't really covered in the training course.

I want to do an inbound NAT on an IP address which is contained in a subnet which is also on the PIX and turn it into an internal address - but ONLY for selected ports.

It looks something like this {Warning: Bad ASCII drawing follows}

    Internet
       |
       |
    Firewall
     |    |
     |    |
    DMZ | Internal

The DMZ has an IP address range - call it 172.16.78.192/28. The Inside has 10.67.0.0/16. I want to take IP address 172.16.78.199 and translate it to 10.67.97.10 but ONLY if connections come in on ports 25, 110 or 80 directed to this address only {incoming on those ports to other addresses should be sent elsewhere}.

The addresses in the DMZ are non-RFC1918, and match the subnet mask specified.

Basically, I want an inbound connection attempt on port 25 directed to the external .199 address to be translated and connected to the internal .10 address.

Anyone wanna throw a hint my way? I'm being lazy and using the ASDM module to give me a GUI configuration, but I'll dial into the command line if necessary and put the commands in manually if someone can clue me in. PIX 515E in use, running 7.0.1 software, unrestricted license.

Thanks

DaZZa

Reply to
DaZZa

I am currently configuring a client to PIX router and I know that I need a VPN that uses ISAKMP, but the steps that I am using must be wrong, so I wonder if anyone has some suggestions.

Reply to
dreday

First you have to deny the 10.x.x.x IP from the access list used on the interface; after that you have to apply static NAT for the inbound connection. E.g.

access-list out_to_in permit tcp any host 172.16.x.x eq 25

static (inside,outside) 172.16.x.x 10.x.x.x netmask 255.255.255.255 0 0

access-group out_to_in in interface outside

Try this one..........

Thanks CK-NET

Reply to
NETADMIN
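Added example, not part of any poster's message: the one-to-one static in the reply above translates every port on the mapped address and leaves the access list as the only limit, whereas a per-port static (static PAT) creates the translation only for the listed ports. The interface names and access-list name come from the reply and the addresses from the question; that traffic for 172.16.78.199 already arrives on the outside interface is an assumption.

```cisco
: Added example for PIX 7.0; not from the thread.
: Assumes interfaces named "inside" and "outside" as in the reply, and that
: traffic for 172.16.78.199 already reaches the outside interface.
:
: One-to-one form from the reply, shown for comparison only (do not combine
: it with the per-port statics below; both claim the same mapped address):
:   static (inside,outside) 172.16.78.199 10.67.97.10 netmask 255.255.255.255
:
: Per-port statics: only TCP 25, 110 and 80 on .199 are translated to .10.
static (inside,outside) tcp 172.16.78.199 25 10.67.97.10 25 netmask 255.255.255.255
static (inside,outside) tcp 172.16.78.199 110 10.67.97.10 110 netmask 255.255.255.255
static (inside,outside) tcp 172.16.78.199 80 10.67.97.10 80 netmask 255.255.255.255
:
: Permit only those ports to the mapped address. The implicit deny at the end
: of the list drops anything else arriving on the outside interface, so other
: hosts that must stay reachable need their own permit entries.
access-list out_to_in permit tcp any host 172.16.78.199 eq 25
access-list out_to_in permit tcp any host 172.16.78.199 eq 110
access-list out_to_in permit tcp any host 172.16.78.199 eq 80
access-group out_to_in in interface outside
```

`show xlate` lists the resulting port translations, and `show access-list out_to_in` shows a hit count for each entry.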
