Please help with PIX command

Can someone please explain the following command in PIX:

static (inside,outside) 109.978.196.213 trig1 netmask 255.255.255.255 0

Reply to
soup_or_power

Please also comment on the following pix commands:

global (outside) 1 109.978.196.220-209.178.196.221
global (outside) 1 109.978.196.219
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) sfg 109.978.196.216 255.255.255.255

Reply to
soup_or_power

-It means that the inside PC with the IP address [trig1] will be statically translated and be seen on the outside with the address

109.978.196.213

-The IP address of trig1 is defined with the command

name [ip address] trig1

-109.978.196.213 is not a valid address, so I guess you have a typo here.

Reply to
mcaissie

This command will configure a NAT translation such that you can reach inside server trig1 from the outside Interface using 109.978.196.213. Think of an inside web server trig1 that you want to make accessible from outside using 109.978.196.213 address.

But then that web server should really be in a DMZ :-) static (dmz, outside)

Oops, 978 is an invalid IP number; it does not fit in 8 bits. :-)

It would have a corresponding command such as

name 172.21.14.14 trig1

Reply to
jrguent

Our resident expert says that without an access-list directive outsiders cannot access this IP. So my question is: is there any reason to have static entries when the intention is not to provide outside access? BTW, I checked out the Cisco web site, where they say that after declaring an alias (DNS doctoring) one MUST provide static entries followed by an access-list. Why can't Cisco combine all these and give us a single command for when we want to: a) resolve DNS, and b) provide access?

I know the max has to be 255. My error. Thanks!

Reply to
soup_or_power

On what port does the connection happen? IOW, do we need an access-list entry corresponding to this server? If so, which IP would be used (inside or outside)?

Thanks

Reply to
soup_or_power

Also, something needs to be said about the syntax: static (inside, outside) would normally imply that the first IP is the inside IP. Alas, that is not how Cisco designed it. Can we switch inside and outside as follows:

static (outside, inside) ?

Many thanks

Reply to
soup_or_power

Yes, you need an access-list to permit access to the interior server.

In fact, three general configuration statements are always needed.

1) NAT translation or NAT exemption configuration
2) access-list configuration
3) Configured route table with the necessary route information
Reply to
jrguent

Static entries are generally used to provide the NAT translation needed to traverse from lower to higher security interfaces.

Global and nat commands are generally used when traversing from higher to lower security interfaces or zones.

If you do not intend to provide access from outside to inside there is generally no reason to configure static translations.

Reply to
jrguent

The static command works the following way: think pre-NAT and post-NAT.

static (pre-nat interface, post-nat interface) post-nat interface pre-nat interface

static (outside, inside)

static (inside, outside)

Reply to
jrguent
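Putting jrguent's three required statements and the pre-NAT/post-NAT ordering together, here is an added, self-contained PIX 6.x fragment written for this page; it is example configuration, not the poster's config and not text from Cisco's documentation. The inside address 172.21.14.14, the public addresses in 203.0.113.0/24 and the next hop 203.0.113.1 are assumed placeholders (the thread's own public addresses are garbled); only the host name trig1 and the command forms come from the thread. It also answers the earlier question about which address and port go in the access-list: on PIX 6.x the ACL bound to the outside interface matches the mapped (outside) address, and the port is named in the access-list entry, not in the static. Lines beginning with ":" are comments in PIX configuration files.

```text
: Added example (not from the original thread). PIX 6.x syntax.
: Assumed addresses: inside server 172.21.14.14, public address
: 203.0.113.213 (placeholders, not the poster's real addresses).
name 172.21.14.14 trig1

: 1) Translation. Order is static (real_ifc,mapped_ifc) mapped_ip real_ip,
:    i.e. the post-NAT address comes first, the pre-NAT address second.
:    Trailing "0 0" = no connection limit, no embryonic-connection limit.
static (inside,outside) 203.0.113.213 trig1 netmask 255.255.255.255 0 0

: 2) Access. The static alone lets nothing in from a lower-security
:    interface; the ACL on "outside" must permit it, and on PIX 6.x it
:    matches the mapped (outside) address and carries the port.
access-list outside_in permit tcp any host 203.0.113.213 eq www
access-list outside_in permit tcp any host 203.0.113.213 eq https
access-group outside_in in interface outside

: Outbound (higher -> lower security) uses nat/global, not static.
: Two globals in the same ID: a pool first, then a single PAT address
: used once the pool is exhausted.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 203.0.113.220-203.0.113.221
global (outside) 1 203.0.113.219

: 3) Routing. Default route toward the ISP next hop (assumed 203.0.113.1).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

To verify on the box, show xlate lists the static translation for trig1 and show access-list shows hit counts on outside_in once traffic arrives. If the service should be reachable on one port only, a port static, static (inside,outside) tcp 203.0.113.213 www trig1 www netmask 255.255.255.255 0 0, narrows the translation itself to TCP/80 in addition to the ACL. If trig1 moves to a DMZ, as suggested earlier in the thread, the interface pair becomes (dmz,outside) and the access-list stays bound to outside; the rest is unchanged.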

Many thanks to jrguent. I have the following entries in the PIX firewall. I referred to Cisco's online documentation but it is still not clear to me. In particular, what are crypto and isakmp meant for?

timeout xlate 3:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http corp-smtp2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set iexpect esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map corp 1 ipsec-isakmp
crypto map corp 1 match address ipsec
crypto map corp 1 set peer 216.74.138.157
crypto map corp 1 set transform-set iexpect
crypto map corp 10 ipsec-isakmp dynamic dynmap
crypto map corp client configuration address initiate
crypto map corp client configuration address respond
crypto map corp interface outside
isakmp enable outside
isakmp key ******** address 216.74.138.157 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup corphome address-pool corp-home
vpngroup corphome dns-server 192.168.1.6
vpngroup corphome wins-server 192.168.1.6
vpngroup corphome default-domain corp.iexpect.com
vpngroup corphome idle-time 1800
vpngroup corphome password ********
telnet corp-smtp 255.255.255.255 inside
telnet 192.168.5.2 255.255.255.255 inside
telnet 192.168.11.0 255.255.255.0 inside
telnet 192.168.5.0 255.255.255.0 inside
telnet njrep1 255.255.255.255 inside
telnet corp-smtp2 255.255.255.255 inside
telnet timeout 5
ssh njrep1 255.255.255.255 inside
ssh timeout 5
terminal width 80
Cryptochecksum:1b6c721c7410cc1105ef778107541f
Reply to
soup_or_power

Short answer ... VPN config.

Reply to
chris

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.