











Moving NAT to my Firewall
beenframed
Senior Member

Registered: Sep 2000 Location: NYC Country: USA State: Certifications: A+ Working on:
Total Posts: 396
Moving NAT to my Firewall
I am currently running NAT on my border router. I want to move NAT inside of that border router to a PIX firewall. I have static inside source static commands, a nat overload statement and a few interfaces with NAT enabled.
What are the commands to enable this on a PIX firewall?
1. To enable NAT on a router's interface I would do IP NAT INSIDE, is this the same on the firewall?
2. To use a NATTED ip for my internal users internet connections I used:
ip nat pool natip (Public IP) (Public IP) netmask 255.255.255.248
ip nat inside source list 1 pool natip overload
with the source access list 1 permitting my internal subnet.
Is this done the same way on a PIX?
3. Lastly on my router I have "ip nat inside source static 10.0.0.20 (public IP)" commands. How do I convert these to similar statements that will work for me on the firewall?
Thanks for any info you can provide!!
-bf
__________________
BeenFramed
11-20-01 04:26 PM
haseeb_eng
Senior Member M

Registered: Oct 2001 Location: Kuwait City Country: Kuwait State: Certifications: CCNA, CCDA, CCNP, CCDP, CCSP, Content Networking, Wireless LAN Design Spec. Working on: PMP CCIE (R&S) MBA
Total Posts: 1165
11-21-01 07:15 AM
MadChef
A Huge Fake
Registered: Sep 2000 Location: Country: USA State: Certifications: Working on: A Sex Farm
Total Posts: 1426
Re: Moving NAT to my Firewall
quote: Originally posted by beenframed
1. To enable NAT on a router's interface I would do IP NAT INSIDE, is this the same on the firewall?
You would do this:
nat (inside) 1 [network] [mask]
To allow users with the address on the 10.0.0.0 /24 network to be nat'd, it would look like this:
nat (inside) 1 10.0.0.0 255.255.255.0
To allow all users on the inside to start connections (more common):
nat (inside) 1 0 0
The 1 turns nat on using a global pool with the same number (a 0 turns it off). 0.0.0.0 0.0.0.0 is abbreviated 0 0.
quote:
2. To use a NATTED ip for my internal users internet connections I used:
ip nat pool natip (Public IP) (Public IP) netmask 255.255.255.248
ip nat inside source list 1 pool natip overload
with the source access list 1 permitting my internal subnet.
Is this done the same way on a PIX?
Now you combine the global statement with your nat statement. Let's say your outside routable IP addresses are 1.1.1.0 /24. You want to use addresses 1.1.1.10 - 1.1.1.15 for NAT and you want 1.1.1.16 to be used for PAT, or overloaded. Your config would look like this:
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 1.1.1.10-1.1.1.15 netmask 255.255.255.0
global (outside) 1 1.1.1.16 netmask 255.255.255.0
The 1 serves to link the nat statement with the global statement. Just as you can have multiple global statements using the "1" identifier (think of it as your natpool name), you can have multiple nat 1 statements identifying several interior networks. You could also create a global 1 pool and a global 2 pool. Networks identified with the nat 1 statement use the global 1 pool. Networks identified with the nat 2 statement will use the global 2 pool, etc.
quote:
3. Lastly on my router I have "ip nat inside source static 10.0.0.20 (public IP)" commands. How do convert these to similiar statements that will work for me on the firewall?
This makes use of the static command. Let's say you want to translate the outside address of 1.1.1.20 to 10.0.0.20.
static (inside, outside) 1.1.1.20 10.0.0.20
Notice the somewhat unusual syntax. It's
static (inside, outside) outside_ip inside_ip
You didn't mention anything about a third interface for a DMZ, so I didn't include anything about that because it complicates the config somewhat depending on how you want to do nat from the interior to the dmz.
I hope this made some sense. Let me know if you have any questions.
MadChef
11-21-01 11:50 AM
007
Senior Member
Registered: Sep 2000 Location: Country: State: Certifications: Working on:
Total Posts: 289
I would like to say that this post is great. I have been a member of this forum for a long time, and this post is what this forum should be about. It's a shame these days there are more posts about test questions and not enough about learning the technology.
11-21-01 06:01 PM
MadChef
A Huge Fake
Registered: Sep 2000 Location: Country: USA State: Certifications: Working on: A Sex Farm
Total Posts: 1426
11-22-01 10:13 AM
beenframed
Senior Member

Registered: Sep 2000 Location: NYC Country: USA State: Certifications: A+ Working on:
Total Posts: 396
MC, thanks for your help with those NAT configs. You hit them all right on the money and that part of my day went as smooth as could be expected. Thanks again.
I did run into one little issue regarding NAT. As you know I originally had NAT on my border router. In my static NAT mappings (on the router) I had mappings to the same public address for my internal VPN server and corporate web site; of course the corp site was mapped to port 80. This config worked fine on the router, however when I tried to play this config on the firewall I found that the static commands don't let you map 2 internals to one external regardless of port mappings. Not a huge problem, I had extra external IPs and I just remapped the VPN to one of the free ones, and also had to place a call to my ISP to get the DNS entry for vpn.bigcompany.com changed. I found it a little weird that I could do the port thing on a router but not the firewall, but hey.
All in all the day was a success: I moved NAT onto the firewall, replaced the border router with a 2600, replaced an internal router with a 3640, reconfigured an IPSec VPN to work on 1 interface rather than 2 and moved two T1s inside of the firewall.
The kiddies want to watch "The Crocodile Hunter" with me so I'm calling it a day.
-bf
PS- hey Chef, I noticed you're coming up on a thousand posts, good work. Maybe they'll give you a keychain or something, ya never know.
Thanks for all the help.
__________________
BeenFramed
Last edited by beenframed on 11-24-01 at 02:28 AM
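The IOS-to-PIX mapping MadChef lays out above (nat and global lines linked by an id, a single-address global for PAT, and static written as outside_ip then inside_ip), together with beenframed's follow-up that a PIX static would not let two inside hosts share one public address, as an added Python example that is not from the thread or from either poster. The script, the sample router config and the 192.0.2.x addresses are constructed here; the choice to split the last pool address off as the PAT address is this script's own reading of the "overload" keyword, not something the thread states.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed IOS NAT snippet modelled on the thread. 192.0.2.x stands in for
# the "(Public IP)" placeholders; the last two statics share one public address
# the way the poster's VPN server and port-80 web site did.
SAMPLE_IOS = """\
ip nat pool natip 192.0.2.10 192.0.2.15 netmask 255.255.255.248
ip nat inside source list 1 pool natip overload
ip nat inside source static 10.0.0.20 192.0.2.20
ip nat inside source static tcp 10.0.0.30 80 192.0.2.21 80
ip nat inside source static 10.0.0.31 192.0.2.21
access-list 1 permit 10.0.0.0 0.0.0.255
"""


def wildcard_to_mask(wildcard):
    """IOS access-lists carry wildcard bits; the PIX nat command wants a subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))))


def parse_ios(text):
    """Pick out the IOS statement types the thread discusses."""
    cfg = {"pools": {}, "acls": defaultdict(list), "overloads": [], "statics": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip nat pool (\S+) (\S+) (\S+) netmask (\S+)", line):
            cfg["pools"][m[1]] = (m[2], m[3], m[4])
        elif m := re.fullmatch(r"ip nat inside source list (\S+) pool (\S+)( overload)?", line):
            cfg["overloads"].append((m[1], m[2], m[3] is not None))
        elif m := re.fullmatch(r"ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)", line):
            cfg["statics"].append({"local": m[1], "global": m[3], "port": int(m[2])})
        elif m := re.fullmatch(r"ip nat inside source static (\S+) (\S+)", line):
            cfg["statics"].append({"local": m[1], "global": m[2], "port": None})
        elif m := re.fullmatch(r"access-list (\S+) permit (\S+) (\S+)", line):
            cfg["acls"][m[1]].append((m[2], wildcard_to_mask(m[3])))
    return cfg


def translate(text):
    """Return (pix_lines, warnings) for an IOS NAT snippet."""
    cfg = parse_ios(text)
    lines, warnings = [], []
    for nat_id, (acl_id, pool_name, overload) in enumerate(cfg["overloads"], start=1):
        # nat (inside) N names each inside network; global (outside) N supplies its addresses.
        for net, mask in cfg["acls"][acl_id]:
            lines.append(f"nat (inside) {nat_id} {net} {mask}")
        start, end, mask = cfg["pools"][pool_name]
        if overload and start != end:
            # Design choice (assumption): IOS overloads the whole pool, but the thread
            # uses a single-address global for PAT, so the pool's last address is split off.
            nat_end = str(ipaddress.IPv4Address(end) - 1)
            lines.append(f"global (outside) {nat_id} {start}-{nat_end} netmask {mask}")
            lines.append(f"global (outside) {nat_id} {end} netmask {mask}")
        elif start != end:
            lines.append(f"global (outside) {nat_id} {start}-{end} netmask {mask}")
        else:
            lines.append(f"global (outside) {nat_id} {start} netmask {mask}")
    owner = {}  # public address -> inside host that already holds a static for it
    for s in cfg["statics"]:
        held = owner.get(s["global"])
        if held is not None and held != s["local"]:
            # The conflict beenframed hit: one public address, two inside hosts.
            warnings.append(
                f"{s['global']} is already static-mapped to {held}; the static form used in "
                f"the thread cannot also map it to {s['local']}, so {s['local']} needs its own public IP"
            )
            continue
        if s["port"] is not None:
            warnings.append(
                f"port-level static for {s['local']}:{s['port']} widened to a whole-address static on {s['global']}"
            )
        owner[s["global"]] = s["local"]
        lines.append(f"static (inside,outside) {s['global']} {s['local']}")
    return lines, warnings


if __name__ == "__main__":
    pix, notes = translate(SAMPLE_IOS)
    print("\n".join(pix))
    for note in notes:
        print("WARNING:", note)
```

Running it on the constructed snippet prints one nat line, a range global plus a single-address global both tagged 1, and two statics; the third static is held back with a warning naming the public address already in use, which is the check that would have flagged the VPN/web clash before the cutover rather than during it.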
11-24-01 12:45 AM