Cisco Systems EDCS-154011 Home Theater Server User Manual

Copyright © 2001 Cisco Systems, Inc. Page 7 of 11
Table 1: Two Interface PIX with NAT Configuration

Configuration:
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  interface ethernet0 10baset
  interface ethernet1 10baset
Description:
  PIX Firewall provides nameif and interface command statements for the
  interfaces in the default configuration. Change the default auto option in
  the interface command to the specific line speed for the interface card.

Configuration:
  fixup protocol h323 1720
Description:
  The fixup protocol commands let you view, change, enable, or disable the
  use of a service or protocol through the PIX Firewall. This command appears
  in the configuration by default.

Configuration:
  ip address outside 209.165.201.5 255.255.255.224
  ip address inside 10.1.1.5 255.255.255.0
Description:
  Identify the IP addresses for both interfaces.

Configuration:
  arp timeout 14400
Description:
  Set the ARP timeout to 14,400 seconds (four hours). Entries are kept in the
  ARP table for four hours before they are flushed.

Configuration:
  nat (inside) 1 0 0
Description:
  Permit all inside users to start outbound connections using the translated
  IP addresses from the global pool.

Configuration:
  global (outside) 1 209.165.201.10-209.165.201.30
  global (outside) 1 209.165.201.8
Description:
  Create a pool of global addresses for use when connections exit the
  firewall from the protected networks to the unprotected networks. The
  global command statement is associated with a nat command statement by the
  NAT ID, which in this example is 1. Because there are limited IP addresses
  in the pool, a PAT (Port Address Translation) global is added to handle
  overflow.

Configuration:
  route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
Description:
  Sets the outside default route to the router attached to the Internet.

Configuration:
  static (inside,outside) 209.165.201.10 10.1.1.10 netmask 255.255.255.255 0 0
  static (inside,outside) 209.165.201.20 10.1.1.20 netmask 255.255.255.255 0 0
  static (inside,outside) 209.165.201.30 10.1.1.30 netmask 255.255.255.255 0 0
Description:
  The static command creates a permanent mapping (called a static translation
  slot or "xlate") between a local IP address and a global IP address. This
  is needed in a NAT environment to allow inbound H.323 calls.

Configuration:
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
Description:
  Sets default values for the maximum duration that PIX Firewall resources
  can remain idle until being freed. Additional users cannot make connections
  until a connection resource is freed, either by a user dropping a
  connection or by the xlate and conn timers timing out.

Configuration:
  access-list acl_out permit icmp any any
  access-group acl_out in interface outside
Description:
  Allows inbound and outbound pings.

Configuration:
  access-list acl_out permit udp any host 209.165.201.10 eq 1719
  access-list acl_out permit tcp any host 209.165.201.20 eq h323
  access-list acl_out permit tcp any host 209.165.201.30 eq 2720
Description:
  The access-list command lets you specify whether an IP address is permitted
  or denied access to a port or protocol. Port 1719 needs to be opened for
  Gatekeeper traffic, port 2720 for the Cisco 3510 MCU, and port 1820 for the
  Cisco 3520/3525 Gateway.

Configuration:
  no snmp-server location
  no snmp-server contact
  snmp-server community public
Description:
  Specifies that SNMP information may be accessed by internal hosts that know
  the community string, but PIX Firewall does not send trap information to
  any host.

Configuration:
  telnet 10.0.0.100 255.255.255.255
  telnet timeout 15
Description:
  Specifies that host 10.0.0.100 is permitted to access the PIX Firewall
  console via Telnet and that 15 minutes are allowed before the idle timer
  runs out and the session is logged off.

Configuration:
  mtu outside 1500
  mtu inside 1500
Description:
  Sets the maximum transmission unit value for Ethernet access.
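As an added worked example (this script is not part of the Cisco manual), the following Python parses the global, static and access-list statements of Table 1 and resolves each inbound permit through its static xlate, so an administrator can see which inside hosts and ports the outside interface actually exposes; it also lists statics whose global address falls inside the dynamic pool range. It assumes the service name h323 resolves to port 1720, as the fixup line in the table uses, and that the input is the table's statements joined onto single lines.

```python
import re
import ipaddress

# Constructed input: the global, static and access-list statements of Table 1,
# one statement per line (lines wrapped in the manual are joined here).
PIX_CONFIG = """
global (outside) 1 209.165.201.10-209.165.201.30
global (outside) 1 209.165.201.8
static (inside,outside) 209.165.201.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 209.165.201.20 10.1.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 209.165.201.30 10.1.1.30 netmask 255.255.255.255 0 0
access-list acl_out permit icmp any any
access-list acl_out permit udp any host 209.165.201.10 eq 1719
access-list acl_out permit tcp any host 209.165.201.20 eq h323
access-list acl_out permit tcp any host 209.165.201.30 eq 2720
access-group acl_out in interface outside
"""

# Service names an ACL may use in place of a number; h323 is 1720, matching
# the fixup line in Table 1 (assumption: extend for other names in a real config).
PORT_NAMES = {"h323": 1720}

def parse_statics(cfg):
    """Map each static's global (outside) address to its local (inside) address."""
    pat = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask", re.M)
    return dict(pat.findall(cfg))

def inbound_exposure(cfg, acl="acl_out"):
    """Resolve each host-specific permit in the ACL through the static xlate.
    Returns (reached, unmapped): reached lists (proto, inside_host, port) the
    outside can reach; unmapped lists permits whose destination has no static."""
    statics = parse_statics(cfg)
    pat = re.compile(rf"^access-list {acl} permit (tcp|udp) any host (\S+) eq (\S+)", re.M)
    reached, unmapped = [], []
    for proto, host, port in pat.findall(cfg):
        entry = (proto, statics.get(host, host), int(PORT_NAMES.get(port, port)))
        (reached if host in statics else unmapped).append(entry)
    return reached, unmapped

def statics_inside_dynamic_pool(cfg):
    """Statics whose global address also falls inside a dynamic global range.
    A global address should serve either a static or the pool, so these are
    the entries to review first when an inbound call does not reach its host."""
    ranges = re.findall(r"^global \(outside\) \d+ (\S+)-(\S+)$", cfg, re.M)
    pools = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in ranges]
    return [g for g in parse_statics(cfg)
            if any(a <= ipaddress.ip_address(g) <= b for a, b in pools)]
```

Run against the table's statements, the script shows the three inbound permits landing on 10.1.1.10:1719 (UDP), 10.1.1.20:1720 and 10.1.1.30:2720 (TCP), and reports all three statics as overlapping the 209.165.201.10-209.165.201.30 pool.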