3620 NAT and Access-Lists

Status
Not open for further replies.

nix45

I have a Cisco 3620 with dual T1's that we're going to use for our Internet connection. We have an address pool of about 15 public IPs that we'll use for our internal servers. Can someone please send me a link to a good howto on setting up NAT and access-lists, or maybe just a good explanation here.

Thanks,
Chris
 
Chris,

Why try and do all your NATing and security on the router when you have a perfectly good PIX firewall sitting there doing nothing? That could be protecting your servers and doing one to one static translations from the LAN address to a live IP address.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
You're right, how about this?

 T1      T1
 |       |
 |       |
 Cisco 3620
     |
     |
  PIX 515
     |
   switch
 | | | |      |
4 servers  Cisco 2621
              |
         Internal LAN


Chris
 
Are the servers web servers that the "outside" world see? If so, you could put all the servers in a DMZ off the PIX. This may be what your diagram is trying to depict, not sure.
 
Are you saying to add a third interface to the PIX and put the servers inside of that? Yes, the 4 servers are web servers.

Chris
 
Exactly. The PIX will have three, or more, interfaces. One that connects to the "outside", one "inside" and one "DMZ". This will isolate your servers from the internal network.
 
Here's the 'show version' output on the PIX 515. On the bottom, it says "Port Allowed: 2", under the "Licensed Options". I'm not sure what this means, but my guess is that we're only licensed to use 2 interfaces?


PIX# show ver

PIX Version 4.4(4)
Compiled on Thu 06-Jan-00 16:07 by pixbuild
PIX BIOS Cisco Secure PIX Firewall BIOS

PIX up 10 days 14 hours

Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
Flash strata @ base 0x300
0: ethernet0: address is 0050.54ff.5baa, irq 10
1: ethernet1: address is 0050.54ff.5bab, irq 7

Licensed Options:
Failover: Disabled
IPSec: Disabled
Ports allowed: 2

Serial Number: 480160311


Thanks,
Chris
 
First off, I would upgrade the software on this PIX. Next, on the 515 and above, the version of the license you have will determine how many interfaces will work. On the "restricted" license you can use three. "Unrestricted" gets you 6 on the 515.

So, long story short, you should be able to put another NIC in the PIX and be good to go.

 
Which version of the software should I upgrade to? We have the restricted license, and I was told that you can only use two interfaces with this license? Where can I find info on this?

Chris
 
Thanks for the link. Looks like I need to upgrade to the 5.1+ software.

Quick question... I already know that we have a restricted license, but if I didn't know this, how could I tell? The show version command doesn't tell you.

Chris
 
Once you upgrade, a show ver will give you a little more info.

 