
PIX address translation


pirateclem (Technical User), Feb 4, 2005
I am setting up address translation for a device which will be placed in my network. I want to do this as securely as possible, but will not be able to place the device in the DMZ. I thought I had this figured out a couple months ago, but the project died and I forgot about it. Well, the project is back and I just heard the device will be here soon. Surprise! Here is my conundrum:

I am relatively new to the PIX 515 we are using. I need to forward data as securely as possible from: (IPs masked to hide the innocent)

their network:

1.1.1.2 /27
1.1.1.3 /28

to my network:

I will use this as the outside routable address for this device:

2.2.2.3 /27

Need to then send this data to inside:

192.1.1.3 /24 ports 15000 and 15001 only


the firewall's outside address is:

2.2.2.2 /27

firewall inside:

192.1.1.2 /24

There should be routes for everything above. (Hopefully; where should I double check this?)

As I understand it, I need to:
1.) create a static address translation for the incoming traffic
static (outside, inside) 2.2.2.3 15000 192.1.1.3 15000 netmask 255.255.255.255
static (outside, inside) 2.2.2.3 15001 192.1.1.3 15001 netmask 255.255.255.255

2.) lock down the access list to only allow traffic from the other network
access-list inbound permit tcp host 1.1.1.2 host 192.1.1.3 eq 15000
access-list inbound permit tcp host 1.1.1.2 host 192.1.1.3 eq 15001
access-list inbound permit tcp host 1.1.1.3 host 192.1.1.3 eq 15000
access-list inbound permit tcp host 1.1.1.3 host 192.1.1.3 eq 15001

Am I correct? Am I missing anything? Does this make sense? What would the syntax for the changes be specifically?
 
The static statement should be as follows;

If 192.1.1.3 is the inside host and x.x.x.y is the global outside address ..

static (inside,outside) x.x.x.y 192.1.1.3 netmask 255.255.255.255

You would then use an access list to tie down access to that device.

access-list inbound permit tcp host 1.1.1.2 host x.x.x.y eq 15000
access-list inbound permit tcp host 1.1.1.2 host x.x.x.y eq 15001

access-group inbound in interface outside

Chris.


**********************
Chris A.C, CCNA, CCSA
**********************
 
Guess I had the static statement backwards, and need to lock down packets at the outside address level rather than inside correct?

Thanks!
 
Correct.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Thank you for the assistance. One more question. Our firewall currently has some address translation entries for the DMZ which have additional info tagged onto the end of the statement, such as:

static (dmz, outside) box1 box1 netmask 255.255.255.255 5000 2500

What does 5000 and 2500 denote?
 
The first number is the maximum number of connections allowed to that box, i.e. 5000. The second number is called the 'embryonic limit'. Basically it's the number of half-open TCP connections allowed, i.e. the client sends a SYN packet to the server and the server responds back with a SYN-ACK. At this point the connection is half open. Once the client sends back an ACK to the server the three-way handshake is complete and the connection is open.

The 'embryonic limit' protects servers against SYN flood attacks, and once the limit is reached the PIX steps in and starts to proxy three-way handshakes on behalf of the server until the embryonic count drops below its threshold again.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
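Pulling the thread together, here is an added example (not posted by anyone in the thread) of a consolidated PIX 6.x configuration for the scenario above: the static and access-list from Chris's first reply, with the real addresses substituted for x.x.x.y and both partner hosts included, plus the max-connections and embryonic-limit values from the last reply. The interface names `inside`/`outside` and the values 5000/2500 are assumed for illustration; the port-level `static ... tcp` form is PIX 6.2+ port redirection, used here so only the two required ports are exposed on 2.2.2.3 rather than the whole host.

```cisco
! Added example, not from the thread. Assumed: interfaces named inside/outside,
! PIX software 6.2 or later, limits 5000 (max conns) / 2500 (embryonic).
!
! Port-level statics: only TCP 15000 and 15001 on the global address 2.2.2.3
! are translated to 192.1.1.3. The trailing "5000 2500" are the connection
! limit and the embryonic (half-open) limit explained in the thread.
static (inside,outside) tcp 2.2.2.3 15000 192.1.1.3 15000 netmask 255.255.255.255 5000 2500
static (inside,outside) tcp 2.2.2.3 15001 192.1.1.3 15001 netmask 255.255.255.255 5000 2500
!
! The inbound ACL on the outside interface matches the global (translated)
! address, as noted in the thread. Only the two partner hosts and the two
! ports are permitted; everything else hits the implicit deny.
access-list inbound permit tcp host 1.1.1.2 host 2.2.2.3 eq 15000
access-list inbound permit tcp host 1.1.1.2 host 2.2.2.3 eq 15001
access-list inbound permit tcp host 1.1.1.3 host 2.2.2.3 eq 15000
access-list inbound permit tcp host 1.1.1.3 host 2.2.2.3 eq 15001
!
! Bind the ACL inbound on the outside interface.
access-group inbound in interface outside
!
! Verification after applying:
!   show static       - confirms the two translation entries and their limits
!   show access-list  - per-entry hit counts (useful to confirm partner traffic
!                       is matching and nothing else is being permitted)
!   show conn         - live connections through the PIX, including half-open ones
```

With the full-host `static (inside,outside) 2.2.2.3 192.1.1.3 ...` form from the reply, the ACL alone does the port restriction; the port-level form above additionally keeps the other ports of 192.1.1.3 unreachable from outside even if the ACL is later loosened.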
 