Table 1: Two Interface PIX with NAT Configuration

| Configuration | Description |
|---|---|
| nameif ethernet0 outside security0 | PIX Firewall provides nameif and interface command statements for the interfaces in the default configuration. Change the default auto option in the interface command to the specific line speed for the interface card. |
| nameif ethernet1 inside security100 | |
| interface ethernet0 10baset | |
| interface ethernet1 10baset | |
| fixup protocol h323 1720 | The fixup protocol commands let you view, change, enable, or disable the use of a service or protocol through the PIX Firewall. This command will show up in the configuration by default. |
| ip address outside 209.165.201.5 255.255.255.224 | Identify the IP addresses for both interfaces. |
| ip address inside 10.1.1.5 255.255.255.0 | |
| arp timeout 14400 | Set the ARP timeout to 14,400 seconds (four hours). Entries are kept in the ARP table for four hours before they are flushed. |
| nat (inside) 1 0 0 | Permit all inside users to start outbound connections using the translated IP addresses from the global pool. |
| global (outside) 1 | Create a pool of global addresses for use when exiting the firewall from the protected networks to the unprotected networks. The global command statement is associated with a nat command statement by the NAT ID, which in this example is 1. Because there are limited IP addresses in the pool, a PAT (Port Address Translation) global is added to handle overflow. |
| global (outside) 1 209.165.201.8 | |
| route outside 0.0.0.0 0.0.0.0 209.165.201.1 1 | Sets the outside default route to the router attached to the Internet. |
| static (inside,outside) 209.165.201.10 10.1.1.10 netmask 255.255.255.255 0 0 | The static command creates a permanent mapping (called a static translation slot or "xlate") between a local IP address and a global IP address. Needed in a NAT environment to allow inbound H.323 calls. |
| static (inside,outside) 209.165.201.20 10.1.1.20 netmask 255.255.255.255 0 0 | |
| static (inside,outside) 209.165.201.30 10.1.1.30 netmask 255.255.255.255 0 0 | |
| timeout xlate 3:00:00 | Sets default values for the maximum duration that PIX Firewall resources can remain idle until being freed. Additional users cannot make connections until a connection resource is freed, either by a user dropping a connection or by the xlate and conn timers timing out. |
| timeout conn 1:00:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00 | |
| timeout uauth 0:05:00 absolute | |
| | Allows inbound and outbound pings. |
| eq 1719 | The ... permitted or denied access to a port or protocol. Port 1719 needs to be opened for Gatekeeper traffic, Port 2720 for the Cisco 3510 MCU, and Port 1820 for the Cisco 3520/3525 Gateway. |
| eq h323 | |
| eq 2720 | |
| no | Specifies that SNMP information may be accessed by internal hosts that know the community string, but PIX Firewall does not send trap information to any host. |
| no | |
| telnet 10.0.0.100 255.255.255.255 | Specifies that host 10.0.0.100 is permitted to access the PIX Firewall console via Telnet and that 15 minutes are allowed before the idle timer runs out and the session is logged off. |
| telnet timeout 15 | |
| mtu outside 1500 | Sets the maximum transmission unit value for Ethernet access. |
| mtu inside 1500 | |

Copyright © 2001 Cisco Systems, Inc. Page 7 of 11
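An added illustration (not from the Cisco document) of how the nat, global and static rows of Table 1 combine: one-to-one NAT from the pool, overflow onto the PAT global once the pool is exhausted, and only static xlates admitting unsolicited inbound connections such as H.323 calls. The two pool addresses are assumed, because the page's first global line is cut off; the PAT address and the three statics are the table's own values.

```python
# Added illustration (not Cisco's code) of how the nat, global and static rows
# of Table 1 interact. POOL is assumed: the page's first 'global (outside) 1'
# line is cut off, so a two-address pool is constructed here; the PAT address
# 209.165.201.8 and the three statics are the values shown in the table.
import itertools
from ipaddress import ip_address, ip_network

NAT_LOCAL = ip_network("0.0.0.0/0")      # nat (inside) 1 0 0: any inside host
POOL = [ip_address("209.165.201.11"), ip_address("209.165.201.12")]  # constructed
PAT_ADDR = ip_address("209.165.201.8")   # global (outside) 1 209.165.201.8
STATICS = {                              # static (inside,outside) global local
    ip_address("10.1.1.10"): ip_address("209.165.201.10"),
    ip_address("10.1.1.20"): ip_address("209.165.201.20"),
    ip_address("10.1.1.30"): ip_address("209.165.201.30"),
}
GLOBAL_TO_LOCAL = {g: l for l, g in STATICS.items()}


class Xlates:
    """Tracks translation slots the way the table describes them."""

    def __init__(self):
        self.dynamic = {}                       # inside host -> pool address
        self.pat_ports = itertools.count(1024)  # simplified PAT port allocator

    def outbound(self, src, sport):
        """Return the (global address, source port) an outbound flow leaves with."""
        src = ip_address(src)
        if src in STATICS:                   # a static xlate takes precedence
            return str(STATICS[src]), sport
        if src not in NAT_LOCAL:
            raise ValueError("no nat statement matches %s" % src)
        if src not in self.dynamic:
            free = [a for a in POOL if a not in self.dynamic.values()]
            if free:                         # one-to-one NAT from the pool
                self.dynamic[src] = free[0]
        if src in self.dynamic:
            return str(self.dynamic[src]), sport
        # Pool exhausted: overflow onto the PAT global, which rewrites the port too
        return str(PAT_ADDR), next(self.pat_ports)

    def inbound(self, dst):
        """Only a permanent static xlate lets an unsolicited inbound flow
        (e.g. an H.323 call) reach an inside host; dynamic and PAT slots do not."""
        local = GLOBAL_TO_LOCAL.get(ip_address(dst))
        return str(local) if local else None
```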