Pix question [7:26832]

2001-11-20 Thread Ramesh c

1) I got a PIX in a test (all internal) environment (configured as
outside, inside and DMZ). Do I need to use NAT to connect to the outside
segment from inside or vice versa? Since the PIX can act as a router, will
enabling routing solve this purpose without use of NAT, applying access lists
later for security?

2) I want to open all the TCP ports for a particular host. How
do I go about it?


cheers
Ramesh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26832t=26832
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Pix question [7:26832]

2001-11-20 Thread Patrick Donlon

Ramesh

No, you don't need to configure NAT. Secondly, to open up all ports for a host,
as a source to anywhere, try this ACL:
access-list acl_inside permit tcp host 192.10.1.1 any

For some more info have a look at the CCO
http://www.cisco.com/warp/customer/707/

cheers Pat

Ramesh c wrote in message news:[EMAIL PROTECTED]...
> 1) I got a PIX in a test (all internal) environment (configured as
> outside, inside and DMZ). Do I need to use NAT to connect to the outside
> segment from inside or vice versa? Since the PIX can act as a router, will
> enabling routing solve this purpose without use of NAT, applying access lists
> later for security?
>
> 2) I want to open all the TCP ports for a particular host. How
> do I go about it?
>
>
> cheers
> Ramesh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26833t=26832



Re: Pix question [7:26832]

2001-11-20 Thread Carroll Kong

At 08:24 AM 11/20/01 -0500, Ramesh c wrote:
> 1) I got a PIX in a test (all internal) environment (configured as
> outside, inside and DMZ). Do I need to use NAT to connect to the outside
> segment from inside or vice versa? Since the PIX can act as a router, will
> enabling routing solve this purpose without use of NAT, applying access lists
> later for security?
>
> 2) I want to open all the TCP ports for a particular host. How
> do I go about it?
>
>
> cheers
> Ramesh

No, you do not. If you want to do a no-NAT configuration, make an ACL for
no NAT (using id 0) for the IPs you do not want to translate. Of course,
this is only sensible if you have registered IPs on the inside. If not,
you really should use NAT.

The PIX is generally a horrible router; it only supports RIP. A
router in the most generic sense of a multihomed host that can move from
interface A to interface B is barely a router. Heck, Windows NT can do
that. (shudder)

You have not defined what security policy you want. Access lists for
what? Inbound or outbound? If you use PAT (which is really a misnamed
Ciscoism), you have some light level of security for inbound
connections. By default, no one can hit your inside from the outside unless
you have statics + access lists. If you use static NATs, you WILL open a
security hole for sure unless you have ACLs blocking on the outside
interface. Remember, the inflexible Cisco PIX can only do inbound ACLs on
any interface. (However, you can still simulate the inbound/outbound
security policy by putting it on the other interfaces.)

You have not mentioned inbound or outbound.  If you mean inbound, use a 
static (from the outside to the inside) and write an acl that allows him 
access through.

I know you said this is a test environment.  However, I think you should 
review some of the pix's basic configurations on Cisco's web site to get a 
better understanding and should definitely get a consultant to review your 
final configuration before deployment.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26839t=26832
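A worked PIX 6.x configuration that puts the two answers above together: Patrick's one-line ACL actually bound to the inside interface, and Carroll's nat 0 exemption, static and outside-interface ACL for the inbound direction. This is an added example, not configuration from any post in the thread. Interface names, addresses (192.10.x.x, following Patrick's host), ACL names and the next-hop router are all assumed for illustration.

```cisco
! Added example in PIX 6.x syntax. Every name and address below is assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.10.2.1 255.255.255.0
ip address inside 192.10.1.254 255.255.255.0
ip address dmz 192.10.3.1 255.255.255.0

! The PIX is not a dynamic router: give it a default route (assumed next hop).
route outside 0.0.0.0 0.0.0.0 192.10.2.254 1

! 1) No translation. "nat (interface) 0 access-list" exempts matching traffic
!    from NAT in both directions. This is only sensible when inside addresses
!    are reachable from the outside segment, which holds in an all-internal lab.
access-list NONAT permit ip 192.10.1.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
access-list NONAT_DMZ permit ip 192.10.3.0 255.255.255.0 any
nat (dmz) 0 access-list NONAT_DMZ

! If inside used private addresses instead, translate with PAT on the outside
! interface address (replacing the inside nat 0 lines above):
! nat (inside) 1 192.10.1.0 255.255.255.0
! global (outside) 1 interface

! 2) Outbound: every TCP port for one host. Without an ACL the PIX already
!    permits inside (100) -> outside (0) by security level. Binding an ACL
!    replaces that default with the ACL plus its implicit deny, so this list
!    alone lets 192.10.1.1 out on all TCP ports and blocks every other host.
!    The explicit deny only makes that visible in "show access-list" counters.
access-list acl_inside permit tcp host 192.10.1.1 any
access-list acl_inside deny ip any any
access-group acl_inside in interface inside

! Inbound to the same host: a static plus an ACL on the outside interface.
! Because we do not translate, the static is an identity mapping (redundant
! with the exemption for this host, but it documents the exposed address;
! with PAT in use it would map an outside address to the inside host).
! The static alone admits nothing; the outside ACL is what opens the hole,
! so keep it to the ports you actually need rather than "permit tcp any host".
static (inside,outside) 192.10.1.1 192.10.1.1 netmask 255.255.255.255
access-list acl_outside permit tcp any host 192.10.1.1 eq 80
access-group acl_outside in interface outside
```

To check the result, generate traffic from 192.10.1.1 and from some other inside host and compare hit counts in `show access-list`: the permit line should count only the first host, the deny line everyone else. `show xlate` should stay empty (or show identity entries) under the nat 0 design, and `show nat` / `show static` confirm which rule a given host matched. If the outside ACL is widened to all TCP ports, do so on purpose and with a matching entry in the change record, since at that point the static plus ACL is exactly the exposure Carroll warns about.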