Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

pix without nat

Posted on 2006-06-17
7
Medium Priority
?
489 Views
Last Modified: 2010-03-19
how should i configure a pix 506e firewall so that it does not perform nat and only does routing between its inside and outside network.

 
0
Comment
Question by:sheikham88
  • 3
  • 2
  • 2
7 Comments
 
LVL 1

Expert Comment

by:atifawan
ID: 16926759
Use the following command:

nat (inside) 0 0 0

This will pass all IP Addresses on the inside interface to outside without Natting them. If you want to be more specific you can also specify which addresses you do not want to be natted.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16928464
What exactly is the problem right now ? Since if you are using private ip addresses inside and outside interface connected to internet, it will not work.

If you can explain more, we'll be able to understand the problem.

Cheers,
Rajesh
0
 
LVL 1

Expert Comment

by:atifawan
ID: 16928479
He only said he does not want the PIX to nat. He is probably doing NAT on the router and it will work if configured that way.
0
Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

 

Author Comment

by:sheikham88
ID: 16928710
yes atif awan is write i am doing nat on the router

to further clarify why i dont want nat to happen on the pix is because i have a dmvpn network for which this router is acting as a primary hub now when i do nat on the pix the public ip address range between the router and the pix is required to be published in all the routers in my dmvpn network which i dont want.

now when i will avoid nat happening on the pix then i will have a complete private ip network on the intranet side i hope i have made my self clear


now atifawan if i give this command on the pix it will not do nat and allow all connections from the outside to the inside interface is this correct
0
 
LVL 1

Accepted Solution

by:
atifawan earned 1200 total points
ID: 16928934
If you give this command it will not nat the addresses while going out but it will not allow outside to inside access. The only access that will be allowed is from inside to outside and returning legitimate traffic.

If you want outside to inside access also then you will have to do a static nat on the same range. For example if your internal subnet is 192.168.1.0 then you will configure something like:

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

This will allow outside to inside access as controlled by your access-list on the outside interface.
0
 

Author Comment

by:sheikham88
ID: 16929651
one last thing about my question, can i not have any kind of nat on pix to make it work or is it necessary to have some kind of nat to make the pix work as a router and also to have firewall functionality.
0
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 800 total points
ID: 16929954
No. That is why I wanted to know what you're trying to do. If it had been only for internal hosts all having public ip then the 'nat 0' command would do. But for your scenario which is clear now take a peek at this post, it is same as yours;

http://www.experts-exchange.com/Security/Q_21888521.html

Cheers,
Rajesh
0

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question