Solved

pix without nat

Posted on 2006-06-17
7
485 Views
Last Modified: 2010-03-19
how should i configure a pix 506e firewall so that it does not perform nat and only does routing between its inside and outside network.

 
0
Comment
Question by:sheikham88
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 1

Expert Comment

by:atifawan
ID: 16926759
Use the following command:

nat (inside) 0 0 0

This will pass all IP Addresses on the inside interface to outside without Natting them. If you want to be more specific you can also specify which addresses you do not want to be natted.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16928464
What exactly is the problem right now ? Since if you are using private ip addresses inside and outside interface connected to internet, it will not work.

If you can explain more, we'll be able to understand the problem.

Cheers,
Rajesh
0
 
LVL 1

Expert Comment

by:atifawan
ID: 16928479
He only said he does not want the PIX to nat. He is probably doing NAT on the router and it will work if configured that way.
0
SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

 

Author Comment

by:sheikham88
ID: 16928710
yes atif awan is write i am doing nat on the router

to further clarify why i dont want nat to happen on the pix is because i have a dmvpn network for which this router is acting as a primary hub now when i do nat on the pix the public ip address range between the router and the pix is required to be published in all the routers in my dmvpn network which i dont want.

now when i will avoid nat happening on the pix then i will have a complete private ip network on the intranet side i hope i have made my self clear


now atifawan if i give this command on the pix it will not do nat and allow all connections from the outside to the inside interface is this correct
0
 
LVL 1

Accepted Solution

by:
atifawan earned 300 total points
ID: 16928934
If you give this command it will not nat the addresses while going out but it will not allow outside to inside access. The only access that will be allowed is from inside to outside and returning legitimate traffic.

If you want outside to inside access also then you will have to do a static nat on the same range. For example if your internal subnet is 192.168.1.0 then you will configure something like:

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

This will allow outside to inside access as controlled by your access-list on the outside interface.
0
 

Author Comment

by:sheikham88
ID: 16929651
one last thing about my question, can i not have any kind of nat on pix to make it work or is it necessary to have some kind of nat to make the pix work as a router and also to have firewall functionality.
0
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 200 total points
ID: 16929954
No. That is why I wanted to know what you're trying to do. If it had been only for internal hosts all having public ip then the 'nat 0' command would do. But for your scenario which is clear now take a peek at this post, it is same as yours;

http://www.experts-exchange.com/Security/Q_21888521.html

Cheers,
Rajesh
0

Featured Post

Get proactive database performance tuning online

At Percona’s web store you can order full Percona Database Performance Audit in minutes. Find out the health of your database, and how to improve it. Pay online with a credit card. Improve your database performance now!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question