Solved

Cisco PIX Configuration - One Internal Network (public IPs - No NAT)

Posted on 2006-10-31
Last Modified: 2013-11-16
I am working on a PIX 500 series firewall with one internal network (class C - public) address space.

I can get the internal (inside) hosts to access the internet with no problem.  I cannot seem to have outside hosts access any internal hosts.

I have added:

access-list acl_out permit ip any any
access-group acl_out in interface outside
nat (inside) 0 x.x.x.x 255.255.255.0 0 0

Every sample PIX config I see on the net assumes you want to use NAT. We don't want to use private addresses on the internal network.
Question by:teksavers
4 Comments
 

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17846982
Don't use nat 0, rather use a static

no nat (inside) 0
clear xlate
static (inside,outside) 12.34.5.0 12.34.5.0 netmask 255.255.255.0

Which model PIX? If you have a 515 or better you can upgrade to version 7.x which allows you to disable nat control. Any 6.x versions require nat in one form or another. Using the above static, you are natting same/same which is equal to not natting at all.

Expert Comment

by:mahe2000
ID: 17849005
You have to use static to let outside users access the internal network. However, it is not a good idea to do this unless you restrict what services you want them to access.
Although you restrict your services, it's not a good idea. I suggest you use a DMZ to give outsiders some kind of service.
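
The service restriction raised in the comment above, as an added example that is not part of the original thread: the question's open ACL shown beside a restricted one, combined with the identity static from the accepted answer. The host addresses 12.34.5.10 and 12.34.5.25 and the published services (web, mail) are assumptions for illustration; lines starting with `!` are annotations.

```cisco
! Constructed example for PIX 6.x; 12.34.5.0/24 is the thread's sample network.
! Hosts 12.34.5.10 (web) and 12.34.5.25 (mail) are assumed for illustration.

! Identity static from the accepted answer: addresses translate to themselves.
static (inside,outside) 12.34.5.0 12.34.5.0 netmask 255.255.255.0

! Before (from the question): every outside host can reach every inside
! host on every protocol and port once the static is in place.
!   access-list acl_out permit ip any any

! After: remove the open ACL and list only the published services.
! Removing the ACL also removes its binding, so access-group is re-applied below.
no access-list acl_out
access-list acl_out permit tcp any host 12.34.5.10 eq www
access-list acl_out permit tcp any host 12.34.5.10 eq 443
access-list acl_out permit tcp any host 12.34.5.25 eq smtp

! Optional: ICMP is not tracked statefully on 6.x, so replies to pings
! sent from inside must be permitted explicitly (mask, not wildcard).
access-list acl_out permit icmp any 12.34.5.0 255.255.255.0 echo-reply

! Everything else is already dropped by the implicit deny at the end of
! the ACL; this explicit entry only makes the drops visible in hit counts.
access-list acl_out deny ip any any
access-group acl_out in interface outside

! Flush existing translations, then verify what is exposed.
clear xlate
show static
show access-list acl_out
```

Replies to TCP and UDP connections opened from inside are allowed back by the firewall's connection tracking, so inside hosts keep their outbound access without any matching permit in `acl_out`.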