At 08:24 AM 11/20/01 -0500, Ramesh c wrote:
>1) I got a pix in test (all internal) environment (configured as
>outside, inside and DMZ). Do I need to use NAT to connect to the outside
>segment from inside or vice versa? Since Pix can act as a router, will
>enabling routing solve this purpose without use of NAT? Applying access list
>later for security.
>
>2) I want to open all the ports of TCP connection for a particular host. How
>do I go about?
>
>
>cheers
>Ramesh
No, you do not.  If you want to do a No Nat configuration, make an acl for 
no nat (using id 0) for the ips you do not want to translate.  Of course, 
this is only sensible if you have registered ips on the inside.  If not, 
you really should use NAT.

The pix is generally a horrible router, it only supports RIP.    A 
"router" in the most generic sense of a multihomed host that can move from 
interface a to interface b is barely a router.  Heck, Windows NT can do 
that.  (shudder)

You have not defined what security policy you want.  access-lists for 
what?  Inbound or outbound?  If you use PAT (which is really a misnamed 
ciscoism), you have some light level of security for inbound 
connections.  By default, no one can hit your inside from the outside unless 
you have statics + access lists.  If you use "static NATs", you WILL open a 
security hole for sure unless you got ACLs blocking on the outside 
interface.  Remember, the inflexible Cisco pix can only do inbound ACLs to 
any interface.  (However, you can still simulate the "inbound" "outbound" 
security policy by putting it on the other interfaces).

You have not mentioned inbound or outbound.  If you mean inbound, use a 
static (from the outside to the inside) and write an acl that allows him 
access through.

I know you said this is a test environment.  However, I think you should 
review some of the pix's basic configurations on Cisco's web site to get a 
better understanding and should definitely get a consultant to review your 
final configuration before deployment.

-Carroll Kong
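The two pieces of advice above (nat 0 with an access-list for the no-translation case, and a static plus an inbound ACL on the outside interface for a host that must be reachable) in one configuration fragment. This is an added example, not configuration from Carroll or Ramesh; it assumes PIX 6.x syntax and uses the documentation ranges 192.0.2.0/24 (inside, standing in for registered space, which is the only case where no-NAT makes sense) and 203.0.113.0/24 (outside). The interface names, ACL names and host 192.0.2.10 are made up for the example.

```cisco
: Added example (PIX 6.x syntax), not from the original thread.
: Addressing is constructed: inside 192.0.2.0/24 (treated as registered),
: outside 203.0.113.0/24, dmz 198.51.100.0/24.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.0.2.1 255.255.255.0
ip address dmz 198.51.100.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

: Q1 - no NAT for the inside range: traffic matching the "nonat"
: access-list is exempted from translation (nat id 0).
access-list nonat permit ip 192.0.2.0 255.255.255.0 any
nat (inside) 0 access-list nonat

: Q2 - one inside host reachable from the outside on all TCP ports.
: The static (identity, since inside is not translated) makes the host
: addressable from the outside; nothing gets in until an ACL applied
: inbound on the outside interface permits it. Everything else from
: the outside is still denied by the implicit deny at the end of the ACL.
static (inside,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.0.2.10
access-group outside_in in interface outside
```

Note that the access-group is applied "in" on the outside interface, which is the only direction the PIX supports; an "outbound" policy for the inside network is expressed the same way with an access-group applied inbound on the inside interface. The single permit line is deliberately as wide as the question asked for (all TCP ports to one host); narrowing it to the ports the host actually serves is the obvious next step before anything like this leaves the test environment.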
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=26839&t=26832