Though I am not a PIX pro, if you don't want NAT, are you sure you got the right product for your needs?
Brian "Sonic" Whalen
Success = Preparation + Opportunity

On Mon, 17 Dec 2001, David Tran wrote:

> Hi Everyone,
>
> I am having a problem setting up a network in this scenario with my PIX515-UR firewall running version 6.1(1) with pdm version 1.1(2).
>
> I have a network with REGISTERED IP addresses. The "inside" interface of the PIX is on the 129.174.1.0/24 network with IP address of 129.174.1.254. The "outside" interface of the PIX is on the 66.61.46.0/24 network with IP address of 66.61.46.120. The "inside" interface has a security level of 100 and the "outside" interface has a security level of 0. On the "inside" internal network, I have 10 workstations ranging from 129.174.1.1-10. These workstations have their default gateway pointed to the "inside" interface of the PIX.
>
> I understand that for machines from the "inside" network to access the Internet, the commands "nat" and "global" must be used. However, since all of my machines have valid (aka registered) IP addresses, I want to disable NAT completely. For example, I want machine 129.174.1.1 to be able to browse and ping any machines on the Internet. At the same time, I don't want users from the Internet to be able to access any of the workstations on the "inside" interface. I have been searching for documentation on the Cisco website, but it seems like most of the examples have to do with NAT enabled. There are a few examples that will disable NAT, but they are related to VPN, which is something I don't want. Furthermore, most of the examples are filled with errors and pretty worthless (for PIX anyway). If anyone has done this before, let me know. I also include a copy of the config.
>
> Thanks.
> David
>
> PIX Version 6.1(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
> enable password sdfkjfdjjdfjksdf encrypted
> passwd sdfjksdfkjsdfjksjf encrypted
> hostname ciscopix
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list no-nat-list permit ip any any
> access-list no-nat-list permit icmp any any
> pager lines 24
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> ip address outside 66.61.46.120 255.255.255.0
> ip address inside 129.174.1.254 255.255.255.0
> ip address dmz 127.0.0.1 255.255.255.255
> ip audit info action alarm
> ip audit attack action alarm
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
> failover ip address dmz 0.0.0.0
> pdm history enable
> arp timeout 14400
> nat (inside) 0 129.174.1.0 255.255.255.0
> static (inside, outside) 129.174.1.0 129.174.1.0
> conduit permit ip any any
> conduit permit icmp any any
> route outside 0.0.0.0 0.0.0.0 66.61.46.254 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> telnet timeout 5
> ssh timeout 5
> terminal width 80

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29405&t=29405
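For comparison with the quoted config, the following is an added example (not from either poster) of the relevant PIX 6.x lines that keep the registered inside addresses untranslated while leaving unsolicited inbound traffic blocked; note that the quoted "conduit permit ip any any" lines permit any inbound traffic for which a static exists, which is the opposite of the stated goal. The access-list name outside_in is an assumption.

```cisco
! Identity translation: inside hosts keep their registered addresses.
! Outbound traffic from 129.174.1.0/24 creates its own xlates, so no
! "global" entry is needed and no "static (inside,outside)" is needed.
nat (inside) 0 129.174.1.0 255.255.255.0

! Deliberately absent: "conduit permit ip any any" and
! "conduit permit icmp any any". With nothing permitting outside->inside,
! the PIX denies unsolicited inbound connections from the security-0
! interface to the security-100 interface by default.

! PIX 6.x does not keep ICMP state, so replies to pings from inside
! hosts must be permitted explicitly on the outside interface.
! Assumed access-list name: outside_in.
access-list outside_in permit icmp any 129.174.1.0 255.255.255.0 echo-reply
! time-exceeded and unreachable cover traceroute and path-MTU discovery.
access-list outside_in permit icmp any 129.174.1.0 255.255.255.0 time-exceeded
access-list outside_in permit icmp any 129.174.1.0 255.255.255.0 unreachable
access-group outside_in in interface outside
```

TCP and UDP sessions initiated from inside are tracked statefully, so only the ICMP return traffic needs an explicit permit.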
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]