using the NAT 0 command will allow the inside systems to go through the PIX
unaltered.

- Jon

-----Original Message-----
From: Michael J. Doherty [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 18, 2001 11:56 AM
To: [EMAIL PROTECTED]
Subject: Re: how to disable NAT in PIX firewall (both insid [7:29408]


Since the PIX is a native NAT device, built around it, subsistent on it, you
cannot turn it off and allow the PIX to function in its correct manner.

The example that you mention (VPNs) is a special scenario.  Once VPN clients
are authenticated by the PIX, they are treated as if they exist on the
inside of the PIX, therefore we have to disable NAT to allow the VPN tunnel
to work properly.

If NAT is set up according to the Best Practices, your inside hosts will be
able to see ALL external hosts while shielding them from being seen by the
outside hosts (the fact that they are using the NAT translation is what
accomplishes this).  The fact that you are using Published IP addresses for
your hosts is a moot point (it is also not a recommendation in Best
Practices).  Therefore, you still need to correctly set up the NAT
statements, in the manner illustrated by Cisco's website, in order to make
the PIX function appropriately.


----- Original Message -----
From: "David Tran" 
To: 
Sent: Monday, December 17, 2001 16:13
Subject: how to disable NAT in PIX firewall (both inside an [7:29303]


> Hi Everyone,
>
> I am having a problem setting up a network in this scenario with my
> PIX515-UR firewall running version 6.1(1) with pdm version 1.1(2).
>
> I have a network with REGISTERED IP addresses. The "inside" interface of
> the PIX is on the 129.174.1.0/24 network with IP address of 129.174.1.254.
> The "outside" interface of the PIX is on the 66.61.46.0/24 network with
> IP address of 66.61.46.120. The "inside" interface has a security level of
> 100 and the "outside" interface has security level of 0. On the "inside"
> internal network, I have 10 workstations ranging from 129.174.1.1-10. These
> workstations have their default gateway pointing to the "inside" interface
> of the PIX.
>
> I understand that for machines from the "inside" network to access the
> Internet, the commands "nat" and "global" must be used. However, since all
> of my machines have valid (aka registered) IP addresses, I want to disable
> NAT completely. For example, I want machine 129.174.1.1 to be able to
> browse and ping any machines on the Internet. At the same time, I don't
> want users from the Internet to be able to access any of the workstations
> on the "inside" interface. I have been searching for documentation on
> Cisco's website but it seems like most of the examples have to do with NAT
> enabled. There are a few examples that will disable NAT but they are
> related to VPN, which is something I don't want. Furthermore, most of the
> examples are filled with errors and pretty worthless (for PIX anyway). If
> anyone has done this before, let me know. I also include a copy of the
> config.
>
> Thanks.
>
> David
>
> PIX Version 6.1(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
> enable password sdfkjfdjjdfjksdf encrypted
> passwd sdfjksdfkjsdfjksjf encrypted
> hostname ciscopix
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list no-nat-list permit ip any any
> access-list no-nat-list permit icmp any any
> pager lines 24
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> ip address outside 66.61.46.120 255.255.255.0
> ip address inside 129.174.1.254 255.255.255.0
> ip address dmz 127.0.0.1 255.255.255.255
> ip audit info action alarm
> ip audit attack action alarm
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
> failover ip address dmz 0.0.0.0
> pdm history enable
> arp timeout 14400
> nat (inside) 0 129.174.1.0 255.255.255.0
> static (inside, outside) 129.174.1.0 129.174.1.0
> conduit permit ip any any
> conduit permit icmp any any
> route outside 0.0.0.0 0.0.0.0 66.61.46.254 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> telnet timeout 5
> ssh timeout 5
> terminal width 80
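As an added example (not part of the thread, not Cisco's code), a small Python audit over a constructed excerpt of the PIX 6.1 config quoted above: it parses only the nat 0, static, conduit and snmp-server lines and flags the settings that decide whether Internet hosts can initiate connections to the 129.174.1.0/24 inside hosts, which is the behaviour David says he wants to block.

```python
import re

# Constructed excerpt: the lines from the posted PIX 6.1 config that
# decide what can reach the 129.174.1.0/24 inside hosts.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nat (inside) 0 129.174.1.0 255.255.255.0
static (inside, outside) 129.174.1.0 129.174.1.0
conduit permit ip any any
conduit permit icmp any any
snmp-server community public
"""

NAT0_RE = re.compile(r"^nat \((\w+)\) 0 (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\) (\S+) (\S+)")


def parse_pix(text):
    """Collect the nat 0, static, conduit and SNMP lines of a PIX 6.x config."""
    cfg = {"nat0": [], "statics": [], "conduits": [], "snmp": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAT0_RE.match(line):
            cfg["nat0"].append({"iface": m[1], "net": m[2], "mask": m[3]})
        elif m := STATIC_RE.match(line):
            cfg["statics"].append({"from": m[1], "to": m[2], "global": m[3], "local": m[4]})
        elif line.startswith("conduit permit "):
            cfg["conduits"].append(line)
        elif line.startswith("snmp-server community "):
            cfg["snmp"].append(line.split()[-1])
    return cfg


def audit(text):
    """Findings against the goal 'inside may go out, Internet may not come in'."""
    cfg = parse_pix(text)
    findings = []
    for n in cfg["nat0"]:
        findings.append(f"INFO: nat ({n['iface']}) 0 passes {n['net']} {n['mask']} untranslated outbound")
    # An identity static publishes inside addresses on the outside interface;
    # a conduit ending in 'any any' then admits any source to every published host.
    identity_statics = [s for s in cfg["statics"] if s["global"] == s["local"]]
    open_conduits = [c for c in cfg["conduits"] if c.endswith(" any any")]
    if identity_statics and open_conduits:
        findings.append(f"HIGH: {len(open_conduits)} 'conduit permit ... any any' line(s) expose "
                        f"{len(identity_statics)} identity static(s) to inbound connections from any host")
    for community in cfg["snmp"]:
        if community.lower() in ("public", "private"):
            findings.append(f"MEDIUM: SNMP community string '{community}' is a well-known default")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Keeping the nat (inside) 0 line while removing the identity static and the any/any conduits leaves the inside hosts untranslated on the way out with no translation for the Internet to reach them, which is the outcome asked for in the question.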
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29500&t=29408