There are different situations when you will want to do what you are doing, but here's a quick breakdown.

"nat (inside) 0 access-list not-nated" [1]
"nat (inside) 1 0.0.0.0 0.0.0.0 0 0" [2]
"access-list not-nated permit ip IP_not_nated_to_the_Internet Subnet_Mask_of_device_not_nated any" [3]
"global (outside) 1 IP_Address_used_for_PAT_pool" [4]

[1] Traffic NOT Nat'd defined by the ACL "not-nated"
[2] Traffic Nat'd when outbound to the Internet (0.0.0.0 0.0.0.0 0 0 = everybody)
[3] Source IP's that are NOT to be NAT'd when sending outbound traffic to the Internet
[4] Devices on the (inside) Lan will use this IP Address as their Source IP using PAT when accessing the Internet

What this will do is NOT 'NAT' the devices accessing the Internet that are in the ACL "not-nated", and it will then NAT everybody else to the IP Address that is PAT (Port Address Translated) since you will be allowing everybody else with the "0.0.0.0 0.0.0.0 0 0" of the "nat (inside) 1" config command.  You also can use an ACL on the "nat (inside) 1 access-list do-nat", and specify what devices get NAT'd when sending outbound traffic to the Internet.  I hope this information helps.  If you have any questions feel free to ask.

Thanks and there's my $0.02,

                             - jek


"Allen May" wrote in message news:[EMAIL PROTECTED]...
> By default all outbound connections are enabled and all inbound are blocked.
>
> ----- Original Message -----
> From: "Philip Sousa"
> To:
> Sent: Wednesday, January 09, 2002 12:32 AM
> Subject: PIX with no NAT [7:31353]
>
>
> > I've been on Cisco's site for hours, but cannot find a conclusive answer to my question.  When you disable NAT (NAT 0) to allow the use of public IP's behind the PIX, are the internal nodes allowed to start outbound connections by default??  I need to selectively allow nodes behind the firewall to start outbound connections on certain port....how should I accomplish this? Access-lists?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=31941&t=31353
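
Added example, not part of the original post and not Cisco code: a small Python model of the lookup the reply describes, where hosts matched by the "nat (inside) 0 access-list" ACL keep their own address and everyone else leaves with the PAT address from the matching "global". It parses only the command forms quoted in the post; the addresses are constructed from documentation ranges and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the four commands from the post with the placeholders
# filled in from documentation ranges (RFC 5737); not values from the thread.
SAMPLE_CONFIG = """\
access-list not-nated permit ip 198.51.100.16 255.255.255.240 any
nat (inside) 0 access-list not-nated
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 203.0.113.5
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse(config):
    """Return (acls, nat_rules, pat_pools) from PIX-style lines as quoted above."""
    acls, nat_rules, pat_pools = {}, [], {}
    for tok in (line.split() for line in config.splitlines()):
        if tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            # PIX ACLs take a subnet mask after the source address.
            acls.setdefault(tok[1], []).append((_ip(tok[4]), _ip(tok[5])))
        elif tok[:1] == ["nat"] and tok[3] == "access-list":
            nat_rules.append((int(tok[2]), ("acl", tok[4])))
        elif tok[:1] == ["nat"]:
            nat_rules.append((int(tok[2]), ("net", (_ip(tok[3]), _ip(tok[4])))))
        elif tok[:1] == ["global"]:
            pat_pools[int(tok[2])] = tok[3]
    return acls, nat_rules, pat_pools

def outside_source(config, src):
    """Source address the Internet sees for inside host `src`, or None."""
    acls, nat_rules, pat_pools = parse(config)
    addr = _ip(src)

    def hit(match):
        kind, value = match
        nets = acls.get(value, []) if kind == "acl" else [value]
        return any((addr & mask) == (net & mask) for net, mask in nets)

    # nat 0 (the not-nated ACL) is checked before any numbered nat/global pair.
    for nat_id, match in sorted(nat_rules, key=lambda rule: rule[0]):
        if hit(match):
            return src if nat_id == 0 else pat_pools.get(nat_id)
    return None  # no nat rule matches this host

if __name__ == "__main__":
    for host in ("198.51.100.20", "198.51.100.40", "10.1.1.7"):
        print(host, "->", outside_source(SAMPLE_CONFIG, host))
```

Running it over the inside address plan lists which hosts appear on the Internet with their own address, which are the ones whose exposure depends entirely on the access-lists.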