Re: PIX and NAT with VPN
Firewalls route packets unless you have some sort of firewalling bridge or proxy server. I'm not even going to get into "eGaps". Wish I could help you with PIX.

--- Allen May <[EMAIL PROTECTED]> wrote:
> [...]

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX and NAT with VPN
OK maybe this is a terminology misunderstanding on my part, but I have about 15 route statements in my PIX and use a pix->pix vpn using IPSec.

route

One of the VPNs set up here had something a little weird where we had to set up statics for VPN to work but that's something I'll be working on solving at a later time. Just for grins try setting up a static statement for one of the workstations trying to get through and see if it stops using NAT.

You'll find the IPSec user guide on the cisco website very useful for more info on this.

Allen

- Original Message -
From: "Groupstudy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 16, 2001 2:38 AM
Subject: Re: PIX and NAT with VPN

> The PIX does not route. Period.
> [...]
Re: PIX and NAT with VPN
The PIX does not route. Period.

- Original Message -
From: Kenneth <[EMAIL PROTECTED]>
Newsgroups: groupstudy.cisco
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 15, 2001 6:35 PM
Subject: Re: PIX and NAT with VPN

> I'm totally foreign to PIX but I'm just wondering, maybe it's possible to
> use policy-based routing on PIX?
> [...]
Re: PIX and NAT with VPN
Use a "static" to itself, takes precedence over NAT. Or you can use NAT 0 but you can only use it once.

"Rick Holden" <[EMAIL PROTECTED]> wrote in message news:002001c097b6$60c466a0$[EMAIL PROTECTED]...
> [...]
Re: PIX and NAT with VPN
I'm totally foreign to PIX but I'm just wondering, maybe it's possible to use policy-based routing on PIX?

"Rick Holden" <[EMAIL PROTECTED]> wrote in message news:002001c097b6$60c466a0$[EMAIL PROTECTED]...
> [...]
PIX and NAT with VPN
I have a PIX firewall that is being used for a VPN as well. The problem is all the inside addresses are being translated to public addresses even when the traffic is destined for the VPN tunnel. I tried the following commands but this seems to block all translations. (Real IPs have been replaced for security.)

    access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list nonat
    global (outside) 1 172.16.10.1 netmask 255.255.255.255

I also tried using DENY in the access list:

    access-list nonat deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

This didn't work either.

How can I get the traffic destined for the Internet to be translated and the traffic destined for the VPN not be translated?
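An added illustration (not from the thread or from Cisco) of why the permit entry in the nonat ACL exempts tunnel traffic while a deny entry does not, and of the trade-off in the "static to itself" suggestion: it models the PIX 6.x translation order (NAT exemption, then static, then nat/global pool) with the addresses from the post. The "nat (inside) 1 0 0" line pairing with global 1 and the sample host addresses are assumptions.

```python
import ipaddress

# Addresses as posted in the thread (the poster already substituted them).
INSIDE_LAN = ipaddress.ip_network("192.168.2.0/24")
REMOTE_VPN_LAN = ipaddress.ip_network("192.168.1.0/24")
PAT_ADDRESS = "172.16.10.1"   # global (outside) 1 172.16.10.1 netmask 255.255.255.255
ANY = ipaddress.ip_network("0.0.0.0/0")

def nat_exempt(nonat_acl, src, dst):
    """nat (inside) 0 access-list nonat: only a *permit* entry exempts a flow.
    A deny entry ends the lookup without exempting anything."""
    for action, s_net, d_net in nonat_acl:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False

def translate(src, dst, nonat_acl, identity_statics=(), nat_pool=None):
    """PIX 6.x translation order for an inside->outside packet:
    1. NAT exemption (nat 0 access-list), 2. static, 3. nat/global pool.
    Returns the source address the peer sees, or None if no rule matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if nat_exempt(nonat_acl, src, dst):
        return str(src)                      # enters the tunnel untranslated
    if any(src in net for net in identity_statics):
        return str(src)                      # static (inside,outside) x x: identity
    if nat_pool and any(src in net for net in nat_pool["from"]):
        return nat_pool["global"]            # PAT behind the single global address
    return None                              # no xlate possible: packet is dropped

# First attempt from the thread: permit entry.  Second attempt: deny entry.
NONAT_PERMIT = [("permit", INSIDE_LAN, REMOTE_VPN_LAN)]
NONAT_DENY = [("deny", INSIDE_LAN, REMOTE_VPN_LAN)]
# Assumed (not shown in the post): a "nat (inside) 1 0 0" that pairs with global 1.
POOL = {"from": [ANY], "global": PAT_ADDRESS}

def demo():
    host, vpn_host, inet_host = "192.168.2.10", "192.168.1.20", "198.51.100.7"
    static = [INSIDE_LAN]                    # the "static to itself" suggestion
    return {
        "permit_vpn": translate(host, vpn_host, NONAT_PERMIT, nat_pool=POOL),
        "permit_inet": translate(host, inet_host, NONAT_PERMIT, nat_pool=POOL),
        "deny_vpn": translate(host, vpn_host, NONAT_DENY, nat_pool=POOL),
        "static_vpn": translate(host, vpn_host, [], static, POOL),
        "static_inet": translate(host, inet_host, [], static, POOL),
        "no_nat_line": translate(host, inet_host, NONAT_PERMIT),
    }

if __name__ == "__main__":
    for case, seen_as in demo().items():
        print(f"{case:12} -> {seen_as}")
```

Note the static_inet case: an identity static matches on source only, so it also stops Internet-bound traffic from being translated, whereas the nat 0 ACL exempts only the VPN destination.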
Re: PIX and NAT
The answer really depends on your Corporate Security Policy. Most security policies want the "physical" addresses of the boxes hidden, so NAT would be used. If there is no security policy, then I wouldn't really worry about using NAT. Again, this could be one of those corporate decisions or a personal one. It is really up to you. If it were me implementing this solution, I would use NAT for sure and most likely private addresses.

Regards,
Don Orlik.

Oscar Rau <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> [...]

___
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
PIX and NAT
We are implementing a DMZ which will be using public IP addresses. The DMZ systems interfacing the PIX interface will have public IP addresses and not private IP addresses. In this case, can GLOBAL/NAT statements still be used to add any valuable security to the DMZ systems? Is there any point in using NAT, because we do not have private IP addresses on the DMZ systems?

Any thoughts/ideas for this solution appreciated.

Thank you in advance.

Oscar Rau
[EMAIL PROTECTED]