Re: PIX with no NAT [7:31353]
There are different situations when you will want to do what you are doing, but here's a quick breakdown.

    nat (inside) 0 access-list not-nated                                                              [1]
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0                                                                [2]
    access-list not-nated permit ip IP_not_nated_to_the_Internet Subnet_Mask_of_device_not_nated any   [3]
    global (outside) 1 IP_Address_used_for_PAT_pool                                                   [4]

[1] Traffic NOT NAT'd, defined by the ACL "not-nated"
[2] Traffic NAT'd when outbound to the Internet (0.0.0.0 0.0.0.0 0 0 = everybody)
[3] Source IPs that are NOT to be NAT'd when sending outbound traffic to the Internet
[4] Devices on the (inside) LAN will use this IP address as their source IP, using PAT, when accessing the Internet

What this will do is NOT NAT the devices accessing the Internet that are in the ACL "not-nated", and it will then NAT everybody else to the IP address that is PAT (Port Address Translated), since you will be allowing everybody else with the "0.0.0.0 0.0.0.0 0 0" of the "nat (inside) 1" config command. You can also use an ACL on the "nat (inside) 1 access-list do-nat" and specify what devices get NAT'd when sending outbound traffic to the Internet.

I hope this information helps. If you have any questions feel free to ask.

Thanks, and there's my $0.02,

- jek

"Allen May" wrote in message news:[EMAIL PROTECTED]...
> By default all outbound connections are enabled and all inbound are blocked.
>
> - Original Message -
> From: "Philip Sousa"
> Sent: Wednesday, January 09, 2002 12:32 AM
> Subject: PIX with no NAT [7:31353]
>
> > I've been on Cisco's site for hours, but cannot find a conclusive answer to
> > my question. When you disable NAT (NAT 0) to allow the use of public IPs
> > behind the PIX, are the internal nodes allowed to start outbound connections
> > by default?? I need to selectively allow nodes behind the firewall to start
> > outbound connections on certain ports; how should I accomplish this?
> > Access-lists?
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31941&t=31353
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
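jek's recipe above, worked as a small outbound-translation lookup. This is an added example, not code from any post in the thread: it parses a constructed PIX 6.x-style snippet (the "nat 0 access-list" exemption, the catch-all "nat 1", a "global" PAT address, and the "nat 1 access-list do-nat" variant) and reports whether a given inside host is NAT-exempt, PAT'd to the global address, or covered by no nat/global pair at all. The ACL names, inside subnets and the PAT address are assumptions; so is the modelling that nat 0 exemption entries are consulted before the other nat ids.

```python
import ipaddress

# Constructed PIX 6.x-style snippet modelled on the thread's recipe. The ACL
# name, the inside subnet and the PAT address are assumptions, not from a post.
PIX_CONFIG = """
access-list not-nated permit ip 203.0.113.0 255.255.255.0 any
nat (inside) 0 access-list not-nated
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 198.51.100.1
"""

def parse(cfg):
    """Collect ACL source networks, nat rules and global addresses by nat id."""
    acls, nat_rules, globals_ = {}, [], {}
    for line in cfg.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "permit":
            # only the source network of "permit <proto> <src> <mask> any" matters here
            acls.setdefault(t[1], []).append(ipaddress.ip_network(f"{t[4]}/{t[5]}"))
        elif t[0] == "nat":
            nat_id = int(t[2])
            if t[3] == "access-list":
                nat_rules.append((nat_id, ("acl", t[4])))   # resolved at lookup time
            else:
                nat_rules.append((nat_id, ("net", ipaddress.ip_network(f"{t[3]}/{t[4]}"))))
        elif t[0] == "global":
            globals_[int(t[2])] = t[3]
    return acls, nat_rules, globals_

def _matches(addr, rule, acls):
    kind, value = rule
    nets = acls.get(value, []) if kind == "acl" else [value]
    return any(addr in net for net in nets)

def outbound_translation(cfg, src):
    """Return 'exempt', the PAT address the host will appear as on the outside,
    or None when no nat/global pair covers the source address."""
    acls, nat_rules, globals_ = parse(cfg)
    addr = ipaddress.ip_address(src)
    # nat 0 (exemption) entries are consulted before any other nat id
    for nat_id, rule in sorted(nat_rules, key=lambda r: r[0] != 0):
        if _matches(addr, rule, acls):
            return "exempt" if nat_id == 0 else globals_.get(nat_id)
    return None

if __name__ == "__main__":
    for host in ("203.0.113.10", "192.168.1.10"):
        print(host, "->", outbound_translation(PIX_CONFIG, host))
```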
Re: PIX with no NAT [7:31353]
> - Original Message -
> From: "Philip Sousa"
> Sent: Wednesday, January 09, 2002 12:32 AM
> Subject: PIX with no NAT [7:31353]
>
> I've been on Cisco's site for hours, but cannot find a conclusive answer to
> my question. When you disable NAT (NAT 0) to allow the use of public IPs
> behind the PIX, are the internal nodes allowed to start outbound connections
> by default?? I need to selectively allow nodes behind the firewall to start
> outbound connections on certain ports; how should I accomplish this?
> Access-lists?

    nat (inside) 0 access-list only-the-lucky-one
    access-list only-the-lucky-one permit tcp/udp/.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31636&t=31353
Re: PIX with no NAT [7:31353]
By default all outbound connections are enabled and all inbound are blocked.

- Original Message -
From: "Philip Sousa"
Sent: Wednesday, January 09, 2002 12:32 AM
Subject: PIX with no NAT [7:31353]

> I've been on Cisco's site for hours, but cannot find a conclusive answer to
> my question. When you disable NAT (NAT 0) to allow the use of public IPs
> behind the PIX, are the internal nodes allowed to start outbound connections
> by default?? I need to selectively allow nodes behind the firewall to start
> outbound connections on certain ports; how should I accomplish this?
> Access-lists?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31633&t=31353
RE: PIX with no NAT [7:31353]
You still need a conduit or access list to bypass the PIX ASA.

-Keyur Shah-
CCIE# 4799 (Security; Routing and Switching)
css1, ccna, ccda, scsa, scna, mct, mcse, mcp+i, mcp, cni, mcne, cne, cna
Hello Computers
"Say Hello to Your Future!"
http://www.hellocomputers.com
Toll-Free: 1.877.794.3556
Fremont: 510.795.6815
Santa Clara: 408.496.0801
Europe: +(44)20 7900 3011
Fax: 510.291.2250

-Original Message-
From: Philip Sousa [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 08, 2002 10:33 PM
To: [EMAIL PROTECTED]
Subject: PIX with no NAT [7:31353]

I've been on Cisco's site for hours, but cannot find a conclusive answer to my question. When you disable NAT (NAT 0) to allow the use of public IPs behind the PIX, are the internal nodes allowed to start outbound connections by default?? I need to selectively allow nodes behind the firewall to start outbound connections on certain ports; how should I accomplish this? Access-lists?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31411&t=31353
Re: PIX with no NAT [7:31353]
Maybe you can use, for example:

    internal network: 192.168.1.x /24
    external network: 200.100.100.x /24

You can use this static command (identity NAT of the inside subnet to itself; the (inside,outside) interface pair is required by the PIX static syntax):

    static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
    access-list OUT permit ip any any
    access-list IN permit ip X.X.X.X any
    access-group OUT interface inside
    access-group IN interface outside

Then the PIX will perform as a router; you can control the outside and inside access-lists instead of using CONDUIT to open/map the ports for those internal servers. This method was taught by a CCIE of Cisco TAC. Hope this tricky method can help you!

"Philip Sousa" wrote:
> I've been on Cisco's site for hours, but cannot find a conclusive answer to
> my question. When you disable NAT (NAT 0) to allow the use of public IPs
> behind the PIX, are the internal nodes allowed to start outbound connections
> by default?? I need to selectively allow nodes behind the firewall to start
> outbound connections on certain ports; how should I accomplish this?
> Access-lists?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31371&t=31353
PIX with no NAT [7:31353]
I've been on Cisco's site for hours, but cannot find a conclusive answer to my question. When you disable NAT (NAT 0) to allow the use of public IPs behind the PIX, are the internal nodes allowed to start outbound connections by default?? I need to selectively allow nodes behind the firewall to start outbound connections on certain ports; how should I accomplish this? Access-lists?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31353&t=31353