At 08:24 AM 11/20/01 -0500, Ramesh c wrote:
1) I got a PIX in a test (all internal) environment (configured as
outside, inside and DMZ). Do I need to use NAT to connect to the outside
segment from inside or vice versa? Since the PIX can act as a router, will
enabling routing solve this purpose without use of NAT, applying access lists
later for security?
2) I want to open all the ports of a TCP connection for a particular host. How
do I go about it?
cheers
Ramesh
No, you do not. If you want to do a no-NAT configuration, make an ACL for
no NAT (using id 0) for the IPs you do not want to translate. Of course,
this is only sensible if you have registered IPs on the inside. If not,
you really should use NAT.
The PIX is generally a horrible router; it only supports RIP. A
router in the most generic sense of a multihomed host that can move from
interface A to interface B is barely a router. Heck, Windows NT can do
that. (shudder)
You have not defined what security policy you want. Access-lists for
what? Inbound or outbound? If you use PAT (which is really a misnamed
Ciscoism), you have some light level of security for inbound
connections. By default, no one can hit your inside from the outside unless
you have statics + access lists. If you use static NATs, you WILL open a
security hole for sure unless you have ACLs blocking on the outside
interface. Remember, the inflexible Cisco PIX can only do inbound ACLs on
any interface. (However, you can still simulate the inbound/outbound
security policy by putting it on the other interfaces.)
You have not mentioned inbound or outbound. If you mean inbound, use a
static (from the outside to the inside) and write an ACL that allows him
access through.
I know you said this is a test environment. However, I think you should
review some of the PIX's basic configurations on Cisco's web site to get a
better understanding and should definitely get a consultant to review your
final configuration before deployment.
-Carroll Kong
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26839t=26832
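A PIX 6.x configuration fragment illustrating the two points in Carroll's reply (the nat 0 ACL for no-NAT, and a static plus an ACL applied inbound on the outside interface to admit one host). This is an added example, not part of the original thread; the interface names, security levels and the 192.0.2.0/24, 10.1.1.0/24 and 10.2.2.0/24 addresses are hypothetical test values.

```cisco
! Hypothetical three-interface test layout (outside / inside / DMZ)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0

! 1) No-NAT between inside and the outside segment: traffic matching the
!    ACL is passed without translation (nat id 0). Only sensible when the
!    inside addresses are routable on the outside segment.
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! 2) Inbound access to one inside host on all TCP ports.
!    The static alone opens nothing; the PIX still requires an ACL on the
!    lower-security interface, and that ACL is the only thing limiting
!    exposure, so it is scoped to TCP and to the single mapped address.
static (inside,outside) 192.0.2.50 10.1.1.50 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.0.2.50
access-list outside_in deny ip any any
access-group outside_in in interface outside

! The PIX applies ACLs inbound only, so an "outbound" policy for the inside
! segment is written as an inbound ACL on the inside interface.
access-list inside_in permit tcp 10.1.1.0 255.255.255.0 any
access-list inside_in deny ip any any
access-group inside_in in interface inside
```

Without the static there is no translation slot for the outside host to reach, so the ACL alone would not admit the connection; without the ACL the static alone is still blocked by the default deny on the outside interface.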
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]