Dumb question.
Does the Router on the otside interface of the pix (66.61.46.254) have the
following route in the route table?
ip route 129.174.1.0 255.255.255.0 to 66.61.46.120
If not, a traceroute will show either unreachable or a routing loop.
-ejay hire
-Original Message-
From: David Tran [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 19, 2001 12:08 PM
To: [EMAIL PROTECTED]
Subject: How to disable NAT in Cisco PIX? [7:29641]
I posted this question once before; however, none of the
advise mentioned work so I am going to post it again hoping
that I might be able to an a correct answer this time.
By the way, please don't tell me to change the default route
because everything works. The PIX can ping the Internet just
fine. Furthermore, I have a workstation on the 66.61.46.0/24
network (66.61.46.150) and that machine can reach the Internet
just fine. There is no problem with connectivity issue except
for the fact that the machines from the "inside" interfave can
NOT browse the Internet. Why it doesn't work is a mystery
to me. Another thing, this is a TEST network so everything
is wide open at the moment. Please help.
I am having problem setting up a network in this scenario
with my PIX515-UR firewall running version 6.1(1) with pdm
version 1.1(2).
I have a network with REGISTERED IP addresses. The
"inside" interface of the PIX is on the 129.174.1.0/24
network with IP address of 129.174.1.254. The "outside"
interface of the PIX is on the 66.61.46.0/24 network with
IP address of 66.61.46.120. The "inside" interface has
a security level of 100 and the "outside" interface has
security level of 0. On the "inside" internal network, I
have 10 workstations range from 129.174.1.1-10. These
workstations have the default gateway point to the
"inside" interface of the PIX.
I understand that for machines from the "inside"
network to access the Internet, the command "nat"
and global must be used. However, since I all of my
machines have valid (aka registered IP addresses), I
want to disabe NAT completely. For, example,
I want machine 129.174.1.1 to be able to browse and
ping any machines on the Internet. At the same time,
I don't want users from the Internet to be able to access
any of the workstations on the "inside" interface. I have
been searching for documentation on Cisco website
but it seems likemost of the example have to do with NAT
enable. There are a few examples that will disable NAT
but it is relatedto VPN which is something I don't want.
Furthermore, most of the examples fill with errors and
pretty worthless (for PIX anyway). If anyone has done
this before, let me know. I also include a copy of the config.
Thanks.
David
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password sdfkjfdjjdfjksdf encrypted
passwd sdfjksdfkjsdfjksjf encrypted
hostname ciscopix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list no-nat-list permit ip any any
access-list no-nat-list permit icmp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 66.61.46.120 255.255.255.0
ip address inside 129.174.1.254 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
nat (inside) 0 129.174.1.0 255.255.255.0
static (inside, outside) 129.174.1.0 129.174.1.0
conduit permit ip any any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 66.61.46.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00
sip
0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29678&t=29641
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
