Any address that matches a NAT command with an index of 0 will not be
translated.

The problem with your configuration is the STATIC command you are using.
The mask is invalid and the entire command is not necessary.  Also, what
are you trying to do with those access-lists?  They are not applied.  They
will compromise your security and are probably not necessary given your
simple setup.

Take care,

Paul Borghese

----- Original Message -----
From: "David Tran"
Newsgroups: groupstudy.cisco
Sent: Monday, December 17, 2001 4:13 PM
Subject: how to disable NAT in PIX firewall (both inside an [7:29303]


> Hi Everyone,
>
> I am having problem setting up a network in this scenario
> with my PIX515-UR firewall running version 6.1(1) with pdm
> version 1.1(2).
>
> I have a network with REGISTERED IP addresses. The
> "inside" interface of the PIX is on the 129.174.1.0/24
> network with IP address of 129.174.1.254. The "outside"
> interface of the PIX is on the 66.61.46.0/24 network with
> IP address of 66.61.46.120. The "inside" interface has
> a security level of 100 and the "outside" interface has
> security level of 0. On the "inside" internal network, I
> have 10 workstations range from 129.174.1.1-10. These
> workstations have the default gateway point to the
> "inside" interface of the PIX.
>
> I understand that for machines from the "inside"
> network to access the Internet, the command "nat"
> and global must be used. However, since I all of my
> machines have valid (aka registered IP addresses), I
> want to disable NAT completely. For, example,
> I want machine 129.174.1.1 to be able to browse and
> ping any machines on the Internet. At the same time,
> I don't want users from the Internet to be able to access
> any of the workstations on the "inside" interface. I have
> been searching for documentation on Cisco website
> but it seems like most of the example have to do with NAT
> enable. There are a few examples that will disable NAT
> but it is related to VPN which is something I don't want.
> Furthermore, most of the examples fill with errors and
> pretty worthless (for PIX anyway). If anyone has done
> this before, let me know. I also include a copy of the config.
>
> Thanks.
>
> David
>
> PIX Version 6.1(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
> enable password sdfkjfdjjdfjksdf encrypted
> passwd sdfjksdfkjsdfjksjf encrypted
> hostname ciscopix
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list no-nat-list permit ip any any
> access-list no-nat-list permit icmp any any
> pager lines 24
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> ip address outside 66.61.46.120 255.255.255.0
> ip address inside 129.174.1.254 255.255.255.0
> ip address dmz 127.0.0.1 255.255.255.255
> ip audit info action alarm
> ip audit attack action alarm
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
> failover ip address dmz 0.0.0.0
> pdm history enable
> arp timeout 14400
> nat (inside) 0 129.174.1.0 255.255.255.0
> static (inside, outside) 129.174.1.0 129.174.1.0
> conduit permit ip any any
> conduit permit icmp any any
> route outside 0.0.0.0 0.0.0.0 66.61.46.254 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> telnet timeout 5
> ssh timeout 5
> terminal width 80




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29404&t=29404
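Added example (not from the thread or from Cisco): a small Python check that scans the posted PIX 6.x config lines for the points raised in the reply: identity NAT with index 0 (no translation), the network STATIC with no netmask keyword, access-lists that are defined but never applied by an access-group or nat 0 access-list line, and conduits that permit any source to reach the inside. The sample config is a constructed excerpt of the lines quoted above; the "last octet is .0" rule for spotting a network static is a heuristic of this example.

```python
import re
from typing import Dict, List

# Constructed excerpt of the config quoted in the thread (not the full config).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list no-nat-list permit ip any any
access-list no-nat-list permit icmp any any
nat (inside) 0 129.174.1.0 255.255.255.0
static (inside, outside) 129.174.1.0 129.174.1.0
conduit permit ip any any
conduit permit icmp any any
"""


def audit_pix_config(config: str) -> Dict[str, List[str]]:
    """Report identity NAT, a network static missing its netmask, unapplied
    access-lists, and wide-open conduits found in a PIX 6.x style config."""
    findings: Dict[str, List[str]] = {"nat0": [], "static_bad_mask": [],
                                      "unapplied_acl": [], "open_conduit": []}
    defined, applied = set(), set()
    for raw in config.splitlines():
        line = " ".join(raw.split())            # normalise whitespace
        if not line or line.startswith(("!", ":")):
            continue
        if re.match(r"nat \(\S+\) 0 ", line):   # index 0: addresses are not translated
            findings["nat0"].append(line)
            m = re.search(r"access-list (\S+)", line)
            if m:                                # nat 0 access-list X applies ACL X
                applied.add(m.group(1))
        elif line.startswith("static "):
            # Heuristic: a network address (last octet 0) without the netmask
            # keyword gets the default host mask, which is not a usable network static.
            addrs = re.findall(r"\b(\d+\.\d+\.\d+\.\d+)\b", line)
            if any(a.endswith(".0") for a in addrs) and " netmask " not in line:
                findings["static_bad_mask"].append(line)
        elif line.startswith("access-list "):
            defined.add(line.split()[1])
        elif line.startswith("access-group "):   # access-group NAME in interface IF
            applied.add(line.split()[1])
        elif line.startswith("conduit permit ") and line.endswith(" any any"):
            findings["open_conduit"].append(line)   # any outside host may reach inside
    findings["unapplied_acl"] = sorted(defined - applied)
    return findings


if __name__ == "__main__":
    for key, lines in audit_pix_config(SAMPLE_CONFIG).items():
        print(key, lines)
```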
