Hi Firewall Gurus,
I'm just a bit confused with the NAT and PAT capabilities of a PIX firewall. For example I have this configuration:
global (outside) 2 210.*.*.49-22.214.171.124 netmask 255.255.255.0
global (outside) 2 202.*.*.34
nat (inside) 2 10.161.0.0 255.255.255.0 0 0
1. Why do I still have to include the subnet mask in the global command?
2. What will happen to this kind of configuration?
3. Will it be NAT or PAT, and what CLI command specifies whether it is NAT or PAT?
4. What if I want to have a one-to-one dynamic translation? What config should I do?
Here's what I have in mind: the first 7 workstations from the 10.161.0.0/24 subnet will NAT to 126.96.36.199-55, then the succeeding workstations will PAT to this IP address range. Please correct me if I'm wrong.
This is because we have clients that use a VPN client that needs one-to-one public IP translation and should not be port address translated. All of these are dynamic NAT and PAT.
How does the PIX firewall interpret a nat (inside) access-list command?
What if I have this configuration:
global (outside) 2 188.8.131.52
global (outside) 3 184.108.40.206
nat (inside) 2 access-list 2
nat (inside) 3 access-list 3
access-list 2 permit ip any host 220.127.116.11
access-list 2 permit ip any host 18.104.22.168
access-list 3 permit ip any any
Is this going to be read in parallel? I mean, if the destination IP is 22.214.171.124 and 126.96.36.199, I always want to translate it to 188.8.131.52, not 184.108.40.206, because access-list 3 will also satisfy the condition, which is "any any".
Sorry for so many questions but I just want to clarify everything.
Thank you very much.