NAT - Understanding

Jun 25th, 2007

Hi,


I have been running a PIX 520 with 6.3. Now coding a PIX 515E with 7.1. I decided to read a manual ;)


Now I was amazed at the different NAT and policies.


What is the best way to do things - on my old firewall I just had access lists bound to my interfaces. Should I continue this or should I use policy NAT style?


Also with VLANs - should I just let the flow go through the main interface, or is it more secure to create VLAN interfaces?


Thanks for any pointers


Ed

gaetan.allart Mon, 06/25/2007 - 02:37

Hi,


Nat policies have to be designed according to what you want to do...


Remember that access-lists are not especially linked to NAT rules.


The purpose of VLANs is to spare interfaces. The 515E has 6 FE. If you don't need 100Mb for your subnet and if you plan to connect many (>6) subnets on this PIX, I suggest using VLANs...


Regards,


Gaetan

edw Mon, 06/25/2007 - 03:09

Thanks for the reply.


I'm using a VLAN for the DMZ, though it's on one FE. I'm using a VLAN for the public traffic and one for management - is this the correct way to proceed?


So there is no greater security by using policy NAT compared to just binding ACLs to the interface?


At present I have about 3 or 4 VLANs inside going through the PIX to the public router. I don't have the VLANs in the PIX; traffic comes in, gets NAT'ed and then leaves without any segregation in terms of VLAN. Security-wise this is fine...?


Thanks


Ed

gaetan.allart Mon, 06/25/2007 - 04:07

NAT is just a way to translate addresses. It will never replace filtering with ACLs.
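The point above, illustrated with an added PIX 7.x configuration fragment that is not from this thread (the addresses, interface numbers and VLAN id are assumed examples). It shows that the interface ACL is what permits inbound traffic to a NAT'ed DMZ host, and that an ACL referenced by policy NAT only selects which flows are translated:

```cisco
! Outside interface, lowest security level
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
! Inside interface, highest security level
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
! DMZ carried as a VLAN subinterface on a third FE port (assumed VLAN 10)
interface Ethernet2.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0

! Require a translation for inside hosts going out
nat-control
! Dynamic PAT for the whole inside subnet behind the outside interface address
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Static one-to-one mapping for a DMZ web server (assumed addresses)
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255

! The static alone does NOT let the outside reach the server: traffic from a
! lower to a higher security level is dropped until an ACL permits it.
! Pre-8.3 code filters on the translated (global) address.
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside

! Policy NAT: the ACL here is a match condition that picks which inside
! traffic (to an assumed 10.0.0.0/8 partner range) uses a different global
! address. It permits or denies nothing; filtering still comes from
! access-group on the interfaces.
access-list policy_nat extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 2 access-list policy_nat
global (outside) 2 203.0.113.20
```

Removing the `access-group` line leaves the static translation in place but blocks all inbound connections to the server, which is the practical difference between translating and filtering.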
