NAT - Understanding

Unanswered Question
Jun 25th, 2007
User Badges:


I have been running a PIX 520 with 6.3. Now coding a PIX515E with 7.1. I decided to read a manual ;)

Now I was amazing at the different NAT and policies.

What is the best way to do things - on my old firewall I just had access lists binded to my interfaces. SHould I continue this or should I use policy NAT style ??

Also with vlan - should I just let the flow of the main interface or is it more secure to create vlan interfaces ??

Thanks for any pointers


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
gaetan.allart Mon, 06/25/2007 - 02:37
User Badges:


Nat policies have to be designed according to what you want to do...

Remember that access-lists are not especially lminked to nat rules.

Purpose of VLAN is to spare interfaces. 515E has 6 FE. If you don't need 100Mb for your subnet and if you plan to connect many (>6) subnets on thix PIX, I suggest using Vlans...



edw Mon, 06/25/2007 - 03:09
User Badges:

Thanks for the reply.

I'm using vlan for the DMZ thou its on one FE. I using a vlan for the public traffic and one for managment - is this correct way to proceed.

So there is no greater security by using policy nat comparared to just binding ACL's to the interface ??

At present I have about 3 or 4 vlans inside going through the PIX to public router. I dont have it vlans in the PIX it comes in gets NAT'ed and then leaves without a segragation in terms of vlan. Security wise this is fine...?



gaetan.allart Mon, 06/25/2007 - 04:07
User Badges:

NAT is just a way to translate addresses. It will never replace filtering with ACLs.


This Discussion