06-25-2007 02:32 AM - last edited on 03-25-2019 05:37 PM by ciscomoderator
Hi,
I have been running a PIX 520 with 6.3. Now coding a PIX 515E with 7.1. I decided to read a manual ;)
Now I was amazed at the different NAT and policies.
What is the best way to do things? On my old firewall I just had access lists bound to my interfaces. Should I continue this or should I use policy NAT style?
Also with VLANs, should I just let the traffic flow through the main interface or is it more secure to create VLAN interfaces?
Thanks for any pointers
Ed
06-25-2007 02:37 AM
Hi,
NAT policies have to be designed according to what you want to do...
Remember that access-lists are not especially linked to NAT rules.
The purpose of VLANs is to spare interfaces. The 515E has 6 FE. If you don't need 100Mb for your subnet and if you plan to connect many (>6) subnets on this PIX, I suggest using VLANs...
Regards,
Gaetan
06-25-2007 03:09 AM
Thanks for the reply.
I'm using a VLAN for the DMZ, though it's on one FE. I'm using a VLAN for the public traffic and one for management. Is this the correct way to proceed?
So there is no greater security by using policy NAT compared to just binding ACLs to the interface?
At present I have about 3 or 4 VLANs inside going through the PIX to the public router. I don't have the VLANs in the PIX; it comes in, gets NAT'ed and then leaves without any segregation in terms of VLAN. Security-wise this is fine...?
Thanks
Ed
06-25-2007 04:07 AM
NAT is just a way to translate addresses. It will never replace filtering with ACLs.
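To make the point concrete, here is an added PIX 7.x configuration sketch (not posted by anyone in this thread) showing a DMZ and a management VLAN as subinterfaces on one FE port, plain NAT plus a policy NAT rule, and the interface ACL that actually does the filtering. Interface names, VLAN ids and all addresses are assumed.

```cisco
! Added example (not from this thread): PIX 7.x with one FE split into VLAN
! subinterfaces, NAT kept separate from the interface ACLs that do the filtering.
! Interface names, VLAN ids and addresses are assumed; public IPs are RFC 5737 examples.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
! One physical port carries two VLANs; each subinterface has its own
! nameif and security-level, so traffic between dmz and mgmt is firewalled too.
interface Ethernet2
 no shutdown
!
interface Ethernet2.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet2.20
 vlan 20
 nameif mgmt
 security-level 90
 ip address 192.168.20.1 255.255.255.0
!
! NAT only rewrites addresses; nothing here permits or denies a flow.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
!
! Policy NAT: this ACL only selects which inside flows are translated
! when they head for the DMZ; it does not allow the traffic.
access-list PNAT_TO_DMZ extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 2 access-list PNAT_TO_DMZ
global (dmz) 2 interface
!
! Filtering is done by the ACL bound to the interface with access-group.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE_IN in interface outside
! Management access to the PIX itself is restricted per interface, not via access-group.
ssh 192.168.20.0 255.255.255.0 mgmt
```

Whether or not a flow is translated by the nat/static lines, it only reaches the DMZ host if the access-group ACL on the outside interface permits it.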