
NAT - Understanding

edw
Level 1

Hi,

I have been running a PIX 520 with 6.3. Now coding a PIX515E with 7.1. I decided to read a manual ;)

Now I was amazed at the different NAT and policies.

What is the best way to do things - on my old firewall I just had access lists bound to my interfaces. Should I continue this or should I use policy NAT style?

Also with vlan - should I just let the flow of the main interface or is it more secure to create vlan interfaces?

Thanks for any pointers

Ed

3 Replies

gaetan.allart
Level 1

Hi,

Nat policies have to be designed according to what you want to do...

Remember that access-lists are not especially linked to NAT rules.

Purpose of VLAN is to spare interfaces. 515E has 6 FE. If you don't need 100Mb for your subnet and if you plan to connect many (>6) subnets on this PIX, I suggest using VLANs...

Regards,

Gaetan

Thanks for the reply.

I'm using vlan for the DMZ though it's on one FE. I'm using a vlan for the public traffic and one for management - is this the correct way to proceed?

So there is no greater security by using policy NAT compared to just binding ACLs to the interface?

At present I have about 3 or 4 vlans inside going through the PIX to the public router. I don't have the vlans in the PIX; it comes in, gets NAT'ed and then leaves without segregation in terms of vlan. Security-wise this is fine...?

Thanks

Ed

NAT is just a way to translate addresses. It will never replace filtering with ACLs.
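
The separation discussed in this thread, as an added PIX 7.x configuration sketch (not posted by any participant): the ACL referenced by `nat` only selects which flows get a given translation, while the ACL applied with `access-group` is what permits or denies traffic. All interface names, VLAN IDs, ACL names and addresses are constructed placeholders (RFC 5737 documentation ranges and RFC 1918 space).

```cisco
! --- VLAN subinterface: one physical FE carries a tagged DMZ segment ---
interface Ethernet2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet2.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! --- Translation only: regular dynamic NAT/PAT for the inside network ---
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! --- Translation only: policy NAT ---
! This ACL does not filter anything. It only says "when 10.1.1.0/24
! talks to 198.51.100.20, use pool 2 instead of pool 1".
access-list NAT_TO_PARTNER extended permit ip 10.1.1.0 255.255.255.0 host 198.51.100.20
nat (inside) 2 access-list NAT_TO_PARTNER
global (outside) 2 203.0.113.10
!
! --- Translation only: publish a DMZ host on a public address ---
static (dmz,outside) 203.0.113.25 192.0.2.25 netmask 255.255.255.255
!
! --- Filtering: this is what decides which inbound traffic is allowed ---
! Without this ACL bound to the interface, the static above exists
! but no connection from outside (lower security level) is permitted.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.25 eq www
access-group OUTSIDE_IN in interface outside
!
! --- Filtering between segments on the firewall itself ---
! Traffic from the DMZ toward inside (higher security level) is denied
! unless an ACL bound to the dmz interface permits it explicitly.
access-list DMZ_IN extended deny ip 192.0.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list DMZ_IN extended permit ip 192.0.2.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
```

VLANs that are not defined as interfaces on the PIX and reach it through a single interface share that interface's security level and ACL, so the firewall cannot filter traffic between them.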
