No NAT in PIX 515 E

Hi,

I need to configure a PIX without NAT and I don't know how to do it. Can anyone help me please?

I have:

outside interface with 192.168.7.0/24

inside interface with 10.79.10.0/24

interface2 with 192.168.24.0/21


I need 10.79.10.0/24 to go to the outside without NAT being done on it (because we have another FW in another place outside).


How can I do it?

Thanks, Regards


Eneko

sachinraja Thu, 01/08/2009 - 05:42

Hello Eneko,


You gotta use nat 0 statements to do a no-nat on the PIX. The following commands should be in place:


nat (inside) 0 10.79.10.0 255.255.255.0 0 0


If there is more than one network, you can assign an access-list and then allow the networks which have to be no-natted.


access-list 101 permit ip 10.79.10.0 255.255.255.0 any

nat (inside) 0 access-list 101


Let us know if this works fine. All the best.


Raj


cisco24x7 Thu, 01/08/2009 - 05:58

That is not entirely correct.


Depending on the configuration. Assuming that you have no PAT/NAT configuration on the Pix and that you use version 7.x or 8.x, "no nat-control" is on by default on the Pix and the Pix will become a router. Network 10.79.10.0/24 will be able to get to the outside and return traffic can get back without any issues, with the exception of ICMP stuff.



sachinraja Thu, 01/08/2009 - 06:45

Agree with David. If it is 6.3 or less, you can use my solution; if it is 7.x or 8.x, you can use no nat-control. But I'm not really convinced by nat-control. By statically defining no-nats, the administrator always has control of what traffic goes through the firewall without NAT, which is critical to his network. If all traffic is allowed by default, isn't that a security risk? And if there is no access-list on the inside network, then it will be a major mess!


Regards

Raj
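
The two points raised in this thread (unrestricted un-NATed traffic under no nat-control, and ICMP replies not returning) can be handled together on 7.x/8.x. The following is an added example, not a configuration posted by anyone in the thread; the ACL name INSIDE-OUT is hypothetical, the interface name is assumed to be "inside", and the default global_policy / inspection_default objects are assumed to be present.

```cisco
! Added example for PIX 7.x/8.x. ACL name INSIDE-OUT is hypothetical.
! Route 10.79.10.0/24 through the PIX without translation.
no nat-control

! Explicitly state which inside sources may leave un-NATed.
! PIX ACLs take a subnet mask (255.255.255.0), not a wildcard mask.
access-list INSIDE-OUT extended permit ip 10.79.10.0 255.255.255.0 any
! Log anything else arriving on the inside interface instead of
! relying on the implicit deny, so unexpected sources are visible.
access-list INSIDE-OUT extended deny ip any any log
access-group INSIDE-OUT in interface inside

! Track ICMP statefully so echo replies to inside hosts are allowed
! back in without opening ICMP in an ACL on the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Because the source address is no longer translated, the firewall beyond the outside interface needs a route back to 10.79.10.0/24 via the PIX.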
