What type of NAT setup?

Answered Question
May 8th, 2006

Hello, I'm confused as to what type of NAT I should use for my PIX515E.


Our network is at a colocation, and we deal with websites, and multimedia.


So based on that, am I right, that I shouldn't be using PAT?


I have assigned external IPs pointing to the internal IPs.


Is there anything I should be configuring so that the inside can access the outside?


I've attached a simple diagram of what the network will look like.

stomasko Mon, 05/08/2006 - 07:41

If you have an external IP for every internal machine you could use static nat statements for one to one correlation. Typically though you would use static statements for your servers which need constant outside connectivity and PAT for your standard user machines.


Hope this helps.


Steve

bajancanuk Mon, 05/08/2006 - 10:10

ip address outside X.X.42.148 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
access-list ACL_OUT permit tcp any host X.X.42.44 eq www
static (inside,outside) tcp X.X.X.44 www 192.168.0.10 www netmask 255.255.255.255 0 0
access-group ACL_OUT in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.42.148 1



So instead of "route outside" this way, all pointing to my firewall OUTSIDE,

I need to do something like:

route outside 192.168.0.10 255.255.255.0 X.X.X.44 1

and have as many of these entries for all the IPs I have inside, pointing outside. Correct?

As a side note, you will see that I have "static (inside,outside)"; it's confusing to me because

the first set of IPs is actually the outside IPs, and the second is inside.....

Thanks


Will

Fernando_Meza Mon, 05/08/2006 - 22:15

Hi .. you are a bit confused .. let me explain how it works ..


Static NAT: is used when you want to make your internal systems reachable from the outside (in this case).


From your config ... the instruction

static (inside,outside) tcp X.X.X.44 www 192.168.0.10 www netmask 255.255.255.255


means that any system on the internet can connect to X.X.X.44 on port 80. The PIX will redirect this traffic to 192.168.0.10 ( your internal system ). The access is allowed by the access list you have applied to the outside interface which is correct.


Now .. if you want to allow your inside users access to the Internet then you have to create a combination of nat and global instructions. So ..

global (outside) 1 interface
nat (inside) 1 access-list 120
access-list 120 permit ip any any


will allow your users access to the Internet. As the packet traverses from inside to outside, the combination of nat<->global commands will translate the internal source IP to the IP address of the outside interface of your PIX.


In regards to your routes .. you only need

route outside 0.0.0.0 0.0.0.0

This command .. is not correct, so .. you don't need this one:

route outside 192.168.0.10 255.255.255.0 X.X.X.44 1


I hope it helps .. please rate it if it does !!



bajancanuk Tue, 05/09/2006 - 05:13

I will! I'm starting to understand.

What has me confused, I guess, is the "wording".

That, if I use 1 IP as my "outside" source, PIX will 'PAT' all internal to external with that 1 ip.


I CAN'T do that (PAT), because I have multimedia apps on the server, which PAT doesn't work with.


SO, I'm assuming, that for every 1 IP on the inside, it needs to be referenced to an OUTSIDE IP.. so that the connection isn't "PATed".. is this correct?



Correct Answer
Fernando_Meza Tue, 05/09/2006 - 16:48

OK .. if you DON'T want PAT to happen for a host or subnet then you can use what is called NAT exemption. For example the commands:


nat (inside) 0 access-list no_nat
access-list no_nat permit ip x.x.x.0 255.255.255.0 any

The above instructions will not PAT inside hosts on the range x.x.x.0 going out.


I hope it helps .. ahhah please don't forget to rate it if you find the information provided on this forum useful
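As an added illustration, not code from this thread or from Cisco, here is a small Python model of the order in which a PIX picks a translation for an inside-to-outside packet using the commands quoted above (NAT exemption first, then static, then nat/global PAT) and of what an outside host reaches through the static plus the outside access list. The posts' placeholder addresses are replaced with documentation addresses (X.X.X.44 becomes 203.0.113.44, the outside interface 203.0.113.148, x.x.x.0 becomes 192.168.5.0), and a one-to-one static for 192.168.0.11 is constructed to show the server case Steve describes.

```python
import ipaddress

# Constructed model of the PIX 6.x translation rules discussed in this thread.
OUTSIDE_IF_IP = "203.0.113.148"                         # global (outside) 1 interface
NAT0_EXEMPT = [ipaddress.ip_network("192.168.5.0/24")]  # nat (inside) 0 access-list no_nat
# static (inside,outside) tcp 203.0.113.44 www 192.168.0.10 www netmask 255.255.255.255
STATIC_PORT = {("192.168.0.10", "tcp", 80): ("203.0.113.44", 80)}
# constructed one-to-one static: static (inside,outside) 203.0.113.45 192.168.0.11
STATIC_ONE_TO_ONE = {"192.168.0.11": "203.0.113.45"}
NAT1_DYNAMIC = ipaddress.ip_network("0.0.0.0/0")        # nat (inside) 1 ... permit ip any any
ACL_OUT = [("tcp", "203.0.113.44", 80)]                 # access-list ACL_OUT permit tcp any host ... eq www
_pat_xlates = {}                                        # (src_ip, proto, src_port) -> PAT port


def translate_outbound(src_ip, proto, src_port):
    """Inside->outside: apply the PIX order NAT exemption, static, then nat/global PAT."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in NAT0_EXEMPT):           # nat 0: packet leaves untouched
        return ("exempt", src_ip, src_port)
    if src_ip in STATIC_ONE_TO_ONE:                     # every port maps to the public IP
        return ("static", STATIC_ONE_TO_ONE[src_ip], src_port)
    if (src_ip, proto, src_port) in STATIC_PORT:        # a port static covers only that port
        mapped_ip, mapped_port = STATIC_PORT[(src_ip, proto, src_port)]
        return ("static", mapped_ip, mapped_port)
    if ip in NAT1_DYNAMIC:                              # PAT behind the outside interface IP
        key = (src_ip, proto, src_port)
        if key not in _pat_xlates:
            _pat_xlates[key] = 1024 + len(_pat_xlates)  # simplified port allocation
        return ("pat", OUTSIDE_IF_IP, _pat_xlates[key])
    return ("no-xlate", None, None)                     # no rule matches: no connection is built


def inbound_target(proto, dst_ip, dst_port):
    """Outside->inside: the outside ACL must permit it and a static must map it."""
    if (proto, dst_ip, dst_port) not in ACL_OUT:        # access-group ACL_OUT in interface outside
        return None
    for (in_ip, p, in_port), (out_ip, out_port) in STATIC_PORT.items():
        if (p, out_ip, out_port) == (proto, dst_ip, dst_port):
            return (in_ip, in_port)
    for in_ip, out_ip in STATIC_ONE_TO_ONE.items():
        if out_ip == dst_ip:
            return (in_ip, dst_port)
    return None
```

Running it shows the three outcomes side by side: a host in the exempt subnet keeps its own address and port (the multimedia case), the server with a static keeps a fixed public address, and everything else is PATed to the outside interface with a rewritten source port.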