What type of NAT setup?

bajancanuk
Level 1

Hello, I'm confused as to what type of NAT I should use for my PIX 515E.

Our network is at a colocation, and we deal with websites, and multimedia.

So based on that, am I right, that I shouldn't be using PAT?

I have assigned external IPs pointing to the internal IPs.

Is there anything I should be configuring so that the inside can access the outside?

I've attached a simple diagram of what the network will look like.


5 Replies

stomasko
Level 4

If you have an external IP for every internal machine you could use static NAT statements for a one-to-one correlation. Typically, though, you would use static statements for your servers which need constant outside connectivity and PAT for your standard user machines.

Hope this helps.

Steve

ip address outside X.X.42.148 255.255.255.0

ip address inside 192.168.0.1 255.255.255.0

access-list ACL_OUT permit tcp any host X.X.42.44 eq www

static (inside,outside) tcp X.X.X.44 www 192.168.0.10 www netmask 255.255.255.255 0 0

access-group ACL_OUT in interface outside

route outside 0.0.0.0 0.0.0.0 X.X.42.148 1

So instead of the route outside being this way, all pointing to my firewall OUTSIDE,

I need to do something like:

route outside 192.168.0.10 255.255.255.0 X.X.X.44 1

and have as many of these entries for all the IPs I have inside, pointing outside. Correct?

As a side note, you will see that I have "static (inside,outside)"; it's confusing to me, because

the first set of IPs is actually the outside IPs, and the second is inside.....

Thanks

Will

Hi .. you are a bit confused .. let me explain how it works ..

Static NAT: is used when you want to make your internal systems reachable from the outside (in this case).

From your config ... the instruction

static (inside,outside) tcp X.X.X.44 www 192.168.0.10 www netmask 255.255.255.255

means that any system on the Internet can connect to X.X.X.44 on port 80. The PIX will redirect this traffic to 192.168.0.10 (your internal system). The access is allowed by the access list you have applied to the outside interface, which is correct.

Now .. if you want to allow your inside users access to the Internet then you have to create a combination of nat and global instructions. So ..

global (outside) 1 interface

nat (inside) 1 access-list 120

access-list 120 permit ip any any

will allow your users access to the Internet. As the packet traverses from inside to outside, the combination of nat<->global commands will translate the internal source IP to the IP address of the outside interface of your PIX.

In regards to your routes .. you only need

route outside 0.0.0.0 0.0.0.0

This command .. is not correct, so .. you don't need this one:

route outside 192.168.0.10 255.255.255.0 X.X.X.44 1

I hope it helps .. please rate it if it does !!

I will! I'm starting to understand.

What has me confused, I guess, is the "wording".

That is, if I use 1 IP as my "outside" source, the PIX will 'PAT' all internal to external with that 1 IP.

I CAN'T do that (PAT), because I have multimedia apps on the server, which PAT doesn't work with.

SO, I'm assuming that for every 1 IP on the inside, it needs to be referenced to an OUTSIDE IP .. so that the connection isn't "PATed" .. is this correct?

OK .. if you DON'T want PAT to happen for a host or subnet then you can use what is called NAT exemption. For example, the commands:

nat (inside) 0 access-list no_nat

access-list no_nat permit ip x.x.x.0 255.255.255.0 any

The above instructions will NOT PAT inside hosts on the range x.x.x.0 going out.

I hope it helps .. ahhah please don't forget to rate it if you find the information provided on this forum useful
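For reference, here is how the three mechanisms discussed in this thread (the port static from the asker's config, the global/nat PAT pair, and the nat 0 exemption from the accepted answer) fit together in one PIX 6.x configuration. This is an added, constructed example and not configuration from any poster; the inside network 192.168.0.0/24 and the X.X.42.44 static are taken from the thread, while X.X.42.1 (the upstream gateway), X.X.42.45, 192.168.0.20 and the 10.1.1.0/24 segment are assumed placeholder values. Note the order in which the PIX evaluates them: NAT exemption (nat 0 access-list) wins over static, and static wins over the numbered nat/global pair, so the catch-all PAT only applies to hosts not matched by the first two.

```text
! --- Added example, not from the original thread. Placeholder addresses are marked. ---
ip address outside X.X.42.148 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0

! 1) Port static: inbound TCP/80 to X.X.42.44 is redirected to 192.168.0.10 (from the thread).
!    Outbound connections from 192.168.0.10 also leave with source X.X.42.44, not the interface IP.
static (inside,outside) tcp X.X.42.44 www 192.168.0.10 www netmask 255.255.255.255 0 0

! 2) One-to-one static for a multimedia server that must not be PATed (X.X.42.45 / 192.168.0.20 are assumed).
!    All ports are mapped, so the outside ACL below decides what is actually reachable.
static (inside,outside) X.X.42.45 192.168.0.20 netmask 255.255.255.255 0 0

! 3) NAT exemption: traffic from this inside range is sent out untranslated.
!    Only useful where the inside addresses are globally routable (10.1.1.0/24 here is an assumed stand-in);
!    RFC1918 sources would leave the PIX unchanged and be dropped upstream.
access-list no_nat permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list no_nat

! 4) Catch-all PAT for ordinary user machines: everything else on 192.168.0.0/24 shares the outside interface IP.
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0

! Inbound policy on the outside interface: a static alone does not open anything; the ACL does.
! Only the web service on X.X.42.44 is permitted; the one-to-one static has no inbound permit yet.
access-list ACL_OUT permit tcp any host X.X.42.44 eq www
access-group ACL_OUT in interface outside

! One default route towards the upstream gateway (X.X.42.1 is assumed); no per-host routes for inside addresses.
route outside 0.0.0.0 0.0.0.0 X.X.42.1 1
```

Two points are worth checking on a live box after applying something like this: `show xlate` confirms which translation each inside host actually received (a host that appears with the interface IP is being PATed, one that appears with its own address was matched by nat 0 or a static), and the outside ACL should stay as narrow as the thread's ACL_OUT, since a one-to-one static exposes every port of the inside host that the ACL permits.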
