05-08-2006 07:26 AM - edited 03-09-2019 02:50 PM
Hello, I'm confused as to what type of NAT I should use for my PIX 515E.
Our network is at a colocation, and we deal with websites, and multimedia.
So based on that, am I right, that I shouldn't be using PAT?
I have assigned external IPs pointing to the internal IPs.
Is there anything I should be configuring so that the inside can access the outside?
I've attached a simple diagram of what the network will look like.
05-08-2006 07:41 AM
If you have an external IP for every internal machine you could use static nat statements for one to one correlation. Typically though you would use static statements for your servers which need constant outside connectivity and PAT for your standard user machines.
Hope this helps.
Steve
05-08-2006 10:10 AM
! interface addresses
ip address outside X.X.42.148 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
! permit inbound HTTP to the web server's public address
access-list ACL_OUT permit tcp any host X.X.42.44 eq www
! static PAT: X.X.X.44 port 80 on the outside maps to 192.168.0.10 port 80 on the inside
static (inside,outside) tcp X.X.X.44 www 192.168.0.10 www netmask 255.255.255.255 0 0
access-group ACL_OUT in interface outside
! default route
route outside 0.0.0.0 0.0.0.0 X.X.42.148 1
So instead of the route outside being this way, all pointing to my firewall's OUTSIDE,
I need to do something like:
route outside 192.168.0.10 255.255.255.0 X.X.X.44 1
and have as many of these entries for all the IPs I have inside, pointing outside. Correct?
As a side note, and confusingly, you will see that I have "static (inside,outside)"; it's confusing to me because
the first set of IPs is actually the outside IPs, and the second is inside.....
Thanks
Will
05-08-2006 10:15 PM
Hi, you are a bit confused, so let me explain how it works.
Static NAT is used when you want to make your internal systems reachable from the outside (in this case).
From your config, the instruction
static (inside,outside) tcp X.X.X.44 www 192.168.0.10 www netmask 255.255.255.255
means that any system on the Internet can connect to X.X.X.44 on port 80. The PIX will redirect this traffic to 192.168.0.10 (your internal system). The access is allowed by the access list you have applied to the outside interface, which is correct.
Now, if you want to allow your inside users access to the Internet, then you have to create a combination of nat and global instructions, so:
global (outside) 1 interface
nat (inside) 1 access-list 120
access-list 120 permit ip any any
will allow your users access to the Internet. As the packet traverses from inside to outside, the combination of nat<->global commands will translate the source internal IP to the IP address of the outside interface of your PIX.
In regards to your routes, you only need
route outside 0.0.0.0 0.0.0.0
This command is not correct, so you don't need this one:
route outside 192.168.0.10 255.255.255.0 X.X.X.44 1
I hope it helps. Please rate it if it does!
05-09-2006 05:13 AM
I will! I'm starting to understand.
What has me confused, I guess is the "wording".
That, if I use 1 IP as my "outside" source, the PIX will 'PAT' all internal to external with that 1 IP.
I CAN'T do that (PAT), because I have multimedia apps on the server, which PAT doesn't work with.
SO, I'm assuming that for every 1 IP on the inside, it needs to be referenced to an OUTSIDE IP so that the connection isn't "PATed". Is this correct?
05-09-2006 04:48 PM
OK, if you DON'T want PAT to happen for a host or subnet, then you can use what is called NAT exemption. For example, the commands:
nat (inside) 0 access-list no_nat
access-list no_nat permit x.x.x.0 255.255.255.0 any
The above instructions will NOT PAT inside hosts in the range x.x.x.0 going out.
I hope it helps. Please don't forget to rate it if you find the information provided on this forum useful.
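Added example, not part of the thread or any poster's config: a small Python model of how a PIX 6.x chooses an outbound translation, so the static PAT from Will's config, the nat/global pair from the 05-08-2006 10:15 PM reply, and the nat 0 exemption from the 05-09-2006 04:48 PM reply can be compared on sample flows. The rule order modelled is the documented PIX 6.x one (nat 0 access-list first, then static, then nat/global). The public addresses are assumptions standing in for the thread's redacted X.X.42.148 and X.X.X.44; the second server 192.168.0.20, its public address 203.0.113.45 and the exempt subnet 192.168.1.0/24 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

OUTSIDE_IF = "203.0.113.148"   # assumed stand-in for the thread's X.X.42.148 (outside interface)
WEB_GLOBAL = "203.0.113.44"    # assumed stand-in for X.X.X.44 / X.X.42.44 (web server's public IP)


@dataclass
class Static:
    """static (inside,outside) [tcp|udp <gip> <gport> <lip> <lport> | <gip> <lip>] netmask 255.255.255.255"""
    global_ip: str
    local_ip: str
    proto: Optional[str] = None   # None: one-to-one static, every protocol and port
    port: Optional[int] = None    # set for a port static (static PAT), e.g. "tcp ... www"

    def matches_outbound(self, src_ip, proto, src_port):
        if src_ip != self.local_ip:
            return False
        return self.proto is None or (proto == self.proto and src_port == self.port)

    def matches_inbound(self, dst_ip, proto, dst_port):
        if dst_ip != self.global_ip:
            return False
        return self.proto is None or (proto == self.proto and dst_port == self.port)


@dataclass
class NatExempt:
    """nat (inside) 0 access-list <acl>  +  access-list <acl> permit ip <net> <mask> any"""
    network: ipaddress.IPv4Network


@dataclass
class DynamicPat:
    """nat (inside) 1 access-list 120 (permit ip any any)  +  global (outside) 1 interface"""
    network: ipaddress.IPv4Network
    interface_ip: str
    next_port: int = 1024         # toy allocator; the real PIX picks from its own pool

    def allocate_port(self):
        port, self.next_port = self.next_port, self.next_port + 1
        return port


@dataclass
class Pix:
    exempts: list = field(default_factory=list)
    statics: list = field(default_factory=list)
    dynamics: list = field(default_factory=list)

    def translate_outbound(self, src_ip, proto, src_port):
        """inside -> outside: returns (outside_src_ip, outside_src_port, rule) or None.

        None models the PIX dropping the packet (syslog 305005, no translation group found)."""
        ip = ipaddress.ip_address(src_ip)
        for ex in self.exempts:                       # 1. nat 0: address leaves unchanged
            if ip in ex.network:
                return (src_ip, src_port, "nat 0 (exempt)")
        for st in self.statics:                       # 2. static: fixed global IP, port kept
            if st.matches_outbound(src_ip, proto, src_port):
                return (st.global_ip, src_port, "static")
        for dyn in self.dynamics:                     # 3. nat/global: interface IP + new port
            if ip in dyn.network:
                return (dyn.interface_ip, dyn.allocate_port(), "nat/global (PAT)")
        return None

    def translate_inbound(self, dst_ip, proto, dst_port):
        """outside -> inside: only a static maps a public IP/port to an inside host
        (the outside ACL must still permit the flow, as the thread's ACL_OUT does)."""
        for st in self.statics:
            if st.matches_inbound(dst_ip, proto, dst_port):
                return (st.local_ip, dst_port)
        return None


def thread_config():
    """The static PAT as posted plus the nat/global pair from the 10:15 PM reply."""
    pix = Pix()
    pix.statics.append(Static(WEB_GLOBAL, "192.168.0.10", proto="tcp", port=80))
    pix.dynamics.append(DynamicPat(ipaddress.ip_network("0.0.0.0/0"), OUTSIDE_IF))
    return pix


def no_pat_config():
    """thread_config() plus the two ways of keeping a host off PAT: a one-to-one static
    for an assumed media server, and nat 0 for an assumed second subnet."""
    pix = thread_config()
    pix.statics.append(Static("203.0.113.45", "192.168.0.20"))             # all ports, no PAT
    pix.exempts.append(NatExempt(ipaddress.ip_network("192.168.1.0/24")))  # nat (inside) 0
    return pix


if __name__ == "__main__":
    pix = no_pat_config()
    for flow in [("192.168.0.10", "tcp", 80), ("192.168.0.10", "udp", 5004),
                 ("192.168.0.20", "udp", 5004), ("192.168.1.7", "tcp", 443)]:
        print(flow, "->", pix.translate_outbound(*flow))
    print("inbound", (WEB_GLOBAL, "tcp", 80), "->", pix.translate_inbound(WEB_GLOBAL, "tcp", 80))
```

Running it shows the two points the thread circles around. The "tcp ... www" static only covers port 80, so the web server's other outbound flows (a UDP media stream from port 5004, for instance) still fall through to nat/global and get PATed to the interface address; a one-to-one static for 192.168.0.20 keeps every port and is the usual answer for an Internet-facing media host, as Steve's first reply suggested. nat 0 sends the inside address out unchanged, which is what you want toward a VPN or a routed peer, but with RFC 1918 addresses it does not make a host reachable from the Internet.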