NAT on Pix Firewall

kuldeep.kaur
Level 1

Hi Guys,

I am so confused about NAT on the firewall. I know NAT is used when an inside host has to talk to an outside host, but:

Is NAT required when an inside host has to talk to any other host in another DMZ? I know you need an access list, but do you need NAT?

In my company's firewall I have seen no NAT configured if a host on the inside interface has to talk to a host on the DMZ. Only access lists are configured.

I have also seen some static NAT entries from inside hosts to DMZ hosts. Confused why we need NAT here.

So I'm a bit confused. I'd really appreciate it if someone could clear this up for me.

Thanks

Accepted Solution

Jon Marshall
Hall of Fame

Kuldeep

A lot depends on the version of PIX code.

If it is pre-7.x code then you need NAT or a NAT exemption, i.e.

on pre-7 code you have to do one of the following:

1) You can NAT the internal hosts to be the same addresses on the DMZ:

static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

In effect this says: present the 192.168.10.x addresses as the same, i.e. 192.168.10.x, as they go to DMZ machines.

2) You can do a NAT exemption. Let's say your DMZ hosts are in the 172.16.10.0/24 range:

access-list natexempt permit ip 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0

nat (inside) 0 access-list natexempt

The above tells the PIX not to NAT the 192.168.10.x addresses as they access DMZ machines.

3) Obviously you can also NAT the inside hosts to a different range as well, but that's not really part of your confusion.

So without one of the above 3 options your inside hosts will not be able to talk to the DMZ hosts.

Version 7.x code and later

With version 7 code and later all of the above applies, but you also have the ability to disable NAT altogether with the "no nat-control" command.

Jon
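The following Python script is an added example and is not code from this thread or from Cisco. It models the rule Jon describes for pre-7.x PIX code (every connection through the box needs a translation) and reports which of his three options, if any, would carry a given inside-to-DMZ flow: a `nat 0` exemption ACL, an identity `static`, or ordinary `nat`/`global` pairs. The sample configuration, the interface names and the function names are all constructed for the example; policy NAT, port statics, `deny` ACL entries and the `host` keyword on `static` lines are deliberately not modelled, and access-list filtering (the separate permit you still need) is out of scope.

```python
"""Report which PIX NAT rule, if any, covers a flow between two interfaces (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PixNat:
    nat_control: bool = True       # assumed: translation mandatory unless "no nat-control" is seen
    acls: dict = field(default_factory=dict)           # name -> [(src_net, dst_net)] from permit ip lines
    exempt_acls: dict = field(default_factory=dict)    # real_if -> ACL name from "nat (if) 0 access-list"
    identity_nat0: dict = field(default_factory=dict)  # real_if -> [real_net] from "nat (if) 0 NET MASK"
    statics: list = field(default_factory=list)        # (real_if, mapped_if, real_net)
    dynamic: list = field(default_factory=list)        # (real_if, nat_id, real_net)
    globals_: set = field(default_factory=set)         # (mapped_if, nat_id)


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _addr_spec(t, i):
    """Consume one ACL address spec (any | host A | A MASK); return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return _net(t[i], t[i + 1]), i + 2


def parse_pix_nat(text):
    cfg = PixNat()
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["no", "nat-control"]:
            cfg.nat_control = False
        elif t[0] == "nat-control":
            cfg.nat_control = True
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _addr_spec(t, 4)
            dst, _ = _addr_spec(t, i)
            cfg.acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":
            ifc = t[1].strip("()")
            if t[2] == "0" and t[3] == "access-list":
                cfg.exempt_acls[ifc] = t[4]            # nat exemption
            elif t[2] == "0":
                cfg.identity_nat0.setdefault(ifc, []).append(_net(t[3], t[4]))
            else:
                cfg.dynamic.append((ifc, t[2], _net(t[3], t[4])))
        elif t[0] == "static" and "netmask" in t:
            # static (real_if,mapped_if) MAPPED REAL netmask MASK
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg.statics.append((real_if, mapped_if, _net(t[3], t[t.index("netmask") + 1])))
        elif t[0] == "global":
            cfg.globals_.add((t[1].strip("()"), t[2]))
    return cfg


def translation_for(cfg, src_if, dst_if, src_ip, dst_ip):
    """Kind of translation that would carry src_ip -> dst_ip, or None when the PIX would
    drop the flow for lack of a translation group. Lookup order follows the PIX:
    exemption, static, identity nat 0, then dynamic nat with a global on dst_if."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not cfg.nat_control:
        return "no-nat-control"
    acl = cfg.exempt_acls.get(src_if)
    if acl and any(src in s and dst in d for s, d in cfg.acls.get(acl, [])):
        return "exempt"
    if any(rif == src_if and mif == dst_if and src in net for rif, mif, net in cfg.statics):
        return "static"
    if any(src in net for net in cfg.identity_nat0.get(src_if, [])):
        return "identity"
    if any(rif == src_if and src in net and (dst_if, nid) in cfg.globals_
           for rif, nid, net in cfg.dynamic):
        return "dynamic"
    return None


# Constructed sample config (not from the post): 192.168.10.0/24 is exempted toward the DMZ,
# 192.168.20.0/24 has an identity static, and the rest of 192.168.0.0/16 only has a global
# on the outside interface, so it cannot reach the DMZ while nat-control is in force.
SAMPLE_CONFIG = """\
nat-control
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list natexempt permit ip 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0
nat (inside) 0 access-list natexempt
static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
global (outside) 1 203.0.113.10
nat (inside) 1 192.168.0.0 255.255.0.0
"""

if __name__ == "__main__":
    cfg = parse_pix_nat(SAMPLE_CONFIG)
    for src_ip, dst_if, dst_ip in [("192.168.10.5", "dmz", "172.16.10.20"),
                                   ("192.168.20.5", "dmz", "172.16.10.20"),
                                   ("192.168.30.5", "dmz", "172.16.10.20"),
                                   ("192.168.30.5", "outside", "198.51.100.1")]:
        print(src_ip, "->", dst_if, dst_ip, ":", translation_for(cfg, "inside", dst_if, src_ip, dst_ip))
```

The third sample flow is the one that catches people out: `nat (inside) 1` matches the source, but with no `global (dmz) 1` there is no translation toward the DMZ, so the PIX drops the connection even though an access list might permit it. Changing the first line of the sample to `no nat-control` makes the same flow pass untranslated, which is the 7.x-and-later behaviour Jon mentions.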
