Cisco Support Community
New Member

NAT on Pix Firewall

Hi Guys,

I am so confused about NAT on the firewall. I know NAT is used when an inside host has to talk to an outside host, but:

Is NAT required when an inside host has to talk to any other host in another DMZ? I know you need an access list, but do you need NAT?

In my company's firewall I have seen no NAT is configured if a host on the inside interface has to talk to a host on the DMZ. Only access lists are configured.

I have also seen some static NAT entries from inside hosts to DMZ hosts. Confused why we need NAT here.

So a bit confused. I would really appreciate it if someone can clear this up for me.

Tks

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: NAT on Pix Firewall

Kuldeep

A lot depends on the version of PIX code.

If it is pre-7.x code then you need NAT or a NAT exemption, i.e.

on pre-7 code you have to do one of the following:

1) You can NAT the internal hosts to be the same addresses on the DMZ

static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

In effect this says present the 192.168.10.x addresses as the same, i.e. 192.168.10.x, as they go to DMZ machines.

2) You can do a NAT exemption. Let's say your DMZ hosts are in the 172.16.10.0/24 range

access-list natexempt permit ip 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0

nat (inside) 0 access-list natexempt

The above tells the PIX not to NAT the 192.168.10.x addresses as they access DMZ machines.

3) Obviously you can also NAT the inside hosts to a different range as well, but that's not really part of your confusion.

So without one of the above 3 options your inside hosts will not be able to talk to the DMZ hosts.

Version 7.x code and later

With version 7 code and later all of the above applies, but you also have the ability to disable NAT altogether with the "no nat-control" command.

Jon
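To make the three options above (and the 7.x "no nat-control" case) concrete, here is a small Python model of how the PIX decides what to do with an inside-to-DMZ packet. This is an added example written for this page, not Cisco code and not something from the thread; it only models the rule order the PIX/ASA documentation gives for translation lookup (nat 0 access-list exemption first, then static, and only then the "no translation group found" drop), and it deliberately leaves out dynamic nat/global pools and access-list evaluation. The hosts 192.168.10.5 and 172.16.10.8 and the alternate range 10.10.10.0/24 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

IPv4Network = ipaddress.IPv4Network
IPv4Address = ipaddress.IPv4Address


@dataclass
class StaticNat:
    """static (real_if,mapped_if) <mapped_net> <real_net> netmask <mask>"""
    real_if: str
    mapped_if: str
    mapped_net: IPv4Network
    real_net: IPv4Network


@dataclass
class NatExempt:
    """nat (real_if) 0 access-list <acl>, where acl is a list of (src_net, dst_net) permits."""
    real_if: str
    acl: list


@dataclass
class Pix:
    # Pre-7 code behaves as if nat-control were always on; 7.x can turn it off.
    nat_control: bool = True
    statics: list = field(default_factory=list)
    exemptions: list = field(default_factory=list)

    def translate(self, in_if, out_if, src, dst):
        """Return (decision, mapped_src) for a packet from in_if to out_if."""
        src, dst = IPv4Address(src), IPv4Address(dst)
        # 1. NAT exemption (nat 0 access-list) is checked before any other rule.
        for ex in self.exemptions:
            if ex.real_if == in_if and any(src in s and dst in d for s, d in ex.acl):
                return ("exempt", str(src))
        # 2. Static translations between this pair of interfaces.
        for st in self.statics:
            if st.real_if == in_if and st.mapped_if == out_if and src in st.real_net:
                offset = int(src) - int(st.real_net.network_address)
                return ("static", str(st.mapped_net.network_address + offset))
        # 3. No rule matched: with nat-control on, the PIX drops the packet.
        if self.nat_control:
            return ("drop", None)  # syslog: "No translation group found"
        return ("untranslated", str(src))


def inside_to_dmz_scenarios(src="192.168.10.5", dst="172.16.10.8"):
    """Run Jon's three pre-7 options, the no-NAT case, and 7.x 'no nat-control'."""
    inside = IPv4Network("192.168.10.0/24")
    dmz = IPv4Network("172.16.10.0/24")
    other = IPv4Network("10.10.10.0/24")  # constructed alternate range for option 3

    acl_only = Pix()  # access-list configured, no NAT at all (the asker's confusion)
    identity = Pix(statics=[StaticNat("inside", "dmz", inside, inside)])
    exempt = Pix(exemptions=[NatExempt("inside", [(inside, dmz)])])
    rerange = Pix(statics=[StaticNat("inside", "dmz", other, inside)])
    v7_no_control = Pix(nat_control=False)

    return {
        "acl_only": acl_only.translate("inside", "dmz", src, dst),
        "identity_static": identity.translate("inside", "dmz", src, dst),
        "nat_exempt": exempt.translate("inside", "dmz", src, dst),
        "static_other_range": rerange.translate("inside", "dmz", src, dst),
        "v7_no_nat_control": v7_no_control.translate("inside", "dmz", src, dst),
    }


if __name__ == "__main__":
    for name, result in inside_to_dmz_scenarios().items():
        print(f"{name:20s} -> {result}")
```

The access list is still evaluated separately in the real firewall; the point of the model is only that on pre-7 code the translation lookup happens regardless of the ACL, so an inside host with a permit entry but no matching static or exemption is dropped before it ever reaches the DMZ.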


122 Views, 0 Helpful, 1 Reply