Cisco Support Community

edw
New Member

NAT - Understanding

Hi,

I have been running a PIX 520 with 6.3. Now coding a PIX515E with 7.1. I decided to read a manual ;)

Now I was amazed at the different NAT and policies.

What is the best way to do things - on my old firewall I just had access lists bound to my interfaces. Should I continue this or should I use policy NAT style?

Also with VLAN - should I just let the flow of the main interface or is it more secure to create VLAN interfaces?

Thanks for any pointers

Ed

3 REPLIES
New Member

Re: NAT - Understanding

Hi,

NAT policies have to be designed according to what you want to do...

Remember that access-lists are not especially linked to NAT rules.

Purpose of VLAN is to spare interfaces. 515E has 6 FE. If you don't need 100Mb for your subnet and if you plan to connect many (>6) subnets on this PIX, I suggest using VLANs...

Regards,

Gaetan

edw
New Member

Re: NAT - Understanding

Thanks for the reply.

I'm using a VLAN for the DMZ, though it's on one FE. I'm using a VLAN for the public traffic and one for management - is this the correct way to proceed?

So there is no greater security by using policy NAT compared to just binding ACLs to the interface?

At present I have about 3 or 4 VLANs inside going through the PIX to the public router. I don't have VLANs in the PIX; it comes in, gets NAT'ed and then leaves without segregation in terms of VLAN. Security-wise this is fine...?

Thanks

Ed

New Member

Re: NAT - Understanding

NAT is just a way to translate addresses. It will never replace filtering with ACLs.
