PIX 515e no nat for a single host

dustinlantz · ‎09-09-2010

I'm using a PIX 515e using two interfaces (inside / outside) with a block of public ipaddresses. NAT is currently enabled but I need to add a single host with a public ip address and no nat. The host does not work well using NAT. Any suggestions?

Thanks!!

manish arora · ‎09-09-2010

umm , few options :-

1> subnet the address block further and add a static route for that subnet in the pix. for ex --

if you have /25 assigned by the isp which could be 2.2.2.0/25 so subnet it as

2.2.2.0/26 ( 2.2.2.0-64) and get a /30 in from the end part of the remaining like 2.2.2.124/30 and then point

or add a static route on the pix as ip route 2.2.2.124 255.255.255.252 10.0.0.2 ( where 10.0.0.2 is the next hop for that subnet where the host exist ).

2> place a L2 dumb switch inbetween pix and isp and have pix, isp and the host connect to that switch with a public ip address but this leaves your host without any firewall protection.

3> have you isp provide you with a small subnet routed to your pix external ip and then you can further route that subnet to internal next hops.

i hope that i am making any sense here

thanks

Manish

golly_wog · ‎09-09-2010

A single address and no nat? Are you saying this host will use the same address on the inside as the outside?

If so static identity nat is your friend.

eg

static (inside,outside) 22.1.2.3 22.1.2.3