
PIX NAT/Global Statements help

I am reviewing a PIX configuration and there are some interesting nat/global statements that I wanted to clarify.

NAT ID Set 1

global (inside) 1 insideip netmask 255.255.255.255

nat (dmz) 1 dmznet1 255.255.240.0 0 0

nat (dmz) 1 dmznet2 255.255.0.0 0 0

nat (dmz) 1 dmznet3 255.255.0.0 0 0

nat (dmz) 1 dmznet4 255.255.0.0 0 0

This I believe should work, but isn't it usually nat on the higher security level and global on the lower security level? Here it is reversed. But it will work as expected assuming ACLs are in place, correct?

The other set is NAT ID Set 4

global (DMZ) 4 DMZIP netmask 255.255.255.255

nat (DMZ) 4 inside_net1 255.255.255.0 0 0

nat (DMZ) 4 inside_net2 255.255.255.0 0 0

nat (DMZ) 4 inside_net3 255.255.254.0 0 0

nat (DMZ) 4 inside_net4 255.255.0.0 0 0

In this case the interface on both nat and global is DMZ. And the subnets listed on the NAT statements are located off the inside interface. Will this nat set do anything?

Finally I have a number of alias commands like alias (inside) xx.xx.xx.xx yy.yy.yy.yy followed by matching static commands: static (inside,dmz) yy.yy.yy.yy xx.xx.xx.xx (the yy.yy.yy.yy are the real addresses of hosts on the DMZ). Are the static statements required? What is their purpose?

1 REPLY

Re: PIX NAT/Global Statements help

Please see the following links to increase your understanding of these commands:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f31a.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

1) This is called Dynamic Outside NAT and this works, but remember when nat-control is enabled, a static statement is still required.

2) The only scenario you will be needing this is when you are using hair-pinning (same-security-traffic permit intra-interface) and nat-control is enabled.

3) The alias and static commands are mutually exclusive, and only one of them is needed. Statics are definitely preferred. Please check the third link posted above.

Regards

Farrukh
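A small checker, added here as an example and not part of the thread or of any Cisco tool, that applies the rules of thumb from the reply to the nat/global statements quoted in the question. The interface security levels (inside 100, dmz 50, outside 0) are assumed, since the thread does not state them, and the sample config is constructed from the question's statements.

```python
import re

# Interface security levels assumed for this example (usual PIX convention);
# the thread does not state the real ones.
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}

NAT_RE = re.compile(r"^nat\s*\((\w+)\)\s+(\d+)\s+(\S+)\s+(\S+)", re.I)
GLOBAL_RE = re.compile(r"^global\s*\((\w+)\)\s+(\d+)\s+(\S+)", re.I)

# Constructed sample: the two NAT ID sets from the question plus a nat with no global.
SAMPLE = """
global (inside) 1 insideip netmask 255.255.255.255
nat (dmz) 1 dmznet1 255.255.240.0 0 0
global (DMZ) 4 DMZIP netmask 255.255.255.255
nat (DMZ) 4 inside_net1 255.255.255.0 0 0
nat (inside) 7 inside_net3 255.255.254.0 0 0
"""

def parse(config):
    """Group nat and global interface names by NAT ID (names compared case-insensitively)."""
    nats, glbs = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            nats.setdefault(int(m.group(2)), []).append(m.group(1).lower())
        elif m := GLOBAL_RE.match(line):
            glbs.setdefault(int(m.group(2)), []).append(m.group(1).lower())
    return nats, glbs

def classify(nat_ifc, glb_ifc, levels=SECURITY):
    """Apply the reply's rules of thumb to one nat/global interface pair."""
    if nat_ifc == glb_ifc:
        return "same-interface: only used with same-security-traffic permit intra-interface (hairpinning)"
    if levels[glb_ifc] > levels[nat_ifc]:
        return "dynamic outside NAT: works, but with nat-control a static is still needed"
    return "ordinary dynamic NAT/PAT toward the lower-security interface"

def review(config, levels=SECURITY):
    """Return {nat_id: finding} for every NAT ID that has nat statements."""
    nats, glbs = parse(config)
    findings = {}
    for nat_id, nat_ifcs in sorted(nats.items()):
        if nat_id not in glbs:
            findings[nat_id] = "no matching global: these nat statements translate nothing"
            continue
        pairs = {classify(n, g, levels) for n in nat_ifcs for g in glbs[nat_id]}
        findings[nat_id] = "; ".join(sorted(pairs))
    return findings
```

Running `review(SAMPLE)` reports set 1 as dynamic outside NAT and set 4 as a same-interface translation that only matters for hairpinning.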
