Cisco Support Community
New Member

No NAT internal, NAT outside ?

I am not sure if this is possible, but here goes. I have a PIX 525 using 4 interfaces: inside, outside, eng, and dmz. I would like to allow systems on inside, eng, and dmz to be reachable by their internal addresses (no NAT), but have them all NATed when going to the outside.

Any help would be appreciated.

Thanks,

Tom Smith

3 REPLIES
New Member

Re: No NAT internal, NAT outside ?

Hi Tom,

You haven't mentioned from which source you want to reach inside, eng and DMZ. I hope it's not from outside...

To permit inside to access all networks, you just have to create a NAT 0 statement. For the other interfaces, it depends on their security level.

With more information, we will be able to help you.

Regards,

Benoit

New Member

Re: No NAT internal, NAT outside ?

Hi Benoit,

First off thank you for your response,

I have outlined in more detail below the configuration I am considering.

I have a PIX 525 running 5.3 with the following interfaces set up.

Security  Interface  IP Range
------------------------------------------
100       INSIDE     172.17.0.0/16
80        ENG        10.0.0.0/8
60        DMZ        192.168.1.0/24
0         OUTSIDE    209.100.100.0/24

I would like the INSIDE, ENG, and DMZ networks to be able to access each other via their actual private addresses without NAT. (For example, a system on the ENG interface could contact a system on the INSIDE using its 172.17.0.0/16 address, and it would be seen as coming from its 10.0.0.0/8 address.)

I would like to NAT (or PAT) the INSIDE, ENG, and DMZ networks only when they go out the OUTSIDE interface. The only access in from the OUTSIDE will be to select systems in the DMZ.

I have some experience with other firewalls, but this is my first PIX, so I am not sure if I am even approaching this correctly.

Thanks,

Tom Smith

New Member

Re: No NAT internal, NAT outside ?

If I understand your problem correctly, it is about going from a low security interface to a high security interface. You require a static for traffic to pass from low to high security interfaces, like from ENG to INSIDE. For example:

static (inside,ENG) 172.17.0.0 172.17.0.0 netmask 255.255.0.0 0 0 ***translates traffic from ENG network to the "as is" ip of a machine on the INSIDE network

DMZ to INSIDE

static (inside,DMZ) 172.17.0.0 172.17.0.0 netmask 255.255.0.0 0 0 ***translates traffic from DMZ network to the "as is" ip of a machine on the INSIDE network

DMZ to ENG

static (ENG,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 ***translates traffic from DMZ network to the "as is" ip of a machine on the ENG network

This looks a bit confusing: these statics on the PIX are based on destination, not source. The only source information required is which interface it is coming from.

Going from high security to low security can be done with the nat 0 (interface) access-list. I have never done this before, but hopefully the config looks like this:

From INSIDE to DMZ and ENG

You need an access-list. I'll call it no-nat-inside. This access-list says not to translate from 172.17.0.0/16 if going to 10.0.0.0/8 or 192.168.1.0/24:

access-list no-nat-inside permit ip 172.17.0.0 255.255.0.0 10.0.0.0 255.0.0.0

access-list no-nat-inside permit ip 172.17.0.0 255.255.0.0 192.168.1.0 255.255.255.0

nat (INSIDE) 0 access-list no-nat-inside

Now repeat for ENG to the DMZ:

access-list no-nat-eng permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0

nat (ENG) 0 access-list no-nat-eng

ACCESS to the outside world from each interface ....

nat (inside) 1 0.0.0.0 0.0.0.0

nat (ENG) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 0.0.0.0 0.0.0.0

global (outside) 1 209.100.100.1-209.100.100.64 netmask 255.255.255.0 *** a range of NAT ip's that you can define (63 in this example)

global (outside) 1 209.100.100.65 *** a single IP defaults to PAT, up to 65000 or so

You can use NAT, PAT, or both.
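As an added example (not from this thread or from Cisco), the following Python script generates the statements the reply above walks through for any set of internal interfaces ranked by security level: identity statics for low-to-high traffic, nat 0 access-lists for high-to-low, and nat/global for everything leaving toward the outside. The interface names, levels and networks are taken from Tom's table; the generator itself is a hypothetical helper and assumes the PIX 5.x/6.x "static", "nat 0 access-list" and "global" syntax shown in the reply.

```python
# Added example, not from the thread: derive the PIX statements from an
# interface table. Assumes PIX 5.x/6.x syntax as used in the reply above.
from ipaddress import IPv4Network

# name -> (security level, network); constructed from Tom's table
INTERFACES = {
    "inside": (100, IPv4Network("172.17.0.0/16")),
    "ENG": (80, IPv4Network("10.0.0.0/8")),
    "DMZ": (60, IPv4Network("192.168.1.0/24")),
}
OUTSIDE = "outside"  # the only interface whose traffic gets translated

def pix_no_nat_config(ifaces, global_pool):
    """Return PIX lines: identity statics for low->high, nat 0 ACLs
    for high->low, and nat/global for traffic leaving the outside."""
    by_level = sorted(ifaces, key=lambda n: ifaces[n][0], reverse=True)
    lines = []
    # Low -> high: the static names the *destination* (high side) network
    # and is keyed only by the interface the traffic arrives on.
    for i, high in enumerate(by_level):
        net = ifaces[high][1]
        for low in by_level[i + 1:]:
            lines.append(f"static ({high},{low}) {net.network_address} "
                         f"{net.network_address} netmask {net.netmask} 0 0")
    # High -> low: exempt the source net from translation toward each
    # lower-security internal net; the lowest internal interface gets none.
    for i, high in enumerate(by_level):
        src = ifaces[high][1]
        lowers = by_level[i + 1:]
        if not lowers:
            continue
        acl = f"no-nat-{high.lower()}"
        for low in lowers:
            dst = ifaces[low][1]
            lines.append(f"access-list {acl} permit ip {src.network_address} "
                         f"{src.netmask} {dst.network_address} {dst.netmask}")
        lines.append(f"nat ({high}) 0 access-list {acl}")
    # Anything not matched above (i.e. toward the outside) uses pool 1.
    for name in by_level:
        lines.append(f"nat ({name}) 1 0.0.0.0 0.0.0.0")
    lines.append(f"global ({OUTSIDE}) 1 {global_pool}")
    return lines

if __name__ == "__main__":
    print("\n".join(pix_no_nat_config(INTERFACES, "209.100.100.65")))
```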
