PIX 506E, no NAT configuration?

lucifuge
Level 1

I'm attempting to set up a PIX to firewall for devices on a valid IP subnet. This is a 506e, with only two interfaces.

I'm having trouble finding a config example, and wondering if that's because this isn't a supported configuration.

Any pointers?

Thanks,

Daryl

Accepted Solution

Hi there,

What you want to achieve is possible and quite easy to configure. There is no restriction in terms of having no public address at your inside interface. Although you do not want to do any translation, you still may need a static command.

The minimal config you need would not be nat 0, like some may think, and this works, but only if the PIX does not have to do proxy-ARP for IP addresses behind the PIX. If the PIX does need to proxy-ARP for these addresses, you should configure it this way:

static (inside,outside) 111.111.111.208 111.111.111.208 netmask 255.255.255.240

If you use this command and remove the nat (inside) 0 command, it will work fine also. The main difference is that with the static command in place the PIX does proxy-ARP for the IP addresses behind your PIX, and when using nat 0 commands it doesn't.

In case you do not need proxy-ARP, you could do it with nat 0, but then you need nat 0 on both interfaces at your PIX, so you would need:

nat (inside) 0 & nat (outside) 0

Determine if you need proxy-ARP at your edge router:

Is there a route (with the correct next hop) at your edge router pointing to 111.111.111.208/28, or does your router think this is a connected network?

If your router thinks it is a directly connected subnet for some reason (this reason could be that this router is not an ip-classless router), then the router does want to send packets to the MAC address and does an ARP request. In that case the PIX does need to proxy-ARP.

Doing proxy-ARP is no problem at all for the PIX, because if you use my first way of configuring as described earlier, then the PIX does proxy-ARP for all addresses within the static command.

Don't know if this solves your problem, but this could very well be the case.

Otherwise, you could post your config here (remember to remove passwords first) and we can take a look into it.

Another thing came to my mind just now. It could also be the case that your edge router has an ARP table which still contains mappings for the IP addresses which now reside behind your firewall. In that case you would have to do a clear ARP at your edge router.

Hope this helps.

Kind regards,

Leo

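The decision Leo describes (does the edge router ARP for the protected block, or route to the PIX?) and the two matching no-translation configs, as an added example that is not part of the thread. It uses the thread's placeholder 111.111.111.x topology; the `nat 0` address arguments and the edge-router route line are assumptions in PIX 6.x / IOS syntax, not text from the thread.

```python
import ipaddress

# Constructed from the thread's diagram: edge router link is a /29, the
# protected hosts sit on a /28 behind PIX E1 (all values are placeholders).
ROUTER_LINK = ipaddress.ip_network("111.111.111.192/29")
ROUTER_LINK_WIDE = ipaddress.ip_network("111.111.111.192/26")  # what-if: covers the /28
PIX_OUTSIDE = ipaddress.ip_address("111.111.111.194")
PROTECTED = ipaddress.ip_network("111.111.111.208/28")
ROUTE_VIA_PIX = (PROTECTED, PIX_OUTSIDE)  # an explicit route on the edge router


def edge_router_verdict(protected, connected_nets, static_routes, pix_outside):
    """Classify how the edge router reaches the protected subnet.

    connected_nets: networks on the router's own interfaces.
    static_routes: (destination network, next hop) pairs on the router.
    Returns "connected" (router ARPs per host, so the PIX must proxy-ARP),
    "routed" (next hop is the PIX, no proxy-ARP needed) or "unreachable".
    """
    if any(protected.subnet_of(net) for net in connected_nets):
        return "connected"
    for dest, next_hop in static_routes:
        if protected.subnet_of(dest) and next_hop == pix_outside:
            return "routed"
    return "unreachable"


def pix_no_nat_config(protected, verdict, pix_outside):
    """Emit the no-translation PIX lines that fit the verdict.

    Identity static when the router treats the block as connected (the PIX
    then proxy-ARPs for the whole block); nat 0 on both interfaces otherwise.
    """
    net, mask = str(protected.network_address), str(protected.netmask)
    if verdict == "unreachable":
        # Assumed IOS syntax: the router needs a route before either PIX form works.
        return [f"! edge router needs: ip route {net} {mask} {pix_outside}"]
    if verdict == "connected":
        return [f"static (inside,outside) {net} {net} netmask {mask}"]
    # Assumed nat 0 argument form: exempt the block inside, everything outside.
    return [f"nat (inside) 0 {net} {mask}",
            "nat (outside) 0 0.0.0.0 0.0.0.0"]


if __name__ == "__main__":
    for routes in ([], [ROUTE_VIA_PIX]):
        v = edge_router_verdict(PROTECTED, [ROUTER_LINK], routes, PIX_OUTSIDE)
        print(v, pix_no_nat_config(PROTECTED, v, PIX_OUTSIDE))
```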

9 Replies

mostiguy
Level 6

nat 0 = no nat. Read up on the nat command

I'm well aware that nat 0 = no nat.

Are you saying that you have a working configuration as I described, or are you just posting something obvious?

I probably wasn't as clear as I should have been in my first post. What I'm looking to do is have valid IP blocks on both interfaces.

Configuring no nat between the subnets, specifying allow ip any any from inside to outside, and pointing an "inside" machine at the inside address of the PIX as a default gateway doesn't pass any traffic. I know a PIX can't really route, so I'm confused as to how to make this work, or if it's even possible.

The PIX is a routing firewall. It doesn't offer the routing functionality of an IOS device, but it cannot act as a bridging firewall. Installing a PIX generally means segmentation of your network somewhere, as it routes.

OK, that's pretty much what I thought...I'm just being a bit too general in my statements.

What I have is:

Edge Router interface (111.111.111.193/29)----(111.111.111.194/29)PIX E0--PIX E1(111.111.111.209/28)

With the hosts to be protected on the E1 interface.


A combination of Layer 0 problems (stupid engineer - me) and not knowing if what I was trying was possible made me not continue beating my head against the wall. Based on your message I was able to get things working as expected.

Thank you very much for the help,

Daryl

Good to hear it is all okay then.

Kind regards,

Leo
