Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
510
Views
0
Helpful
4
Replies

Setup PIX without NAT

bevans
Level 1
Level 1

‎10-30-2003 03:58 PM - edited ‎02-20-2020 11:04 PM

I have a PIX 515E in place and it is running NAT. I would like to take off the NAT and not have any address translation. I have never setup a PIX this way. What do I do?

Bill E.

0 Helpful
4 Replies 4

gfullage
Cisco Employee
Cisco Employee

‎10-30-2003 07:31 PM

When the NAT command is used with the special number 0 this tells the PIX not to NAT any of the traffic. In it's most basic form you cna just do:

nat (inside) 0 0 0

The first 0 says don't NAT the traffic, the second two zeroes define the subnet/mask of the traffic to NAT. If you want to get more specific then you can do something like this (assuming you'r inside network is 200.0.0.0/8):

nat (inside) 0 200.0.0.0 255.0.0.0

Then only traffic from the 200.0.0.0 network will not be NAT'd. When using "nat 0" you don't need a corresponding global statement cause the whole point of it is that the addresses aren't changed to something else. You cna also do:

nat (inside) 0 access-list nonat

access-list nonat permit ip 200.0.0.0 255.0.0.0 any

This is primarily used for VPN traffic where you don't want to NAT it as it goes through, but is just as valid for any other traffic also.

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1032129 for further details.

0 Helpful

bevans
Level 1
Level 1
In response to gfullage

‎10-31-2003 07:55 AM

Thank you for your post. Although that information is helpful, its not exactly what I was looking for. I actually want to not use NAT. How would I do this?

Bill

0 Helpful

scoclayton
Level 7
Level 7
In response to bevans

‎10-31-2003 09:02 AM

Bill,

The PIX requires that you create translations across interfaces in order for traffic to pass. So, in essence, there is no option to not use NAT in some form. As Glenn pointed out though, you can configure the PIX to NAT the source address back to the same address as it passed from inside to outside. In practice, this gives you the same results as not NAT'ing the traffio on the PIX as the outside hosts will see the original source address on this packet.

Clearer?

Scott

0 Helpful

dmchugh
Level 1
Level 1
In response to scoclayton

‎11-20-2003 03:48 PM

But if you are using the PIX in an extranet environment, you must NAT the global addresses you wish nodes outside of the pix to use (for inbound), correct?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card