Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
246
Views
0
Helpful
4
Replies

traffic flow between interfaces w/o NAT

mhellman
Level 7
Level 7

‎02-21-2003 01:08 PM - edited ‎03-09-2019 02:12 AM

first post...don't hurt me;-)

Reading through the book "Cisco PIX firewalls" by R. Deal. I'm confused by some of the examples, one in particular. Let's say I have a PIX with 2 interfaces, inside and outside....call them networkA and networkB respectively. I want any host on the internal network to be able to initiate connections to the outside network without doing NAT. What are the commands to do this?

Ok, now let's say that in addition I want any host in the outside network to be able to initiate connections to the inside network without NAT. What are the commands to do this?

Labels:
0 Helpful
4 Replies 4

0rsnaric
Level 1
Level 1

‎02-21-2003 01:29 PM

For outbound connections -

nat (inside) 0

The 0 is for no NAT, and the network/mask would represent your inside interfaces network.

For inbound connections -

static (inside,outside) 10.10.10.1 10.10.10.1 netmask 255.255.255.255

access-list 100 permit tcp www host 10.10.10.1

access-group 100 in interface outside

These three commands would setup access to the server with address 10.10.10.1 and allow inbound web traffic.

You could change the static command to allow traffic to the entire network with -

static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

However, you would still need the appropriate acls applied to the outside interface, such as -

access-list 100 permit ip any any

access-group 100 in interface outside

~rls

0 Helpful

mhellman
Level 7
Level 7
In response to 0rsnaric

‎02-21-2003 02:37 PM

The static command is where I'm falling down. Just to verify...In your example, is the host 10.10.10.1 on the outside network (the access-list is a little different than I'm used to...is www a named host)? If so, this would gel with the example in the book. Conceptually, I was expecting that to be the destination address.

0 Helpful

0rsnaric
Level 1
Level 1
In response to mhellman

‎02-21-2003 02:51 PM

10.10.10.1 is on the inside interface and represents the address of your web server. This is the address clients on the outside address would point their browsers to.

0 Helpful

mhellman
Level 7
Level 7
In response to 0rsnaric

‎02-21-2003 02:54 PM

Excellent. Thank You. For the record, there are quite a few significant errors in this book, this is just one of them. I'm to the point where I'm beginning to question the quality of the information I'm reading.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents