traffic flow between interfaces w/o NAT

first post...don't hurt me;-)

Reading through the book "Cisco PIX firewalls" by R. Deal. I'm confused by some of the examples, one in particular. Let's say I have a PIX with 2 interfaces, inside and outside....call them networkA and networkB respectively. I want any host on the internal network to be able to initiate connections to the outside network without doing NAT. What are the commands to do this?

Ok, now let's say that in addition I want any host in the outside network to be able to initiate connections to the inside network without NAT. What are the commands to do this?

New Member

Re: traffic flow between interfaces w/o NAT

For outbound connections -

nat (inside) 0 10.10.10.0 255.255.255.0

The 0 is for no NAT, and the network/mask would represent your inside interface's network.

For inbound connections -

static (inside,outside) 10.10.10.1 10.10.10.1 netmask 255.255.255.255

access-list 100 permit tcp any host 10.10.10.1 eq www

access-group 100 in interface outside

These three commands would set up access to the server with address 10.10.10.1 and allow inbound web traffic.

You could change the static command to allow traffic to the entire network with -

static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

However, you would still need the appropriate acls applied to the outside interface, such as -

access-list 100 permit ip any any

access-group 100 in interface outside

~rls
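The commands from the reply above, assembled into one PIX 6.x configuration fragment so the outbound and inbound halves can be seen together. This is an added example, not configuration from the original post or from the book; the interface addresses, the 10.10.10.0/24 inside and 192.168.1.0/24 outside networks, the web server at 10.10.10.1 and the ACL names nonat and outside_in are assumed for illustration.

```text
! Added example (assumed addresses): pass traffic between inside and outside
! on a PIX 6.x without translating it in either direction.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.10.10.254 255.255.255.0

! --- Outbound (inside -> outside), no translation ---
! Option A, identity NAT: hosts in 10.10.10.0/24 keep their own address, but
! only inside hosts may initiate; inbound still needs the static below.
nat (inside) 0 10.10.10.0 255.255.255.0

! Option B, NAT exemption (use instead of A, not in addition to it): matching
! traffic is exempt from NAT and may be initiated from either side, so no
! static is required for outside hosts to reach 10.10.10.0/24. The inbound
! ACL is still required either way.
! access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
! nat (inside) 0 access-list nonat

! --- Inbound (outside -> inside), no translation ---
! Identity static: the inside address is presented unchanged on the outside.
! Single host:
static (inside,outside) 10.10.10.1 10.10.10.1 netmask 255.255.255.255
! Or the whole network (one or the other; the /24 already covers the /32):
! static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

! The static alone opens nothing: connections from a lower- to a higher-security
! interface are dropped until an ACL bound to the outside interface permits
! them. Permit only the service being published. "permit ip any any" on the
! outside interface would expose every inside host reachable through the static.
access-list outside_in permit tcp any host 10.10.10.1 eq www
access-list outside_in permit tcp any host 10.10.10.1 eq 443
access-group outside_in in interface outside

! After changing nat/static entries, clear the translation table so existing
! xlates are rebuilt under the new rules, then verify:
!   clear xlate
!   show xlate              (identity entries 10.10.10.1 <-> 10.10.10.1)
!   show access-list outside_in   (hit counts increase as outside clients connect)
```

The two access-list lines are the part to keep narrow: the static decides which inside addresses are reachable from the outside, but the ACL decides what anyone can do to them, so `permit ip any any` turns an identity static for the whole /24 into an unfiltered path to every inside host.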

Gold

Re: traffic flow between interfaces w/o NAT

The static command is where I'm falling down. Just to verify...In your example, is the host 10.10.10.1 on the outside network (the access-list is a little different than I'm used to...is www a named host)? If so, this would gel with the example in the book. Conceptually, I was expecting that to be the destination address.

New Member

Re: traffic flow between interfaces w/o NAT

10.10.10.1 is on the inside interface and represents the address of your web server. This is the address clients on the outside network would point their browsers to.

Gold

Re: traffic flow between interfaces w/o NAT

Excellent. Thank You. For the record, there are quite a few significant errors in this book, this is just one of them. I'm to the point where I'm beginning to question the quality of the information I'm reading.
