https://community.cisco.com/t5/network-security/nat-global-commands/m-p/704081#M1009582 <HTML><HEAD></HEAD><BODY><P>nat (inside) 1 0 0 </P><P>global (outside) 1 interface or </P><P>global (outside) 1 <IP address=""> netmask <MASK> or </MASK></IP></P><P>global (outside) 1 <IP range=""> netmask <MASK> </MASK></IP></P><P></P><P>What would the benefit be of assigning a whole range versus a single IP?</P></BODY></HTML> Wed, 21 Mar 2007 22:12:01 GMT srberg5219 2007-03-21T22:12:01Z https://community.cisco.com/t5/network-security/nat-global-commands/m-p/704079#M1009580 <P>I promise I won't post every little question I have...My gratitude ahead of time for helping me learn!</P><P></P><P>Still new to the PIX appliances and just need a little help understanding assigning NAT/Global to my interfaces:</P><P></P><P>PIX 506 (2 Interfaces)</P><P>1) DSL Router IP: 10.0.0.1</P><P>2) OUTSIDE: 10.0.0.2 security0</P><P>3) INSIDE: 192.168.0.1 security100</P><P>4) Internal LAN subnet: 192.168.0.0/24</P><P></P><P>If I understand this correctly, NAT and Global commands assign a pool of IP's to help mask the true IPs of the originator?</P><P>So with only 2 interfaces on my 506 I would run the following:</P><P>INSIDE interface: nat (inside) 1 0 0</P><P>OUTSIDE interface: global (outside) 1 0 0</P><P>???</P><P></P><P>Simply put, I have a small network and I want to allow all workstations access out and/or to other resources on servers on the internal network.</P><P>At the same time, we also host our own website and email servers, so I need to allow access IN from the Internet to these servers...</P><P></P><P>Am I understanding the NAT and Global commands correctly?</P><P></P> Mon, 11 Mar 2019 09:50:24 GMT https://community.cisco.com/t5/network-security/nat-global-commands/m-p/704079#M1009580 srberg5219 2019-03-11T09:50:24Z https://community.cisco.com/t5/network-security/nat-global-commands/m-p/704080#M1009581 <HTML><HEAD></HEAD><BODY><P>For inside traffic to go outisde it would be </P><P></P><P>nat (inside) 1 0 0 </P><P>global (outside) 1 interface or </P><P>global (outside) 1 <IP address=""> netmask <MASK> or </MASK></IP></P><P>global (outside) 1 <IP range=""> netmask <MASK></MASK></IP></P><P></P><P>It does mask the private address, but it also allows them to be routed on the internet. So Nat'ing them to 10.0.0.2 won't do you any good unless you are Nat'ing again elsewhere. Outside to inside traffic, for your web/mail servers etc., would require a static command.</P></BODY></HTML> Wed, 21 Mar 2007 22:08:20 GMT https://community.cisco.com/t5/network-security/nat-global-commands/m-p/704080#M1009581 acomiskey 2007-03-21T22:08:20Z https://community.cisco.com/t5/network-security/nat-global-commands/m-p/704081#M1009582 <HTML><HEAD></HEAD><BODY><P>nat (inside) 1 0 0 </P><P>global (outside) 1 interface or </P><P>global (outside) 1 <IP address=""> netmask <MASK> or </MASK></IP></P><P>global (outside) 1 <IP range=""> netmask <MASK> </MASK></IP></P><P></P><P>What would the benefit be of assigning a whole range versus a single IP?</P></BODY></HTML> Wed, 21 Mar 2007 22:12:01 GMT https://community.cisco.com/t5/network-security/nat-global-commands/m-p/704081#M1009582 srberg5219 2007-03-21T22:12:01Z