https://community.cisco.com/t5/network-security/nat-understanding/m-p/773995#M1021709 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Nat policies have to be designed according to what you want to do...</P><P></P><P>Remember that access-lists are not especially lminked to nat rules.</P><P></P><P>Purpose of VLAN is to spare interfaces. 515E has 6 FE. If you don't need 100Mb for your subnet and if you plan to connect many (&gt;6) subnets on thix PIX, I suggest using Vlans...</P><P></P><P>Regards,</P><P></P><P>Gaetan</P></BODY></HTML> Mon, 25 Jun 2007 09:37:31 GMT gaetan.allart 2007-06-25T09:37:31Z https://community.cisco.com/t5/network-security/nat-understanding/m-p/773994#M1021707 <P>Hi,</P><P></P><P>I have been running a PIX 520 with 6.3. Now coding a PIX515E with 7.1. I decided to read a manual <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P></P><P>Now I was amazing at the different NAT and policies.</P><P></P><P>What is the best way to do things - on my old firewall I just had access lists binded to my interfaces. SHould I continue this or should I use policy NAT style ??</P><P></P><P>Also with vlan - should I just let the flow of the main interface or is it more secure to create vlan interfaces ??</P><P></P><P>Thanks for any pointers</P><P></P><P>Ed</P> Tue, 26 Mar 2019 00:37:50 GMT https://community.cisco.com/t5/network-security/nat-understanding/m-p/773994#M1021707 edw 2019-03-26T00:37:50Z https://community.cisco.com/t5/network-security/nat-understanding/m-p/773995#M1021709 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Nat policies have to be designed according to what you want to do...</P><P></P><P>Remember that access-lists are not especially lminked to nat rules.</P><P></P><P>Purpose of VLAN is to spare interfaces. 515E has 6 FE. If you don't need 100Mb for your subnet and if you plan to connect many (&gt;6) subnets on thix PIX, I suggest using Vlans...</P><P></P><P>Regards,</P><P></P><P>Gaetan</P></BODY></HTML> Mon, 25 Jun 2007 09:37:31 GMT https://community.cisco.com/t5/network-security/nat-understanding/m-p/773995#M1021709 gaetan.allart 2007-06-25T09:37:31Z https://community.cisco.com/t5/network-security/nat-understanding/m-p/773996#M1021711 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply.</P><P></P><P>I'm using vlan for the DMZ thou its on one FE. I using a vlan for the public traffic and one for managment - is this correct way to proceed.</P><P></P><P>So there is no greater security by using policy nat comparared to just binding ACL's to the interface ??</P><P></P><P>At present I have about 3 or 4 vlans inside going through the PIX to public router. I dont have it vlans in the PIX it comes in gets NAT'ed and then leaves without a segragation in terms of vlan. Security wise this is fine...?</P><P></P><P>Thanks</P><P></P><P>Ed</P></BODY></HTML> Mon, 25 Jun 2007 10:09:56 GMT https://community.cisco.com/t5/network-security/nat-understanding/m-p/773996#M1021711 edw 2007-06-25T10:09:56Z https://community.cisco.com/t5/network-security/nat-understanding/m-p/773997#M1021713 <HTML><HEAD></HEAD><BODY><P>NAT is just a way to translate addresses. It will never replace filtering with ACLs.</P></BODY></HTML> Mon, 25 Jun 2007 11:07:43 GMT https://community.cisco.com/t5/network-security/nat-understanding/m-p/773997#M1021713 gaetan.allart 2007-06-25T11:07:43Z