<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Simple PIX Question in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/simple-pix-question/m-p/353828#M552006</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Alan,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Yes it is.  What I would do *if possible* is to group the machines that keep their outside global addresses together so that I could create an access list to cover them.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;i.e.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;access-list nonat permit ip 10.10.10.0 255.255.255.224&lt;/P&gt;&lt;P&gt;nat (outside) 0 access-list nonat&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This allows the first 32 (-2) IP addresses through the firewall with no address translation.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You may also want to restrict the traffic types as well.  My suggestion is to keep traffic flow and traffic filtering lists separate.  So if I have a webserver in the above mentioned subnet, I would write the following:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;access-list inbound permit tcp 10.10.10.3 255.255.255.255 eq www&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helps,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Doug.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 31 Jan 2005 14:33:39 GMT</pubDate>
    <dc:creator>dougz</dc:creator>
    <dc:date>2005-01-31T14:33:39Z</dc:date>
    <item>
      <title>Simple PIX Question</title>
      <link>https://community.cisco.com/t5/network-security/simple-pix-question/m-p/353827#M552005</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It's been a while since I've done any work with a PIX and as such I'm a little rusty with them. I'm wondering if someone that's a little more familiar with them may be able to answer my question.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We have a /24 block of public IP addresses that are currently being used for various Linux Servers + AS5300's. I'd rather keep it as one solid block without subnetting it.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We have a number of Windows 2000 servers that run various PSTN switching + SQL applications that will be installed on the same network. I don't wish to put these on the public internet no matter what safeguards are taken on the local machines. Thankfully we have a PIX 515 going spare.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;From our net block, is it possible to map individual/block of IP addresses from the outside interface to the inside interface of the PIX as opposed to routing a block of addresses to the inside interface or performing a static mapping from public to private? The result I'm after is for the servers behind the PIX to have a public IP address which is passed through the PIX. So in effect the PIX would be acting as a firewalling bridge. Is this kind of setup possible?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Alan&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 07:54:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/simple-pix-question/m-p/353827#M552005</guid>
      <dc:creator>alitster</dc:creator>
      <dc:date>2020-02-21T07:54:16Z</dc:date>
    </item>
    <item>
      <title>Re: Simple PIX Question</title>
      <link>https://community.cisco.com/t5/network-security/simple-pix-question/m-p/353828#M552006</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Alan,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Yes it is.  What I would do *if possible* is to group the machines that keep their outside global addresses together so that I could create an access list to cover them.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;i.e.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;access-list nonat permit ip 10.10.10.0 255.255.255.224&lt;/P&gt;&lt;P&gt;nat (outside) 0 access-list nonat&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This allows the first 32 (-2) IP addresses through the firewall with no address translation.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You may also want to restrict the traffic types as well.  My suggestion is to keep traffic flow and traffic filtering lists separate.  So if I have a webserver in the above mentioned subnet, I would write the following:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;access-list inbound permit tcp 10.10.10.3 255.255.255.255 eq www&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helps,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Doug.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 31 Jan 2005 14:33:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/simple-pix-question/m-p/353828#M552006</guid>
      <dc:creator>dougz</dc:creator>
      <dc:date>2005-01-31T14:33:39Z</dc:date>
    </item>
  </channel>
</rss>

