topic Re: PIX Static, NAT & NONAT in Network Security

PIX Static, NAT & NONAT

licenties — Fri, 21 Feb 2020 06:52:34 GMT

I have a problem.

I have 8 ip addresses on the outside of my PIX.

I want to use the first ip address for the global statement and the 2nd for a static translation.

I want all computers to use the global address but my server should use only the 2nd ip address.

hope you can help me

Re: PIX Static, NAT & NONAT

jmia — Fri, 25 Jul 2003 10:50:25 GMT

Here's a document that might be useful to your needs:

>http://www.cisco.com/warp/public/707/28.html

Hope this helps --

Re: PIX Static, NAT & NONAT

licenties — Fri, 25 Jul 2003 11:24:55 GMT

Thanks but this paper tells me how to use statics but the static translation is not the problem. The problem is that the server connects a l2tp tunnel.

So the server has to listen and speak with the same ip address.

Bas

Re: PIX Static, NAT & NONAT

l.mourits — Fri, 25 Jul 2003 12:40:22 GMT

Here's what you should do:

nat (inside) 0 access-list nonat

nat (inside) 1

global (outside) 1 255.255.255.255

static (inside, outside) netmask 255.255.255.255

access-list nonat deny ip host any

access-list nonat permit ip any any

And ofcourse your normal access-list bound to the outside interface for the permitted protocols to your server, but I guess you have that allready.

The trick here is, as you can see, to put the normally used nat and global command on it, and also the normally used static command, but, in addition to that, you have to prevent the returning traffic from your server from being natted by the nat and global commands. That is where the nat 0 with access-list nonat kicks in, this will prevent returning traffic from being dynamicly translated (nat 0 is no translations), but since there is also a static translation in place translation does occure since there is an entrie in the xlate table for every static used.

This will do the trick. I hope this makes sence to you. Otherwise do not hesitate to ask :-)))

Kind Regards,

Leo

Re: PIX Static, NAT & NONAT

licenties — Sat, 26 Jul 2003 08:34:23 GMT

Thank's for the reply.

I've got one question, I allready have a nonat statement in the cconfig. It's for the vpn users.

## nat (inside) 0 access-list vpnusers

## access-list vpnusers permit ip .........

I called the access-list vpnusers. then I use ## access-list vpnusers deny ip host any ??

With Regards,

Bas

Re: PIX Static, NAT & NONAT

jmia — Sat, 26 Jul 2003 10:29:36 GMT

Hi Bas -

Change ACL 'vpnusers' to permit, i.e.

> access-list vpnusers permit ip host any

Basically, with the 'no nat' cmd you are saying NOT to NAT the access-list vpnusers and using the ACL vpnusers you are permiting the traffic for the vpn tunnel, which will not be nat'd.

Hope this helps --