444 Views · 0 Helpful · 5 Replies

disabling nat after the pix

thaier1978
Level 1

Dear sir,

I want to prevent users from connecting routers after my PIX 525 firewall, through disabling NAT for them or another way?

I appreciate your help in advance.

thank you,

thaier

5 Replies

pradeepde
Level 5

If you have a public address on the inside network, and you want the inside hosts to go out to the outside without translation, you can disable NAT. You would also need to change the static command.

nat (inside) 0 175.1.1.0 255.255.255.0

If you are using ACLs in PIX software versions 5.0.1 and later, use the following commands.

access-list 103 permit ip 175.1.1.0 255.255.255.0 any

nat (inside) 0 access-list 103

This command disables NAT for the 175.1.1.0 network. The static command for the web server would be changed as shown below.

static (inside, outside) 175.1.1.254 175.1.1.254

The following command defines the conduit for the web server.

conduit permit tcp host 175.1.1.254 eq www any

If you are using ACLs in PIX software versions 5.0.1 and later, use the following commands.

access-list 102 permit tcp any host 175.1.1.254 eq www

access-group 102 in interface outside

Note the difference between using nat 0 with a network/mask, which permits initiation of connections from inside only, and using nat 0 with an ACL: the use of ACLs permits initiation of connections by inbound or outbound traffic. The PIX interfaces should be in different subnets to avoid reachability issues.
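As an added example, not code from this thread: a small Python audit script of my own that scans a PIX configuration for nat 0 exemptions, separates the network/mask form from the access-list form described in the last paragraph, and reports which ACL is applied inbound on the outside interface to govern reachability of the exempted hosts. The sample configuration is constructed from the commands in the reply above plus a made-up 10.9.9.0/24 entry, and the regexes cover only the command forms shown here.

```python
import re

# Constructed sample PIX configuration: the commands from the reply above plus a
# hypothetical second "nat 0" line in network/mask form for comparison.
SAMPLE_CONFIG = """\
access-list 103 permit ip 175.1.1.0 255.255.255.0 any
access-list 102 permit tcp any host 175.1.1.254 eq www
nat (inside) 0 access-list 103
nat (inside) 0 10.9.9.0 255.255.255.0
static (inside,outside) 175.1.1.254 175.1.1.254
access-group 102 in interface outside
"""

RE_NAT0_ACL = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)$")
RE_NAT0_NET = re.compile(r"^nat \((\w+)\) 0 (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})$")
RE_ACL = re.compile(r"^access-list (\S+) (?:permit|deny) ")
RE_GROUP = re.compile(r"^access-group (\S+) in interface (\w+)$")


def audit_nat0(config):
    """One finding per nat 0 line: its form, whether that form lets either side
    initiate connections, and which ACL is applied inbound on 'outside'."""
    acl_names, inbound_acl = set(), {}
    for line in config.splitlines():
        if m := RE_ACL.match(line):
            acl_names.add(m.group(1))
        elif m := RE_GROUP.match(line):
            inbound_acl[m.group(2)] = m.group(1)   # interface -> ACL bound with "in"

    findings = []
    for line in config.splitlines():
        if m := RE_NAT0_ACL.match(line):
            iface, acl = m.groups()
            findings.append({"interface": iface, "form": "access-list", "selector": acl,
                             "bidirectional": True,   # ACL form: inbound or outbound may initiate
                             "acl_defined": acl in acl_names,
                             "outside_inbound_acl": inbound_acl.get("outside")})
        elif m := RE_NAT0_NET.match(line):
            iface, net, mask = m.groups()
            findings.append({"interface": iface, "form": "network", "selector": f"{net} {mask}",
                             "bidirectional": False,  # network/mask form: inside-initiated only
                             "acl_defined": None,
                             "outside_inbound_acl": inbound_acl.get("outside")})
    return findings


def reachable_from_outside(config):
    """Selectors exposed through bidirectional identity NAT, i.e. the hosts the
    inbound ACL on the outside interface must be relied on to protect."""
    return [f["selector"] for f in audit_nat0(config) if f["bidirectional"]]
```

Run it against a saved `show running-config` to see which identity-NAT entries are reachable from outside and confirm an inbound ACL such as 102 is actually bound on that interface.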