11-08-2005 11:04 PM - edited 02-21-2020 12:30 AM
I want to prevent users from connecting routers after my 525 pix firewall,through disabling nat for them or other way?
I appreciate your help in advanced.
11-14-2005 02:08 PM
If you have a public address on the inside network, and you want the inside hosts to go out to the outside without translation, you can disable NAT. You would also need to change the static command.
nat (inside) 0 22.214.171.124 255.255.255.0
If you are using ACLs in PIX software versions 5.0.1 and later, use the following commands.
access-list 103 permit ip 126.96.36.199 255.255.255.0 any
nat (inside) 0 access-list 103
This command disables NAT for the 188.8.131.52 network. The static command for the web server would be changed as shown below.
static (inside, outside) 184.108.40.206 220.127.116.11
The following command defines the conduit for the web server.
conduit permit tcp host 18.104.22.168 eq www any
If you are using ACLs in PIX software versions 5.0.1 and later, use the following commannds.
access-list 102 permit tcp any host 22.214.171.124 eq www
access-group 102 in interface outside
Note that the difference between using nat 0 with specifying network/mask as opposed to using an ACL that uses a network/mask that permits initiation of connections from inside only. The use of ACLs permits initiation of connections by inbound or outbound traffic. The PIX interfaces should be in different subnets to avoid reachability issues.
11-14-2005 09:55 PM
I know how disable the NAT on my pix, I just want to disable the NAT after the pix and keep my pix doning NATing.
My problem is that some of my inside users are using routers to establish asmall network inside my network, I want to prevent that with out affecting the other users that are using DHCP to gane their IPs and NATed through the PIX to the outside????
I appreciate your kind reply...
11-14-2005 11:54 PM
There are two ways of looking at this.
Where your LAN is 10.1.1.0/24
Where your WAN is 126.96.36.199/24
Where the Routers WAN is 10.1.1.0/24
Where the Routers LAN is 10.1.2.0/24
If you are working with simple nat configurations on the firewall such as:
nat (inside) 99 10.1.1.0 255.255.255.0
global (outside) 99 interface
In this example, users would not be able to configure a router behind your firewall as only the inside LAN addresses are NATed by the firewall. The 10.1.2.0/24 subnet is not valid for NAT translations.
If the router has NAT configured and translates address from 10.1.2.0/24 to 10.1.1.x and then forwards them to the firewall for a second translation (double NAT), then the connection will succeed. You can't really do much about this without somehow identifying valid source addresses or sessions.
Consider configuring all of the switch ports to only allow a single mac address? - Presumably the router would be the first and all other connections would fail.
11-15-2005 03:40 AM
how can I configure the switch ports to only allow a single mac address, Bythe way I have Cisco C2950 switches???
11-15-2005 08:46 AM
This article discusses port security on the 2950 switch.
Although, on second thought - All of the source MAC addresses will be the router anyway. MAC src/dst addresses are always the forwarding and receiving hosts which in your case is the unwanted router and your firewall.
You could preconfigure every port with the proper mac address, but that would quickly become far to complex and administratively intense.
Sorry - I can't think of an easy way to do this.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: