
NAT/Global commands

srberg5219
Level 1

I promise I won't post every little question I have... My gratitude ahead of time for helping me learn!

Still new to the PIX appliances and just need a little help understanding assigning NAT/Global to my interfaces:

PIX 506 (2 Interfaces)

1) DSL Router IP: 10.0.0.1

2) OUTSIDE: 10.0.0.2 security0

3) INSIDE: 192.168.0.1 security100

4) Internal LAN subnet: 192.168.0.0/24

If I understand this correctly, NAT and Global commands assign a pool of IPs to help mask the true IPs of the originator?

So with only 2 interfaces on my 506 I would run the following:

INSIDE interface: nat (inside) 1 0 0

OUTSIDE interface: global (outside) 1 0 0

???

Simply put, I have a small network and I want to allow all workstations access out and/or to other resources on servers on the internal network.

At the same time, we also host our own website and email servers, so I need to allow access IN from the Internet to these servers...

Am I understanding the NAT and Global commands correctly?


acomiskey
Level 10

For inside traffic to go outside it would be

nat (inside) 1 0 0

global (outside) 1 interface or

global (outside) 1 netmask or

global (outside) 1 netmask

It does mask the private address, but it also allows them to be routed on the internet. So Nat'ing them to 10.0.0.2 won't do you any good unless you are Nat'ing again elsewhere. Outside to inside traffic, for your web/mail servers etc., would require a static command.
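A PIX 6.x configuration along the lines of the reply above, as an added example that is not part of the original thread. The server addresses 192.168.0.10 (web) and 192.168.0.11 (mail) and the ACL name outside_in are assumed placeholders; the interface addresses are the ones given in the question.

```cisco
: Added example, not from the thread. Lines starting with ":" are comments.

: Outbound: translate every inside host (0 0 = any address, any mask)
: to the outside interface address 10.0.0.2 using PAT.
nat (inside) 1 0 0
global (outside) 1 interface

: Inbound: a static maps one port on the outside address to one inside server.
: 192.168.0.10 and 192.168.0.11 are assumed server addresses.
static (inside,outside) tcp interface www 192.168.0.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.0.11 smtp netmask 255.255.255.255 0 0

: A static alone passes nothing from security0 to security100.
: Permit only the two published services, only to the translated address.
access-list outside_in permit tcp any host 10.0.0.2 eq www
access-list outside_in permit tcp any host 10.0.0.2 eq smtp
access-group outside_in in interface outside

: Default route toward the DSL router from the question.
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
```

Because 10.0.0.2 is itself a private address, the DSL router at 10.0.0.1 still has to perform the second translation and forward TCP 80 and 25 to 10.0.0.2. `show xlate` and the hit counts in `show access-list` confirm which translations and permits are actually in use.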

nat (inside) 1 0 0

global (outside) 1 interface or

global (outside) 1 netmask or

global (outside) 1 netmask

What would the benefit be of assigning a whole range versus a single IP?
