Re: No NAT in PIX 515 E

ehuarte · ‎01-08-2009

Hi,

I need to configure a PIX without NAT and I don't know how to do it. Can anyone help me please?

I have;

outside interface with 192.168.7.0/24

inside interface with 10.79.10.0/24

interface2 with 192.168.24.0/21

I need that 10.79.10.0/24 goes to the outside without doing NAT over it (because we have another FW in another place outside)

How can I do it?

Thanks, Regards

Eneko

sachinraja · ‎01-08-2009

hello eneko

YOu gotta use nat 0 statements to do a no-nat on the PIX.. the following commands should be in place:

nat (inside) 0 10.79.10.0 255.255.255.0 0 0

If there are more than one networks, you can assign an access-list and then allow the networks which have to be no-natted.

nat (inside) 0 access-list 101

access-list 101 permit ip 10.79.10.0 0.0.0.255 any

Let us know if this works fine.. all the best..

Raj

cisco24x7 · ‎01-08-2009

That is not entirely correct.

Depending on the configuration. Assuming

that you have no PAT/NAT configuration on the

Pix and that you use versin 7.x or 8.x,

"no nat-control" is on by default on the Pix

and the Pix will become a router. network

10.79.10.0/24 will be able to get to the

outside and return traffic can get back without

any issues, with the exception of icmp stuffs.

sachinraja · ‎01-08-2009

Agree with David.. If it is 6.3 and less, you can use my solution, if it is 7.x or 8.x, you can use no nat-control.. but im not really convinced with nat-controls.. by statically defining no-nats, the administrator always has the control of what traffic goes through the firewall, without nat, which is critical to his network.. If by default, all traffic is allowed, isnt it a security risk ? and if there is no access-list on the inside network, then it will be a major mess !

Regards

Raj

CSCO10320953 · ‎01-17-2009

Hi Eneko,

Would u confirm whether issue is solved or not.