no translation between intranet networks needed on PIX 520

chrrbc
Level 1

We want to run a PIX 520 FW (V6.1.1) within our intranet (not to the Internet).

Like this, both interfaces, inside and outside, are RFC1918 addresses which we can maintain ourselves and therefore there is no need of any address translation.

We want to be able to restrict access to and from the "outside" interface by protocols (access-lists), but we do not want any address translation (NAT, PAT) to take place, neither inbound nor outbound.

Can you show me what a sample configuration should look like which prevents any translation (no NAT, PAT; keep the original addresses)?

I tried with nat (inside) 0 0.0.0.0 0.0.0.0 0 0 for outbound traffic, which works

and

static entries like

static (inside,secure) RZ_FwdProxy RZ_FwdProxy netmask 255.255.255.255 0 0

static (inside,secure) int_dns_pri int_dns_pri netmask 255.255.255.255 0 0

static (inside,secure) int_dns_sec int_dns_sec netmask 255.255.255.255 0 0

static (inside,secure) NMS NMS netmask 255.255.255.255 0 0

static (inside,secure) timeSrvU310 timeSrvU310 netmask 255.255.255.255 0 0

static (inside,secure) timeSrvU320 timeSrvU320 netmask 255.255.255.255 0 0

for inbound traffic, which works as well, but would be a very administrative way to do it for many inbound addresses.

Is there an easier way?

How do we define the PIX in order not to have any translations inside to outside and back?

The purpose behind all this to have a more secured "internal" Lan/Subnet than the rest of our intranet.

4 Replies

klye
Level 1

I am doing almost the same thing, I use the PDM to add a NAT group but under the address pools option, use same address. This added the following line to the PIX configuration

nat(inside) 0 192.168.1.0 255.255.255.0 0 0

but I am trying to find out what all the "0"s in the line mean. Anyway, that fixed my problem, allowing me to use access rules to restrict from the inside to any lower-security interface.

The first 0 is the natID.

Both zeroes at the end stand for the translated IP address and mask. Since you use the same, they are 0 (I suppose).

My problem is not having no translation outbound (this works by such a NAT statement, see initial message), but how do I tell a PIX 520 NOT to do any inbound translation? Defining individual static statements is too boring; I think there should be one statement or, even better, none at all.

Who knows how?

Chris,

Assuming that you use 192.168.1.0/24 as your internal address block, the following command allows you to set up a static without translation:

static (inside, outside) 192.168.1.0 192.168.1.0 255.255.255.0

You do need to set up an access-list for the traffic allowed in.
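To show how the pieces discussed in this thread fit together, here is an added sample configuration written by the editor; it is not any poster's configuration. It assumes a PIX running 6.x with interfaces named inside and outside, the inside block 192.168.1.0/24, an outside block 10.62.20.0/24, and an internal DNS server at 192.168.1.5 (all constructed values). Outbound traffic is passed untranslated with nat 0, inbound traffic with one identity static for the whole subnet, and the access-list bound to the outside interface is what actually restricts what may come in.

```cisco
! Interfaces (assumed names and addresses, PIX 6.x syntax)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.62.20.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

! Outbound: identity NAT (nat ID 0), inside hosts keep their own
! addresses when talking to the outside interface
nat (inside) 0 192.168.1.0 255.255.255.0 0 0

! Inbound: one identity static for the whole subnet instead of one
! per host. It maps each inside address to itself; the outside host's
! source address is left untouched, so 10.62.20.3 is still seen as
! 10.62.20.3 on the inside.
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

! A static alone does not admit traffic from the lower-security
! interface; the access-list bound to outside decides what gets in.
! Here only DNS queries from the outside block to the internal
! DNS server (constructed example) are permitted.
access-list outside_in permit udp 10.62.20.0 255.255.255.0 host 192.168.1.5 eq 53
access-list outside_in permit tcp 10.62.20.0 255.255.255.0 host 192.168.1.5 eq 53
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

After applying this, show nat, show static and show access-list let you confirm that only the single identity entries exist and that the access-list, not the statics, is doing the filtering. The explicit deny at the end of the list is redundant with the implicit deny but makes the intent visible when reviewing the configuration.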

Thanks for your answers.

Just to understand you right:

Does this mean that each outside address accessing any address within this range on the inside will not be translated at all and appear on the inside as it was on the outside?

e.g. 10.62.20.3 on the outside accessing 192.168.1.5 on the inside would still appear as 10.62.20.3 on the inside?

Side remark:

I suppose the exact statement syntax (in V6.1) should be:

static (inside, outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

shouldn't it?

Isn't there a static statement which says any address from the outside to any address on the inside shall not be translated?

Probably something like:

static (inside, outside) 0.0.0.0 0.0.0.0 netmask 0.0.0.0 0 0

Does this work?

Any answers are appreciated very much. Thank you in advance.
