Re: Pix 501 disabling NAT

anthonyfloyd · ‎07-16-2006

I have a 2611 Router at home that i use to access my isp the 2 ethernet ports are configured with private ip addresses Ethernet 0 192.168.0.1, Ethernet 0/1 10.0.0.1 Both ports have a static/default route pointing to dialer interface also both interfaces have dynamic nat overloading applied,i have a Pix 501 that i would like to use but i am unsure how to configure it with this setup,would i have to disable nat on the pix. any advice would be greatfully appreciated.

Fernando_Meza · ‎07-16-2006

Hi .. if you are trying to use the PIX instead of the router then the only issue is that the PIX 501 will only give you 1 internal subnet as it does not support more than 2 segments ( outside / inside )

You could connected then as below ..

Internet->Firewall->Router ( Lan 1 and Lan 2)

The default gateway for the router will be the internal interface of the PIX. The Default gateway of the PIX will be your ISP. And the PIX can be configured as PPPoE client. as per the below link

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801055dd.shtml

Also On the PIX you would need to add a static routes for your internal lans.

The below config will give internet access from any host connected to the Internal side.

global (outside) 1 interface

nat (inside) 1 access-list Internet_Access

access-list Internet_Access permit ip x.x.x.x 255.255.255.0 any ( where x.x.x.x is you internal lan )

I hope it helps .. please rate it if it does !!!

anthonyfloyd · ‎07-17-2006

Hi fernando thanks for taking the time to reply to my post i will try your suggestions and post back as soon as i can.

grant.maynard · ‎07-17-2006

try this:

access-list noNAT permit ip [PIX_INSIDE_subnet] [mask] any

nat (inside) 0 access-list noNAT

or

static (inside,outside) [PIX_INSIDE_subnet] [PIX_INSIDE_subnet] netmask [mask] 0 100

anthonyfloyd · ‎07-17-2006

Hi Grant thanks for the config i will try this at the weekend and post back with results many thanks.