05-20-2005 07:02 PM - edited 02-21-2020 12:09 AM
Hi,
Please find the attached files.
New to PIX firewall.
128.1.1.248 is not given by the ISP.
Do let me know whether the following can be deleted:
1) access-list inside_outbound_nat0_acl permit ip any 128.1.1.248 255.255.255.248
2) nat (inside) 0 access-list inside_outbound_nat0_acl
Is this correct:
"global (outside) 10 interface" to be changed to "global (outside) 10 public interface IP"
and
"nat (inside) 10 0.0.0.0 0.0.0.0 0 0" to be changed to "nat (inside) 10 128.1.1.0 255.255.255.0 0 0"
Regards,
Prashanth
05-22-2005 06:09 PM
Looks like you have PPTP connections coming into this PIX from the outside (all the vpdn commands down the bottom), and the two lines you're wanting to delete are for that. I wouldn't recommend deleting them unless you're sure the PPTP connectivity is no longer allowed. They specifically tell the PIX not to NAT traffic destined for the PPTP tunnel, which is the correct thing to do.
Your other nat/global pair is fine. The keyword "interface" in the global command tells the PIX to PAT everything to whatever IP address is configured on the outside interface, so leave it as is. The nat statement having all zeroes simply means any packet coming in from the inside will be PAT'd as it goes out, regardless of its IP address. If you like you can make this more specific to only cover your actual internal subnet with the command you specify above.
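To make the ordering in the answer above concrete (the nat 0 ACL exempts PPTP-bound traffic before any nat/global pair is consulted, and "interface" means PAT to the outside interface address), here is a small Python model of that decision. It is an added example, not code from the thread or from Cisco; the inside subnet 192.168.10.0/24 and the outside address 203.0.113.5 are constructed values, and matching the first nat statement in configuration order is a simplification of real PIX behaviour.

```python
import ipaddress

# Constructed PIX 6.x-style NAT fragment modelled on the thread's lines.
# 192.168.10.0/24 is an assumed inside subnet (not from the thread).
PIX_CONFIG = """
access-list inside_outbound_nat0_acl permit ip any 128.1.1.248 255.255.255.248
nat (inside) 0 access-list inside_outbound_nat0_acl
global (outside) 10 interface
nat (inside) 10 192.168.10.0 255.255.255.0 0 0
"""

def _take_net(tokens):
    """Consume 'any' or '<addr> <mask>' from the front of a token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]

def parse_pix_nat(text):
    """Collect ACLs, the nat 0 exemption ACL, nat statements and global pools."""
    cfg = {"acls": {}, "nat0_acl": None, "nat": [], "global": {}}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _take_net(t[4:])
            dst, _ = _take_net(rest)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0_acl"] = t[4]          # identity NAT: never translated
        elif t[0] == "nat":
            net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            cfg["nat"].append((int(t[2]), net))
        elif t[0] == "global":
            cfg["global"][int(t[2])] = t[3]  # "interface" or a literal IP
    return cfg

def nat_decision(cfg, src, dst, outside_if_ip):
    """nat 0 ACL is checked first; then the first nat id whose subnet holds src."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s, d in cfg["acls"].get(cfg["nat0_acl"], []):
        if src in s and dst in d:
            return ("no-nat", str(src))          # e.g. traffic into the PPTP range
    for nat_id, net in cfg["nat"]:
        if src in net:
            pool = cfg["global"].get(nat_id)
            if pool is None:
                return ("no-rule", f"nat id {nat_id} has no global pool")
            return ("pat", outside_if_ip if pool == "interface" else pool)
    return ("no-rule", "no nat statement covers the source")

if __name__ == "__main__":
    cfg = parse_pix_nat(PIX_CONFIG)
    print(nat_decision(cfg, "192.168.10.5", "128.1.1.250", "203.0.113.5"))
    print(nat_decision(cfg, "192.168.10.5", "198.51.100.7", "203.0.113.5"))
```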
05-22-2005 11:23 PM
Thanks, gfullage, for your explanation.
Cheers,
Prashanth