NAT 0 configuration

dstewart65
Level 1

I am new to the PIX. I am trying to configure a new i/f for what I call a special purpose internet connection, only very specific sites will be accessible via this connection.

I want to set up the interface so there is NO NAT; NATting will be done on the router. I currently have three i/f: INSIDE, OUTSIDE, DMZ. I know I will need to set the security to be lower than the existing i/f, except the OUTSIDE.

It's bad: I know what I want to do, I just have not figured out the command syntax to make it happen....

Help please.

Thanks,

Dennis

3 Replies

sachinraja
Level 9

Hi Dennis,

Consider your internal network to be 192.168.1.0/24. The following will be configured on the PIX to pass the traffic with the same private IP:

nat (inside) 0 access-list nonat

access-list nonat permit ip 192.168.1.0 255.255.255.0

You can keep adding networks on access-list nonat to allow the subnets to be no-natted.

Hope this helps. All the best.

Raj

Thanks Raj,

Would this be the proper syntax?

#10.0.0.0/8 is my internal network

#100.110.0.0/16 is the location on the internet

******* command line **********

nameif ethernet3 SPI security1

nat (inside) 0 access-list SPI_NONAT

access-list SPI_NONAT permit ip 10.0.0.0 255.0.0.0 100.110.0.0 255.255.0.0 #100.110.0.0/16 being the internet IP location

ip address SPI 208.4.26.225 255.255.255.0

access-group SPI_NONAT in interface SPI

route SPI 100.110.0.0 255.255.255.0 <next-hop gateway on the SPI segment> #208.4.26.225/24

********** end command line ******

I have other NATs in place (global pool and static). To confirm, this will not affect them at all?

Thanks,

Dennis

Hi Dennis...

Everything looks fine except the access-group SPI_NONAT statement.

The SPI_NONAT access list permits 10.x to 100.x; it shouldn't be applied on the SPI interface. Your access list on the SPI interface should be the other way round:

access-group SPI_ACL in interface SPI

access-list SPI_ACL permit ip 100.110.0.0 255.255.0.0 10.0.0.0 255.0.0.0

The nonat will not have any effect on any other traffic. You can apply this and let us know. Only traffic from 10.0.0.0 to 100.x IPs will be no-natted.

Hope this helps. Rate replies if found useful.

Raj
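The point Raj makes about direction, as an added example that is not part of the thread: a small Python model of the two access lists (nat 0 exemption on inside, interface ACL on SPI) using first-match semantics with the PIX's implicit deny. Network and host values are the ones quoted in the posts or constructed for the test; protocol/port matching is deliberately left out.

```python
import ipaddress
from typing import List, Tuple

# An ACE is modelled as (action, source network, destination network); constructed from the thread.
Ace = Tuple[str, str, str]

# nat (inside) 0 access-list SPI_NONAT  -> traffic matching this ACL is exempt from translation
NAT0_ACL: List[Ace] = [("permit", "10.0.0.0/8", "100.110.0.0/16")]

# Dennis's first attempt: the nonat list applied inbound on SPI (wrong direction)
SPI_IN_ACL_WRONG: List[Ace] = [("permit", "10.0.0.0/8", "100.110.0.0/16")]

# Raj's correction: access-list SPI_ACL permit ip 100.110.0.0 255.255.0.0 10.0.0.0 255.0.0.0
SPI_IN_ACL_FIXED: List[Ace] = [("permit", "100.110.0.0/16", "10.0.0.0/8")]


def acl_matches(acl: List[Ace], src: str, dst: str) -> bool:
    """First-match lookup; no entry matched means the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def outbound_translation(src: str, dst: str) -> str:
    """Packet leaving the inside interface: nat 0 exemption wins, everything else
    still goes through the existing global pool / static translations."""
    return "no-nat" if acl_matches(NAT0_ACL, src, dst) else "global-pool"


def inbound_allowed_on_spi(acl: List[Ace], src: str, dst: str) -> bool:
    """Packet arriving on the SPI interface from the 100.x side (a connection
    initiated from there), so its source is 100.x and destination is 10.x."""
    return acl_matches(acl, src, dst)


if __name__ == "__main__":
    print(outbound_translation("10.1.2.3", "100.110.5.5"))   # no-nat
    print(outbound_translation("10.1.2.3", "198.51.100.7"))  # global-pool
    print(inbound_allowed_on_spi(SPI_IN_ACL_WRONG, "100.110.5.5", "10.1.2.3"))  # False
    print(inbound_allowed_on_spi(SPI_IN_ACL_FIXED, "100.110.5.5", "10.1.2.3"))  # True
```

Return traffic of connections opened from the inside is handled by the PIX's stateful inspection, so the inbound ACL only decides connections that start on the 100.x side.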