Nat 0 setup help

jbernard
Community Member

Hi,

I am setting up a Pix to replace our current firewall. We have two Class C networks that are used for servers and for DSL customers. These will be internal to the Pix. I see I can use NAT 0 to not translate those networks. To allow access into the servers, do I only need to set up ACLs for the various services? I am a little confused as to the particulars of getting access into these networks.

Thanks,

Brian

2 Replies

nihal.akbulut
Level 5

Hi Brian,

PIX interfaces have security levels. These levels are determined by numbers in the range 0-100. 100 is the most secure interface; it is inside. 0 is the least secure; that is outside. DMZ interfaces are somewhere between 0 and 100. There are two types of access in PIX:

1) from higher security level to lower security level (inside to outside, dmz to outside)

By default the PIX permits these connections; you only have to configure a translation method. This can be static with the command 'static' or dynamic with the commands 'nat' and 'global'. Or, if you choose not to translate, you can use nat 0.

2) from lower security level to higher security level (outside to inside, dmz to inside)

By default the PIX denies these types of connections, so you have to permit them. You can do this by access-list or conduit. And you also need translation.

There is a very useful document below. Hope this helps.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

Nihal

billhunt
Community Member

Nat 0 isn't going to allow connections to be initiated from the outside. You need a static translation for the destination (as well as a permit statement in the ACL applied to the outside interface, specifying the destination public IP and port). Assuming that you want to keep public addresses on all the hosts on the inside of the pix (which wastes a lot of public addresses, but saves you the work of re-addressing hundreds of hosts) you can do a "net static" for the inside subnets, "translating" them from the inside to the outside, BUT keeping the same IP addresses. Suppose one of your class C networks was 100.1.1.0:

static (inside,outside) 100.1.1.0 100.1.1.0 netmask 255.255.255.0

Then, the ACL on the outside interface will determine what IPs and ports outside users can get to.

Remember that you need different subnets on each pix interface. What model pix do you have (how many interfaces)?

Nat 0 (referencing an access-list) is usually used in VPN configs, to define the traffic going through the tunnel.
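An added configuration example, in PIX 6.x syntax, that ties together both replies above: Nihal's two access directions and translation methods, and billhunt's identity static plus outside ACL. It is not from either poster or from Cisco. The 100.1.1.0/24 network comes from the thread; the outside address 203.0.113.2, the server addresses 100.1.1.10 and 100.1.1.11, the ACL names, and the remote VPN LAN 192.168.10.0/24 are constructed placeholders.

```cisco
! Added example (PIX 6.x). Only 100.1.1.0/24 comes from the thread; every
! other address and name below is a constructed placeholder.
!
! Security levels: inside is 100 (most secure), outside is 0 (least secure).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 100.1.1.1 255.255.255.0
!
! Identity static for the whole class C: "translates" 100.1.1.0/24 to itself,
! so hosts keep their public addresses and outside-initiated connections have
! a translation to land on. nat 0 alone does not give you this. Repeat the
! line for the second class C network.
static (inside,outside) 100.1.1.0 100.1.1.0 netmask 255.255.255.0
!
! Lower-to-higher security (outside to inside) is denied by default, so each
! published service is permitted explicitly by public IP and port. The ACL's
! implicit deny drops everything else aimed at the inside networks.
access-list outside_in permit tcp any host 100.1.1.10 eq www
access-list outside_in permit tcp any host 100.1.1.10 eq 443
access-list outside_in permit tcp any host 100.1.1.11 eq smtp
access-group outside_in in interface outside
!
! Higher-to-lower security (inside to outside) is permitted by default once a
! translation exists; the identity static above already covers 100.1.1.0/24.
!
! NAT exemption (nat 0 referencing an access-list), the VPN use billhunt
! describes: traffic from 100.1.1.0/24 to the remote LAN is passed untranslated
! into the tunnel instead of being matched by the static.
access-list nonat permit ip 100.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
```

Because the static is an identity mapping, the addresses in the outside ACL (which match on the translated, outside-facing address) are the same as the real server addresses. After applying the configuration, `show access-list` shows per-line hit counts, which is the quickest way to confirm that an inbound test connection is matching the intended permit line rather than falling through to the implicit deny.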