We currently run a PIX 515E with 6.3 software. I want one of our global addresses, 12.x.x.x, to not use NAT. I wanted to confirm that my config seems correct.
The internal server on the DMZ interface should have 12.x.x.x, 255.255.255.0, with its default gateway set to the static outside route on the PIX, 12.x.x.144; these values should be assigned to its WAN NIC, which is plugged directly into the PIX DMZ interface port.
The config for this interface is as follows:
nameif ethernet2 DMZ security50
access-list acl-in permit tcp any host 12.x.x.x eq www
access-list acl-in permit udp any eq isakmp host 12.x.x.x eq isakmp log
access-list acl-in permit udp any eq 4500 host 12.x.x.x eq 4500
access-list acl-in permit udp any eq 1701 host 12.x.x.x eq 1701
access-list acl-in permit tcp any host 12.x.x.x eq pptp
access-list acl-in permit gre any host 12.x.x.x log 7
access-list DMZ permit icmp any any
access-list DMZ permit ip any any
static (DMZ,outside) 12.x.x.x 192.x.x.6 netmask 255.255.255.255 0 0
access-group acl-in in interface outside
Are the following commands correct?
A clear command before each of the above commands, except the nameif and access-group commands;
afterwards, issue the following commands:
access-list no-nat permit ip 12.x.x.x 255.255.255.255 0 0
nat (DMZ) 0 access-list no-nat
I would assume that a static route is unneeded, since the access list already associates the external IP 12.x.x.x with the DMZ interface.
I assume I then need to recreate the above access lists in the form:
access-list acl-in permit tcp any host 12.x.x.x eq www
Thanks in advance
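As an added illustration (not part of the original post), here is the shape a PIX 6.3 configuration takes when the DMZ host keeps its public address on both sides of the firewall via NAT exemption instead of a static. The 12.x.x.x octets are the poster's redacted values; the DMZ interface address and the assumption that the DMZ segment is addressed out of the same public /24 are mine, made so that the PIX has a connected route to the server on ethernet2.

```text
! Added example for PIX 6.3, not the poster's running config.
! Assumption: the DMZ interface gets an address in the server's public /24, so the
! PIX reaches 12.x.x.x through the connected route on ethernet2 and no static route
! is needed. If the outside interface already lives in that /24, the DMZ needs its
! own non-overlapping block; the PIX rejects overlapping interface subnets.
nameif ethernet2 DMZ security50
ip address DMZ <pix-dmz-address> 255.255.255.0

! Remove the static: with NAT exemption there is nothing to translate 12.x.x.x to.
no static (DMZ,outside) 12.x.x.x 192.x.x.6 netmask 255.255.255.255 0 0

! NAT exemption. "host 12.x.x.x any" is the standard single-host-to-any form.
! On 6.3 nat 0 access-list is bidirectional, so outside-initiated connections to
! 12.x.x.x are allowed as long as the ACL on the outside interface permits them.
access-list no-nat permit ip host 12.x.x.x any
nat (DMZ) 0 access-list no-nat

! The inbound filter on outside is unchanged; the destination is now the real address.
access-list acl-in permit tcp any host 12.x.x.x eq www
access-list acl-in permit udp any eq isakmp host 12.x.x.x eq isakmp log
access-list acl-in permit udp any eq 4500 host 12.x.x.x eq 4500
access-list acl-in permit udp any eq 1701 host 12.x.x.x eq 1701
access-list acl-in permit tcp any host 12.x.x.x eq pptp
access-list acl-in permit gre any host 12.x.x.x log 7
access-group acl-in in interface outside

! Flush translations built under the old static so stale xlates do not linger.
clear xlate

! Verify: the exemption appears under "show nat", and no xlate entry is created
! for 12.x.x.x when it initiates connections outward.
show nat
show xlate
```

Note that the `access-list DMZ permit ip any any` lines in the post are not bound to any interface with `access-group`, so they have no effect as shown; if an ACL is applied inbound on the DMZ, a permit-any from a host that terminates VPN and PPTP sessions deserves a second look.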