PIX 515E-UR interface4 without nat allowed (routed)?

Status
Not open for further replies.

PcClone

IS-IT--Management
Dec 19, 2003
16
US
Hello, thank you in advance for any help that can be provided.

We are running ver. 8 of the pix software.

Can we have a public ip behind the pix on an interface when the other interfaces are doing nat? I know about transparent mode, but that seems an all or nothing solution.

We are installing a system that needs the server to have a public ip in its interface settings for licensing reasons. I could place the machine outside the PIX, but I'd rather not rely on a software firewall (iptables) on the host.

We currently have a /29 from our ISP and are using the 4 IPs allowed (they use the others for routing/router). We can go to a /28 if needed so we could route to that interface.

We have 5 total interfaces with 3 in use. This system could be left on a dedicated interface if needed, but we would prefer to be able to put another public ip assigned server on that interface in the future.

We can't use NAT or aliases for this machine and I have never attempted something like this. Most of my google and forum searches have ended with incomplete solutions or no answers.

Thanks for any help you can provide!
 
It's really early in the morning so all of my neurons aren't firing yet, but I think NAT Exemption should work:
Code:
PIX(config)# access-list NONAT extended permit ip 200.100.50.7 255.255.255.248 any
PIX(config)# nat (dmz) 0 access-list NONAT
Replace 200.100.50.7 with the public IP assigned to the server. This is also assuming that the server is placed in your DMZ so you will need to adjust this if your server is on the inside or if your interface name is different.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks for the quick reply. A few questions. Since you used a .248 subnet for the nonat does that mean I need to change the subnet on the outside interface to not overlap the DMZ subnet? Also, I assume that since you used a subnet in that nonat statement I can put a few computers on that dmz interface and just assign ips in that subnet, am I correct?
Or am I reading this wrong and the .248 is because I currently have a .248 and the nonat statement subnet should match the subnet on the outside interface?

Thanks again.
 
Try it both ways; one with the /29 prefix and one with a /32 prefix. Either one should work.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
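A fuller PIX 8.0 (pre-8.3 syntax) configuration that puts the pieces from the replies above together, added here as an example and not something posted in the thread. The interface name, all addresses (RFC 5737 documentation ranges) and the TCP 443 port are assumptions; it uses the /29 form of the exemption so more public-IP hosts can be added to the same interface later, and shows the inbound ACL that nat 0 alone does not provide.

```cisco
! Constructed addresses (RFC 5737 ranges), not the poster's real ones:
!   outside link from ISP   : 198.51.100.0/29, PIX outside = 198.51.100.2
!   new routed block for DMZ: 203.0.113.0/29, PIX dmz = 203.0.113.1, server = 203.0.113.2
! The ISP must route 203.0.113.0/29 to 198.51.100.2; the two /29s must not overlap,
! which answers the "change the outside subnet?" question: no, add a second block.

interface Ethernet3
 nameif dmz
 security-level 50
 ip address 203.0.113.1 255.255.255.248

! Inside hosts keep using PAT on the outside interface address, unchanged.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! NAT exemption for the whole routed DMZ block: traffic leaves untranslated,
! so further public-IP servers can be added without touching this rule.
! Use the network address (.0) with the /29 mask, or a host with /32.
access-list NONAT extended permit ip 203.0.113.0 255.255.255.248 any
nat (dmz) 0 access-list NONAT

! nat 0 only disables translation; inbound traffic from the lower-security
! outside interface is still denied until an ACL permits it. Open only what
! the licensing server actually needs (assumed here to be TCP 443).
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.2 eq 443
access-group OUTSIDE_IN in interface outside
```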
 