Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Problems with NAT and static 1

Status
Not open for further replies.
rickberg

rickberg

IS-IT--Management
Dec 20, 2004
6
SE
Hello,

I am having some problems with the NAT and Static commands on PIX 525 version 7.0.

The situation is a PIX with seven interfaces. One should go to the internal network, one to the internet and the others to different partner networks (with many networks behind them, that should also be accessable).

Traffic from the inside to the internet should be NAT:ed, so I use commands like these:

nat (inside) 213 0.0.0.0 0.0.0.0
global (outside) 213 interface

But my question is this, how do I get all other traffic from the inside to the different networks on all other interfaces to be not nat-translated?

I would be most grateful for help on this.

best regards,
Rickard
 
Sort by date Sort by votes
hello,

first: what you are doing for the traffic from inside to internet is not nat, it is pat. but anyway it will work.

i think in version 7 the nonat-behaviour was changed..

in 6.3 you must make an nonat-accesslist.

for example:

nat (inside) 0 access-list nonat_inside --> no nat
nat (inside) 1 172.16.1.0 255.255.255.0 0 0 --> standard pat

the access-list nonat_inside will be applied on the inside-interface. the nat (inside) 0 is the hint for the pix to not nat the following traffic.

then you make a "normal" access-list:

access-list nonat_inside permit ip 172.16.1.0 255.255.255.0 172.16.10.0 255.255.255.0

now this traffic will not be natted.
the rest will be pated (strange word *g*).

martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator
 
Upvote 0 Downvote

Hello Martin,

and thank you for your reply!

I have a question about this line:

> access-list nonat_inside permit ip 172.16.1.0 255.255.255.0 172.16.10.0 255.255.255.0

Do I have to specify every network that is reachable through each of the other interfaces in the accesslist? (There is quite a lot of them..)

What I am hoping for are a way of saying (in PIX language) something like this: "PAT traffic going to the outside interface, but leave traffic to all other interfaces untranslated" ?

best regards,
Rickard
 
Upvote 0 Downvote
hello,

in 6.3 you have to configure eacht traffic which should not be natted. i know this can be a lot of work.

i read something about version 7, that in this version everythink will not be natted, until you will do it...but i do not know if this realy works in version 7.

check out:
Optional Address Translation Services
Version 7.0(1) simplifies deployment of the security appliance by eliminating previous requirement for address translation policies to be in place before allowing network traffic to flow. Now, only hosts and networks that require address translation will need to have address translation policies configured. This feature introduces a new configuration option, "nat-control", which allows NAT to be enabled incrementally.

Version 7.0 introduces the nat-control command and preserves the current behavior for customers upgrading from previous versions of the software. For new security appliances or devices which have their configurations cleared, the default will be to not require a NAT policy for traffic to traverse the security appliance. For more information, see the " NAT Control" section in the Cisco Security Appliance Command Line Configuration Guide.


LINK:

Martin

An other way can be, that you make network-statics. you can configure the static, that the ips should be natted to it selfs....but of course you have to do this for each network connection...so it is near the same as the access-lists....

an other way is to configure a big nonat-access-list. this nonat-accesslist can be used in several nat 0 configs.
cisco does not recommend it, but it works fine...
if you are using the pdm, you will get an error message...

martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator
 
Upvote 0 Downvote

Thank you for your help, Martin.
best regards, Rickard

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
289
Sameer258
Sameer258
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
329
intel233
intel233
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
247
nnaarrnn
nnaarrnn
Nitta84
  • Locked
  • Question
navigation slow and tcp syc/ack drop
Replies
0
Views
209
Nitta84
Nitta84
steve777777
  • Locked
  • Question
Cisco ASA VPN+NAT
Replies
0
Views
73
steve777777
steve777777

Part and Inventory Search

Sponsor

Back
Top