- Posts: 9
- Thank you received: 0
how to select a certain traffic for NAT on a PIX?
18 years 2 months ago #17451
by eeee
how to select a certain traffic for NAT on a PIX? was created by eeee
Hi all,
I have a PIX 525 and it is on IOS 701. I have allowed all traffic to bypass PIX for outbound traffic. I want to add a new network behind PIX using the same inside interface for outbound connection. But I would like to use NAT just for this network for outbound.
how can I do this selection for NAT?
Regards,
e
I have a PIX 525 and it is on IOS 701. I have allowed all traffic to bypass PIX for outbound traffic. I want to add a new network behind PIX using the same inside interface for outbound connection. But I would like to use NAT just for this network for outbound.
how can I do this selection for NAT?
Regards,
e
18 years 2 months ago #17462
by Smurf
I'm affraid i don't fully understand your question, above statement seems a little odd, why would have have a pix in place and then want to bypass it ?
Anyhow, here is what i think you need to know.
If you have configured something like this in your pix config
[code:1]global (outside) 1 interface[/code:1]
this is setting up a nat translated ip address for your natting. This will basically use PAT because its picking the IP Address thats bound to the outside interface. If you have a full subnet from your ISP you may have actually selected a pool of NAT addresses, like follows
[code:1]global (outside) 1 192.168.0.1 - 192.168.0.100[/code:1]
What that will do is setup a direct IP to IP NAT translation fo rthe first 99 clients that connect, the rest will use PAT on the last address 192.168.0.100
Finally, you need to select the address that will use this global nat statement, this is the bit you need...
If you have configured a new subnet say 10.10.10.0/24 in your inside network which routes through the inside interface to get to the internet, you config your pix like this to just let that subnet NAT through
[code:1]nat (inside) 1 10.10.10.0 255.255.255.0[/code:1]
The number 1 is just linking the two statments. If you had a DMZ off the pix on an interface called DMZ with a subnet of 172.16.0.0/24 and you wanted that to also translate, you would configure the following nat statment
[code:1]nat (dmz) 1 172.16.0.0 255.255.255.0 [/code:1]
See, how we have linked this statement also to the global pool of address to NAT agains by selecting the number 1
Hope it helps ya
Wayne[/code]
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: how to select a certain traffic for NAT on a PIX?
I have allowed all traffic to bypass PIX for outbound traffic.
I'm affraid i don't fully understand your question, above statement seems a little odd, why would have have a pix in place and then want to bypass it ?
Anyhow, here is what i think you need to know.
If you have configured something like this in your pix config
[code:1]global (outside) 1 interface[/code:1]
this is setting up a nat translated ip address for your natting. This will basically use PAT because its picking the IP Address thats bound to the outside interface. If you have a full subnet from your ISP you may have actually selected a pool of NAT addresses, like follows
[code:1]global (outside) 1 192.168.0.1 - 192.168.0.100[/code:1]
What that will do is setup a direct IP to IP NAT translation fo rthe first 99 clients that connect, the rest will use PAT on the last address 192.168.0.100
Finally, you need to select the address that will use this global nat statement, this is the bit you need...
If you have configured a new subnet say 10.10.10.0/24 in your inside network which routes through the inside interface to get to the internet, you config your pix like this to just let that subnet NAT through
[code:1]nat (inside) 1 10.10.10.0 255.255.255.0[/code:1]
The number 1 is just linking the two statments. If you had a DMZ off the pix on an interface called DMZ with a subnet of 172.16.0.0/24 and you wanted that to also translate, you would configure the following nat statment
[code:1]nat (dmz) 1 172.16.0.0 255.255.255.0 [/code:1]
See, how we have linked this statement also to the global pool of address to NAT agains by selecting the number 1
Hope it helps ya
Wayne[/code]
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.112 seconds