Pix 515E Disabling PAT

My goal is to not have the Cisco firewall alter the ports for internal clients as they make outbound requests.

I have already successfully set up this configuration using PAT. But now I need to have the port assignment preserved. I was trying to remove the global command. Then I couldn't get outside at all.

interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.5.1 255.255.255.0
!
access-list workstations line 1 extended permit ip host 192.168.1.132
global (outside) 1 interface
nat (inside) 1 192.168.1.132 255.255.255.255
access-group workstations in interface inside

Thanks in advance

RG

You can get what you want with *NAT exemption*.

nat (inside) 0 192.168.1.132 255.255.255.255

Delete all "global" commands.

Bye, marco

Marco Giuliani

Thanks for your help. I did what you mentioned. When I run "sh xlate", the PIX shows "Global 192.168.1.132 Local 192.168.1.132". Shouldn't the global IP show the external interface IP? Looking at syslog, e.g. for a ping attempt, I am only seeing the response to name resolution, but that is not getting back to 192.168.1.132. Is there anything else I need to do?

Syslog is not showing packets with source 192.168.1.132. It shows 192.168.1.132 as the destination.

Thanks again

RG


That is right with the nat 0 command. There is no address translation with NAT exemption.

No.

If you want the external interface IP to show, you should use this configuration:

nat (inside) 1 192.168.1.132 255.255.255.255
global (outside) 1 interface

However, you wrote: "My goal is not to have cisco firewall alter the ports for internal clients as they are making outbound requests."

Maybe you want NAT without PAT? Maybe I don't understand your needs. ;-)

> Looking at syslog,

Can you explain your network scheme?

x.x.x.x/x
    |
outside pix ip address
    |
   PIX
    |
inside pix ip address
    |
192.168.1.0/24

bye, marco

Marco Giuliani

The problem with this is: if I am a client behind the firewall, e.g. 192.168.1.132 port 30456, connecting to a server outside of the firewall, e.g. 192.168.5.30 port 5060, I would like the IP/port appearing to the server to be the external IP of the firewall with the original port number preserved, i.e. 192.168.5.1 port 30456.

Now that you have explained it to me, I suppose that when configuring exemption the firewall is routing packets. In that case, the server never had a return route. I just changed it and it works.

Is there a way to do this with just NAT and no PAT? Can you use static statements for outbound connections? If so, how?

Thanks for all your help

RG

Yes. You're right.

> In that case, the server never had a return route.

OK.

static (inside,outside) 192.168.5.132 192.168.1.132

"Static NAT allows bidirectional connection initiation, both to and from the host (if an access rule exists that allows it). With dynamic NAT and PAT, on the other hand, each host uses a different address or port for each subsequent translation, so bidirectional initiation is not supported."

formatting link

On the other hand, every time you map many real addresses (e.g. the inside subnet 192.168.1.0/24) to a single global address (e.g. the interface's public address), the PIX firewall does port address translation.

nat (inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 interface

Bye, marco

Marco Giuliani
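The three approaches discussed above (interface PAT, nat 0 exemption, and a one-to-one static), collected into one annotated PIX configuration as an added example; this is not RG's or Marco's posted config. Interface addresses, the client 192.168.1.132, its port 30456, the server 192.168.5.30:5060 and the static address 192.168.5.132 are the thread's; the outside access-list name "sip-in" and the inbound rule it carries are assumptions for illustration.

```cisco
! Added example, not from the thread. Pick one of A/B/C for 192.168.1.132;
! nat 0 takes precedence over static, and static over dynamic nat/global,
! so mixing them for the same host gives the highest-precedence result.
!
! --- A: dynamic NAT + interface PAT (RG's original config) ---
! Many real addresses share one global address 192.168.5.1, so the PIX
! must rewrite the source port. The server sees 192.168.5.1:<high port>,
! never :30456.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! --- B: NAT exemption (nat 0), no translation at all ---
! Packets leave with source 192.168.1.132:30456 unchanged, and "show xlate"
! reports Global 192.168.1.132 Local 192.168.1.132. Hosts on 192.168.5.0/24
! need a route to 192.168.1.0/24 via 192.168.5.1, otherwise replies never
! come back (the symptom RG saw in syslog before adding the route).
nat (inside) 0 192.168.1.132 255.255.255.255
!
! --- C: one-to-one static NAT, address rewritten, port preserved ---
! Outbound 192.168.1.132:30456 appears on the outside as
! 192.168.5.132:30456; "show xlate" reports Global 192.168.5.132
! Local 192.168.1.132. The PIX proxy-ARPs for 192.168.5.132 on the
! outside interface, so the server needs no extra route. The remaining
! hosts in 192.168.1.0/24 can keep using A at the same time.
static (inside,outside) 192.168.5.132 192.168.1.132 netmask 255.255.255.255
!
! Caveat for C: a static is bidirectional. Outside (level 0) to inside
! (level 100) is denied by default, but any access-list applied inbound on
! the outside interface decides what can reach 192.168.1.132 from outside.
! If the SIP server must initiate to the client, permit only that
! (assumed ACL name and rule), never "permit ip any host 192.168.5.132".
access-list sip-in extended permit udp host 192.168.5.30 host 192.168.5.132 eq 5060
access-group sip-in in interface outside
```

After changing translation rules, clear the existing entries with "clear xlate" so connections from 192.168.1.132 are rebuilt under the new rule, then confirm with "show xlate" which of the three results you are getting.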


This is excellent. Thanks for all your help.

RG

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.