Pix without NAT?

I have a Pix 501 that I'd like to use to protect our DMZ. The goal is to prove it all works and then we'll purchase a larger pix such as a 515 etc.

Basically, what I have is an ISP-assigned /30 and /26 for my use. I'm planning on putting the /30 on the outside interface of the pix and the /26 on the inside. Connected to the inside interface is of course the Pix, and various other servers such as email, squid proxy, sql, ISA (Microsoft shop..bleh). I have it all set up and I have removed all the NAT related statements from the Pix config. I can ping the world from the pix and the world can ping the outside interface of the pix. But the world can't reach any of the DMZ boxen. Of course the pix itself can ping the DMZ boxen without problem. I have opened ICMP to both Pix interfaces and I have ACLs on both Pix interfaces to permit all traffic.

Is it not possible to use a pix basically as a router?

The basic layout is this...

LAN (192.168.10.x) -- DMZ -- Pix -- ISP router -- Internet

I know all the subnets are routed properly because if I put a regular router in to handle the spot the Pix is in things work fine. It's like the Pix isn't pushing the packets through to the DMZ. I set up debug on the pix and I see the packets arriving inward on the outside interface.

Just wondering if I'm trying to do something that isn't supported here. Does a Pix HAVE to nat traffic? I figured that by removing the global, local, and nat statements I'd have basically reduced it to a simple router with some packet filtering and inspection capabilities.

Jason

I don't follow you. Please explain the question marks in the following diagram.

Internet
  |
  |
ISP router
  | (a /30 network)
Cisco PIX 501
  | (a /26 network)
  ?
  ?
(192.168.10.0/24 network)

Yes you can, but PIX is a firewall so the default setting is deny traffic. That's why you have to do some configuration work to make it act as a router. You probably need commands like

"nat 0" or static
access-list
access-group
route

Hmm. I hope that you have noticed that a 10 user PIX 501 can't handle your public /26 address range.

Jyri Korhonen

Here's the missing piece you asked about...

Cisco PIX 501
  | (a /26 network)
  |
FreeBSD Unix box acting as router and proxy between LAN/DMZ
  |
(192.168.10.0/24 network)

Actually this Pix501 has a 50 user license. We keep it around for testing.

I have put in ACLS for both the inside and outside interface to permit all IP and ICMP traffic in addition to statements to allow ICMP to both interfaces themselves.

The only thing I've seen so far other than your suggestions is that I need static statements like this...

static (inside,outside) 123.123.123.0 123.123.123.0 netmask 255.255.255.192

... to bring the public subnet across to the inside interface. I haven't tried that yet but do you know if it's correct?

Jason

Yes, that's correct. Or you could use

access-list NO_NAT permit ip 123.123.123.0 255.255.255.192 any
nat (inside) 0 access-list NO_NAT

Jyri Korhonen

Jyri,

I put in the syntax ala...

nat (inside) 0 123.123.123.0 255.255.255.192 0 0

... and all is working just swell! Thank you very much for your input and help :-).

The machines in the DMZ are being seen with their proper public IP and traffic appears to be passing properly in and out of the DMZ.

-Jason

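Pulling Jyri's NAT-exemption suggestion and Jason's working result together, here is an added PIX 6.x configuration fragment for the no-NAT DMZ layout in this thread (example config written for this page, not posted by either of them). The /30 link addresses (203.0.113.0/30), the FreeBSD router at 123.123.123.2 and the mail/proxy host addresses (.10 and .11) are assumed values; 123.123.123.0/26 is the thread's own placeholder range.

```cisco
: Added example, not from the thread. 203.0.113.0/30 (ISP link),
: 123.123.123.2 (FreeBSD LAN router), .10 (mail) and .11 (proxy) are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.252
ip address inside 123.123.123.1 255.255.255.192
: Default route to the ISP router; the 192.168.10.0/24 LAN sits behind the
: FreeBSD box on the inside, so it needs an explicit route there.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.10.0 255.255.255.0 123.123.123.2 1
: NAT exemption: hosts in the public /26 keep their real addresses in both
: directions, so the PIX forwards like a router. This is the access-list
: form Jyri suggested; the network form Jason used was
:   nat (inside) 0 123.123.123.0 255.255.255.192 0 0
access-list NO_NAT permit ip 123.123.123.0 255.255.255.192 any
nat (inside) 0 access-list NO_NAT
: Inbound policy. The thread used permit-all ACLs on both interfaces to
: prove forwarding; once that works, narrow the outside ACL to the DMZ
: services actually exposed plus the ICMP types needed for troubleshooting
: and path MTU discovery. Everything not listed is dropped by default.
access-list OUTSIDE_IN permit tcp any host 123.123.123.10 eq smtp
access-list OUTSIDE_IN permit tcp any host 123.123.123.11 eq www
access-list OUTSIDE_IN permit icmp any 123.123.123.0 255.255.255.192 echo-reply
access-list OUTSIDE_IN permit icmp any 123.123.123.0 255.255.255.192 unreachable
access-list OUTSIDE_IN permit icmp any 123.123.123.0 255.255.255.192 time-exceeded
access-group OUTSIDE_IN in interface outside
: Outbound (inside security100 -> outside security0) is allowed by default;
: an inside ACL is only needed to restrict what the DMZ may initiate.
: Pings to the PIX's own interfaces are controlled separately from the ACLs.
icmp permit any echo outside
icmp permit any echo inside
```

With NAT exemption in place, "show xlate" should stay empty while "show conn" lists the DMZ connections with their real public addresses, which is the quickest way to confirm the PIX is forwarding rather than translating.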
