Cisco PIX 501 NAT config issue

Discussion in 'Cisco' started by Binner, Oct 5, 2004.

  1. Binner

    Binner Guest

    Here is the situation.

    We are putting a subcontractor on our WAN and want to control their
    access to our network.

    The subcontractor's network is on the outside interface and our
    internal networks are on the inside interface.

    They need access to lots of our subnets but we are restricting the
    ports they can access.

    I do not want any NAT to happen on any interface but I cannot work out
    how to do this for traffic inbound from the outside interface.

    Any ideas gratefully received
    Binner, Oct 5, 2004
    #1

  2. Add the command:
    static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

    where 192.168.0.0 represents your inside network.
    This way the NAT is turned off, so to speak.

    Then add the acl on the outside interface permitting the external access to
    the inside hosts.

    HTH
    Martin Bilgrav


    "Binner" <> wrote in message
    news:...
    > Here is the situation.
    >
    > We are putting a subcontractor on our WAN and want to control their
    > access to our network.
    >
    > The subcontractor's network is on the outside interface and our
    > internal networks are on the inside interface.
    >
    > They need access to lots of our subnets but we are restricting the
    > ports they can access.
    >
    > I do not want any NAT to happen on any interface but I cannot work out
    > how to do this for traffic inbound from the outside interface.
    >
    > Any ideas gratefully received
    Martin Bilgrav, Oct 5, 2004
    #2

  3. Binner

    Binner Guest

    "Martin Bilgrav" <> wrote in message news:<41629482$0$22682$>...
    > add the command:
    > static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
    >
    > where 192.168.0.0 represents your inside network.
    > This way the NAT is turned off, so to speak.
    >
    > Then add the acl on the outside interface permitting the external access to
    > the inside hosts.
    >
    > HTH
    > Martin Bilgrav
    >
    >
    > "Binner" <> wrote in message
    > news:...
    > > Here is the situation.
    > >
    > > We are putting a subcontractor on our WAN and want to control their
    > > access to our network.
    > >
    > > The subcontractor's network is on the outside interface and our
    > > internal networks are on the inside interface.
    > >
    > > They need access to lots of our subnets but we are restricting the
    > > ports they can access.
    > >
    > > I do not want any NAT to happen on any interface but I cannot work out
    > > how to do this for traffic inbound from the outside interface.
    > >
    > > Any ideas gratefully received


    Thanks for the response but in the time it took to post this message I
    fixed the problem.

    I set up the PIX to allow all inbound traffic using the following (the
    IP addresses have been changed to protect the innocent)

    access-list outside_in permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-group outside_in in interface outside
    access-list no_nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list no_nat

    I then set up an object-group containing the ports I wanted to allow
    through and created an access list using this object-group with the
    same identifier as first access list above. I then removed the
    unrestricted access list and this worked just fine.

    It allows the ports in the access group and drops everything else.
    Binner, Oct 6, 2004
    #3
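
An added example, not part of the original posts: a small Python model of the port-restricted ACL described in post #3, evaluated next to the unrestricted entry it replaced, using first-match semantics with the implicit deny at the end. The ACL name `wide_open`, the group name `sub_ports` and the port numbers are assumptions for illustration; only numeric ports and this subset of PIX 6.x syntax are handled.

```python
import ipaddress

# Constructed sample config in PIX 6.x syntax; addresses follow the thread,
# the names wide_open / sub_ports and the port numbers are assumptions.
CONFIG = """\
object-group service sub_ports tcp
  port-object eq 80
  port-object range 1433 1434
access-list outside_in permit tcp 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 object-group sub_ports
access-list wide_open permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

def parse(config):
    """Return (groups, acls): port ranges per object-group, rules per ACL id."""
    groups, acls, current = {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["object-group", "service"]:
            current = groups.setdefault(t[2], [])
        elif t[0] == "port-object":
            lo = int(t[2])
            current.append((lo, int(t[3]) if t[1] == "range" else lo))
        elif t[0] == "access-list":
            src = ipaddress.ip_network(f"{t[4]}/{t[5]}")
            dst = ipaddress.ip_network(f"{t[6]}/{t[7]}")
            ports = None  # None means the rule matches any destination port
            if t[8:9] == ["eq"]:
                ports = [(int(t[9]), int(t[9]))]
            elif t[8:9] == ["object-group"]:
                ports = groups[t[9]]
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst, ports))
    return groups, acls

def permitted(acls, acl_id, proto, src, dst, dport):
    """First matching rule wins; no match means the implicit deny applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_proto, s_net, d_net, ports in acls.get(acl_id, []):
        if rule_proto not in ("ip", proto):
            continue
        if src not in s_net or dst not in d_net:
            continue
        if ports is not None and not any(lo <= dport <= hi for lo, hi in ports):
            continue
        return action == "permit"
    return False
```

Running a list of flows that must be refused (for example Telnet from the subcontractor range) through `permitted` before applying an ACL change shows whether the new entry is narrower than the one it replaces.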
  4. "Binner" <> wrote in message
    news:...
    > "Martin Bilgrav" <> wrote in message news:<41629482$0$22682$>...
    > > add the command:
    > > static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
    > >
    > > where 192.168.0.0 represents your inside network.
    > > This way the NAT is turned off, so to speak.
    > >
    > > Then add the acl on the outside interface permitting the external access to
    > > the inside hosts.
    > >
    > > HTH
    > > Martin Bilgrav
    > >

    >
    > I set up the PIX to allow all inbound traffic using the following (the
    > IP addresses have been changed to protect the innocent)
    >
    > access-list outside_in permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    > access-group outside_in in interface outside
    > access-list no_nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    > nat (inside) 0 access-list no_nat
    >
    > I then set up an object-group containing the ports I wanted to allow
    > through and created an access list using this object-group with the
    > same identifier as first access list above. I then removed the
    > unrestricted access list and this worked just fine.




    You should seriously consider not running nat 0, since this config you have
    now opens up for EVERYTHING to ALL HOSTS !!
    But it's your call.

    HTH
    Martin
    Martin Bilgrav, Oct 7, 2004
    #4