Do Cisco PIX firewalls have NAT turned on by default?

Discussion in 'Cisco' started by Fred Knobles, Jul 22, 2004.

  1. Fred Knobles

    Fred Knobles Guest

    Simple PIX question....

    Do Cisco PIX firewalls have NAT turned on by default, put another way
    do I have to use the "static" command to tell PIX firewalls NOT to
    translate addresses as they pass from one interface to the next.

    Thanks
     
    Fred Knobles, Jul 22, 2004
    #1

  2. Fred Knobles

    Ivan Ostres Guest

    In article <410012b7.5218533@127.0.0.1>, says...
    >
    > Simple PIX question....
    >
    > Do Cisco PIX firewalls have NAT turned on by default, put another way
    > do I have to use the "static" command to tell PIX firewalls NOT to
    > translate addresses as they pass from one interface to the next.
    >
    > Thanks


    Simple as that.. No, there's no NAT turned on by default on PIX. On
    further thought, there isn't any config on PIX by default.

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostres, Jul 22, 2004
    #2

  3. In article <>,
    Ivan Ostres <> wrote:
    :In article <410012b7.5218533@127.0.0.1>, says...

    :> Do Cisco PIX firewalls have NAT turned on by default, put another way
    :> do I have to use the "static" command to tell PIX firewalls NOT to
    :> translate addresses as they pass from one interface to the next.

    :Simple as that.. No, there's no NAT turned on by default on PIX. When I
    :think better, there's no any config on PIX by default.

    The PIX 501, 506 (in more recent versions), and 506e, all come with
    factory default settings that use 192.168.1.0/24 as the inside network,
    use dhcp to get the outside interface settings, and PAT through that
    outside address. Thus, by default, if one had a factory-fresh configuration,
    one of those models, and an appropriate software rev, then YES, those
    have NAT turned on by default.

    If you have a 506 or 506e with a software rev before this change
    (it was always present in the 501), or if you have *any* other model of
    PIX [of *any* software revision], then the factory fresh configuration
    has all of the network interfaces turned off, assigned 127.0.0.1 as
    their address, and there are no default nat or global statements.
    Thus, by default, if one had a factory-fresh configuration, then your
    PIX is not going to pass any traffic at all, and NAT is off by default
    in those cases.

    In any model of PIX, with any software rev, if you do not have a nat/global
    pair and you do not have a static or 'nat 0' statement, then the PIX will
    not know how to translate the IPs, and will drop all the outgoing packets.
    In other words, for non-trivial address translation to happen, with any
    software rev on any model, your configuration must either have a 'static',
    or it must have a nat/global pair. If you do not have a 'static' and
    you do not have a nat/global pair, then traffic isn't going to go out
    at all (unless you have a 'nat 0' statement.)

    So, in the broader sense, PIX do NOT do address translation unless
    configured to do so -- they don't send out any traffic at all unless
    configured to let it pass.

    But it is true that "out of the box", new 501, 506, and 506e start with
    "plug and play" configurations intended to get people up and running
    quickly and those have nat/global pre-configured -- and anyone serious
    about using the PIX is probably going to promptly reconfigure all the
    defaults anyhow.
    --
    vi -- think of it as practice for the ROGUE Olympics!
     
    Walter Roberson, Jul 22, 2004
    #3
  4. Fred Knobles

    Sam Wilson Guest

    In article <410012b7.5218533@127.0.0.1>, Fred Knobles
    <> wrote:

    > Simple PIX question....
    >
    > Do Cisco PIX firewalls have NAT turned on by default, put another way
    > do I have to use the "static" command to tell PIX firewalls NOT to
    > translate addresses as they pass from one interface to the next.


    Just to answer the question another way, the PIX ALWAYS has NAT turned on
    by default - even when it's not translating addresses it still uses a
    translation table to map address w.x.y.z to w.x.y.z. To put it another
    way, if you want a PIX not to translate addresses you have to tell it
    to do NAT without changing the address (identity NAT or NAT exemption).

    Sam
     
    Sam Wilson, Jul 23, 2004
    #4
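The pieces Walter Roberson and Sam Wilson describe, laid side by side in one constructed PIX 6.x configuration fragment. This is an added example, not text from any of the posts above and not a Cisco factory configuration; the addresses, the interface names and the "nonat" access-list name are assumptions. It shows the nat/global pair that a plug-and-play 501 ships with, an identity static for one host, and a 'nat 0' access-list exemption, so a reader can see which statement makes the PIX pass traffic in each case.

```cisco
! Constructed example (not from the thread, not a Cisco default config).
! PIX 6.x syntax. Addresses, interface names and the "nonat" ACL are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0

! --- nat/global pair: the "plug and play" style Walter describes ---
! Every inside host is PAT'd behind whatever address the outside
! interface got from DHCP. Without this pair (or a static / nat 0),
! the PIX has no translation for outbound packets and drops them.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

! --- identity NAT: a static that maps an address to itself ---
! The host still gets an entry in the translation table (see Sam's
! point), but the address on the wire is unchanged. A static is
! consulted before the nat/global pair, so this host is exempt from
! the PAT above.
static (inside,outside) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 0 0

! --- NAT exemption ("nat 0" with an access-list) ---
! Traffic matching the ACL bypasses translation entirely and builds
! no xlate; typical for a tunnelled peer network. Exemption is checked
! before statics and before the numbered nat/global pair.
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list nonat
```

To confirm which policy a given flow actually hit, the real PIX commands `show nat`, `show global` and `show xlate` are the ones to use: the PAT'd hosts and the identity static show up in `show xlate`, while flows exempted by `nat 0 access-list` do not appear there at all. Whichever of these statements a box ships with, the point of the thread stands: the PIX forwards nothing across interfaces until one of them exists.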
