Using Cisco PIX without translation?

Discussion in 'Cisco' started by dexx, Nov 9, 2005.

  1. dexx

    dexx Guest

    I am configuring a Cisco firewall for a client. The Cisco firewall
    service module (FWSM) is a blade which goes into a 6500 or 7600
    chassis. It's very similar to PIX. I am configuring one to firewall
    between 3 internal networks. No address translation is needed in my
    scenario. Yet PIX seems to use NAT and PAT to excess. Is it possible to
    configure rules so that NAT and PAT are not necessary? I just want to
    filter on source, destination, and port.
     
    dexx, Nov 9, 2005
    #1

  2. In article <>,
    dexx <> wrote:
    >I am configuring a Cisco firewall for a client. The Cisco firewall
    >service module (FWSM) is a blade which goes into a 6500 or 7600
    >chassis. It's very similar to PIX. I am configuring one to firewall
    >between 3 internal networks. No address translation is needed in my
    >scenario. Yet PIX seems to use NAT and PAT to excess. Is it possible to
    >configure rules so that NAT and PAT are not necessary? I just want to
    >filter on source, destination, and port.


    Yes. You can do that with a PIX. Just be aware that many of the
    fancier features (such as awareness of how protocols work) are tied
    to the NAT/PAT engine. But that is not a problem if all you need
    is a simple packet filter.

    Disclaimer: This opinion is based on research done circa PIX OS 6.2.
    Newer releases may not have the same limitations.
    --
    Vincent C Jones, Consultant
    Networking Unlimited, Inc.
    Tenafly, NJ Phone: 201 568-7810
    http://www.networkingunlimited.com
    Expert advice and a helping hand for those who want to manage and
    control their networking destiny
     
    Vincent C Jones, Nov 9, 2005
    #2

  3. In article <>,
    dexx <> wrote:
    :I am configuring a Cisco firewall for a client. The Cisco firewall
    :service module (FWSM) is a blade which goes into a 6500 or 7600
    :chassis. It's very similar to PIX.

    "Similar" is not sufficient in this case. The FWSM is -not- a PIX,
    and it has different restrictions than the PIX does. A -closer-
    relationship is the FWSM, ASA 5500 series, and PIX running 7.0...
    but even then the FWSM has some important differences.

    :I am configuring one to firewall
    :between 3 internal networks. No address translation is needed in my
    :scenario. Yet PIX seems to use NAT and PAT to excess. Is it possible to
    :configure rules so that NAT and PAT are not necessary? I just want to
    :filter on source, destination, and port.

    If you are trying to do a "transparent layer 2 firewall", in which
    you have the same IP subnet on multiple interfaces, then with the
    ASA 5500 or PIX series you must use the 7.0 code stream. With the
    FWSM you have some flexibility about when various aspects are applied,
    and I don't know whether those interact with this matter.

    If it is acceptable to have different IP subnets on different interfaces,
    then you can use static or nat 0 access-list to map addresses to
    themselves. The following setup is completely legal in the 6.x code stream:

    outside ip 123.45.67.1/28
    inside ip 123.45.67.129/25
    dmz ip 123.45.67.65/26
    route inside 123.45.67.17/28
    route inside 123.45.67.33/27
    static (inside,outside) 123.45.67.128 123.45.67.128 netmask 255.255.255.128
    static (dmz,outside) 123.45.67.64 123.45.67.64 netmask 255.255.255.192
    static (inside,outside) 123.45.67.16 123.45.67.16 netmask 255.255.255.240
    static (inside,outside) 123.45.67.32 123.45.67.32 netmask 255.255.255.224

    In this situation, a PIX would proxy-arp for its outside IP 123.45.67.1
    and for everything static'd, 123.45.67.128/25, 123.45.67.64/26,
    123.45.67.16/28, and 123.45.67.32/27 ... unless you had turned proxy-arp off.

    If instead of using static, you use nat 0 access-list, then the PIX
    will NOT proxy ARP for any flow listed in the ACL.

    Either way, it is better to ensure that your WAN router routes all
    of 123.45.67/24 via the outside IP 123.45.67.1
    --
    I am spammed, therefore I am.
     
    Walter Roberson, Nov 9, 2005
    #3
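As an added illustration of the "nat 0 access-list" approach Walter describes (this is not config from the thread, and the FWSM's own syntax may differ), here is a PIX 6.x style build of the original poster's three-network, no-translation case. Interface names, the 10.1.1.0/24, 10.1.2.0/24 and 192.0.2.0/24 addresses, the ACL names and the filtered ports are all constructed assumptions; lines beginning with "!" are explanatory comments, not configuration.

```text
! Added example, not from the thread. Addresses and names are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.1.2.1 255.255.255.0
!
! Identity NAT via "nat 0 access-list": flows matching these ACLs pass
! untranslated, and the PIX does not proxy-ARP for them.
access-list INSIDE_NONAT permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list INSIDE_NONAT permit ip 10.1.1.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NONAT
access-list DMZ_NONAT permit ip 10.1.2.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (dmz) 0 access-list DMZ_NONAT
!
! Plain source/destination/port filtering on the lower-security sides.
! PIX ACLs take subnet masks, not IOS-style wildcard masks, and every
! ACL ends with an implicit deny.
access-list OUTSIDE_IN permit tcp 192.0.2.0 255.255.255.0 host 10.1.2.10 eq 80
access-list OUTSIDE_IN permit tcp 192.0.2.0 255.255.255.0 host 10.1.2.10 eq 443
access-group OUTSIDE_IN in interface outside
access-list DMZ_IN permit tcp host 10.1.2.10 host 10.1.1.20 eq 1433
access-group DMZ_IN in interface dmz
```

Because the PIX will not proxy-ARP for the exempted ranges, the router on the outside segment needs static routes for 10.1.1.0/24 and 10.1.2.0/24 pointing at 192.0.2.1, matching Walter's closing advice. Traffic from the higher-security inside interface toward dmz and outside is permitted by default here; add an inbound ACL on inside if it too must be restricted.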
