PIX one-to-one Static NAT

Discussion in 'Cisco' started by OgVada, Feb 13, 2008.

  1. OgVada
    Hi gang,

    Does anyone know how to set up a PIX to use a 1:1 static NAT in such a way as to allow me to assign a static external NAT address to each unique internal IP address?

    Example: Internal 10.0.0.1 - 10.0.0.254 maps to external 192.168.1.1 - 192.168.1.254, and each internal IP always maps to the same external IP (e.g. internal 10.0.0.50 always maps to external 192.168.1.50).

    The reason I need to do this is that the network policy does not allow dynamic NAT because they want to be able to review security logs and know which system(s) were really involved. I can't change the policy, so I'm trying to comply. My internal IPs are not routeable on the external network, so I must use NAT.

    Any ideas?

    Thanks,
    Og
     
    OgVada, Feb 13, 2008
    #1
  2. OgVada
    Version Information

    BTW - This is for a PIX 515E running 6.3(3).

    Thanks!
    Og
     
    OgVada, Feb 13, 2008
    #2
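    A worked configuration for the mapping asked for in post #1, on the PIX 515E 6.3(3) named in post #2. This is an added example, not something posted in the thread. Everything except the two /24 ranges from the question is assumed: inside interface 10.0.0.254/24 (so the usable hosts are 10.0.0.1-253), outside interface on a separate 192.168.2.0/24 link with the upstream router at 192.168.2.254 routing 192.168.1.0/24 to the PIX, a syslog collector at 10.0.0.10, and SSH to 10.0.0.50 as the one inbound service. The `!` lines are annotations.

```cisco
! --- addressing (assumed, adjust to your own) ---
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.2.1 255.255.255.0
ip address inside 10.0.0.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.2.254 1

! --- the 1:1 mapping ---
! One network-to-network static covers the whole /24. The host part of the
! address is preserved, so 10.0.0.50 <-> 192.168.1.50, 10.0.0.7 <-> 192.168.1.7, etc.
static (inside,outside) 192.168.1.0 10.0.0.0 netmask 255.255.255.0 0 0

! Equivalent per-host form, if only some hosts should be translated
! (one line per host, /32 mask):
! static (inside,outside) 192.168.1.50 10.0.0.50 netmask 255.255.255.255 0 0

! Deliberately NO "nat (inside) 1 ..." / "global (outside) 1 ..." pair.
! Without them there is no dynamic NAT/PAT fallback: a host that is not
! covered by a static cannot translate at all, which is what the log-review
! policy wants (every external address identifies exactly one internal host).

! --- inbound access ---
! The static only creates the translation. Outside->inside sessions stay
! denied until an access-list on the outside interface permits them, and
! that list must name the translated (global) address, not 10.0.0.x.
access-list outside_in permit tcp any host 192.168.1.50 eq 22
access-group outside_in in interface outside

! --- logging, so reviewers see both addresses of every connection ---
logging on
logging timestamp
logging trap informational
logging host inside 10.0.0.10
```

    Check it with `show static` (the configured mapping) and `show xlate` after an inside host has sent traffic; the xlate entry for that host should show global 192.168.1.x paired with local 10.0.0.x, and never a shared address. Security note for the access-list: the static makes each inside host addressable from outside by a fixed address, so keep `outside_in` to the specific hosts and ports that must be reachable; the translation itself does not open anything, the access-list does.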

  3. professorguy
    I get what you mean, but I don't get it.

    Why not just have each machine have a static, routable IP? Since you will need a static, routable IP for every machine, and since you will be doing a bidirectional static NAT for each, there is no functional difference between what you propose and just putting the IP on each machine itself.

    You are probably asking yourself, "But won't there be security problems when every machine can be addressed from outside the LAN?" The answer is YES! But that's exactly what you are proposing to do with your static NAT lines.

    And since you will be monitoring this from outside the local network (or you wouldn't need this scheme), I'll presume you don't care that you are making that local network much less secure. What the heck, screw 'em, right? At least you'll have the information you need.

    Yeah, this is a real 21st century security solution. Make it more dangerous for all users so that a central authority can monitor you for your own good. Boo, hiss.
     
    professorguy, Feb 13, 2008
    #3