Firewall Wizards mailing list archives

Re: Pix Inbound NAT


From: "Julian M. Dragut" <julianmd () gmail com>
Date: Mon, 12 Nov 2007 10:56:43 -0500

Sivakumar,


If you want to allow traffic coming to an interface, the ACL needs
to apply to the interface.
In your case, the out2in ACL is bound to the inside interface, and it
should be applied to the outside.

ACL's apply to the incoming traffic towards an interface. Think of PIX
as a box, and you inside it. Which interface will the traffic come
into the box through? (in your case through the outside interface)
Then you need to apply the ACL to that Interface.

In regards to the NAT with ACL, a correct command will be:

nat (inside) 0 access-list "name" - which translates to - for the
"inside" hosts declared in the access-list "name", please do not do
any NAT.

In your case, you need bidirectional NAT, and the command should be

nat (outside) 0 access-list out2in


----****-----

access-list out2in permit tcp 1.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-group out2in in interface outside
nat (outside) 0 access-list out2in


Julian M. Dragut

On Nov 12, 2007 4:57 AM, sivakumar <siva_itech () yahoo com> wrote:

Hi,

I just want to allow flows from Outside to Inside on Pix ver 6.3. I'm
totally confused since it doesn't allow me to perform the operation. Please
check the configs below and guide me if it's wrong.

 interface inside security level 100
 interface outside security level 60

access-list out2in permit tcp 1.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-group out2in in interface inside

nat(inside) 0 access-list out2in outside ----> is that outside required and
tell me why it is used?

And further should I need to apply this to my Outside interface or inside
interface. I want the addresses to be sent as such without Natting to my
internal network.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
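As an added example that is not part of this thread: a small Python model of the two rules Julian's reply relies on (an access-group filters only the traffic that enters the interface it is bound to, and "nat (IF) 0 access-list" exempts matching hosts behind that interface from translation), evaluated over the question's configuration beside the corrected one. The parser, the no-ACL default of "higher security level to lower passes" and the sample flow are simplifications and assumptions of mine, not PIX code.

```python
import ipaddress

# Constructed configs: the question's binding (ACL on "inside") beside the reply's fix.
ASKER_CFG = """
access-list out2in permit tcp 1.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-group out2in in interface inside
nat (inside) 0 access-list out2in
"""
FIXED_CFG = """
access-list out2in permit tcp 1.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-group out2in in interface outside
nat (outside) 0 access-list out2in
"""
LEVELS = {"inside": 100, "outside": 60}   # security levels given in the question

def parse(cfg):
    """Collect access-list entries, access-group bindings and 'nat (IF) 0 access-list' lines."""
    acls, bound, nat0 = {}, {}, {}
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "access-list":            # access-list NAME ACTION PROTO SRC MASK DST MASK
            name, action, proto, src, smask, dst, dmask = t[1:8]
            acls.setdefault(name, []).append((action, proto,
                ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif t[0] == "access-group":         # access-group NAME in interface IFACE
            bound[t[4]] = t[1]
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:   # identity NAT: no translation
            nat0[t[1].strip("()")] = t[4]
    return acls, bound, nat0

def acl_permits(entries, proto, src, dst):
    for action, p, snet, dnet in entries:    # first matching entry wins
        if p in (proto, "ip") and src in snet and dst in dnet:
            return action == "permit"
    return False                             # implicit deny at the end of every ACL

def evaluate(cfg, ingress, egress, proto, src, dst):
    """Return (permitted, nat_exempt) for a flow entering the PIX on `ingress`."""
    acls, bound, nat0 = parse(cfg)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress in bound:                     # an ACL only sees traffic entering ITS interface
        permitted = acl_permits(acls[bound[ingress]], proto, src, dst)
    else:                                    # no ACL bound: only higher -> lower security passes
        permitted = LEVELS[ingress] > LEVELS[egress]
    exempt = ingress in nat0 and acl_permits(acls[nat0[ingress]], proto, src, dst)
    return permitted, exempt

if __name__ == "__main__":
    flow = ("outside", "inside", "tcp", "1.2.3.4", "10.1.1.1")   # constructed inbound flow
    print("question's config:", evaluate(ASKER_CFG, *flow))      # (False, False): dropped
    print("reply's fix:      ", evaluate(FIXED_CFG, *flow))      # (True, True): passes untranslated
```

With the question's binding the same ACL also blocks the inside hosts going out, because it is then filtering traffic that enters on "inside" and none of it has a 1.0.0.0/8 source.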
