Config looks correct. Check with your next-hop router outside of the firewall to ensure that routes for your inside network are available.
>From: "Brian Whalen"
>Reply-To: "Brian Whalen"
>To: [EMAIL PROTECTED]
>Subject: Re: how to disable NAT in PIX firewall (both insid [7:29405]
>Date: Tue, 18 Dec 2001 11:57:04 -0500
>
>Though I am not a PIX pro, if you don't want NAT, are you sure you got the
>right product for your needs??
>
>Brian "Sonic" Whalen
>Success = Preparation + Opportunity
>
>
>On Mon, 17 Dec 2001, David Tran wrote:
>
> > > > Hi Everyone,
> > > >
> > > > I am having a problem setting up a network in this scenario
> > > > with my PIX515-UR firewall running version 6.1(1) with PDM
> > > > version 1.1(2).
> > > >
> > > > I have a network with REGISTERED IP addresses. The
> > > > "inside" interface of the PIX is on the 129.174.1.0/24
> > > > network with IP address of 129.174.1.254. The "outside"
> > > > interface of the PIX is on the 66.61.46.0/24 network with
> > > > IP address of 66.61.46.120. The "inside" interface has
> > > > a security level of 100 and the "outside" interface has
> > > > a security level of 0. On the "inside" internal network, I
> > > > have 10 workstations ranging from 129.174.1.1-10. These
> > > > workstations have the default gateway pointing to the
> > > > "inside" interface of the PIX.
> > > >
> > > > I understand that for machines from the "inside"
> > > > network to access the Internet, the commands "nat"
> > > > and "global" must be used. However, since all of my
> > > > machines have valid (aka registered) IP addresses, I
> > > > want to disable NAT completely. For example,
> > > > I want machine 129.174.1.1 to be able to browse and
> > > > ping any machines on the Internet. At the same time,
> > > > I don't want users from the Internet to be able to access
> > > > any of the workstations on the "inside" interface. I have
> > > > been searching for documentation on the Cisco website,
> > > > but it seems like most of the examples have to do with NAT
> > > > enabled. There are a few examples that will disable NAT,
> > > > but they are related to VPN, which is something I don't want.
> > > > Furthermore, most of the examples are filled with errors and
> > > > pretty worthless (for PIX anyway). If anyone has done
> > > > this before, let me know. I also include a copy of the config.
> > > >
> > > > Thanks.
> > > >
> > > > David
> > > >
> > > > PIX Version 6.1(1)
> > > > nameif ethernet0 outside security0
> > > > nameif ethernet1 inside security100
> > > > nameif ethernet2 dmz security50
> > > > enable password sdfkjfdjjdfjksdf encrypted
> > > > passwd sdfjksdfkjsdfjksjf encrypted
> > > > hostname ciscopix
> > > > fixup protocol ftp 21
> > > > fixup protocol http 80
> > > > fixup protocol h323 1720
> > > > fixup protocol rsh 514
> > > > fixup protocol rtsp 554
> > > > fixup protocol smtp 25
> > > > fixup protocol sqlnet 1521
> > > > fixup protocol sip 5060
> > > > fixup protocol skinny 2000
> > > > names
> > > > access-list no-nat-list permit ip any any
> > > > access-list no-nat-list permit icmp any any
> > > > pager lines 24
> > > > interface ethernet0 auto
> > > > interface ethernet1 auto
> > > > interface ethernet2 auto
> > > > mtu outside 1500
> > > > mtu inside 1500
> > > > mtu dmz 1500
> > > > ip address outside 66.61.46.120 255.255.255.0
> > > > ip address inside 129.174.1.254 255.255.255.0
> > > > ip address dmz 127.0.0.1 255.255.255.255
> > > > ip audit info action alarm
> > > > ip audit attack action alarm
> > > > no failover
> > > > failover timeout 0:00:00
> > > > failover poll 15
> > > > failover ip address outside 0.0.0.0
> > > > failover ip address inside 0.0.0.0
> > > > failover ip address dmz 0.0.0.0
> > > > pdm history enable
> > > > arp timeout 14400
> > > > nat (inside) 0 129.174.1.0 255.255.255.0
> > > > static (inside, outside) 129.174.1.0 129.174.1.0
> > > > conduit permit ip any any
> > > > conduit permit icmp any any
> > > > route outside 0.0.0.0 0.0.0.0 66.61.46.254 1
> > > > timeout xlate 3:00:00
> > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > > timeout uauth 0:05:00 absolute
> > > > aaa-server TACACS+ protocol tacacs+
> > > > aaa-server RADIUS protocol radius
> > > > no snmp-server location
> > > > no snmp-server contact
> > > > snmp-server community public
> > > > no snmp-server enable traps
> > > > floodguard enable
> > > > no sysopt route dnat
> > > > telnet timeout 5
> > > > ssh timeout 5
> > > > terminal width 80

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29502&t=29405
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
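As an added example (not part of the thread, and not Cisco tooling), a small Python check over an excerpt of the config David posted: it confirms the two lines that exempt 129.174.1.0/24 from translation (nat 0 and the identity static), and it flags the "conduit permit ... any any" lines, which let connections from the outside interface in to every inside host and so conflict with the requirement that Internet users not reach the workstations. The config excerpt is constructed from the posted lines; audit_pix, report and INSIDE_NET are names I chose.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.1(1) config posted in the thread (not the full config).
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nat (inside) 0 129.174.1.0 255.255.255.0
static (inside, outside) 129.174.1.0 129.174.1.0
conduit permit ip any any
conduit permit icmp any any
"""

INSIDE_NET = ipaddress.ip_network("129.174.1.0/24")  # inside network from the post


def audit_pix(config, inside_net):
    """Check whether inside_net bypasses NAT and what the conduits let in from outside."""
    findings = {"identity_nat": False, "inbound_any": []}
    for raw in config.splitlines():
        line = raw.strip()
        # 'nat (inside) 0 <net> <mask>' exempts that network from translation
        m = re.match(r"nat \(inside\) 0 (\S+) (\S+)$", line)
        if m and ipaddress.ip_network(f"{m[1]}/{m[2]}") == inside_net:
            findings["identity_nat"] = True
        # 'static (inside,outside) X X' maps an address to itself (identity translation)
        m = re.match(r"static \(inside,\s*outside\) (\S+) (\S+)", line)
        if m and m[1] == m[2]:
            findings["identity_nat"] = True
        # 'conduit permit <proto> <global> <foreign>' lets the lower-security (outside)
        # side open connections inward; 'any any' means every source to every inside host
        m = re.match(r"conduit permit \S+ (.+)$", line)
        if m and m[1].strip() == "any any":
            findings["inbound_any"].append(line)
    return findings


def report(findings):
    """Turn findings into lines a reviewer could paste back into the thread."""
    lines = ["inside network bypasses NAT: " + ("yes" if findings["identity_nat"] else "NO")]
    for conduit in findings["inbound_any"]:
        lines.append("outside can reach every inside host because of: " + conduit)
    if not findings["inbound_any"]:
        lines.append("no any/any conduit found; inbound access is limited to explicit conduits")
    return lines


if __name__ == "__main__":
    for line in report(audit_pix(PIX_CONFIG, INSIDE_NET)):
        print(line)
```

Replacing the any/any conduits with ones that permit only the ICMP reply types the inside hosts need for ping keeps outbound browsing and ping working without exposing the workstations.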

