[...]
> >If you're using a PIX, then I'd do it the PIX way - NAT. It's a complete
> >pain to try and configure PIXen without NAT and the documentation
> >recommends against it.
> 
> I'll probably follow your advice based on your comments below.  I don't
> understand, however, why configuring the pix to not do NAT is such a scary
> thing.

I looked around for the tech tip I read a million years ago about this, and
eventually found it:
http://www.cisco.com/warp/public/110/28.html

It's not as bad as I remember, but it still shows that you need to nat0 with
care, otherwise proxy-arp mayhem may ensue. Colour me slightly guilty of
knee-jerk exaggeration. ;)

> Using nat0 with an access list seems simple enough to me.  Does this
> command not work correctly?  I've seen others on this list recommend
> against using nat0, but I've never understood why.  In my test environment
> nat0 seems to work easy/well enough.

The command works fine - it's a critical part of getting the IPSec VPN stuff
to work, for example. It's just not meant to be used to disable NAT
altogether. The PIX security paradigm is designed around the security levels
and NAT.

All in all, I guess it's just a 'gut feel' thing. If I weren't using NAT, I
probably wouldn't spec a PIX - most of what makes a PIX nicer than a well
configured IOS router is the better NAT and the nicer security model.

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
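The distinction the reply draws, as an added illustration that is not from the thread: nat0 scoped by an access list exempts only the VPN traffic, while the rest of the inside network still goes through the normal NAT pool. Addresses, interface names and the ACL name are assumed for the example; lines starting with ! are explanatory.

```cisco
! Inside LAN 10.1.1.0/24 talks to a remote VPN site 192.168.2.0/24.
! Only traffic between those two networks is exempted from NAT;
! the ACL is deliberately narrow - "permit ip any any" here would
! amount to switching NAT off for the whole interface.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Everything else from the inside network is still translated
! to the outside interface address, keeping the usual PIX model
! of security levels plus NAT for Internet-bound traffic.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
```

The check to make when reviewing such a config is that every nat 0 statement references an ACL that names specific endpoints, and that no nat 0 line covers 0.0.0.0 0.0.0.0.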