> global (dmz) 1 10.10.10.1 netmask 255.255.255.255
> nat (inside) 1 192.168.0.0 255.255.255.0 0 0
>
> Am I correct to understand that only the specified traffic from the Inside interface, 192.168.0.X, will be NATed to the address 10.10.10.1 when it enters the DMZ? This is also to say that traffic from any other subnet, 192.168.1.X, or even from the Outside interface, won't be NATed.
You are right. As the docs state, this nat rule will only match IPs from the specified network on the inside interface. You may (maybe later PIX versions only) use ACL ids in the nat statement (6.1 allows this). Note that Cisco uses security levels on the different interfaces. Therefore NAT'ing between interfaces depends on the security level:

from higher -> lower => nat
from lower -> higher => static

(look at the command reference for static and nat)

> While I'm at it... Which is more recommended to use, Conduits or ACLs with PIX version 5.0(3)? And, can you use conduits to allow DMZ traffic to enter the Inside interface (such as a web server connecting to an internal database)?

In an earlier discussion here on this list, it was often stated to use ACLs rather than conduits (on a PIX 6.x I haven't used any conduit). AFAIK conduit could only be used for inbound connections; for outbound you must use ACLs (please correct me if I'm wrong). For your DMZ hosts connecting to internal, look up static in addition to the access method. You may use a different global IP to connect to; the PIX will translate it to the internal (local) IP, which is useful when mapping public IPs to non-routables.

Good Luck
Boris
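An added configuration example (not from this thread and not Boris's or the questioner's config) that puts both answers side by side: the nat/global pair for the higher-to-lower direction, and a static plus access-list/access-group pair for the lower-to-higher direction. PIX 6.x syntax is assumed, the interface names, security levels, host addresses and the database port are constructed placeholders, and the lines starting with `!` are annotations rather than PIX commands.

```cisco
! Added example, not from the thread. PIX 6.x syntax and placeholder addresses assumed.
! Security levels decide the direction: inside (100) -> dmz (50) is higher -> lower.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Higher -> lower (inside -> dmz): nat id 1 matches only 192.168.0.0/24 arriving on
! inside; global id 1 supplies the translated address used when leaving via dmz.
! 192.168.1.0/24 matches no nat entry and is not translated by this rule.
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
global (dmz) 1 10.10.10.1 netmask 255.255.255.255

! Lower -> higher (dmz -> inside): a DMZ web server (10.10.10.20, placeholder) reaching
! an internal database (192.168.0.50, placeholder). The static presents the internal
! host to the dmz as 10.10.10.50; the access-list then permits only the database
! port from that one web server, and access-group binds the list inbound on dmz.
static (inside,dmz) 10.10.10.50 192.168.0.50 netmask 255.255.255.255 0 0
access-list dmz_in permit tcp host 10.10.10.20 host 10.10.10.50 eq 1433
access-group dmz_in in interface dmz
```

The static is what makes the higher-security host reachable from the lower-security side at all; the access-list is what limits that reachability to one source, one destination and one port, so a compromised web server cannot use the static to reach anything else on inside. Check the result with `show xlate` and `show access-list` after applying it.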
