Firewall Wizards mailing list archives

RE: PIX and NAT


From: "Benjamin P. Grubin" <bgrubin () pobox com>
Date: Wed, 3 Apr 2002 10:39:22 -0500

Use static to map the dmz's servers to the outside.  Use nat to map the
internal network to the outside.  Use static to map the dmz servers to
the inside.

'nat' is for high sec -> low sec.  'static' is for low sec -> high sec.

Using the firewall as a simple router to your dmz subverts the whole
purpose of the dmz.

Cheers,
Ben

-----Original Message-----
From: firewall-wizards-admin () nfr com 
[mailto:firewall-wizards-admin () nfr com] On Behalf Of Joe Keegan
Sent: Tuesday, April 02, 2002 1:54 PM
To: Firewall Wizards Mailing List
Subject: [fw-wiz] PIX and NAT


I am a CheckPoint guy who is trying to learn about Cisco PIX firewalls.
I have had some experience with Cisco IOS and I have found it easy to
use and intuitive, everything I have read has made sense. I am now
finding that PIX does not follow this trend.

I am confused about how to configure a PIX to use NAT on some
interfaces, but not on others. Here is the situation, I have a PIX with
four Ethernet interfaces.

E0 - outside, security0
E1 - inside, security100
E2 - dmz1, security20
E3 - dmz2, security95

Now I want the inside, dmz1 & dmz2 (each with RFC1918 IP's) networks to
each use their own PATs when they send traffic destined for the outside,
which is no problem (each get their own NAT and global numbers).

But I do not want inside, dmz1 & dmz2 to perform NAT (or PAT) between
each other.

I am confused on how to accomplish this, any help or pointing me in the
right direction would be greatly appreciated.

Thanks

Joe

*******************************************************************
Joe Keegan                                             joe () jjk3 com
Security Engineer
SANS GCFW, CCSE, SCSA
Phone: 408-242-4588
*******************************************************************

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
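
An added configuration sketch, not from either poster, showing how the nat/static split described in the reply could look for the four interfaces in the question. It assumes PIX 6.x-era command syntax; every address is constructed (10.x.0.0/24 per interface, 192.0.2.x from the documentation range as the public side).

```cisco
: Added example. Interface names and security levels are from the
: question; all IP addresses below are constructed placeholders.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security20
nameif ethernet3 dmz2 security95

: High sec -> low sec toward the outside: one nat/global pair per
: network, so each network is PATed behind its own public address.
nat (inside) 1 10.1.0.0 255.255.255.0
nat (dmz1) 2 10.2.0.0 255.255.255.0
nat (dmz2) 3 10.3.0.0 255.255.255.0
global (outside) 1 192.0.2.1 netmask 255.255.255.255
global (outside) 2 192.0.2.2 netmask 255.255.255.255
global (outside) 3 192.0.2.3 netmask 255.255.255.255

: Published DMZ server: static (real_if,mapped_if) mapped_ip real_ip.
static (dmz1,outside) 192.0.2.10 10.2.0.10 netmask 255.255.255.255

: No address change between the internal networks: identity statics,
: where the mapped and real networks are the same. The higher-security
: interface is always listed first.
static (inside,dmz2) 10.1.0.0 10.1.0.0 netmask 255.255.255.0
static (inside,dmz1) 10.1.0.0 10.1.0.0 netmask 255.255.255.0
static (dmz2,dmz1) 10.3.0.0 10.3.0.0 netmask 255.255.255.0

: The statics only define translation. Connections initiated from a
: lower-security interface are still dropped until an access-list is
: written for the specific hosts and ports and bound to that interface
: with access-group.
```

Because the identity statics expose the real inside and dmz2 addresses to dmz1, the access lists on the lower-security interfaces are what keep the DMZ separation the reply insists on.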




