DIDIER

Apr 7, 2004
Archived from groups: comp.security.firewalls

Hi,
One of my customers just bought a PIX501.
He has a couple of web servers and a range of 60 internet IPs already
assigned to those servers.
He wants to put that little box as a front end firewall and protect his
servers without changing the IPs to a private range for instance.
And thus here is my question: how can I do that without NAT/PAT?

Thx for your replies.
Didier





---

Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.659 / Virus Database: 423 - Release Date: 4/15/2004
 
Guest

Didier wrote:

> Hi,
> One of my customers just bought a PIX501.
> He has a couple of web servers and a range of 60 internet IPs already
> assigned to those servers.
> He wants to put that little box as a front end firewall and protect his
> servers without changing the IPs to a private range for instance.
> And thus here is my question: how can I do that without NAT/PAT?
>
> Thx for your replies.
> Didier

Really need to explain network better, possibly post relevant portions
of your PIX config (munging IPs) to see how network is set up.


Chad
 

DIDIER


Hi Chad,

It's quite simple...
How do I configure a PIX501 in the case you're not using NAT/PAT, when
you're not hiding your private IPs because actually they are not private
IPs but registered ones.

Thx for your help.

Rgds,
Didier

"Chad Mahoney" <spamme@mah0ney.com> wrote in message
news:107vfm2t90gov3d@news.supernews.com...
> Didier wrote:
>
> > Hi,
> > One of my customers just bought a PIX501.
> > He has a couple of web servers and a range of 60 internet IPs already
> > assigned to those servers.
> > He wants to put that little box as a front end firewall and protect his
> > servers without changing the IPs to a private range for instance.
> > And thus here is my question: how can I do that without NAT/PAT?
> >
> > Thx for your replies.
> > Didier
>
> Really need to explain network better, possibly post relevant portions
> of your PIX config (munging IPs) to see how network is set up.
>
>
> Chad


 
Guest

Didier wrote:

> Hi Chad,
>
> It's quite simple...

if you use the right hardware.

> How do I configure a PIX501 in the case you're not using NAT/PAT, when
> you're not hiding your private IPs because actually they are not private
> IPs but registered ones.

You don't. Instead you buy a bigger one and simply forget about using a 501
in that environment.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel
 
Guest

The 501 is fine for this purpose, it runs the same software as all the other
PIX models, and therefore has EXACTLY the same features. If your Internet
connection is 2Mb or under it will run fine.

To turn off NAT use the command

nat (inside) 0 access-list No-Nat

access-list No-Nat permit ip host a.b.c.d any

where a.b.c.d is the IP address of the host whose address you don't want to
translate, or make the access-list match the range of addresses. Make sure
you issue a 'clear xlate' command after entering these, or reboot, to clear
the translation table.

Regards,

Reg

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:c5pp5j$ujv$1@news.shlink.de...
> Didier wrote:
>
> > Hi Chad,
> >
> > It's quite simple...
>
> if you use the right hardware.
>
> > How do I configure a PIX501 in the case you're not using NAT/PAT, when
> > you're not hiding your private IPs because actually they are not private
> > IPs but registered ones.
>
> You don't. Instead you buy a bigger one and simply forget about using a 501
> in that environment.
>
> Wolfgang
> --
> A foreign body and a foreign mind
> never welcome in the land of the blind.
> from 'Not one of us', (c) 1980 Peter Gabriel
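
Added example (not part of Reg's post and not Cisco's own sample): the range form of the NAT exemption described above in PIX 6.x syntax, together with the outside access list that decides which inbound connections reach the untranslated servers. All addresses are constructed documentation ranges, the ACL name outside_in is hypothetical, and the ISP is assumed to route the server block to the PIX outside address.

```cisco
: Constructed addressing (assumption, not from the thread):
:   server block  192.0.2.64/26   on the inside interface
:   ISP link      198.51.100.0/30 on the outside interface
: The PIX routes between the two subnets, so the ISP must send
: 192.0.2.64/26 to 198.51.100.2 for the servers to stay reachable.
ip address outside 198.51.100.2 255.255.255.252
ip address inside 192.0.2.65 255.255.255.192
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

: Exempt the whole registered range from translation instead of
: listing one host at a time.
access-list No-Nat permit ip 192.0.2.64 255.255.255.192 any
nat (inside) 0 access-list No-Nat

: Turning NAT off does not open the firewall. Traffic from outside
: to inside is still dropped unless an access list bound to the
: outside interface permits it, so publish only the web services.
access-list outside_in permit tcp any host 192.0.2.70 eq 80
access-list outside_in permit tcp any host 192.0.2.71 eq 443
access-group outside_in in interface outside

: Flush existing translations so the exemption takes effect.
clear xlate
```

Anything not matched by outside_in is denied by the implicit deny at the end of the list, which is what protects the remaining addresses in the block.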
 

DIDIER


Thx Reg, I've also found some examples at Cisco web site.

Rgds,
Didier

"BlankReg" <me@here.now> wrote in message
news:c5r399$4el$1@news.freedom2surf.net...
> The 501 is fine for this purpose, it runs the same software as all the other
> PIX models, and therefore has EXACTLY the same features. If your Internet
> connection is 2Mb or under it will run fine.
>
> To turn off NAT use the command
>
> nat (inside) 0 access-list No-Nat
>
> access-list No-Nat permit ip host a.b.c.d any
>
> where a.b.c.d is the IP address of the host whose address you don't want to
> translate, or make the access-list match the range of addresses. Make sure
> you issue a 'clear xlate' command after entering these, or reboot, to clear
> the translation table.
>
> Regards,
>
> Reg
>
> "Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
> news:c5pp5j$ujv$1@news.shlink.de...
> > Didier wrote:
> >
> > > Hi Chad,
> > >
> > > It's quite simple...
> >
> > if you use the right hardware.
> >
> > > How do I configure a PIX501 in the case you're not using NAT/PAT, when
> > > you're not hiding your private IPs because actually they are not private
> > > IPs but registered ones.
> >
> > You don't. Instead you buy a bigger one and simply forget about using a 501
> > in that environment.
> >
> > Wolfgang
> > --
> > A foreign body and a foreign mind
> > never welcome in the land of the blind.
> > from 'Not one of us', (c) 1980 Peter Gabriel
>
>

