PIX Nat

Status
Not open for further replies.

limejudo

Technical User
Aug 4, 2004
110
US
Can someone explain this for me? I've just started working on the pix and trying to learn more security.

static (inside,external) 10.128.25.9 10.128.25.9 netmask 255.255.255.255 0 0

This is the exact statement in the pix.
thx

Eric - A+, Net+, INet+ CCNA next week.
Network Admin/Helpdesk II
 
Basically that statement is a static NAT statement. NAT stands for Network Address Translation which, as its name suggests, 'hides' your internal network by translating those addresses with a public address (usually allocated by your ISP).

In that particular statement you've mentioned there, 10.128.25.9 must be that host's real address and basically the PIX is being told to translate that host's address to itself.

This may sound odd but you do need it as the PIX ALWAYS performs NAT. You can't stop it performing NAT so when you don't want to translate an internal address to something else, you simply translate it to its own address.

This concept can be a little confusing but I hope this makes some sense

 
Yes, it does. What is up with the (inside, external) statements mentioned above?
thx

Eric - A+, Net+, INet+ CCNA next week.
Network Admin/Helpdesk II
 
Basically when you config NAT, you have to define what your inside interface is (i.e. where your internal network is, the addresses you want to hide) and where your external interface is (i.e. outside your network (e.g. Internet) - where any hosts on this side of the PIX see the NAT'ed address only)
 
Cool. I have it now. So I could take a pvt address such as 172.30.1.2 (inside) and translate or change it to a public address such as 64.45.52.25.

Kisco, it doesn't seem hard once I think about it. Spend more time with it though.

I now have that privilege of working on the pix because the senior admin left.
Thx. bro.

Eric - A+, Net+, INet+ CCNA next week.
Network Admin/Helpdesk II
 
One more thing. I need to find my public address range, what is the command?

Eric - A+, Net+, INet+ CCNA next week.
Network Admin/Helpdesk II
 
Hmm chances are the outside interface of your PIX (if it is Internet-facing) will have a public address assigned to it as well as the subnet mask. This should give you an idea of what your public range is and how many you have available.

Other commands that may give you a clue include 'show global', 'show nat' or 'show static'.

I'm surprised the guy you're taking over from never passed this onto you .. to be honest.

I suppose, as a last resort, you can contact your ISP and ask what your public address allocation is.

It could be, of course, you have multiple allocations and only one of them is configured on the PIX. So speaking with your ISP is probably a good bet.
 
Well, one interface (inside) faces me and the external actually (outside) goes to our sister co. Don't ask me why it's like this but that's the way it's always been, from what I was told.

That outside address is a public ip address. The guy got offered an extremely good job and I would have left too. The company is laying everyone off by January anyway.


Eric - A+, Net+, INet+ CCNA next week.
Network Admin/Helpdesk II
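
Added example, not part of the thread and not Cisco code: a small Python audit that reads `static` lines from a saved PIX configuration and reports which are identity NAT (address translated to itself, as in the original question) and which map a real address to a different one. The names `parse_static`, `audit` and `SAMPLE_CONFIG` are hypothetical, and the sample configuration is constructed from the addresses mentioned in the thread.

```python
import ipaddress
import re

# PIX 6.x host/network form only (port-redirect and "interface" forms are skipped):
#   static (real_if,mapped_if) mapped_ip real_ip netmask mask [max_conns [emb_limit]]
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,\s]+)\s*,\s*(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)"
    r"(?:\s+\d+){0,2}\s*$"
)

# Constructed sample built from the addresses mentioned in the thread.
SAMPLE_CONFIG = """\
hostname pix-example
static (inside,external) 10.128.25.9 10.128.25.9 netmask 255.255.255.255 0 0
static (inside,external) 64.45.52.25 172.30.1.2 netmask 255.255.255.255 0 0
"""


def parse_static(line):
    """Return a dict describing one static entry, or None if not matched."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    try:
        mapped = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
        real = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False)
    except ValueError:
        return None
    return {
        "real_if": m["real_if"],
        "mapped_if": m["mapped_if"],
        "real": str(real),
        "mapped": str(mapped),
        # Identity NAT: the host appears on mapped_if under its own address.
        "identity": real == mapped,
        # A private (RFC 1918) mapped address is not routable on the Internet.
        "mapped_is_private": mapped.is_private,
    }


def audit(config_text):
    return [e for e in map(parse_static, config_text.splitlines()) if e]


if __name__ == "__main__":
    for entry in audit(SAMPLE_CONFIG):
        print(entry)
```

An identity entry is worth a second look during a review, because it means the inside host is addressable from the other interface under its real address.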
 