RE: pix, nat, and OWA [7:19152]

From: Menga, Justin (Justin.Menga@xxxxxxxxxx)
Date: Mon Sep 10 2001 - 23:41:33 GMT-3


Just use the nat 0 command - configure your ACL for each traffic flow you
DON'T want to NAT

E.g.

Inside host = 192.168.1.10, DMZ host = 192.168.2.10

! This disables NAT for any connections INITIATED from inside host 192.168.1.10
! to DMZ host 192.168.2.10 (define the ACL first, then point nat 0 at it)
access-list NO_NAT_INSIDE permit ip host 192.168.1.10 host 192.168.2.10
nat (inside) 0 access-list NO_NAT_INSIDE

! This disables NAT for any connections INITIATED from DMZ host 192.168.2.10
! to inside host 192.168.1.10
access-list NO_NAT_DMZ permit ip host 192.168.2.10 host 192.168.1.10
nat (dmz) 0 access-list NO_NAT_DMZ

Regards

Justin Menga CCIE #6640
Network Solutions Architect
Wireless & E-Infrastructure
Compaq Computer New Zealand
DDI: +64-9-918-9381 Mobile: +64-21-349-599
mailto: justin.menga@compaq.com
web: http://www.compaq.co.nz

-----Original Message-----
From: Bill Carter [mailto:bcarter@family-net.net]
Sent: Tuesday, 11 September 2001 2:54 a.m.
To: ccielab@groupstudy.com; Gordon White
Subject: RE: pix, nat, and OWA [7:19152]

You could address the DMZ servers with public IP addresses. Then one static
command tells the PIX not to translate the DMZ addresses:

! PAT the inside network to a single public address when it goes outside
global (outside) 1 y.y.y.100 netmask 255.255.255.128
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

! Identity static: the public x.x.x.0/24 on the DMZ appears on the outside
! with the same addresses, i.e. it is not translated
static (DMZ,outside) x.x.x.0 x.x.x.0 netmask 255.255.255.0

Read this link for building the access-list controlling traffic between the
DMZ and the Inside.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/msexchng.htm

^-^-^-^-^-^-^-^-^-^-^
Bill Carter
CCIE 5022
^-^-^-^-^-^-^-^-^-^-^

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Gordon White
Sent: Saturday, September 08, 2001 10:41 PM
To: cisco@groupstudy.com
Subject: pix, nat, and OWA [7:19152]

Our PIX is running NAT, and I want to put an Outlook Web Access server on a
DMZ interface. However, all the NetBIOS communication to the domain
controllers and Exchange servers seems like it is going to require a whole
lot of statics/conduits and a serious lmhosts file.

Bottom line: is there a way to enable NAT just for inside addresses going
outside? It seems that NAT is an all-or-nothing setup. I'd like to run
NAT just on the Internet interface.

thanks,
gordon
**Please read:http://www.groupstudy.com/list/posting.html
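Worked example (added for this archive page; it is not configuration posted by
any of the participants). The PIX 6.x fragment below puts Justin's nat 0
exemption together with the usual global/nat/static pieces for the scenario
Gordon describes: inside hosts are PATed when they go to the Internet, traffic
between inside and the DMZ is left untranslated, and the OWA server is
published on the outside with only HTTPS allowed in. The interface names, the
203.0.113.0/24 public range, the host addresses and the port list are
assumptions for illustration.

```text
! Added example, not from the thread. Addresses, names and ports are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0

! 1. Inside hosts are PATed to one public address when they go to the Internet.
global (outside) 1 203.0.113.10 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

! 2. nat 0 with an ACL is checked before any other translation, so flows that
!    match keep their real addresses. One statement on the inside interface
!    covers connections started from either side of the inside <-> dmz pair.
access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! 3. Publish the OWA server (assumed 192.168.2.10) on a public address and let
!    only HTTPS reach it from the Internet.
static (dmz,outside) 203.0.113.20 192.168.2.10 netmask 255.255.255.255 0 0
access-list OUTSIDE_IN permit tcp any host 203.0.113.20 eq 443
access-group OUTSIDE_IN in interface outside

! 4. dmz is lower security than inside, so connections the OWA server opens to
!    the Exchange server / domain controller (assumed 192.168.1.10) still need
!    an explicit permit. The ports are an illustrative starting set for RPC
!    and SMB/NetBIOS; tighten them to what the servers actually use.
access-list DMZ_IN permit tcp host 192.168.2.10 host 192.168.1.10 eq 135
access-list DMZ_IN permit tcp host 192.168.2.10 host 192.168.1.10 eq 139
access-list DMZ_IN permit tcp host 192.168.2.10 host 192.168.1.10 eq 445
access-list DMZ_IN permit udp host 192.168.2.10 host 192.168.1.10 eq 137
access-list DMZ_IN permit udp host 192.168.2.10 host 192.168.1.10 eq 138
access-group DMZ_IN in interface dmz
```

Two things to check after pasting something like this into a lab PIX: "show xlate"
should show no entries for inside <-> dmz connections while inside -> Internet
connections do get a 203.0.113.10 xlate, and the DMZ_IN list is the only thing
letting the OWA box start connections toward inside, so anything it needs that is
not listed there will fail even though the addresses are not translated. Bill's
alternative keeps the same shape with the DMZ numbered from public space and an
identity static in place of the nat 0 line.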



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:16 GMT-3