Ian,
Not true. You can disable NAT'ing of any internal networks:
nat (inside) 0 0.0.0.0 0.0.0.0
would turn off ALL NAT'ing on the inside interface.
nat (inside) 0 192.168.1.0 255.255.255.0
would turn off NAT'ing of only machines in the 192.168.1.0/24
network on the inside interface:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#23406
Note that Adaptive Security remains in effect when using the "nat 0"
command.
Cheers,
A Routerman wrote:
>
> It is my understanding that NAT is the basis for the PIX firewall and as such can't be "disabled". (This includes its cousin PAT - port address translation - and static NATs.)
>
> Here is a portion of the config for configuring failover:
>
> ip address outside x.x.x.1 255.255.255.0
> ip address inside y.y.y.1 255.255.255.0
> ip address crosslink z.z.z.1 255.255.255.0
> ip address backchannel w.w.w.1 255.255.255.0
>
> failover
> failover timeout 0:00:00
> failover ip address outside x.x.x.2
> failover ip address inside y.y.y.2
> failover ip address dmz-web z.z.z.2
> failover ip address dmz-auth w.w.w.2
> failover link inside
>
> Thanks,
>
> Ian
>
> -----Original Message-----
> From: Vinod Anthony Joseph Cherunni vac@dsqworld.com
> Sent: Fri, 20 Apr 2001 18:23:49 +0530
> To: routerman@visto.com
> CC: cisco-nsp@puck.nether.net
> Subject: Re: [nsp] REG: PIX Failover Bundle.
>
> Hi,
>
> Thanks a lot for the advice. Just a couple of queries in mind.
>
> In a config as below -
>
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz-web security60
> nameif ethernet3 dmz-auth security3
>
> Assuming I am not using NAT on any interfaces, & need to disable it, how
> would I achieve the same on all my PIX interfaces?
>
> Secondly it would be great if you could send me a sample config for the
> PIX failover part.
>
> With kind regards,
> Vinod.
>
--
David Jirku, CCIE #5287
Systems Engineer, Cisco Systems
Bay Wellington Tower, BCE Place
181 Bay Street, Suite 3400, P.O. Box 802
Toronto, Ontario M5J 2T3
P: 416-306-7719  F: 416-306-7099  Pager: 1-800-68-CISCO
E: djirku@cisco.com
"Empowering the Internet Generation"

From: "Vinod Anthony Joseph Cherunni" <vac@dsqworld.com>
To: cisco-nsp@puck.nether.net
Cc: routerman@visto.com, persiko@bvsd.k12.co.us, djirku@cisco.com
Received-Date: Sat, 21 Apr 2001 03:29:46 -0400
Message-ID: <OFEFCD04F1.49D8FD88-ON65256A35.00206DAF@maa.antarix.net>

Dear All,

Thank you everybody for all the valuable advice. As mentioned [...] by Mr. Ian as below -

ip address outside x.x.x.1 255.255.255.0
ip address inside y.y.y.1 255.255.255.0
ip address crosslink z.z.z.1 255.255.255.0
ip address backchannel w.w.w.1 255.255.255.0

failover
failover timeout 0:00:00
failover ip address outside x.x.x.2
failover ip address inside y.y.y.2
failover ip address dmz-web z.z.z.2
failover ip address dmz-auth w.w.w.2
failover link inside

Can't the IP address of the interfaces belonging to a particular [...] be the same for the primary & secondary (failover)? Because otherwise hosts [...] (example inside LAN) would be using the default gateway as the address of the active PIX interface, & if that's down, then how would all the systems forward to the IP of the failover PIX? [...] addresses on each system becomes a little complex.

Note that Adaptive Security remains in effect when using the "nat 0" command.

Can this be explained to me pls. I am a little unclear about it.

Kindly provide your valuable suggestions.

With kind regards,
Vinod.

From: "David Sinn" <dsinn@microsoft.com>
To: cisco-nsp@puck.nether.net
Subject: RE: [nsp] a question CRC error and resent
Date: Thu, 19 Apr 2001 11:26:05 -0700
Received-Date: Sat, 21 Apr 2001 03:43:34 -0400

The only [...] case of half-duplex Ethernet link when a collision occurs. This [...] on the Ethernet network, not just routers.

David

-----Original Message-----
From: Tatsuya Kawasaki [mailto:tatsuya@kivex.com]
Sent: Thursday, April 19, 2001 3:52 AM
To: David Sinn
Subject: RE: [nsp] a question CRC error and resent

dave,

I believe you are correct on UDP pa[...].
if CRC occur btwn routers.
Someone have any comment on this???

Tats[...]

Tatsuya Kawasaki
Allegiance Telecom
Unlock the Power of the Internet
http://www.kivex.com
Phone 301.215.6777 Fax 301.215.5991
Affiliation given for identification not representation
/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

On Wed, 18 Apr 2001, David Sinn wrote:

> If you are seeing CRC's then the router wil[...]
>
> If UDP was lost, then it is lost forever and it is up to the application
> how to deal with th[...]. If [...] transmitted the packet to retransmit
> the packet based on acknowledgment responses from the receiving end. The
> routers will never retransmit transit packets (that is packets that were
> not locally generated by the router). It will only ever retransmit if it
> is one of [...]
>
> David
>
> -----Original Message-----
> From: Tatsuya Kawasaki [mailto:tatsuya@kivex.com]
> Sent: Wednesday, April 18, 2001 12:06 PM
> To: cisco-nsp@puck.nether.net
> Subject: [nsp] a question CRC error and resent
>
> Hi you all,
>
> I have a simple question for you.
> connected to serial to serial via T1.
> If you ar[...]
> another.
> if you see CRC on the one site, does TCP request resent
> request? [...]
> Does cisco has a way to checking such request?
>
> the second thing is who "sh[...]"
> I thought ONLY the router in the other end is the one should respond
> assuming there is no [...] btwn.
>
> TIA,
>
> Tatsuya
>
> /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> Tatsuya Kawasaki
> Allegiance Telecom
> Unlock the Power of the Internet
> http://www.kivex.com
> Phone 301.215.6777 Fax 301.215.5991
> Affiliation given for identification not representation
> /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
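The retransmission model David Sinn describes above (the far-end router counts a frame with a bad CRC as an error and drops it, never retransmitting transit traffic; lost UDP data is gone for good, while a TCP sender resends based on acknowledgments), as an added simulation that is not part of the original thread. The link, router and sender functions, and the pattern of which transmission attempts get corrupted, are constructed here for illustration and are not Cisco code.

```python
import zlib
from collections import deque

class Frame:
    """Link-layer frame: payload plus the FCS (CRC-32) the sender computed over it."""
    def __init__(self, payload: bytes):
        self.payload, self.fcs = payload, zlib.crc32(payload)

class SerialLink:
    """T1-style point-to-point link; transmission attempts listed in `corrupt` get a bit flipped."""
    def __init__(self, corrupt):
        self.corrupt, self.attempts = set(corrupt), 0

    def carry(self, frame):
        idx, self.attempts = self.attempts, self.attempts + 1
        if idx not in self.corrupt:
            return frame
        damaged = Frame(bytes([frame.payload[0] ^ 0x01]) + frame.payload[1:])
        damaged.fcs = frame.fcs  # FCS predates the damage, so it no longer matches
        return damaged

class Router:
    """Far-end router: verifies the FCS, counts CRC errors, drops bad frames, never retransmits transit packets."""
    def __init__(self):
        self.crc_errors, self.received = 0, []

    def receive(self, frame):
        if zlib.crc32(frame.payload) != frame.fcs:
            self.crc_errors += 1  # visible as a CRC error on the interface counters
            return False  # dropped silently; nothing goes back to the sender
        self.received.append(frame.payload)
        return True

def send_udp(link, router, datagrams):
    """UDP: fire and forget; a datagram lost to a CRC error is lost forever."""
    for d in datagrams:
        router.receive(link.carry(Frame(d)))
    return list(router.received)

def send_tcp(link, router, segments, max_rounds=10):
    """TCP: the sending host resends anything not acknowledged, until it gets through."""
    unacked, retransmissions = deque(segments), 0
    for _ in range(max_rounds):
        for _ in range(len(unacked)):
            seg = unacked.popleft()
            if not router.receive(link.carry(Frame(seg))):
                unacked.append(seg)  # no ACK will arrive: the end host, not the router, resends
                retransmissions += 1
    return list(router.received), retransmissions
```

With the constructed corruption pattern, the UDP run delivers only the undamaged datagrams and the router's CRC counter shows the loss, while the TCP run delivers every segment after the sender's own retransmissions.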
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:35 EDT