Yes of course. I have two independent networks.
On the other side I can't imagine that I can have two of the same IP
addresses connected to one PIX.
The PIX probably would not allow it.

So when I use different IP addresses, can any duplication during translation
occur?


Did you think of
access-list nonat_acl extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list nonat_acl
nat (dmz) 0 access-list nonat_acl ?

Because with nat (inside) 1 .... I would need to use a global statement.
Thanks.
Vladislav
On Mon, Mar 3, 2008 at 4:33 PM, Fetch, Brandon wrote:
> So my explanation required another presumption: that you're running
> different IP addresses between your DMZ & inside networks.
>
> If not, then you're stuck doing the respective static for the inside to
> DMZ or vice versa.
>
>
> -----Original Message-----
> From: firewall-wizards-bounces@listserv.icsalabs.com
> [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
> Vladislav Antolik
>
>
> Sent: Sunday, March 02, 2008 3:11 PM
> To: Firewall Wizards Security Mailing List
> Subject: Re: [fw-wiz] static nat and tcp limits
>
> Many thanks. Just one question. Is it true what I've written in my
> question? That there could be a problem with two of the same IP
> addresses - NATed and real.
>
> Vladislav
>
> On Sat, Mar 1, 2008 at 11:54 PM, Fetch, Brandon wrote:
> > Easiest way I've found to handle inside to DMZ traffic, with the
> > following presumption:
> > your security policy has no need for any of the "NAT inspections" the
> > firewall does when it performs NAT across interfaces.
> >
> > Easiest way to do this is to define a nonat group that includes your
> > inside & DMZ networks both directions.
> >
> > And in your case it would appear to be a simple nonat ACL of:
> > Permit ip 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0
> >
> > Then define your appropriate "nat (1)" statements for the appropriate
> > interfaces (inside & DMZ).
> >
> > This will make the firewall NOT perform NAT when either inside talks to
> > DMZ or DMZ talks to inside.
> >
> > The added side benefit of this is that it makes writing 'secure' (haha - I've
> > seen some BAD ones) ACLs that allow traffic from the DMZ into the
> > inside easier. Since there is no NAT happening you don't have to worry about
> > trying to figure out what inside address a DMZ system needs to be
> > configured to be allowed to reach.
> >
> > You're only dealing with RFC1918 addresses when creating/managing your
> > 'interior' ACLs, which to me means easier firewall management.
> >
> > HTH,
> > Brandon
> >
> >
> >
> > -----Original Message-----
> > From: firewall-wizards-bounces@listserv.icsalabs.com
> > [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
> > Vladislav Antolik
> > Sent: Friday, February 29, 2008 5:27 AM
> > To: firewall-wizards@listserv.icsalabs.com
> > Subject: [fw-wiz] static nat and tcp limits
> >
> > Hello,
> >
> > I'm using Cisco Pix 515E, 8.0(3).
> > I have two networks - inside and dmz. Inside has sec. level 100, dmz
> > 50. To communicate hosts from inside to dmz I made
> > static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 tcp 0 10.
> > I think that the PIX during NAT vindicates the NATed IP address on the destination
> > interface, so I had on these segments two devices with the same IP
> > address.
> > Is it true? What is the best solution: disable nat-control and then
> > disable the static record?
> > Many thanks,
> > Vladislav
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@listserv.icsalabs.com
> > https://listserv.icsalabs.com/mailma...rewall-wizards
> >
> >
> > This message is intended only for the person(s) to which it is addressed
> > and may contain privileged, confidential and/or insider information.
> > If you have received this communication in error, please notify us
> > immediately by replying to the message and deleting it from your computer.
> > Any disclosure, copying, distribution, or the taking of any action concerning
> > the contents of this message and any attachment(s) by anyone other
> > than the named recipient(s) is strictly prohibited.
> >
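The NAT exemption Brandon describes, written out as a complete PIX/ASA 7.x-8.0 configuration fragment. This is an added illustration, not configuration from the thread. The interface names inside and dmz and the 172.16.0.0/16 address space come from the thread; the inside and DMZ host addresses, the subnets 172.16.10.0/24 and 172.16.50.0/24, the outside interface and the DMZ-to-inside database rule are constructed for the example. The /16 masks in the nonat ACL match Vladislav's static; Brandon's 255.240.0.0 would widen the exemption to everything in 172.16.0.0/12.

```cisco
! Constructed example for a PIX 515E on 8.0(3): NAT exemption between
! inside (security 100) and dmz (security 50) in place of an identity static.
! Interface names are from the thread; subnets, hosts and the outside
! interface are assumptions made for this example.

! Real addresses on both sides. nat 0 access-list ("NAT exemption") is
! evaluated before any static or dynamic nat, and is bidirectional, so one
! ACL serves both directions; it must still be applied on each real interface.
access-list nonat_acl extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list nonat_acl
nat (dmz) 0 access-list nonat_acl

! Exemption covers only flows matching nonat_acl. If nat-control is enabled,
! any other flow leaving inside or dmz (e.g. to the Internet) still needs a
! nat/global pair; the outside interface here is an assumption.
nat (inside) 1 172.16.0.0 255.255.0.0
nat (dmz) 1 172.16.0.0 255.255.0.0
global (outside) 1 interface

! dmz -> inside (50 -> 100) is denied by security level until permitted.
! Because nothing is translated, the rule names the real inside address.
! Constructed: one DMZ web host may reach one inside database port.
access-list dmz_in extended permit tcp host 172.16.50.10 host 172.16.10.20 eq 1433
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz

! inside -> dmz (100 -> 50) is permitted by default; tighten it the same way
! with an ACL bound "in interface inside" if the policy requires it.
```

Once the exemption is in place, remove the identity `static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0` rather than leaving both: the exemption would win anyway, and the static is what produces the "same address on two segments" symptom, because the firewall proxy-ARPs on the mapped interface (dmz) for the whole mapped range, which here overlaps the DMZ hosts' own subnet. Exemption creates no proxy-ARP entries. The `tcp 0 10` clause on that static (no cap on established connections, 10 embryonic) is dropped with it; on 7.x/8.x the `nat 0 access-list` form also accepts the same `tcp max emb` limits, and the Modular Policy Framework `set connection` options are the other place to apply them, so check the command reference for your release before relying on either.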