explain about Nat 0

Unanswered Question
Mar 5th, 2007

I don't clearly understand nat 0. For example:

If I configure one interface, OPERATION (address with nameif 60), and I configure nat 0 for the address:

1) Can traffic from that address go to a higher security level through interface OPERATION?

2) When traffic from that address goes to the Internet, does it not need to be translated?

If possible, could you explain nat 0 in more detail?

Thank you very much

ROBERTO TACCON Mon, 03/05/2007 - 21:17

Which OS version do you use?


The nat 0 command means: let those IP addresses in the network appear on the outside without translation.

All other hosts are translated depending on how their nat or static command statements appear in the configuration.


The default configuration of PIX 7.0 specifies the 'no nat-control' command.

With nat-control disabled, the PIX forwards packets from a higher-security interface to a lower one without a specific translation entry in the configuration.

In order to pass traffic from a lower-security interface to a higher one, use access lists to permit the traffic. The PIX then forwards the traffic.

The 'nat-control' command ensures that the translation behavior is the same as in PIX Firewall versions earlier than 7.0.

The nat-control command on the PIX specifies that all traffic through the firewall must have a specific translation entry (a nat statement with a matching global, or a static statement) for that traffic to pass through the firewall.

To verify nat-control:

# sh run nat-control




suschoud Tue, 03/06/2007 - 06:00

If nat-control is enabled, you must configure a NAT rule before an inside host can communicate with any outside networks. The no nat-control command allows inside hosts to communicate with outside networks without configuring a NAT rule. Only hosts that undergo NAT need to have a NAT rule configured.

Two NAT policies are used to perform address translation on each packet that traverses the security appliance, an inside NAT policy and an outside NAT policy. If the nat-control command is enabled, each inside address must have an inside NAT rule before communication is permitted through the security appliance. Additionally, if outside dynamic NAT is enabled on an interface, each outside address must have an outside NAT rule before communication is permitted through the security appliance.

If the no nat-control command is configured and no NAT policy matches, an address rewrite is not performed and processing continues. The default is NAT control disabled (no nat-control command).

Note: To ensure backward compatibility, the nat-control command is automatically enabled if the startup configuration is from version 6 or lower.

Identity NAT (nat 0 command): When you configure identity NAT (which is similar to dynamic NAT), you do not limit translation for a host on specific interfaces; you must use identity NAT for connections through all interfaces. Therefore, you cannot choose to perform normal translation on real addresses when you access interface A, but use identity NAT when accessing interface B. Regular dynamic NAT, on the other hand, lets you specify a particular interface on which to translate the addresses. Make sure that the real addresses for which you use identity NAT are routable on all networks that are available according to your access lists.

The difference between the no nat-control command and the nat 0 (identity NAT) command is that identity NAT requires that traffic be initiated from the local host. The no nat-control command does not have this requirement, nor does it require a static command to allow communication to inside hosts.

Disabling NAT control is similar to the same security level communication feature, which allows communication between two interfaces of the same security level without configuring a NAT rule, except that the NAT control feature is between hosts instead of interfaces.

No new NAT functionality is provided with this feature. All existing NAT functionality remains the same.

The following table compares the results between nat-control and no nat-control:
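As an added worked example (not configuration posted by either reply, and not taken from Cisco documentation), the following PIX 7.x configuration puts both answers together: nat-control turned on, identity NAT (nat 0 <network>) for one inside subnet, a dynamic PAT rule for everything else, and NAT exemption (nat 0 access-list) shown as the alternative. Interface names, addresses and security levels are assumed for illustration; the OPERATION interface with security level 60 loosely follows the question.

```cisco
! Added example, not from the thread. Addresses, interface names and the
! security level 60 for OPERATION are assumptions for illustration.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet2
 nameif OPERATION
 security-level 60
 ip address 10.2.2.1 255.255.255.0
!
! Pre-7.0 behaviour: every host crossing the firewall needs a translation
! entry (nat + global, static, or nat 0). The 7.x default is "no nat-control".
nat-control
!
! Identity NAT: 10.1.1.0/24 keeps its real addresses on every other
! interface (outside AND OPERATION); nat 0 cannot be limited to one egress
! interface. Only connections initiated by these inside hosts are covered.
nat (inside) 0 10.1.1.0 255.255.255.0
!
! All other inside hosts are PAT'd to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Alternative to the identity NAT line above: NAT exemption via an ACL.
! It exempts only inside traffic destined to 10.2.2.0/24 from translation
! (traffic to the Internet still hits nat 1), and, unlike nat 0 <network>,
! it also permits connections initiated from the OPERATION side.
! access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! nat (inside) 0 access-list NONAT
!
! Traffic initiated from the lower-security OPERATION interface toward inside
! still needs an access list applied to OPERATION; with identity NAT (rather
! than exemption) under nat-control it also needs a static for the target.
! access-list OPERATION_IN extended permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.10 eq 22
! access-group OPERATION_IN in interface OPERATION
! static (inside,OPERATION) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
!
! Verification:
!   show running-config nat-control
!   show running-config nat
!   show xlate   (identity NAT builds an xlate whose global and local
!                 addresses are identical; NAT exemption builds no xlate)
```

With the identity NAT line active, a host in 10.1.1.0/24 reaches the Internet and the OPERATION network untranslated, which answers the question's second point; it is routable on both sides only because the real addresses are used everywhere, so the OPERATION network must have a route back to 10.1.1.0/24.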