One-to-One Static Translations

Unanswered Question
May 25th, 2007

I have a large number of devices from different areas that need to traverse my PIX. I have used nested object groups to reduce the number of ACLs and wondered if there was a way of reducing the number of individual statics I will have.

Each of these devices will enter the PIX on the inside interface, with a security value of 100, through to an interface valued at 80.

The inside addresses will not need to be natted. As said, I do not want to have an endless list of static one-to-one translations ;-

static (inside, bla) netmask 0 0

Does anyone know a way of reducing the number of statics?

Can I use groups or something similar?


acomiskey Fri, 05/25/2007 - 06:59

You can do the whole network instead of individual hosts. Does this solve your problem?

static (inside, bla) netmask 0 0

thestagman Fri, 05/25/2007 - 07:04


Thanks for your reply. That would be nice if each site had a contiguous list of addresses, but, knowing my luck, they will not; in fact I know they will be odds and sods... I'm expecting 6-7 devices from each of the different areas, of which there are 42, so 42 x 7 = 294 static entries :o(

acomiskey Fri, 05/25/2007 - 07:17

You could write the static for the whole network and then create an ACL and use names/groups there. That would cut down on the statics, but you would obviously be writing ACLs as well.

thestagman Fri, 05/25/2007 - 07:23


If I NAT the whole network as you say, I could create nested object groups, a group per area, and then bind this to the top-level object group. In theory I would then only need one ACL...

Did that make sense?

jean.l.pierre Fri, 05/25/2007 - 07:40


Instead of the statics you are using, if you want the inside networks not to be natted, use NAT 0.

Example: nat (inside) 0



thestagman Mon, 05/28/2007 - 03:05

I think you're right, Jean's knocked the nail right on the head...

I will give it a go when I return to work on Tuesday... and let you know ...

thestagman Mon, 06/04/2007 - 01:50

Hi Jean

Am I correct in saying that, if I use the NAT 0 command below, the statics that are already configured on the inbound interface will not be affected, as any statics configured will always be used over any global/NAT statements...

Is that right?

nat (inside) 0



thestagman Mon, 06/04/2007 - 04:49

Thanks for that, that is certainly most useful...

But I have another question on the same subject.

On my PIX there is the following NAT statement:

nat (inside) 1 access-list bla1 0 0

If I had another statement, i.e.:

nat (inside) 0 access-list test

Firstly, is this allowed, i.e. two NAT statements on the same interface, or will one override the other?



acomiskey Mon, 06/04/2007 - 04:55

Absolutely, it is allowed. Will one override the other? Yes; go back and look at the NAT order of operations I posted above. NAT 0 is first in the list while policy NAT is 4th.

thestagman Mon, 06/04/2007 - 05:08

So, as long as the access-lists applied to these 2 NAT statements do not have duplicate addresses or ranges, then in theory the NAT 0 statement should not clash with the NAT 1 statement because the contents of the ACLs are different?

Hope that made sense...

acomiskey Mon, 06/04/2007 - 05:09

Yes, and yes it does. :)

access-list nonat permit ip any
access-list nat permit ip any
nat (inside) 1 access-list nat
nat (inside) 0 access-list nonat
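As an added example (not from the original thread), here is how the nested object groups thestagman describes, Jean's nat 0 suggestion and acomiskey's nat 0 / nat 1 ordering fit together on a PIX; the area names, host addresses and the "bla" interface are constructed placeholders.

```cisco
! Added example (not from the thread): nested object groups feeding one
! NAT-exemption ACL, so no per-host statics are needed. Area names, host
! addresses and the "bla" interface are constructed placeholders.
!
! One group per area; only the hosts that must cross the PIX are listed.
object-group network AREA01_HOSTS
 network-object host 10.1.0.11
 network-object host 10.1.0.25
object-group network AREA02_HOSTS
 network-object host 10.2.0.7
 network-object 10.2.0.64 255.255.255.240
!
! Top-level group that nests the per-area groups: one group-object line
! per area instead of six or seven statics per area.
object-group network ALL_AREAS_NONAT
 group-object AREA01_HOSTS
 group-object AREA02_HOSTS
!
! NAT exemption: matched inside sources keep their real addresses.
! nat 0 is evaluated before policy/dynamic NAT, so the nat 1 rule below
! never applies to these hosts even though both ACLs could match them.
access-list nonat permit ip object-group ALL_AREAS_NONAT any
nat (inside) 0 access-list nonat
!
! Everything else from inside is still translated when it leaves towards
! the lower-security (80) interface, here called "bla".
access-list nat permit ip 10.0.0.0 255.0.0.0 any
nat (inside) 1 access-list nat
global (bla) 1 interface
!
! Caveat: NAT exemption with an ACL is bidirectional, so hosts on "bla"
! can reach these real inside addresses if the inbound ACL on "bla"
! permits it. Exemption removes the translation, not the 80 -> 100 check.
```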
