PIX515E passing traffic from outside to inside without Static or NAT

Answered Question
Sep 19th, 2007

I just loaded 7.2.3 code on my PIX515E and I'm seeing something very weird. My traffic from outside to inside works without any NAT or Static configuration in the PIX. I have an access list applied on the outside interface to permit traffic from outside to inside host but no NAT or STATIC configuration. I haven't dealt with 7.x code much and don't know if I'm missing something here. I ran this by a couple of my peers and they are at a loss too.

PIX inside int: 192.168.1.1/24

PIX outside int: 172.16.1.1/24

Outside host: 172.16.1.3

Inside host: 192.168.1.3

PIX515E# show run access-group

access-group acl_outside in interface outside

PIX515E# show run access-list acl_outside

access-list acl_outside extended permit icmp host R1 host R2

access-list acl_outside extended permit ip any any

PIX515E# show xlate

0 in use, 0 most used

PIX515E# show conn

0 in use, 4 most used

After initiating telnet from outside host to inside:

PIX515E# show conn

1 in use, 4 most used

TCP out R1:49491 in R2:23 idle 0:00:04 bytes 117 flags UIOB

PIX515E# show run name

name 172.16.1.3 R1

name 192.168.1.3 R2

PIX515E# show xlate

0 in use, 0 most used

PIX515E# show nat

TIA

Sundar

Correct Answer
a.alekseev Wed, 09/19/2007 - 21:52

PIX 7.0 introduces the nat-control command. You can use the nat-control command in configuration mode in order to specify if NAT is required for outside communications. With NAT control enabled, configuration of NAT rules is required in order to allow outbound traffic, as is the case with previous versions of PIX software. If NAT control is disabled (no nat-control), inside hosts can communicate with outside networks without the configuration of a NAT rule. However, if you have inside hosts that do not have public addresses, you still need to configure NAT for those hosts.
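The situation in this thread can be checked for mechanically. The script below is an added example, not code from either poster or from Cisco: it scans a running-config for NAT control being off with no translation rules while a wide-open ACL is bound inbound on the outside interface. The sample config is constructed from the lines quoted in the question; the `no nat-control` line and the rule that NAT control is on only when a bare `nat-control` line is present are assumptions.

```python
import re

# Constructed sample: the lines quoted in the question, plus an explicit
# "no nat-control" line (assumed; the post does not show that output).
SAMPLE_CONFIG = """\
name 172.16.1.3 R1
name 192.168.1.3 R2
access-list acl_outside extended permit icmp host R1 host R2
access-list acl_outside extended permit ip any any
access-group acl_outside in interface outside
no nat-control
"""

def audit(config, untrusted_if="outside"):
    """Return findings for ACL-only exposure of untranslated inside hosts."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Assumption: NAT control is on only if a bare "nat-control" line is present.
    nat_control = "nat-control" in lines
    # Any static/nat/global statement counts as a translation rule.
    has_xlate_rules = any(re.match(r"(static|nat|global) \(", l) for l in lines)
    # Names of ACLs bound inbound on the untrusted interface.
    bound = {m.group(1) for l in lines
             if (m := re.fullmatch(r"access-group (\S+) in interface (\S+)", l))
             and m.group(2) == untrusted_if}
    findings = []
    if not nat_control and not has_xlate_rules:
        findings.append("nat-control off and no static/nat rules: inside "
                        "addresses reachable untranslated, ACL is the only filter")
    for l in lines:
        m = re.match(r"access-list (\S+) extended permit ip any any\b", l)
        if m and m.group(1) in bound:
            findings.append(f"{m.group(1)}: 'permit ip any any' inbound on {untrusted_if}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN", finding)
```

On the sample it reports both conditions, which together match the behaviour described in the question: the telnet connection is built with `show xlate` still empty.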
