PIX NO-NAT-Control

Unanswered Question
May 5th, 2008

I have a PIX 535 firewall with IOS version 7.x. I have enabled it with no nat-control. To my understanding, with no nat-control, traffic from a higher security level to a lower security level is allowed if there is no access-list, but from low to high a static and an access-list are still needed. But in my case traffic from low to high is permitted without a static. My outside network users are able to reach the inside network without a static.

Please tell me why this is so: why is low to high permitted without a static, or is it the normal behaviour?

srue Mon, 05/05/2008 - 05:13

With "no nat-control", IP addresses on a higher security level interface do not need any sort of NAT translation to go to a lower security level interface. This has nothing to do with ACLs (unless you're talking about policy NAT).

IPs on a lower security level interface never need a NAT translation entry to go to a higher security level interface.

If "nat-control" is enabled, IPs on a higher security level interface need some sort of NAT statement when going to a lower security level interface.

Things get even fuzzier with regards to same security level interfaces.
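As an added illustration (not from the thread), the two settings side by side on a PIX 7.x, with constructed placeholder addresses: with "no nat-control" the outside interface ACL alone governs whether an outside host can reach an inside real address, while with "nat-control" the same inbound flow also needs a static (or identity NAT) before the ACL is even consulted.

```cisco
! Added example, not from the thread. Addresses are constructed placeholders.
! Inside host 10.1.1.10 sits behind "inside" (security 100);
! "outside" (security 0) faces the Internet. Cases 1 and 2 are alternatives.

! --- Case 1: NAT control disabled (default on a fresh 7.x install;
!     an upgrade from 6.x keeps nat-control enabled instead) ---
no nat-control
!
! No static or nat statement exists for 10.1.1.10. The outside ACL alone
! decides whether the low-to-high (outside -> inside) connection is built,
! so the real inside address is reachable whenever the ACL permits it.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 80
access-group OUTSIDE_IN in interface outside
!
! Check: "show xlate" shows no entry for 10.1.1.10, yet the connection
! appears in "show conn". The ACL is the only control on this path, so
! review it as carefully as you would a static.

! --- Case 2: NAT control enabled ---
nat-control
!
! Inside hosts must now match a nat/global or static rule to pass at all.
! Inbound to 10.1.1.10 requires a static (here one-to-one on a public
! address) plus an ACL that references the mapped address (7.x semantics).
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-group OUTSIDE_IN in interface outside
!
! Outbound (high-to-low) traffic from the other inside hosts also needs a
! nat/global pair (or "nat (inside) 0 ..." to exempt them); without one the
! PIX drops it instead of forwarding the real address.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
```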
