Need clarification on NO NAT statement

Unanswered Question
Sep 27th, 2008


As per my understanding, the NONAT statement in the firewall (up to IOS version 6.3) is as follows:

If any packet traverses from higher security to lower security, it is permitted by default or by ACL.

If any packet traverses from lower security to higher security, it needs to be allowed with an ACL and NAT (for the higher interface IP). If we do not do NAT, we need to do NONAT on the higher interface.

Are the above statements correct? Please correct me if I am wrong.

Thanks in advance

Overall Rating: 2.5 (2 ratings)
sureshkum Sat, 10/11/2008 - 17:58

Hi Prince,

Thanks for your response. So could you please tell me in what kind of scenario NONAT is mandatory in the PIX firewall?

Matthew Warrick Sun, 09/28/2008 - 17:06

For 6.3 and older, in order to reach the high security "local ip", it must be mapped to a "global ip", which is what the low security interface sees.

Unless you implement "nat exemption" you will need to map inside "local ip" to a "global ip" using nat or static commands.

For example:

static (inside,outside) netmask

This makes the "local ip" map to the "global ip".

Without this mapping your inside address would not be reachable.

In 7.x+ the behavior was changed, and you can use the command "no nat-control" to allow untranslated IPs to pass through to higher security by default.

sureshkum Sat, 10/11/2008 - 18:05

Hi mattiw,

I have never used it like this in any of my scenarios... I used to do NONAT like below:

To connect from DMZ( to inside(

access-list dmz-acl permit tcp host host eq ...

access-group in interface dmz

access-list nonat permit ip host host

nat (inside) 0 access-list nonat

Please comment on this.

Farrukh Haroon Sun, 10/12/2008 - 05:08

There are three ways to bypass NAT on the cisco firewalls.

> (Dynamic) Identity NAT

> NAT Exemption

> Static Identity NAT

The first one is uni-directional, from the higher security level to the lower security level only. The latter two options are bi-directional. However, there are a few differences between them. The most important one is that with NAT Exemption the firewall will not proxy ARP for the mapped subnets (which are the same as the real subnets, of course). This was originally introduced for VPN traffic, but is frequently used for other purposes as well. Another difference is that it exempts traffic based on the 'source' interface only, and the destination interface can be one or more (based on the destination portion of the ACL used for exemption).

With Static Identity NAT both interfaces are specifically defined, as is visible from the syntax of the static command. The firewall proxies ARP requests for the MAPPED IP in the static command.
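A worked PIX 6.3 configuration putting the three bypass methods from the post above, and the local-to-global mapping from Matthew's post, side by side. This is an added example, not configuration posted by anyone in this thread; the interface names, security levels, and the 10.1.1.0/24 and 172.16.1.0/24 addresses are assumptions constructed for illustration.

```cisco
! Added example, not from the original thread: PIX 6.3 syntax.
! Assumed addressing (constructed): inside 10.1.1.0/24 (security 100),
! dmz 172.16.1.0/24 (security 50), outside (security 0).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0

! 1) Dynamic identity NAT: inside hosts keep their real address when they
!    initiate to a lower-security interface. One-way only: a DMZ host cannot
!    reach 10.1.1.x through this rule, even with an inbound ACL on dmz,
!    because nothing maps the inside address for inbound connections.
nat (inside) 0 10.1.1.0 255.255.255.0

! 2) NAT exemption: keyed on the source interface plus an ACL, bidirectional.
!    The destination half of the ACL decides which interfaces are covered
!    (here only dmz). The firewall does not proxy-ARP for the exempted subnet.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 3) Static identity NAT ("self static"): both interfaces named explicitly,
!    bidirectional, real and mapped address identical. The firewall does
!    proxy-ARP for the mapped address.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! In a real deployment you pick one of 2) or 3) for a given subnet pair; they
! are listed together here only for comparison.
!
! Whichever of 2) or 3) is used, lower-to-higher traffic still needs an
! inbound ACL on the lower-security interface. The ACL names the real inside
! address, since the mapped address is the same one.
access-list DMZ_IN permit tcp host 172.16.1.10 host 10.1.1.5 eq www
access-group DMZ_IN in interface dmz
```

The practical difference shows up on the wire: with 3) the PIX answers ARP for 10.1.1.0/24 on the dmz segment, which is harmless when the DMZ hosts route through the PIX but can hijack traffic if an inside subnet also lives on a segment the PIX proxy-ARPs onto; with 2) it stays silent, which is why it was introduced for VPN traffic first.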



Marwan ALshawi Sun, 09/28/2008 - 19:32

In addition to the great comments here,

you need to know there are several types of NATing:

static NAT, dynamic NAT,

NAT exemption and identity NAT.

With NAT exemption you allow two-way traffic with the corresponding ACL.

With identity NAT only one-way traffic will be allowed even if you have an ACL, because it works as a one-way translation.

Good luck.

If helpful, rate.

abinjola Sat, 10/11/2008 - 18:47

Hey Suresh,

From higher security to lower and vice versa, your options are:

a) NAT 0

b) Self static: static (inside,dmz) x.x.x.x x.x.x.x

x.x.x.x --> IP address of the higher security network

