Jon Marshall Wed, 10/01/2008 - 04:12
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

It is static because the translation is not dynamically created when traffic goes through the firewall. This a permanent translation that you want all the time.

The purpose is because of an oddity with the pix/asa device. To allow traffic from a lower to a higher security level interface you need to

i) allow it in an access-list

ii) have a NAT statement for it

On most other firewalls you only NAT if you want to represent one address as another address. On pix/asa even if you don't want to change the address because of ii) you must have a nat statement and that is why you have it. It is almost a way of saying to the pix/asa i don't want to NAT for

As i say it is an oddity of the pix/asa firewalls.


cisco24x7 Wed, 10/01/2008 - 07:00
User Badges:
  • Silver, 250 points or more

you either use static (i,o) same-ip same-ip

or nat(inside) 0 access-list with Pix version


With version 7.x, you do not have to do this

if you have "no nat-control". That will

allow traffic from high to low.

HOWEVER, AS SOON AS YOU HAVE nat (inside) 1 x x

and global (outside) 1 interface, "NO NAT-CONTROL" WILL BECOME USELESS FOR



This Discussion