static NAT - PIX and ASA

Answered Question
Aug 11th, 2010
Hi,


If we do not configure any static NAT in ASA but allow the access by access-lists does it work?


For example:


static (inside,outside) a.b.c.d a.b.c.d - packet will exit without any change in IP address. Corresponding access-lists are configured on the interfaces.


If we do not configure static in ASA and if proper routing is configured on ASA and also access-lists are configured on ASA, can the packet cross ASA?


What if the case is of PIX and not ASA?


Appreciate your help.

Thanks in advance

Subodh

Correct Answer by Jennifer Halim about 6 years 9 months ago

PIX and ASA work in exactly the same way.


From your description, here are a couple of scenarios for consideration:

1) If the traffic is initiated from inside towards outside, you do not need to configure a static NAT statement IF you have the following:

     ++ "no nat-control" configured

     ++ and there are no NAT statements configured on the inside interface at all.

If the above statement matches, then you only need an ACL to allow outbound traffic.


2) If the traffic is initiated from inside towards outside, however, one or both of the above points do not match (i.e., you either have "nat-control" configured, or you have 1 NAT statement configured on the inside interface), then you would need to configure the static statement as stated.


3) If the traffic is initiated from outside towards inside, then you would need to configure a static NAT statement.


Hope that helps.
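
The three scenarios from the answer above, written out as an added configuration example (not part of the original thread and not Cisco's own documentation). It assumes the pre-8.3 PIX/ASA syntax used in the question; 192.0.2.10 stands in for a.b.c.d, and the ACL names and port 443 are constructed.

```cisco
! Constructed example: pre-8.3 PIX/ASA syntax, 192.0.2.10 stands in for a.b.c.d.
! ACL names (INSIDE_OUT, OUTSIDE_IN) and port 443 are assumptions.
!
! Scenario 1: inside -> outside, NAT control off and no nat rules on inside.
! Routing plus an ACL is enough; the source address leaves unchanged.
no nat-control
access-list INSIDE_OUT extended permit ip host 192.0.2.10 any
access-group INSIDE_OUT in interface inside
!
! Scenario 2: inside -> outside, but nat-control is on (or a nat rule
! already exists on the inside interface). The host now needs a translation;
! the identity static from the question keeps its address as-is.
nat-control
static (inside,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255
!
! Scenario 3: outside -> inside. Per the answer, configure the static,
! then permit the inbound traffic on the outside interface.
static (inside,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-group OUTSIDE_IN in interface outside
```

`show running-config | include nat-control` shows which of the first two scenarios the device is in, and `show xlate` lists the translations actually in use.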

Correct Answer
Jennifer Halim Wed, 08/11/2010 - 22:52
User Badges: Cisco Employee

bapatsubodh Thu, 08/12/2010 - 06:03
Hi,

Thanks a lot. Any cisco.com document available for this on cisco.com? Searched a lot but could not find it.

Thanks, appreciate your help.

Thanks

Subodh
