08-11-2010 09:48 PM - edited 03-11-2019 11:24 AM
Hi,
If we do not configure any static NAT in ASA but allow the access by access-lists does it work?
For example:
static (inside,outside) a.b.c.d a.b.c.d - the packet will exit without any change in IP address. Corresponding access-lists are configured on the interfaces.
If we do not configure static in ASA and if proper routing is configured on ASA and also access-lists are configured on ASA, can the packet cross ASA?
What if the case is of PIX and not ASA?
Appreciate your help.
Thanks in advance
Subidh
08-11-2010 10:52 PM
PIX and ASA work in exactly the same way.
From your description, here are a couple of scenarios for consideration:
1) If the traffic is initiated from inside towards outside, you do not need to configure static NAT statement IF you have the following:
++ "no nat-control" configured
++ and there are no NAT statements configured on the inside interface at all.
If the above statement matches, then you only need ACL to allow outbound traffic.
2) If the traffic is initiated from inside towards outside, however, one or both of the above points do not match (ie: you either have "nat-control" configured, or you have 1 NAT statement configured on the inside interface), then you would need to configure the static statement as stated.
3) If the traffic is initiated from outside towards inside, then you would need to configure static NAT statement.
Hope that helps.
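Added example, not part of the original posts: the scenarios from the answer above written out as a configuration sketch in the pre-8.3 ASA/PIX syntax that the `static` command in the question belongs to. The addresses, ACL names and ports are constructed for illustration; only the interface names inside and outside come from the thread.

```text
! Constructed example; addresses, ACL names and ports are assumptions.

! --- Scenario 1: inside -> outside, no static needed ---
! Both conditions from the answer must hold:
!   a) nat-control is disabled
!   b) no NAT statements exist for the inside interface
no nat-control
! Verify (b); neither command should list a rule for "inside":
!   show running-config nat
!   show running-config static

! With no translation, the ACL is the only policy control on this path,
! so scope it to the sources and ports that are actually required.
access-list INSIDE_OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-group INSIDE_OUT in interface inside

! --- Scenarios 2 and 3: identity static as in the question ---
! The host keeps its own address on both sides (a.b.c.d -> a.b.c.d).
static (inside,outside) 10.1.1.10 10.1.1.10 netmask 255.255.255.255

! Inbound access is still denied until an ACL on the outside interface
! permits it; limit it to the published host and port.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443
access-group OUTSIDE_IN in interface outside
```

In scenario 1 the inside addresses leave the firewall untranslated, so they must be routable from the outside network for return traffic to arrive.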
08-12-2010 06:03 AM
Hi,
Thanks a lot. Is there any cisco.com document available for this? I searched a lot but could not find it.
Thanks, I appreciate your help.
Thanks
Subodh