static NAT - PIX and ASA

bapatsubodh
Level 1

Hi,

If we do not configure any static NAT in ASA but allow the access by access-lists, does it work?

For example:

static (inside,outside) a.b.c.d a.b.c.d

The packet will exit without any change in IP address. Corresponding access-lists are configured on the interfaces.

If we do not configure static in ASA, and if proper routing is configured on ASA and also access-lists are configured on ASA, can the packet cross ASA?

What if the case is of PIX and not ASA?

Appreciate your help.

Thanks in advance

Subodh

Accepted Solutions

Jennifer Halim
Cisco Employee

PIX and ASA work in exactly the same way.

From your description, here are a couple of scenarios for consideration:

1) If the traffic is initiated from inside towards outside, you do not need to configure a static NAT statement IF you have the following:

     ++ "no nat-control" configured

     ++ and there are no NAT statements configured on the inside interface at all.

If the above statements match, then you only need an ACL to allow outbound traffic.

2) If the traffic is initiated from inside towards outside, however, one or both of the above points do not match (i.e., you either have "nat-control" configured, or you have 1 NAT statement configured on the inside interface), then you would need to configure the static statement as stated.

3) If the traffic is initiated from outside towards inside, then you would need to configure a static NAT statement.

Hope that helps.
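
The three rules in the answer above can be checked mechanically against a saved configuration. The following Python sketch is an added example, not part of the original posts and not Cisco code; the function names and both sample configurations are constructed, and it assumes the `static`/`nat`/`nat-control` command syntax used in this thread.

```python
import re

# Constructed sample configs (not from the thread); addresses are documentation ranges.
CFG_OPEN = """\
no nat-control
access-list inside_out extended permit ip any any
access-group inside_out in interface inside
"""
CFG_NAT = """\
no nat-control
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface
static (inside,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255
"""

def parse(config):
    """Collect the facts the answer's three rules depend on."""
    # Assumption: a config with no "nat-control" line is treated as nat-control off.
    facts = {"nat_control": False, "nat_ifaces": set(), "statics": []}
    for line in config.splitlines():
        line = line.strip()
        if line == "nat-control":
            facts["nat_control"] = True
        elif m := re.match(r"nat \((\w+)\)", line):
            facts["nat_ifaces"].add(m.group(1))
        elif m := re.match(r"static \((\w+),(\w+)\) (\S+) (\S+)", line):
            real_if, mapped_if, mapped, real = m.groups()
            facts["statics"].append((real_if, mapped_if, mapped, real))
    return facts

def static_required(facts, src_if, dst_if, inside_if="inside"):
    """Apply rules 1-3 from the answer to a flow src_if -> dst_if."""
    if src_if == inside_if:
        # Rules 1 and 2: outbound needs a static only if nat-control is on
        # or any nat statement exists on the inside interface.
        return facts["nat_control"] or inside_if in facts["nat_ifaces"]
    # Rule 3: traffic initiated from outside towards inside needs a static.
    return True

def has_identity_static(facts, host, real_if="inside", mapped_if="outside"):
    """True if 'static (real_if,mapped_if) host host' is present."""
    return (real_if, mapped_if, host, host) in facts["statics"]

def flow_ok(config, host, src_if, dst_if):
    """NAT-side verdict only; the interface ACLs must still permit the flow."""
    facts = parse(config)
    return (not static_required(facts, src_if, dst_if)
            or has_identity_static(facts, host))
```

A `False` result means the host would need the identity static from the question before the ACLs are even consulted.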

2 Replies

Hi,

Thanks a lot. Is any document available for this on cisco.com? Searched a lot but could not find it.

Thanks, appreciate your help.

Thanks

Subodh