05-25-2007 05:51 AM - edited 03-11-2019 03:20 AM
I have a large number of devices from different areas that need to traverse my PIX. I have used nested object groups to reduce the number of ACLs and wondered if there was a way of reducing the number of individual statics I will have.
Each of these devices will enter the PIX on the inside interface with a security value of 100 through to an interface valued at 80.
The inside addresses will not need to be NATted. As said, I do not want to have an endless list of static one-to-one translations:
static (inside, bla) 10.10.10.10 10.10.10.10 netmask 255.255.255.255 0 0
Does anyone know a way of reducing the number of statics?
Can I use groups or something similar ?
cheers
05-25-2007 06:59 AM
You can do the whole network instead of individual hosts, does this solve your problem?...
static (inside, bla) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0
05-25-2007 07:04 AM
Hi
Thanks for your reply. That would be nice if each site had a contiguous list of addresses, but, knowing my luck, they will not; in fact I know they will be odds and sods... I'm expecting 6 - 7 devices from each of the different areas, of which there are 42, so 42 x 7 = 294 static entries :o(
05-25-2007 07:17 AM
You could write the static for the whole network and then create an acl and use names/groups there. That would cut down on the statics but you would obviously be writing acl's as well.
05-25-2007 07:23 AM
Hmmmm
If I NAT the whole network as you say, I could create nested object groups, a group per area, and then bind this to the top-level object group. In theory I would then only need one ACL...
Did that make sense?
05-25-2007 07:39 AM
Ya, I think so.
05-25-2007 07:40 AM
Hi!
Instead of the statics you are using, if you want the inside networks not to be NATted, use NAT 0.
Example: nat (inside) 0
Regards,
JP
05-25-2007 07:43 AM
^^ There you have it...good one jean!
05-28-2007 03:05 AM
I think you're right, Jean's knocked the nail right on the head...
I will give it a go when I return to work on Tuesday... and let you know ...
06-04-2007 01:50 AM
Hi jean
Am I correct in saying that, if I use the NAT 0 command below, the statics that are already configured on the inbound interface will not be affected, as any statics configured will always be used over any global/nat statements?
Is that right?
nat (inside) 0
Cheers
Mike
06-04-2007 04:40 AM
Mike, this is what you're looking for, scroll down to "Order of NAT Commands Used to Match Local Addresses"
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694
06-04-2007 04:49 AM
Thanks for that, that is certainly most useful...
But I have another question on the same subject.
On my PIX there is the following NAT statement:
nat (inside) 1 access-list bla1 0 0
If I had another statement, i.e.:
nat (inside) 0 access-list test
Firstly, is this allowed, i.e. two NAT statements on the same interface, or will one override the other?
thanks
Mike
06-04-2007 04:55 AM
Absolutely it is allowed. Will one override the other? Yes; go back and look at the NAT order of operations I posted above. nat 0 is first in the list while policy NAT is 4th.
06-04-2007 05:08 AM
So, so long as the access-lists applied to these 2 NAT statements do not have duplicate addresses or ranges, then in theory the nat 0 statement should not clash with the nat 1 statement because the contents of the ACLs are different?
Hope that made sense...
06-04-2007 05:09 AM
Yes, and yes it does. :)
access-list nonat permit ip 192.168.1.0 255.255.255.0 any
access-list nat permit ip 10.0.0.0 255.255.255.0 any
nat (inside) 1 access-list nat
nat (inside) 0 access-list nonat
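The precedence question in this last exchange (and the earlier nat 0 suggestion) is easy to get wrong when the two access-lists do overlap, because the winner is decided by the rule type, not by the order the lines were typed. The following is an added example written for this thread, not code from the thread or from Cisco: a small Python model that parses the subset of PIX syntax used above (access-list ... permit ip, static, nat <id> access-list, nat <id> <net> <mask>) and applies the evaluation order from the command-reference section linked earlier, assumed here to be NAT exemption, then static, then policy NAT, then regular NAT. The configuration it parses is constructed for the example: it takes the nonat/nat access-lists from the reply above and adds one static and one deliberately overlapping host entry so every rule type is exercised. The interface names are assumed to be irrelevant to the precedence and are stripped; only ip ACEs are understood.

```python
"""Model PIX 6.3 NAT rule precedence for a local (inside) address.

Added example for the thread above; not Cisco code.  Evaluation order is
assumed (per the linked "Order of NAT Commands Used to Match Local
Addresses" section): nat 0 access-list, then static, then policy NAT
(nat <id> access-list), then regular NAT (nat <id> <net> <mask>).
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Precedence rank: the lowest rank among the matching rules wins.
RANK = {"exemption": 0, "static": 1, "policy": 2, "regular": 3}

# Constructed sample configuration (not from any real device).
SAMPLE_CONFIG = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 any
access-list nat permit ip 10.0.0.0 255.255.255.0 any
access-list nat permit ip host 192.168.1.50 any
static (inside,bla) 10.0.0.5 10.0.0.5 netmask 255.255.255.255 0 0
nat (inside) 1 access-list nat
nat (inside) 0 access-list nonat
"""


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class NatRule:
    kind: str                        # one of RANK's keys
    text: str                        # original config line, for reporting
    acl: str | None = None           # for nat <id> access-list forms
    net: ipaddress.IPv4Network | None = None   # for static / nat <net> <mask>


@dataclass
class Config:
    acls: dict[str, list[Ace]] = field(default_factory=dict)
    rules: list[NatRule] = field(default_factory=list)


def _addr(tokens, i):
    """Parse one ACL address spec starting at tokens[i]; return (network, tokens used)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), 2


def parse(text: str) -> Config:
    cfg = Config()
    for raw in text.splitlines():
        # Interface names in "(inside, bla)" do not affect precedence; drop them.
        t = re.sub(r"\([^)]*\)", "IF", raw).split()
        if not t:
            continue
        if t[0] == "access-list" and t[3] == "ip":
            src, used = _addr(t, 4)
            dst, _ = _addr(t, 4 + used)
            cfg.acls.setdefault(t[1], []).append(Ace(t[2], src, dst))
        elif t[0] == "static":
            # static IF global local netmask mask ...: match on the local side
            local = ipaddress.ip_network(f"{t[3]}/{t[5]}", strict=False)
            cfg.rules.append(NatRule("static", raw.strip(), net=local))
        elif t[0] == "nat":
            if len(t) < 5:
                raise ValueError(f"unsupported nat form: {raw.strip()}")
            nat_id = int(t[2])
            if t[3] == "access-list":
                kind = "exemption" if nat_id == 0 else "policy"
                cfg.rules.append(NatRule(kind, raw.strip(), acl=t[4]))
            else:
                # nat <id> <net> <mask> (identity NAT when id is 0) is treated as regular NAT
                net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
                cfg.rules.append(NatRule("regular", raw.strip(), net=net))
    return cfg


def matches(cfg: Config, rule: NatRule, src, dst) -> bool:
    if rule.acl is not None:
        for ace in cfg.acls.get(rule.acl, []):
            if src in ace.src and dst in ace.dst:
                return ace.action == "permit"   # first matching ACE decides
        return False
    return src in rule.net


def lookup(cfg: Config, src: str, dst: str) -> NatRule | None:
    """Winning NAT rule for a flow src -> dst, or None if no rule matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [r for r in cfg.rules if matches(cfg, r, s, d)]
    return min(hits, key=lambda r: RANK[r.kind], default=None)


def exemption_overlaps(cfg: Config):
    """(exempt_src, policy_src) pairs that intersect: those hosts are always exempted."""
    exempt = [a for r in cfg.rules if r.kind == "exemption" for a in cfg.acls.get(r.acl, [])]
    policy = [a for r in cfg.rules if r.kind == "policy" for a in cfg.acls.get(r.acl, [])]
    return [(e.src, p.src) for e in exempt for p in policy
            if e.src.overlaps(p.src) and e.dst.overlaps(p.dst)]


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    for host in ("192.168.1.7", "192.168.1.50", "10.0.0.5", "10.0.0.9", "172.20.0.1"):
        r = lookup(cfg, host, "172.16.0.1")
        print(host, "->", r.kind if r else "no match", "|", r.text if r else "")
    print("overlaps:", exemption_overlaps(cfg))
```

Running it shows 192.168.1.50 being exempted even though it also appears in the policy-NAT access-list, and 10.0.0.5 using its static rather than nat 1 even though 10.0.0.0/24 is in the nat access-list; `exemption_overlaps` is the check to run before adding a nonat entry if you want to be sure the two access-lists really are disjoint.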