one to one Static Translations

thestagman
Level 1

I have a large number of devices from different areas that need to traverse my Pix. I have used nested object groups to reduce the number of ACLs and wondered if there was a way of reducing the number of individual statics I will have.

Each of these devices will enter the Pix on the inside interface, with a security value of 100, through to an interface valued at 80.

The inside addresses will not need to be NATed. As said, I do not want to have an endless list of static one-to-one translations:

static (inside, bla) 10.10.10.10 10.10.10.10 netmask 255.255.255.255 0 0

Does anyone know a way of reducing the number of statics?

Can I use groups or something similar?

cheers

14 Replies

acomiskey
Level 10

You can do the whole network instead of individual hosts, does this solve your problem?...

static (inside, bla) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0

Hi

Thanks for your reply. That would be nice if each site had a contiguous list of addresses, but knowing my luck they will not; in fact I know they will be odds and sods... I'm expecting 6 - 7 devices from each of the different areas, of which there are 42, so 42 x 7 = 294 static entries :o(

You could write the static for the whole network and then create an ACL and use names/groups there. That would cut down on the statics, but you would obviously be writing ACLs as well.

Hmmmm

If I NAT the whole network as you say, I could create nested object groups, a group per area, and then bind these to the top-level object group. In theory I would then only need one ACL...

Did that make sense?

Yeah, I think so.

Hi!

Instead of the statics you are using, if you want the inside networks not to be NATed, use NAT 0.

Example: nat (inside) 0

Regards,

JP

^^ There you have it... good one, Jean!

I think you're right, Jean's knocked the nail right on the head...

I will give it a go when I return to work on Tuesday... and let you know...

Hi Jean

Am I correct in saying that, if I use the NAT 0 command below, the statics that are already configured on the inbound interface will not be affected, as any statics configured will always be used over any global/NAT statements?

Is that right ?

nat (inside) 0

Cheers

Mike

Mike, this is what you're looking for, scroll down to "Order of NAT Commands Used to Match Local Addresses"

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694

Thanks for that, that is certainly most useful...

But I have another question on the same subject.

On my Pix there is the following NAT statement:

nat (inside) 1 access-list bla1 0 0

If I had another statement, i.e.:

nat (inside) 0 access-list test

Firstly, is this allowed, i.e. two NAT statements on the same interface, or will one override the other?

thanks

Mike

Absolutely, it is allowed. Will one override the other? Yes; go back and look at the NAT order of operations I posted above. Nat 0 is first in the list while policy NAT is 4th.

So, so long as the access-lists applied to these two NAT statements do not have duplicate addresses or ranges, then in theory the NAT 0 statement should not clash with the NAT 1 statement, because the contents of the ACLs are different?

Hope that made sense...

Yes, and yes it does. :)

access-list nonat permit ip 192.168.1.0 255.255.255.0 any

access-list nat permit ip 10.0.0.0 255.255.255.0 any

nat (inside) 1 access-list nat

nat (inside) 0 access-list nonat
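As an added worked example (not the poster's config, and not Cisco's own code), here is a small Python model of the PIX 6.3 NAT matching order that the thread relies on, run against a constructed config that combines the pieces discussed above: a network-wide static, nested object-groups feeding a single `nat 0 access-list`, and a policy `nat 1`. The interface name `dmz`, all addresses, and the global pool are assumptions. It shows that a host present in both the nonat ACL and the nat ACL is exempted no matter which `nat` line comes first in the config, that the static still applies for its own subnet, and that a host matched by no rule gets no translation at all (the PIX would drop it with "No translation group found").

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed PIX 6.3-style config for this example (assumed names and addresses,
# not the poster's real config). The global line is kept for realism; this model
# does not pick an address from the pool.
CONFIG = """
object-group network AREA1
 network-object host 10.1.1.5
 network-object host 10.1.1.9
object-group network AREA2
 network-object 10.2.2.0 255.255.255.0
object-group network ALL_AREAS
 group-object AREA1
 group-object AREA2
access-list nonat permit ip object-group ALL_AREAS any
access-list nat permit ip 10.1.1.0 255.255.255.0 any
access-list nat permit ip 10.0.0.0 255.255.255.0 any
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0
nat (inside) 1 access-list nat 0 0
global (dmz) 1 192.0.2.10-192.0.2.20
nat (inside) 0 access-list nonat
"""

# Precedence per the PIX 6.3 "Order of NAT Commands Used to Match Local Addresses":
# 1 nat 0 access-list (exemption), 2 static, 3 static PAT (not modelled here),
# 4 policy NAT (nat id access-list), 5 regular NAT (nat id network mask).
EXEMPT, STATIC, POLICY, REGULAR = 1, 2, 4, 5

Net = ipaddress.IPv4Network


def _net(addr: str, mask: str) -> Net:
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text: str):
    """Return (object-groups, ACLs, NAT rules). Only the source side of an ACE is
    kept, since every ACE in the thread has destination 'any'."""
    groups: Dict[str, List] = {}
    acls: Dict[str, List] = {}
    rules = []  # (precedence, config order, kind, source matchers, translation target)
    current: Optional[List] = None
    for order, raw in enumerate(text.splitlines()):
        t = raw.replace(", ", ",").split()  # tolerate "(inside, dmz)" as in the post
        if not t:
            continue
        if t[0] == "object-group":
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            current.append(_net(t[2], "255.255.255.255") if t[1] == "host" else _net(t[1], t[2]))
        elif t[0] == "group-object":
            current.append(("group", t[1]))  # nested group, resolved at match time
        elif t[0] == "access-list" and t[2] == "permit":
            src = t[4:]
            if src[0] == "host":
                m = _net(src[1], "255.255.255.255")
            elif src[0] == "object-group":
                m = ("group", src[1])
            else:
                m = _net(src[0], src[1])
            acls.setdefault(t[1], []).append(m)
        elif t[0] == "static":
            mapped, real, mask = t[2], t[3], t[5]
            rules.append((STATIC, order, "static", [_net(real, mask)], _net(mapped, mask)))
        elif t[0] == "nat":
            nat_id = int(t[2])
            if t[3] == "access-list":
                kind = "exempt" if nat_id == 0 else "policy"
                rules.append((EXEMPT if nat_id == 0 else POLICY, order, kind, [("acl", t[4])], nat_id))
            else:
                rules.append((REGULAR, order, "regular", [_net(t[3], t[4])], nat_id))
    return groups, acls, rules


def _matches(ip: ipaddress.IPv4Address, matcher, groups, acls) -> bool:
    if isinstance(matcher, tuple):  # ("group", name) or ("acl", name): recurse
        kind, name = matcher
        items = groups[name] if kind == "group" else acls[name]
        return any(_matches(ip, m, groups, acls) for m in items)
    return ip in matcher


def lookup(config_text: str, src: str) -> Optional[Tuple[str, str]]:
    """First matching rule in precedence order (then config order), as the PIX does."""
    groups, acls, rules = parse_config(config_text)
    ip = ipaddress.ip_address(src)
    for _prec, _order, kind, matchers, target in sorted(rules, key=lambda r: (r[0], r[1])):
        if not any(_matches(ip, m, groups, acls) for m in matchers):
            continue
        if kind == "static":
            real = matchers[0]  # one-to-one within the subnet: keep the host offset
            return kind, str(target.network_address + (int(ip) - int(real.network_address)))
        if kind == "exempt" or (kind == "regular" and target == 0):
            return kind, str(ip)  # address leaves unchanged
        return kind, f"global pool {target}"  # dynamic: real address chosen at runtime
    return None  # no translation group: the PIX drops the packet


if __name__ == "__main__":
    for host in ("10.1.1.5", "10.1.1.6", "10.2.2.77", "10.10.10.10", "10.0.0.7", "172.16.0.1"):
        print(host, "->", lookup(CONFIG, host))
```

The interesting case is 10.1.1.5: it is covered by both ACLs, and the `nat (inside) 1` line sits above `nat (inside) 0` in the config, yet exemption wins because precedence is by rule type, not by position. Its neighbour 10.1.1.6 is only in the `nat` ACL and so gets policy NAT, which is exactly the "no duplicate addresses or ranges" condition Mike asked about.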
