I have a large number of devices from different areas that need to traverse my PIX. I have used nested object groups to reduce the number of ACLs and wondered if there was a way of reducing the number of individual statics I will have.
Each of these devices will enter the PIX on the inside interface with a security value of 100 through to an interface valued at 80.
The inside addresses will not need to be natted. As said, I do not want to have an endless list of static one-to-one translations :-
static (inside, bla) 10.10.10.10 10.10.10.10 netmask 255.255.255.255 0 0
Does anyone know a way of reducing the number of statics?
Can I use groups or something similar?
You can do the whole network instead of individual hosts. Does this solve your problem?
static (inside, bla) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0
Thanks for your reply. That would be nice if each site had a contiguous list of addresses, but, knowing my luck, they will not. In fact I know they will be odds and sods... I'm expecting 6 - 7 devices from each of the different areas, of which there are 42, so 42 x 7 = 294 static entries :o(
You could write the static for the whole network and then create an ACL and use names/groups there. That would cut down on the statics, but you would obviously be writing ACLs as well.
If I NAT the whole network as you say, I could create nested object groups, a group per area, and then bind this to the top-level object group. In theory I would then only need one ACL...
Did that make sense?
Instead of the statics you are using, if you want the inside networks not to be natted, use NAT 0.
Example: nat (inside) 0
I think you're right, Jean's knocked the nail right on the head...
I will give it a go when I return to work on Tuesday... and let you know ...
Am I correct in saying that, if I use the NAT 0 command below, the statics that are already configured on the inbound interface will not be affected, as any statics configured will always be used over any global/NAT statements?
Is that right?
nat (inside) 0
Mike, this is what you're looking for, scroll down to "Order of NAT Commands Used to Match Local Addresses"
Thanks for that, that is certainly most useful...
But I have another question on the same subject.
On my PIX there is the following NAT statement: -
nat (inside) 1 access-list bla1 0 0
If I had another statement, i.e.:-
nat (inside) 0 access-list test
Firstly, is this allowed, i.e. two NAT statements on the same interface, or will one override the other?
Absolutely, it is allowed. Will one override the other? Yes, go back and look at the NAT order of operations I posted above. NAT 0 is first in the list while policy NAT is 4th.
So, so long as the access-lists applied to these 2 NAT statements do not have duplicate addresses or ranges, then in theory the NAT 0 statement should not clash with the NAT 1 statement because the contents of the ACLs are different?
Hope that made sense..
Yes, and yes it does. :)
access-list nonat permit ip 192.168.1.0 255.255.255.0 any
access-list nat permit ip 10.0.0.0 255.255.255.0 any
nat (inside) 1 access-list nat
nat (inside) 0 access-list nonat
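As an added example (not from the thread), here is a small Python check for the concern raised in the last exchange: it parses PIX-style access-list and nat lines and reports any two nat statements on the same interface whose ACL source networks overlap, since an overlapping nat 0 entry would match first and silently take the traffic away from the policy-NAT one. The sample config is constructed, modelled on the one above.

```python
"""Check a PIX NAT config for overlap between 'nat 0' and policy-NAT ACLs."""
from ipaddress import ip_network

# Constructed sample config, modelled on the thread's final example.
SAMPLE_CONFIG = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 any
access-list nat permit ip 10.0.0.0 255.255.255.0 any
nat (inside) 1 access-list nat
nat (inside) 0 access-list nonat
"""

def _source_network(parts):
    """Turn the source part of a PIX 'access-list ... permit ip <src> ...' line
    into a network. PIX ACLs use a normal subnet mask, not a wildcard mask."""
    if parts[4] == "any":
        return ip_network("0.0.0.0/0")
    if parts[4] == "host":
        return ip_network(f"{parts[5]}/32")
    return ip_network(f"{parts[4]}/{parts[5]}", strict=False)

def parse_config(text):
    """Return ({acl_name: [source networks]}, [(interface, nat_id, acl_name)])."""
    acls, nats = {}, []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] == "access-list" and parts[2] == "permit":
            acls.setdefault(parts[1], []).append(_source_network(parts))
        elif len(parts) >= 5 and parts[0] == "nat" and parts[3] == "access-list":
            nats.append((parts[1].strip("()"), int(parts[2]), parts[4]))
    return acls, nats

def find_overlaps(acls, nats):
    """Return (nat_id_a, nat_id_b, net_a, net_b) for every pair of nat statements
    on the same interface whose ACL source networks overlap."""
    hits = []
    for i, (ifc_a, id_a, acl_a) in enumerate(nats):
        for ifc_b, id_b, acl_b in nats[i + 1:]:
            if ifc_a != ifc_b:
                continue
            for net_a in acls.get(acl_a, []):
                for net_b in acls.get(acl_b, []):
                    if net_a.overlaps(net_b):
                        hits.append((id_a, id_b, str(net_a), str(net_b)))
    return hits

def check_config(text):
    """Parse a config and return the list of overlapping nat pairs (empty = clean)."""
    return find_overlaps(*parse_config(text))

if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG) or "no overlap between nat 0 and nat 1 ACLs")
```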