
New Member

one to one Static Translations

I have a large number of devices from different areas that need to traverse my PIX. I have used nested object groups to reduce the number of ACLs and wondered if there was a way of reducing the number of individual statics I will have.

Each of these devices will enter the pix on the inside interface with a security value of 100 through to an interface valued at 80.

The inside addresses will not need to be NATted. As I said, I do not want to have an endless list of static one-to-one translations:

static (inside, bla) 10.10.10.10 10.10.10.10 netmask 255.255.255.255 0 0

Does anyone know a way of reducing the number of statics?

Can I use groups or something similar?

cheers

14 REPLIES
Green

Re: one to one Static Translations

You can do the whole network instead of individual hosts; does this solve your problem?

static (inside, bla) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0

New Member

Re: one to one Static Translations

Hi

Thanks for your reply. That would be nice if each site had a contiguous list of addresses. But, knowing my luck, they will not; in fact I know they will be odds and sods... I'm expecting 6-7 devices from each of the different areas, of which there are 42, so 42 x 7 = 294 static entries :o(

Green

Re: one to one Static Translations

You could write the static for the whole network and then create an ACL and use names/groups there. That would cut down on the statics, but you would obviously be writing ACLs as well.

New Member

Re: one to one Static Translations

Hmmmm

If I NAT the whole network as you say, I could create nested object groups, a group per area, and then bind these to the top-level object group. In theory I would then only need one ACL...

Did that make sense?

Green

Re: one to one Static Translations

Ya, I think so.

New Member

Re: one to one Static Translations

Hi!

Instead of the statics you are using, if you want the inside networks not to be NATted, use NAT 0.

Example: nat (inside) 0

Regards,

JP

Green

Re: one to one Static Translations

^^ There you have it... good one, Jean!

New Member

Re: one to one Static Translations

I think you're right, Jean's knocked the nail right on the head...

I will give it a go when I return to work on Tuesday and let you know...

New Member

Re: one to one Static Translations

Hi Jean

Am I correct in saying that, if I use the NAT 0 command below, the statics that are already configured on the inbound interface will not be affected, as any statics configured will always be used over any global/nat statements?

Is that right?

nat (inside) 0

Cheers

Mike

Green

Re: one to one Static Translations

Mike, this is what you're looking for; scroll down to "Order of NAT Commands Used to Match Local Addresses":

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694

New Member

Re: one to one Static Translations

Thanks for that, that is certainly most useful...

But I have another question on the same subject.

On my PIX there is the following NAT statement:

nat (inside) 1 access-list bla1 0 0

If I had another statement, i.e.:

nat (inside) 0 access-list test

Firstly, is this allowed, i.e. two NAT statements on the same interface, or will one override the other?

thanks

Mike

Green

Re: one to one Static Translations

Absolutely, it is allowed. Will one override the other? Yes; go back and look at the NAT order of operations I posted above. NAT 0 is first in the list while policy NAT is 4th.

New Member

Re: one to one Static Translations

So, as long as the access-lists applied to these 2 NAT statements do not have duplicate addresses or ranges, then in theory the NAT 0 statement should not clash with the NAT 1 statement because the contents of the ACLs are different?

Hope that made sense...

Green

Re: one to one Static Translations

Yes, and yes it does. :)

access-list nonat permit ip 192.168.1.0 255.255.255.0 any

access-list nat permit ip 10.0.0.0 255.255.255.0 any

nat (inside) 1 access-list nat

nat (inside) 0 access-list nonat
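The two questions in this thread (which NAT command wins for a given local address, and whether the nonat and policy-NAT access-lists overlap) are easy to get wrong by eye once there are dozens of entries, so here is an added checker that is not part of the thread or of any Cisco tool. It parses the PIX-style access-list, nat and static lines quoted above from a constructed sample config, reports which rule class PIX would apply to a source address, and lists overlaps between the NAT 0 ACL and policy-NAT ACLs. The precedence order (NAT exemption, then static, then policy dynamic NAT, then regular dynamic NAT) is assumed here from the "Order of NAT Commands" reference linked above, the dmz interface name and the 10.10.10.0/24 static are illustrative assumptions, and a bare "nat (inside) 0" is assumed to mean all local addresses; verify all three against the command reference for your version.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample config: the nonat/nat lines come from the thread, the
# static, the dmz interface and the catch-all nat line are assumptions.
SAMPLE_CONFIG = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 any
access-list nat permit ip 10.0.0.0 255.255.255.0 any
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0
nat (inside) 1 access-list nat
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Assumed precedence when several NAT commands cover the same local address:
# NAT exemption, then static, then policy dynamic NAT, then regular dynamic NAT.
PRECEDENCE = {"exempt": 0, "static": 1, "policy": 2, "regular": 3}


@dataclass
class NatRule:
    kind: str        # one of the PRECEDENCE keys
    networks: list   # IPv4Network objects for the local (inside) side
    text: str        # the config line, for reporting


def _net(addr, mask):
    """Turn a PIX 'addr mask' pair (or 'any') into an IPv4Network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_source(tokens):
    """Source network of 'access-list NAME permit ip SRC ... DST ...'."""
    src = tokens[4:]
    if src[0] == "any":
        return _net("any", None)
    if src[0] == "host":
        return _net(src[1], "255.255.255.255")
    return _net(src[0], src[1])


def parse_config(text):
    """Collect ACL sources first, then resolve nat/static lines against them."""
    acls, raw = {}, []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access-list" and tokens[2:4] == ["permit", "ip"]:
            acls.setdefault(tokens[1], []).append(_acl_source(tokens))
        elif tokens[0] in ("nat", "static"):
            raw.append(tokens)
    rules = []
    for tokens in raw:
        line = " ".join(tokens)
        if tokens[0] == "static":
            # static (in,out) MAPPED LOCAL netmask MASK ... : local side is tokens[3]
            rules.append(NatRule("static", [_net(tokens[3], tokens[5])], line))
        elif len(tokens) > 3 and tokens[3] == "access-list":
            kind = "exempt" if tokens[2] == "0" else "policy"
            rules.append(NatRule(kind, acls.get(tokens[4], []), line))
        else:
            # nat (if) ID NET MASK, or a bare 'nat (if) 0' assumed to cover everything
            net = _net(tokens[3], tokens[4]) if len(tokens) >= 5 else _net("any", None)
            rules.append(NatRule("regular", [net], line))
    return rules


def match_nat(rules, ip):
    """Return the rule PIX would apply to local address ip, or None."""
    ip = ipaddress.ip_address(ip)
    best = None
    for order, rule in enumerate(rules):
        hits = [n for n in rule.networks if ip in n]
        if not hits:
            continue
        # Exempt/static/policy: first match in config order within the class.
        # Regular dynamic NAT: best (longest-prefix) match within the class.
        specificity = -max(n.prefixlen for n in hits) if rule.kind == "regular" else 0
        key = (PRECEDENCE[rule.kind], specificity, order)
        if best is None or key < best[0]:
            best = (key, rule)
    return best[1] if best else None


def find_overlaps(rules):
    """(exempt network, policy network) pairs that share local addresses."""
    exempt = [n for r in rules if r.kind == "exempt" for n in r.networks]
    policy = [n for r in rules if r.kind == "policy" for n in r.networks]
    return [(e, p) for e in exempt for p in policy if e.overlaps(p)]


if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    for ip in ("192.168.1.5", "10.0.0.7", "10.10.10.9", "172.16.0.1"):
        r = match_nat(rules, ip)
        print(f"{ip:<14} -> {r.kind:<8} {r.text}")
    print("nonat/policy overlaps:", find_overlaps(rules))
```

With the sample config the NAT 0 and NAT 1 ACLs do not overlap, so nothing clashes; if an entry for 192.168.1.0/25 were added to the "nat" ACL, find_overlaps would flag it, and match_nat would still return the exemption rule for 192.168.1.5, which is the "NAT 0 wins" behaviour the reply above describes.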
