Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

PIX NAT/Global Statements help

I am reviewing a PIX configuration and there are some interesting nat/global statements that I wanted to clarify.

NAT ID Set 1

global (inside) 1 insideip netmask

nat (dmz) 1 dmznet1 0 0

nat (dmz) 1 dmznet2 0 0

nat (dmz) 1 dmznet3 0 0

nat (dmz) 1 dmznet4 0 0

This I believe should work, but isen't it usually nat from higher sec level and global at the lower sec level. here it is reversed. But it will work as expected assuming acls in place correct?

The other set is NAT ID Set 4

global (DMZ) 4 DMZIP netmask

nat (DMZ) 4 inside_net1 0 0

nat (DMZ) 4 inside_net2 0 0

nat (DMZ) 4 inside_net3 0 0

nat (DMZ) 4 inside_net4 0 0

In this case the interface on both nat and global is DMZ. And the subnets listed on the NAT statements are located off the inside interface. Will this nat set do anything?

Finally I have a number of alias commands like alias(inside) xx.xx.xx.xx yy.yy.yy.yy followed by matching static commands: static(inside,dmz) yy.yy.yy.yy xx.xx.xx.xx. (The yy.yy.yy.yy are the real addresses of hosts on the DMZ) are the static statements required? What is their purpose.


Re: PIX NAT/Global Statements help

Please see the following links to increase you understanding of these commands:

1) This is called Dynamic Outside NAT and this works, but remember when nat-control is enabled, a static statement is still required.

2) The only scenario you will be needing this is when you are using hair-pinning (same-security-traffic permit intra-interface) and nat-control is enabled.

3) The alias and static commands are mutually exclusive, and only one of them is needed. Static are definitely more preferred. Please check the third link posted above.



CreatePlease to create content