PIX NO-NAT-Control

I have a PIX 535 firewall with IOS 7.x version. I have enabled it with no-nat-control. To my understanding, with this no-nat-control, traffic from a higher security level to a lower security level is allowed if there is no access-list, but from low to high there is still a need for a static and an access-list. But in my case traffic from low to high is permitted without a static. My outside network users are able to reach the inside network without a static.

Please tell me why this is so: why is low to high permitted without a static, or is it the normal behaviour?

Re: PIX NO-NAT-Control

With "no nat-control", IP addresses on a higher security level interface do not need any sort of NAT translation to go to a lower security level interface. This has nothing to do with ACLs (unless you're talking about policy NAT).

IPs on a lower security level interface never need a NAT translation entry to go to a higher security level interface.

If "nat-control" is enabled, IPs on a higher security level interface need some sort of NAT statement when going to a lower security level interface.

Things get even fuzzier with regard to same security level interfaces.
