Cisco Support Community

New Member

PIX NO NAT

If you write an ACL to be used with a NO NAT statement, does it need to be applied to an interface? I.e., I need to NAT certain traffic, but not NAT certain traffic that has a particular destination.

Accepted Solution
Gold

Re: PIX NO NAT

No, you don't need to apply the NONAT ACL to an interface; it is only used to bind the NONAT ACL to the NAT 0 statement.

For example, if you want to NAT all traffic from inside EXCEPT from 10.10.15.0 to 192.168.1.0:

access-list no-nat permit ip 10.10.15.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
nat (inside) 1 10.10.15.0 255.255.255.0
global (outside) 1 public_IP netmask 255.255.255.255

NAT 0 means the traffic is NOT NATed.

NAT 1 pairs with global 1.

M.
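As an added illustration (not part of the original thread or Cisco's own tooling), the script below parses the four config lines from the accepted answer and reports, for a given source/destination pair, whether the flow is exempted by the nat 0 ACL or translated by nat 1 through global 1. It assumes the mask-form syntax shown above only (no "host" or "any" keywords) and models the PIX rule that NAT exemption is evaluated before dynamic NAT, which is why the no-nat ACL may overlap the nat 1 source range.

```python
import ipaddress

# Constructed sample: the four config lines from the accepted answer above.
PIX_CONFIG = """
access-list no-nat permit ip 10.10.15.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
nat (inside) 1 10.10.15.0 255.255.255.0
global (outside) 1 public_IP netmask 255.255.255.255
"""

def parse_config(text):
    """Parse the subset of PIX syntax used above (mask form only, no 'host'/'any').
    Returns (acls, nat_rules, pools): acls maps ACL name -> [(src_net, dst_net)],
    nat_rules is [(nat_id, acl_name_or_None, local_net_or_None)], and pools maps
    a global id -> its pool string."""
    acls, nat_rules, pools = {}, [], {}
    for line in text.strip().splitlines():
        f = line.split()
        if f[0] == "access-list" and f[2] == "permit":
            src = ipaddress.ip_network(f"{f[4]}/{f[5]}")
            dst = ipaddress.ip_network(f"{f[6]}/{f[7]}")
            acls.setdefault(f[1], []).append((src, dst))
        elif f[0] == "nat" and f[3] == "access-list":
            nat_rules.append((int(f[2]), f[4], None))          # nat N access-list X
        elif f[0] == "nat":
            nat_rules.append((int(f[2]), None, ipaddress.ip_network(f"{f[3]}/{f[4]}")))
        elif f[0] == "global":
            pools[int(f[2])] = f[3]                            # global id -> pool
    return acls, nat_rules, pools

def classify(src_ip, dst_ip, acls, nat_rules, pools):
    """Report which NAT rule a flow hits. NAT exemption (nat 0 access-list) is
    checked before dynamic NAT, so a source covered by both the no-nat ACL and
    nat 1 is exempt only when the destination also matches the ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for nat_id, acl, _ in nat_rules:
        if nat_id == 0 and acl is not None:
            if any(src in s and dst in d for s, d in acls.get(acl, [])):
                return "exempt"
    for nat_id, _, local in nat_rules:
        if nat_id != 0 and local is not None and src in local:
            return f"nat {nat_id} -> {pools.get(nat_id, '?')}"
    return "no nat rule"

if __name__ == "__main__":
    acls, rules, pools = parse_config(PIX_CONFIG)
    # Constructed flows: exempt, translated, and a source no nat line covers.
    for flow in [("10.10.15.7", "192.168.1.20"), ("10.10.15.7", "203.0.113.5"),
                 ("10.10.20.7", "203.0.113.5")]:
        print(flow, "->", classify(*flow, acls, rules, pools))
```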

2 REPLIES
New Member

Re: PIX NO NAT

So... I can write an ACL called 101 with various inside addresses permitted to go outside, bind this to the internal interface, then write a second ACL called 102 with something like:

access-list 102 permit ip 10.1.0.0 255.255.0.0 192.168.12.0 255.255.255.0

then

nat (inside) 0 access-list 102

102 does not need to be bound to an interface, and it can contain addresses that appear in ACL 101?
