PIX515E passing traffic from outside to inside without Static or NAT

I just loaded 7.2.3 code on my PIX515E and I'm seeing something very weird. My traffic from outside to inside works without any NAT or Static configuration in the PIX. I have an access list applied on the outside interface to permit traffic from outside to inside host but no NAT or STATIC configuration. I haven't dealt with 7.x code much and don't know if I'm missing something here. I ran this by a couple of my peers and they are at a loss too.

PIX inside int: 192.168.1.1/24

PIX outside int: 172.16.1.1/24

Outside host: 172.16.1.3

Inside host: 192.168.1.3

PIX515E# show run access-group

access-group acl_outside in interface outside

PIX515E# show run access-list acl_outside

access-list acl_outside extended permit icmp host R1 host R2

access-list acl_outside extended permit ip any any

PIX515E# show xlate

0 in use, 0 most used

PIX515E# show conn

0 in use, 4 most used

After initiating telnet from outside host to inside:

PIX515E# show conn

1 in use, 4 most used

TCP out R1:49491 in R2:23 idle 0:00:04 bytes 117 flags UIOB

PIX515E# show run name

name 172.16.1.3 R1

name 192.168.1.3 R2

PIX515E# show xlate

0 in use, 0 most used

PIX515E# show nat

TIA

Sundar

Accepted Solutions

Re: PIX515E passing traffic from outside to inside without Stati

PIX 7.0 introduces the nat-control command. You can use the nat-control command in configuration mode in order to specify if NAT is required for outside communications. With NAT control enabled, configuration of NAT rules is required in order to allow outbound traffic, as is the case with previous versions of PIX software. If NAT control is disabled (no nat-control), inside hosts can communicate with outside networks without the configuration of a NAT rule. However, if you have inside hosts that do not have public addresses, you still need to configure NAT for those hosts.
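
An added example, not part of the original thread and not Cisco tooling: a small Python audit of a saved running-config that flags the situation seen here, NAT control off together with a permit ip any any ACL applied inbound on an interface. The sample config is constructed from the lines quoted in the question, and treating a missing nat-control line as "disabled" is an assumption of this sketch.

```python
import re

# Constructed sample, built from the config lines quoted in the question.
SAMPLE_CONFIG = """\
name 172.16.1.3 R1
name 192.168.1.3 R2
access-list acl_outside extended permit icmp host R1 host R2
access-list acl_outside extended permit ip any any
access-group acl_outside in interface outside
"""

def audit(config):
    """Return a list of findings for a PIX 7.x running-config (text)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Assumption: a config with no explicit "nat-control" line has NAT
    # control disabled. "no nat-control" is a different line, so it
    # does not match here.
    nat_control = "nat-control" in lines
    # Any static/nat/global statement counts as a translation rule.
    has_xlate_rules = any(re.match(r"(static|nat|global) \(", ln) for ln in lines)
    # ACL name -> interface, for ACLs applied inbound with access-group.
    bound = {}
    for ln in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)$", ln)
        if m:
            bound[m.group(1)] = m.group(2)
    findings = []
    if not nat_control:
        findings.append("NAT_CONTROL_OFF: traffic need not match a NAT rule")
        if not has_xlate_rules:
            findings.append("NO_XLATE_RULES: hosts are reached on their real addresses")
    for ln in lines:
        m = re.match(r"access-list (\S+) extended permit ip any any$", ln)
        if m and m.group(1) in bound:
            findings.append("OPEN_ACL: %s inbound on %s permits ip any any"
                            % (m.group(1), bound[m.group(1)]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, all three findings fire; adding a nat-control line leaves only the open ACL, which still deserves tightening to the specific hosts and ports needed.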

Re: PIX515E passing traffic from outside to inside without Stati

That was it.

Thanks :)
