Cisco Support Community
Questions Regarding NAT on PIX/ASA

Hello Everyone,

I've done a bit of reading on the topic of NAT on the PIX/ASA but still have a few questions that I'm looking for clarification on.

Based on the diagram attached, I'm thinking there are 3 ways to get this working with NAT. There is no need on the PIX/ASA in the diagram to allow the users to access the Internet. The Internet here is used only as a method to establish a LAN-to-LAN IPSec tunnel.


Method 1: no nat-control command. This should exempt ALL traffic from NAT, right?

----------------------------

Method 2: Static command

static (Inside,DMZ) 10.132.1.0 10.132.1.0 netmask 255.255.255.0 0 0
static (Inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.240.0 0 0
static (Inside,DMZ) 10.2.2.0 10.2.2.0 netmask 255.255.240.0 0 0
static (Inside,DMZ) 10.3.3.0 10.3.3.0 netmask 255.255.240.0 0 0

static (DMZ,Inside) 10.132.65.0 10.132.65.0 netmask 255.255.255.0 0 0
static (DMZ,Inside) 10.132.65.0 10.132.65.0 netmask 255.255.255.0 0 0

static (Outside,DMZ) 10.16.1.0 10.16.1.0 netmask 255.255.255.0

-------------------------

Method 3: NAT/Global command

nat (Inside) 0 10.132.1.0 255.255.255.0
nat (Inside) 0 10.1.1.0 255.255.255.0
nat (Inside) 0 10.2.2.0 255.255.255.0
nat (Inside) 0 10.3.3.0 255.255.255.0

nat (DMZ) 0 10.132.65.0 255.255.255.0

nat (Outside) 0 10.16.1.0 255.255.255.0

or possibly this could work as well?

nat (Inside) 0 0.0.0.0 0.0.0.0

nat (DMZ) 0 0.0.0.0 0.0.0.0

nat (Outside) 0 0.0.0.0 0.0.0.0

- Do I also need "global" statements like these in order for the "nat" commands to work properly or is that just needed if I was sending traffic to the Internet so the clients could browse websites?

global (Outside) 0 interface
global (DMZ) 0 interface
global (Inside) 0 interface

- For traffic going from an interface with higher security level to a lower one, traffic should be allowed I believe.

- If going from a lower security level to a higher one, I know I need an ACL to permit the traffic.

- Do I also need a static NAT translation?

- Would the "nat (DMZ) 0 10.132.65.0 255.255.255.0" command work to exempt NAT on traffic from the lower security level interface to a higher one or would only the static NAT translation be looked at for this?

- If both "static" and "nat" commands are configured, are the "static" commands looked at first before the "nat" commands?

Thanks for the help!

-Pete

1 ACCEPTED SOLUTION
Re: Questions Regarding NAT on PIX/ASA

Hi,

For traffic to flow from lower-security to higher-security interface you need:

STATIC NAT and ACL

If you have NAT-CONTROL disabled, you only need an ACL.

For traffic to flow from higher-security to lower-security interface you need:

NAT

If you have NAT-CONTROL disabled, you don't need any other commands.

If there's an existing ACL, it should allow the traffic.

NAT order of operation:

1. NAT 0 access-list

2. STATIC NAT/PAT

3. Policy NAT

4. Dynamic NAT/PAT

Federico.
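
Pete's Method 2 and Method 3 command lists and Federico's order of operation, worked into an added example that is not from this thread: a small Python linter for the classic (pre-8.3) static/nat syntax that assigns each line to one of Federico's four categories and flags the kinds of mistakes that slip into such lists (a network static written without the netmask keyword, a network address that does not sit on its mask boundary, a static entered twice). The regular expressions cover only the statement forms used in this thread; placing plain nat 0 with a network and mask (identity NAT, which is not the same as nat 0 access-list exemption) in the dynamic category is this example's reading of the order list, not something Federico states.

```python
import ipaddress
import re

# Classic (pre-8.3) PIX/ASA NAT statements, mapped onto Federico's order of
# operation: 1 = nat 0 access-list (exemption), 2 = static NAT/PAT,
# 3 = policy NAT (nat N access-list), 4 = dynamic NAT/PAT (plain nat N).
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+)"
                       r"(?: netmask (\S+))?(?: \d+ \d+)?$")
BAD_STATIC_RE = re.compile(r"^static \(\w+,\w+\) \S+ \S+ \d+\.\d+\.\d+\.\d+$")
NAT_RE = re.compile(r"^nat \(\w+\) (\d+) (?:access-list (\S+)|(\S+) (\S+))$")

def mask_issue(net, mask):
    try:
        aligned = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    except ValueError:
        return f"invalid address/mask {net} {mask}"
    if str(aligned.network_address) != net:
        return f"{net} is not aligned to {mask}; the rule actually covers {aligned}"
    return None

def classify(line):
    """Return (order-of-operation category or None, issue or None) for one line."""
    line = " ".join(line.split())
    if BAD_STATIC_RE.match(line):
        return None, "network static needs the 'netmask' keyword before the mask"
    if m := STATIC_RE.match(line):
        mapped, _real, mask = m.groups()
        return 2, (mask_issue(mapped, mask) if mask else None)
    if m := NAT_RE.match(line):
        nat_id, acl, net, mask = m.groups()
        if acl:
            return (1 if nat_id == "0" else 3), None
        # plain nat 0 is identity NAT, not exemption: a regular nat rule, category 4
        return 4, mask_issue(net, mask)
    return None, "unrecognised statement"

def lint(config):
    # Classify every non-empty line and flag syntax, mask and duplicate problems
    seen, report = set(), []
    for line in (" ".join(l.split()) for l in config if l.strip()):
        cat, issue = classify(line)
        if line in seen:
            issue = "duplicate of an earlier line"
        seen.add(line)
        report.append((line, cat, issue))
    return report

if __name__ == "__main__":  # constructed sample line in the thread's syntax
    for line, cat, issue in lint(["static (Inside,DMZ) 10.1.1.0 10.1.1.0 netmask 255.255.240.0 0 0"]):
        print(f"[{cat}] {line} -> {issue or 'ok'}")
```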

2 REPLIES

Re: Questions Regarding NAT on PIX/ASA

Thanks for the help, Federico.

This is very helpful.

-Pete
