Disabling NAT on the PIX

mmelbourne
Level 5

What is the best way to disable NAT on the PIX (specifically between two interfaces, not globally)?

There appear to be two alternatives: use a net static of the form "static(high,low) high high" or "nat 0 (high) access-list". I've seen postings which suggest using the static, and only using "nat 0 access-list" for VPN traffic. Does the use of either affect the way in which fixups are handled? Static also has the benefit of being able to set an embryonic connection limit, but the PIX must also maintain the xlate table (where the local and global IP addresses will be identical).

1 Reply

gfullage
Cisco Employee

I personally prefer using the static command and referencing the same addresses on both interfaces. The static command will force the PIX to still NAT the traffic and run through all the NAT routines, it'll just change the address to the same address. Using NAT 0 actually does bypass all the NAT routines in the code. The fixups are still looked at either way, because they're not just used for NAT, they also open ports for return traffic, etc.

NAT 0 is probably less burden on the PIX if that's what you're getting at, but in my opinion the static works better. NAT 0 also does stop NAT'ing for all interfaces.
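
The two forms discussed in this thread, side by side, as an added configuration example that is not part of the original posts. It assumes PIX 6.x syntax; the interface names (inside, dmz), the ACL name (NO-NAT-DMZ) and all addresses are constructed placeholders.

```cisco
! Constructed example: interface names, ACL name and addresses are placeholders.
!
! Option 1: identity static between two specific interfaces.
! 10.1.1.0/24 on "inside" is translated to the same 10.1.1.0/24 on "dmz".
! Trailing values: max connections (0 = unlimited), embryonic limit (100).
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 100
!
! A static does not by itself permit traffic from the lower-security
! interface; an access-list bound with access-group is still required.
!
! Option 2: NAT exemption selected by an access list.
! Traffic from the inside network that matches the ACL is exempted
! from translation.
access-list NO-NAT-DMZ permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NO-NAT-DMZ
!
! After changing either form, clear stale translations and inspect the table.
clear xlate
show xlate
```

Use one option or the other for a given address range. With the static in place, `show xlate` lists entries whose local and global addresses are identical, which is the xlate table overhead raised in the question.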
