Cisco Support Community

Disabling NAT on the PIX

What is the best way to disable NAT on the PIX (specifically between two interfaces, not globally)?

There appear to be two alternatives: use a net static of the form "static(high,low) high high" or "nat 0 (high) access-list". I've seen postings which suggest using the static, and only using "nat 0 access-list" for VPN traffic. Does the use of either affect the way in which fixups are handled? Static also has the benefit of being able to set an embryonic connection limit, but the PIX must also maintain the xlate table (where the local and global IP addresses will be identical).

Cisco Employee

Re: Disabling NAT on the PIX

I personally prefer using the static command and referencing the same addresses on both interfaces. The static command will force the PIX to still NAT the traffic and run thru all the NAT routines, it'll just change the address to the same address. Using NAT 0 actually does bypass all the NAT routines in the code. The fixups are still looked at either way, cause they're not just used for NAT, they also open ports for return traffic, etc.

NAT 0 is probably less burden on the PIX if that's what you're getting at, but in my opinion the static works better. NAT 0 also does stop NAT'ing for all interfaces.
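
The two alternatives discussed in this thread, written out in PIX 6.x command syntax as an added example (not posted by either participant). The interface names `inside` and `dmz`, the ACL name `no-nat-dmz`, the 10.1.1.0/24 and 192.168.50.0/24 networks and the embryonic limit of 100 are all assumptions chosen for illustration.

```cisco
: Constructed example: inside = higher-security interface, dmz = lower.
: Pick one option for a given network.

: Option 1: identity ("net") static. Syntax is
:   static (real_if,mapped_if) mapped_ip real_ip netmask mask [max_conns [em_limit]]
: Mapped and real address are the same, so the address is unchanged,
: but an xlate entry is still built. The trailing "0 100" means
: unlimited total connections and an embryonic limit of 100.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 100

: Option 2: NAT exemption by access list. The ACL names the
: source/destination pairs that bypass translation.
access-list no-nat-dmz permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list no-nat-dmz

: After changing static or nat statements, flush existing translations
: so the new rules take effect, then inspect the result.
clear xlate
show static
show nat
show xlate
```

With option 1 in place, `show xlate` lists entries whose local and global addresses are identical, which is the xlate table overhead the original question mentions.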
