
Is NAT 0 compulsory??

vikrantarora
Level 1

I do not want any address translations, and all the hosts on my network are using real-world IPs.

Do I need to have a nat (inside) 0 0 0 command on my pix 6.2?

5 Replies

mhussein
Level 4

No, you don't have to use "nat 0". You can use the "static" command to allow outbound connections as long as your IP addresses are real public ones.

Note that if you don't enable NAT, the syntax of the "static" command would be as follows:

static (high,low) high high

hope this helps ...

Mustafa

Mustafa,

Thanks!

Do I need a static for all the computers that are accessing the internet? I have about 150 hosts.

Hi.

In your case, I would use nat (inside) 0 0 0.

It just seems to me more logical than static in such a scenario.

Static will work also, but I think that static will cause more overhead at the PIX and will add unneeded proxy-arp on the outside interface.

Yizhar

Yizhar,

I am a little confused by your reply.

Isn't it that static is only for inbound connections, i.e. for machines that need to be accessed from outside?

So, what does static have to do with the absence of nat 0, which, I think, is only to allow or disallow address translations?

Let's say I have 2 machines behind the PIX: a webserver (W) and a host (H).

H and W both have unrestricted outbound access. They have real IPs, so I use nat 0. Now, W needs to be accessed from outside, so I throw in a static for W. According to your answer, I would need a static for H as well. If so, why?

Hi,

Instead of using a 'static' command for every host, you can use 'net static' (= statically translate an entire network to itself).

Let's assume that your network is 1.2.3.0. Then you should use this command:

static (inside,outside) 1.2.3.0 1.2.3.0 netmask 255.255.255.0

Kind Regards,

Tom