Cisco Support Community
Community Member

Nat 0 setup help


I am setting up a Pix to replace our current firewall. We have two Class C networks that are used for servers and for DSL customers. These will be internal to the Pix. I see I can use NAT 0 to not translate those networks. To allow access into the servers, do I only need to set up ACLs for the various services? I am a little confused as to the particulars of getting access into these networks.



Community Member

Re: Nat 0 setup help

Hi Brian,

PIX interfaces have security levels. These levels are expressed as numbers in the range 0-100. 100 is the most secure interface; that is the inside. 0 is the least secure; that is the outside. DMZ interfaces are somewhere between 0 and 100. There are two types of access in the PIX:

1) from higher security level to lower security level (inside to outside, dmz to outside)

By default the PIX permits these connections; you only have to configure a translation method. This can be static, with the 'static' command, or dynamic, with the 'nat' and 'global' commands. Or, if you choose not to translate, you can use nat 0.

2) from lower security level to higher security level (outside to inside, dmz to inside)

By default the PIX denies these types of connections, so you have to permit them. You can do this with an access-list or a conduit. And you also need a translation.

There is a very useful document below. Hope this helps.


Community Member

Re: Nat 0 setup help

Nat 0 isn't going to allow connections to be initiated from the outside. You need a static translation for the destination (as well as a permit statement in the ACL applied to the outside interface, specifying the destination public IP and port). Assuming that you want to keep public addresses on all the hosts on the inside of the PIX (which wastes a lot of public addresses, but saves you the work of re-addressing hundreds of hosts), you can do a "net static" for the inside subnets, "translating" them from the inside to the outside, BUT keeping the same IP addresses. Suppose one of your class C networks was

static (inside,outside) netmask

Then the ACL on the outside interface will determine what IPs and ports outside users can get to.

Remember that you need different subnets on each PIX interface. What model PIX do you have (how many interfaces?)

Nat 0 (referencing an access-list) is usually used in VPN configs, to define the traffic going through the tunnel.
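The two replies above describe one procedure: pick a translation for the inside networks (an identity static so the public addresses are kept), permit the wanted inbound services in the ACL bound to the outside interface, and reserve nat 0 with an access-list for traffic that must not be translated at all, such as VPN traffic. The configuration below is an added example and is not from the original thread or from Cisco's documentation. It uses PIX 6.x-style syntax and RFC 5737 documentation addresses (203.0.113.0/24 and 198.51.100.0/24) as constructed stand-ins for the poster's Class C networks; the interface names, ACL names, host addresses, ports and the VPN peer network are all assumptions.

```text
! Interfaces: security levels decide the default direction of allowed traffic
! (100 = inside, most trusted; 0 = outside, least trusted). Assumed names.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 198.51.100.2 255.255.255.0
ip address inside 203.0.113.1 255.255.255.0

! Identity ("net") static: the whole inside Class C appears on the outside
! with its own addresses. Unlike nat 0 alone, a static is what lets the
! outside initiate connections to these hosts. 255.255.255.0 covers the /24;
! the trailing "0 0" leaves the connection and embryonic limits unbounded.
static (inside,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.0 0 0

! Inbound policy: lower (outside) to higher (inside) security is denied by
! default, so every allowed service is listed explicitly by destination
! public IP and port. Nothing else reaches the inside from the outside.
! (.10 = constructed web server, .20 = constructed mail server)
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in permit tcp any host 203.0.113.20 eq smtp
access-group outside_in in interface outside

! nat 0 with an access-list: exempt only the traffic headed into the VPN
! tunnel (constructed remote network 10.0.0.0/24) from translation. This
! does not by itself permit inbound connections; the static above does.
access-list nonat permit ip 203.0.113.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
```

After applying it, 'show xlate' should list the identity translations as connections are built, and 'show access-list' shows per-line hit counts for outside_in, which is a quick way to confirm that only the intended destination hosts and ports are being matched. Keep the outside ACL limited to the specific server addresses rather than the whole /24, since the static exposes every address in the subnet to whatever the ACL permits.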
