The below is from Cisco Documentation. Can somebody explain this in an easy way?
"Note that the difference between using nat 0 with specifying network/mask as opposed to using an ACL that uses a network/mask that permits initiation of connections from inside only. The use of ACLs permits initiation of connections by inbound or outbound traffic. The PIX interfaces should be in different subnets to avoid reachability issues."
I'll try. Using the nat 0 w/ an address and mask, like:
nat (inside) 0 10.0.0.0 255.0.0.0
will allow all inside hosts in the above network to access hosts on any other lower security interface (outside, for example). However, hosts on the outside would not be able to initiate a connection to a host on the inside 10/8 network. To do that, you'd need a "static" statement for the inside host that the outside would like to access (plus appropriate interface-level permissions). Also, in this case an xlate is built in the PIX's table. This is called Identity NAT.
access-list test permit ip 10.0.0.0 255.0.0.0 any
nat (inside) 0 access-list test
the PIX will allow all inside 10/8 hosts to access lower security interfaces, just like Identity NAT, but will also allow OUTSIDE (all lower security interface) hosts to access 10/8 on the inside WITHOUT a "static" command. Of course, based on (and only based on) appropriate interface-level permissions. Also, in this case, there is NO xlate built in the PIX's table. This is called NAT Exemption.
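To make the difference concrete, here is an added configuration example (not from the original post or from Cisco's documentation) showing the two forms side by side on a PIX 6.x-style configuration. The inside 10.0.0.0/8 network and the `nat (inside) 0` lines come from the answer above; the inside host 10.1.1.10, the ACL names `nonat` and `outside_in`, the interface names `inside`/`outside` and the TCP/443 service are assumptions chosen for illustration.

```cisco
! --- Form 1: Identity NAT (nat 0 with network/mask) ---
! Inside 10/8 hosts may initiate connections to lower-security
! interfaces; an xlate is built for each one. Outside hosts can NOT
! initiate connections inbound from this line alone.
nat (inside) 0 10.0.0.0 255.0.0.0

! To let the outside reach one inside host (hypothetical 10.1.1.10),
! you still need a "static" for that host AND an inbound interface ACL.
static (inside,outside) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 10.1.1.10 eq 443
access-group outside_in in interface outside

! --- Form 2: NAT Exemption (nat 0 with an access-list) ---
! Matching traffic is exempt from translation in BOTH directions and no
! xlate is built. No "static" is needed for inbound-initiated sessions;
! the only control is the interface ACL.
access-list nonat permit ip 10.0.0.0 255.0.0.0 any
nat (inside) 0 access-list nonat

! Interface ACL is still what decides which inbound sessions are allowed.
access-list outside_in permit tcp any host 10.1.1.10 eq 443
access-group outside_in in interface outside
```

The practical check after applying either form is `show xlate` once an inside host has opened a connection: with Form 1 you see an entry for that host, with Form 2 you see none. The security point is that with NAT exemption the interface ACL is the only thing standing between the outside and the exempted inside addresses, so it should be written as narrowly as the traffic requires rather than `permit ip any any`.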