Cisco Support Community

New Member

NAT0 Command


The below is from Cisco Documentation. Can somebody explain this in an easy way?

"Note that the difference between using nat 0 with specifying network/mask as opposed to using an ACL that uses a network/mask that permits initiation of connections from inside only. The use of ACLs permits initiation of connections by inbound or outbound traffic. The PIX interfaces should be in different subnets to avoid reachability issues."

Thanks in advance.


New Member

Re: NAT0 Command

I'll try. Using the nat 0 w/ an address and mask, like:

nat (inside) 0

will allow all inside hosts in the above network to access hosts on any other lower security interface (outside for example). However, hosts on the outside would not be able to initiate a connection to a host on the inside 10/8 network. To do that, you'd need a "static" statement for the inside host that the outside would like to access (plus appropriate interface-level permissions). Also, in this case an xlate is built in the PIX's table. This is called Identity NAT.

However, with:

access-list test permit ip any

nat (inside) 0 access-list test

the PIX will allow all inside 10/8 hosts to access lower security interfaces, just like Identity NAT, but will also allow OUTSIDE (all lower security interface) hosts to access 10/8 on the inside WITHOUT a "static" command. Of course, based on (and only based on), appropriate interface-level permissions. Also, in this case, there is NO xlate built in the PIX's table. This is called NAT Exemption.
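
Added example, not part of the original reply or of Cisco's documentation: a small Python audit that reads a PIX configuration and separates the two `nat 0` forms described in the reply above, so the NAT exemption entries (where inbound access depends only on interface-level permissions) can be reviewed. The sample configuration, its addresses, and the ACL names `vpn` and `missing` are constructed assumptions.

```python
import re

# Constructed sample PIX config. All addresses and the ACL names "vpn" and
# "missing" are assumptions; the thread itself only mentions 10/8 and "test".
SAMPLE_CONFIG = """\
access-list test permit ip 10.0.0.0 255.0.0.0 any
access-list vpn permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list test
nat (dmz) 0 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list vpn
nat (dmz) 0 access-list missing
nat (inside) 1 0.0.0.0 0.0.0.0
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 (.+)$")


def classify_nat0(config):
    """Classify every 'nat (if) 0 ...' line as identity NAT or NAT exemption."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    acls = {}  # ACL name -> list of its entries (text after the name)
    for ln in lines:
        parts = ln.split()
        if parts[0] == "access-list" and len(parts) >= 3:
            acls.setdefault(parts[1], []).append(" ".join(parts[2:]))
    findings = []
    for ln in lines:
        m = NAT0_RE.match(ln)
        if not m:
            continue  # other NAT ids (e.g. "nat (inside) 1 ...") are ignored
        iface, args = m.group(1), m.group(2).split()
        if args[0] == "access-list" and len(args) == 2:
            # ACL form: per the reply, no xlate is built and lower-security hosts
            # can initiate inbound, gated only by interface-level permissions.
            findings.append({"interface": iface, "kind": "nat-exemption",
                             "inbound_without_static": True,
                             "scope": acls.get(args[1]),  # None = ACL undefined
                             "acl": args[1]})
        else:
            # network/mask form: outbound only; inbound still needs a static.
            findings.append({"interface": iface, "kind": "identity-nat",
                             "inbound_without_static": False,
                             "scope": [" ".join(args)], "acl": None})
    return findings


if __name__ == "__main__":
    for f in classify_nat0(SAMPLE_CONFIG):
        print(f["interface"], f["kind"], f["acl"] or "", f["scope"])
```

Each `nat-exemption` finding is a network whose inbound exposure should be checked against the interface ACLs; a `scope` of `None` marks a `nat 0` line that references an ACL the configuration never defines.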



New Member

Re: NAT0 Command

BTW, sorry, I didn't realize a co-worker had logged into this PC before I posted. So Gail didn't post that reply, I did.



New Member

Re: NAT0 Command

Thanks Mike!