Cisco Support Community
no nat and use of static/nat 0 on PIX

Hi,

I have a scenario where I don't want to do any address translation. Is it sufficient to use only a static command e.g.:

static (inside,outside) 10.40.2.0 10.40.2.0 netmask 255.255.255.0 0 0

for traffic both ways (outside to inside, inside to outside) ?

or do I also need a:

nat (inside) 0 10.40.2.0 255.255.255.0 0 0

to let traffic out (inside to outside)?

regards rolf

3 REPLIES

Re: no nat and use of static/nat 0 on PIX

Hi, by default the PIX doesn't perform any kind of NAT or filtering (from the inside to the outside), so I guess you don't have to configure any of those lines.

Have you tried the communications without those lines?

Regards!

Re: no nat and use of static/nat 0 on PIX

Hi,

For allowing traffic both ways you need to configure two things:

First, you need a translation command for the translation of the internal addresses to the outside addresses (even if you don't want translation of the source addresses).

Dynamic translation:

nat (inside) 0 10.40.2.0 255.255.255.0 0 0

This command allows traffic passing through the firewall from inside to outside. Also, responses to valid requests are allowed back in.

The second thing you have to do:

If you want to allow sessions initiated from the outside to the inside, you have to configure access-lists. Find the syntax of the access-list command on this page:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid7

If you still have questions, let me know.

Kind Regards,

Tom


Re: no nat and use of static/nat 0 on PIX

Hi,

I did some tests myself, and here is what I found:

It IS sufficient to use only a static command, e.g.:

static (inside,outside) 10.40.2.0 10.40.2.0 netmask 255.255.255.0 0 0

for traffic both ways (outside to inside, inside to outside).

However, the best way to disable NAT is the following:

access-list no_nat permit ip any any

nat (inside) 0 access-list no_nat

This will allow traffic both ways not to be NAT'ed. The

nat (inside) 0 10.40.2.0 255.255.255.0 0 0

command will only handle traffic inside to outside.

regards rolf
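To put the three variants discussed in Tom's reply and in rolf's follow-up side by side, here is an added example configuration fragment in PIX 6.x syntax. It is not from the original posts or from Cisco documentation; the interface names and addresses, the ACL name `outside_in`, the host 10.40.2.10 and the next-hop 192.0.2.254 are assumptions for illustration (the ACL name `no_nat` is reused from the thread).

```cisco
! Added example, not from the thread. PIX 6.x syntax; addresses are illustrative.
! Goal: pass 10.40.2.0/24 through the firewall with no address translation in
! either direction, while still controlling what the outside may initiate.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.40.2.1 255.255.255.0

! Option A: identity NAT (dynamic). Only inside-initiated connections get an
! xlate; the outside cannot open sessions to 10.40.2.0/24 with this alone.
! nat (inside) 0 10.40.2.0 255.255.255.0 0 0

! Option B: identity static. Bidirectional, untranslated mapping for the
! whole /24; inbound sessions still have to be permitted by an ACL.
! static (inside,outside) 10.40.2.0 10.40.2.0 netmask 255.255.255.0 0 0

! Option C (used here): NAT exemption. Scoped to the subnet rather than
! "permit ip any any", so only this traffic bypasses translation.
access-list no_nat permit ip 10.40.2.0 255.255.255.0 any
nat (inside) 0 access-list no_nat

! Inbound policy: whichever option is used, nothing initiated from the
! lower-security outside interface reaches the inside until an access-group
! permits it. PIX 6.x ACLs take a subnet mask here, not a wildcard mask.
access-list outside_in permit tcp any host 10.40.2.10 eq 80
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Because no outside address is substituted for the real one, the outside
! router must have a route for 10.40.2.0/24 pointing at 192.0.2.1.
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1

! After changing nat/static lines, drop existing translations and verify:
! clear xlate
! show nat
! show static
! show xlate
! show access-list
```

The practical difference between the options is who may initiate: option A is one-way (inside out, replies back), options B and C both admit outside-initiated sessions, but only for what `outside_in` permits. Keep the exemption ACL and the inbound ACL as narrow as the design allows; a `permit ip any any` in `no_nat` turns off translation for every inside host, which is rarely what is wanted on a firewall that also protects other subnets.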
