I put the nat (outside) 0 0 0 command into a 506e running 6.1(4) and added an access-list to restrict inbound traffic, and it appears to be working. I thought the only way into a PIX from the outside was to use a static and an access-list? Can someone confirm that this works, or am I losing it?
My understanding of the nat 0 command is that it defines a nat bypass rule. IOW, the traffic will still require ACLs, but will not use the NAT architecture of the PIX.
I have seen this in cases where traffic from one security zone does not require address translation when traversing the pix into another security zone. An example would be traffic traversing the pix between two internal networks, or between an internal network and a service network (aka DMZ).
I agree that nat 0 can be used in "internal" networks where you do not want address translation. But I thought that the "outside" to inside connections needed a static command and whatever ACL you want to restrict the incoming traffic. Has anyone else used the nat (outside) 0 command successfully?
Interesting. Do you have any static or nat 0 statements for the hosts you're accessing from the outside? I don't think the nat (outside) 0 statement is actually doing anything. The ACL is really providing the access.
I've created access for hosts before by using the nat (dmz) 0 command and an ACL on the outside. The problem is that this only works when the host has initiated a session going out so that the PIX sees it in the translation table. When the xlate times out, outside sources can no longer access the host/service regardless of the ACL. That's what the [static] command is really for: to permanently make that translation in the table for access.
Any host can be accessed by an ACL as long as it has an active translation, even if it is done dynamically as in nat (inside) 1 / global 1. I've created temporary access for inside hosts already NATted (not PATted) using an ACL on the outside.
I don't want to use NAT anywhere, therefore I have a nat (inside) 0 0 0 entry, and the outside hosts are using 8080 via the ACL on the outside to access the inside host. There were some pings from the inside host to the outside hosts, so I presume this is why the hosts on the outside were getting access to the inside machine. I take it that I will have to enter a static on the outside after all. I presume the following would do?
static (inside,outside) inside-host-ip inside-host-ip netmask 255.255.255.255
You can do this if you want all inside hosts to access the outside "without" NAT.
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
This actually goes through the NAT algorithm/process but the address is NATted back to itself. This statement allows all hosts on the 192.168.1.0/24 network to access the outside with the same IP.
If you did this:
static (inside,outside) 192.168.255.0 192.168.1.0 netmask 255.255.255.0
All hosts on 192.168.1.0/24 would be NATted to 192.168.255.0/24 network retaining the same last octet. So 192.168.1.7 becomes 192.168.255.7, etc.
If you only want a few hosts to have access, then use static statements calling specific IP addresses with a netmask of 255.255.255.255.
If you want to bypass the NAT engine (that is, not use nat/static at all) then you can add these two lines on the PIX.
access-list no-nat permit ip any any
nat (inside) 0 access-list no-nat
Now the question is how this is different from nat (inside) 0. Well, with nat (inside) 0, outbound traffic would be fine, but for an inbound connection there needs to be a translation, i.e., you have to have a ping or something going on from inside to outside. So you will see that when you execute "clear xlate" or reboot the PIX, the outside can no longer communicate.
But if you choose the access-list option of no-nat, then traffic can be initiated in both directions, that is, the PIX will entirely bypass the NAT engine, and you will not require any static.
I hope this helps !
What I am really trying to do is to allow two hosts (a.a.a.a) and (b.b.b.b) on the outside to access a host (c.c.c.c) on the inside interface, using an access-list on the outside to restrict which ports have access to (c.c.c.c). I am using nat (inside) 0 0 0 on the inside interface because I do not want translation, but I have no access-list on the inside, and therefore by default all traffic is allowed out.
My query really is, what command do I use to set up a static, which I understand I need to allow access from the outside hosts a.a.a.a and b.b.b.b to the server c.c.c.c on the inside? Is the following correct?
static (inside,outside) c.c.c.c c.c.c.c netmask 255.255.255.255
access-list acl_out permit tcp host a.a.a.a host c.c.c.c eq 8080
Sorry for the late response... Yes, in that case your config looks good and that should be the best method to apply (static one-to-one translation), as you just want to access a single host, that is c.c.c.c. Thanks,
You've pretty much got it.
static (inside,outside) c.c.c.c c.c.c.c netmask 255.255.255.255
access-list acl_out permit tcp host a.a.a.a host c.c.c.c eq 8080
access-list acl_out permit tcp host b.b.b.b host c.c.c.c eq 8080
You may need to clear the translations if the host was already being NATted.
clear xlate local c.c.c.c
Also note that this host will not be NATted at all when going outside now. This means it won't be able to get out to the Internet unless the inside addresses are public. Instead you could NAT the host to a public IP. This won't be a security problem as the ACL is still going to restrict who and how hosts can connect to the inside host.
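Pulling the thread together, here is an added example of the complete PIX 6.x configuration for this case. It is not from any of the posts above: a.a.a.a and b.b.b.b stand for the two outside clients and c.c.c.c for the inside server, as in the question, and lines beginning with ":" are annotations for the reader, not commands. The one piece the earlier posts leave out is the access-group line: an access-list that is never bound to an interface filters nothing.

```text
: Identity static: c.c.c.c is reachable from the outside as c.c.c.c and
: the translation is permanent, so it survives "clear xlate" and reboots.
static (inside,outside) c.c.c.c c.c.c.c netmask 255.255.255.255

: Inbound policy: only the two named hosts, only TCP/8080.
: Everything else arriving on the outside interface hits the implicit deny.
access-list acl_out permit tcp host a.a.a.a host c.c.c.c eq 8080
access-list acl_out permit tcp host b.b.b.b host c.c.c.c eq 8080

: Bind the ACL inbound on the outside interface; without this line the
: access-list entries above are never evaluated.
access-group acl_out in interface outside

: Alternative described earlier in the thread: exempt the server from the
: NAT engine entirely with a policy nat 0. Connections can then be initiated
: in either direction subject only to the ACLs. Use this OR the static for
: c.c.c.c, not both.
: access-list no-nat permit ip host c.c.c.c any
: nat (inside) 0 access-list no-nat

: Drop any stale dynamic translation so the static takes effect at once.
clear xlate local c.c.c.c

: Checks: the static appears as a permanent xlate, and hit counts on acl_out
: should climb only for the two permitted source hosts.
show xlate
show access-list
```

With either variant the inside host's address is exposed unchanged on the outside, so the inbound ACL is the only thing standing between the Internet and port 8080 on c.c.c.c; keep the ACL to the specific sources and ports that are actually needed rather than "any".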
The nat 0 command has almost the same effect as the static command when it is used as follows:
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
In the previous example, 192.168.1.0 is the internal network. The 192.168.1.0 network is translated to itself; in other words, the addresses are not translated. This is called a 'net static'.
So you are not losing it, since the nat 0 command is similar to the net static command :-)