Let's say I've got a PIX with four interfaces, Inside, Outside, DMZ1 and DMZ2. All IPs on all interfaces are routable, there is *NO* NAT or translation anywhere, in any direction. For this example, I use Subnet1 and Subnet2 to represent my address space. Is this what I need:
A much easier way to do this is with an ACL + NAT 0 statements (also referred to as NAT bypass):
access-list nonat permit ip subnet1 255.255.255.0 any
access-list nonat permit ip subnet2 255.255.255.0 any
nat (dmz1) 0 access-list nonat
nat (dmz2) 0 access-list nonat
nat (inside) 0 access-list nonat
You do not need to bind this to the outside interface, but if someone from the internet had to get to your mail server on DMZ1, then you would need to write an ACL permitting that traffic. Same if you are going from DMZ1 to DMZ2 (assuming DMZ2 is a higher interface).
Also note, with the 'nat' statement the interface refers to traffic inbound to it.
Your 'static (higher, lower)' is correct though.
When you have the choice between the two, you should always use an ACL + NAT 0 vs statics. Statics leave a perm. entry in the xlate table which can eat up resources if you have enough of them.
Thanks for that response. I can pose the question a different way now. If I'm doing no NAT at all, I don't need any 'static' commands, do I? I just need 'nat' commands, correct? (Cisco does not win the Intuitive Award here...)
If this is the configuration, should the source address be a public address (not 10.*.*.*)? Since we are using nat 0.
access-list test permit ip 10.0.0.0 255.0.0.0 any
nat (inside) 0 access-list test
The PIX will allow all inside 10/8 hosts to access lower security interfaces, just like Identity NAT, but will also allow OUTSIDE (all lower security interface) hosts to access 10/8 on the inside WITHOUT a "static" command. Of course, based on (and only on) appropriate interface-level permissions.
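To make the difference between the ACL + nat 0 answer above and plain identity NAT concrete, here is an added model (not code from this thread or from Cisco) of how a PIX under nat-control decides whether a new flow may be built. Interface names, security levels (DMZ2 above DMZ1, as the answer assumes), the 10.1.x.0/24 subnets and the 203.0.113.9 remote host are all constructed, and PIX "address mask" syntax is written as CIDR.

```python
import ipaddress

SECURITY = {"inside": 100, "dmz2": 60, "dmz1": 50, "outside": 0}  # assumed levels

def net(s):
    """'any' or CIDR -> network; the PIX 'addr mask' form is written as CIDR here."""
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)

class Pix:
    def __init__(self):
        self.acls = {}          # name -> [(src_net, dst_net)]   access-list NAME permit ip SRC DST
        self.nat0_acl = {}      # iface -> ACL name              nat (iface) 0 access-list NAME
        self.identity = []      # (iface, net)                   nat (iface) 0 NET   (identity NAT)
        self.statics = []       # (high_if, low_if, net)         static (high,low) NET NET
        self.access_group = {}  # iface -> ACL name              access-group NAME in interface iface

    def access_list(self, name, src, dst):
        self.acls.setdefault(name, []).append((net(src), net(dst)))

    def _match(self, name, src, dst):
        return any(src in s and dst in d for s, d in self.acls.get(name, []))

    def translation_ok(self, in_if, src, out_if, dst):
        """nat-control: a new flow needs an xlate, a static or a NAT exemption."""
        if SECURITY[in_if] > SECURITY[out_if]:    # higher -> lower (outbound)
            return (self._match(self.nat0_acl.get(in_if), src, dst)
                    or any(i == in_if and src in n for i, n in self.identity)
                    or any(h == in_if and l == out_if and src in n for h, l, n in self.statics))
        # lower -> higher (inbound): identity NAT never qualifies. NAT exemption lists the
        # real (higher-side) address as ACL source, so the flow is matched with src/dst swapped.
        return (self._match(self.nat0_acl.get(out_if), dst, src)
                or any(h == out_if and l == in_if and dst in n for h, l, n in self.statics))

    def flow_ok(self, in_if, src, out_if, dst):
        """Translation check plus the interface ACL that lower-to-higher traffic also needs."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not self.translation_ok(in_if, src, out_if, dst):
            return False
        if SECURITY[in_if] < SECURITY[out_if]:
            return self._match(self.access_group.get(in_if), src, dst)
        return True

def build_example():
    """The answer's ACL + nat 0 config (constructed 10.1.x.0/24 subnets, no statics),
    plus the outside ACL the answer says a DMZ1 mail server would need."""
    p = Pix()
    p.access_list("nonat", "10.1.1.0/24", "any")   # subnet1 (inside)
    p.access_list("nonat", "10.1.2.0/24", "any")   # subnet2 (dmz1)
    for iface in ("inside", "dmz1", "dmz2"):
        p.nat0_acl[iface] = "nonat"
    p.access_list("outside_in", "any", "10.1.2.25/32")   # mail server on DMZ1
    p.access_group["outside"] = "outside_in"
    return p
```

With this config an outside host can reach the DMZ1 mail server without any static, but only through the outside interface ACL; replacing the nat 0 access-list with identity NAT keeps outbound working and makes the same inbound flow fail at the translation check.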