
Using "nat 0 access-list" and statics

mmelbourne
Level 5

I have a configuration where NAT is disabled between an inside and an outside interface, using the "nat (inside) 0 access-list" command. If I apply an ACL to the outside interface which permits access to resources on the inside interface, then it appears that a no-NAT "static" is not required, e.g. static (inside,outside) a.b.c.d a.b.c.d. Normally, a static (alongside an ACL entry) is required for traffic flowing from a lower security interface to a higher security interface. Should a static really be defined in this configuration, if only to provide an embryonic connection limit?

3 Replies

steve.barlow
Level 7

Yes, you will still need the static command. Security levels haven't changed. Outside still needs to get to inside. Adaptive Security remains in effect with the nat 0 command. See link: http://www.cisco.com/warp/public/707/28.html#dis

e.g.

nat (inside) 0 209.165.201.0 255.255.255.224 (or use an acl)

static (inside,outside) 209.165.201.0 209.165.201.0 netmask 255.255.255.224

access-list acl_out permit tcp host 10.0.0.1 209.165.201.0 255.255.255.224 eq ftp

access-group acl_out in interface outside

Steve

I agree that, according to the basic operation of a PIX, a static would be required for traffic from a lower security interface (outside) to a higher security interface (inside), irrespective of whether NAT is in operation or not. However, I have this working without statics.

However, I have just looked again at the documentation for the "static" command, and it states: "For an external host to initiate traffic to an inside host, a static translation rule needs to exist for the inside host; this can also be done using a nat 0 access-list address translation rule. Without the persistent translation rule, the translation cannot occur."

This seems to imply that "nat 0 access-list" effectively creates the xlates which statics would otherwise do when NAT is enabled. In this situation does the addition of the static allow a connection limit to be enforced?

I just found the link that you quoted. All the examples I find are with statics, but they do indeed mention that the ACL can be used instead. As for limiting the number of connections, a static is one way to do it.

The nat command:

nat [(if_name)] id address [netmask [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit [em_limit]]]

has conn/em limits, so try nat 0 with them. I will try it Monday at work to see if it works.

Steve
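The following PIX 6.x configuration fragment is an added example to tie the thread together; it is not from either poster. It combines the "nat 0 access-list" exemption the original poster is using with an identity static that carries the max_conns and emb_limit values the static command accepts, so the connection and embryonic limits are enforced on connections initiated from the outside. The addresses reuse the 209.165.201.0/27 inside block and the 10.0.0.1 outside host from Steve's example; the ACL name nonat and the limit values 100 and 50 are assumptions chosen for illustration.

```text
! Added example, not from the thread. PIX 6.x syntax; lines beginning with "!" are comments.

! Exempt the inside block from translation for any destination (identity NAT via ACL).
! Assumed ACL name: nonat
access-list nonat permit ip 209.165.201.0 255.255.255.224 any
nat (inside) 0 access-list nonat

! Identity static (same address on both sides) so outside-initiated traffic
! to the block is allowed and limited: max_conns 100, emb_limit 50 (assumed values).
static (inside,outside) 209.165.201.0 209.165.201.0 netmask 255.255.255.224 100 50

! Permit the outside host to reach FTP on the inside block, then bind the ACL inbound.
access-list acl_out permit tcp host 10.0.0.1 209.165.201.0 255.255.255.224 eq ftp
access-group acl_out in interface outside
```

Two points to check after applying it: "show xlate" should list the identity translations once an outside host has connected, and the limits on the static apply to connections arriving from the lower security side, which is the direction the original question is about. The conn_limit and em_limit arguments of the nat command, by contrast, govern connections that the inside hosts initiate outbound, so they are not a substitute for the limits on the static if the concern is inbound embryonic connections.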