I have a configuration where NAT is disabled between an inside and an outside interface, using the "nat (inside) 0 access-list" command. If I apply an ACL to the outside interface which permits access to resources on the inside interface, then it appears that a no-nat "static" is not required, e.g. static (inside,outside) a.b.c.d a.b.c.d. Normally, a static (alongside an ACL entry) is required for traffic flowing from a lower security interface to a higher security interface. Should a static really be defined in this configuration, if only to provide an embryonic connection limit?
I agree that, according to the basic operation of a PIX, a static would be required for traffic from a lower security interface (outside) to a higher security interface (inside), irrespective of whether NAT is in operation or not. However, I have this working without statics.
However, I have just looked again at the documentation for the "static" command, and it states: "For an external host to initiate traffic to an inside host, a static translation rule needs to exist for the inside host; this can also be done using a nat 0 access-list address translation rule. Without the persistent translation rule, the translation cannot occur."
This seems to imply that "nat 0 access-list" effectively creates the xlates which statics would otherwise do when NAT is enabled. In this situation does the addition of the static allow a connection limit to be enforced?
I just found that link that you quoted. All the examples I find are with statics, but they do indeed mention the ACL can be used instead. As for limiting the number of connections, static is one way to do it.
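The configuration discussed in this thread, written out as an added example (not posted by anyone in the thread): NAT exemption for an inside host, an identity static for the same host carrying connection limits, and the outside ACL that actually permits the inbound traffic. PIX 6.x static syntax is assumed (local_ip netmask mask max_conns emb_limit); the addresses, ACL names and limits are constructed.

```cisco
! Added example, not from the original thread. PIX 6.x syntax assumed;
! addresses, ACL names and limit values are constructed.
!
! Inside host 10.1.1.10 keeps its real address when reached from outside.
access-list NONAT permit ip host 10.1.1.10 any
nat (inside) 0 access-list NONAT
!
! Identity static for the same host: gives the outside a persistent
! translation to use and caps the host at 500 total connections and
! 100 embryonic (half-open) TCP connections.
!   static (real_if,mapped_if) mapped_ip real_ip netmask mask max_conns emb_limit
static (inside,outside) 10.1.1.10 10.1.1.10 netmask 255.255.255.255 500 100
!
! The outside ACL still decides what lower-to-higher security traffic is allowed.
access-list OUTSIDE_IN permit tcp any host 10.1.1.10 eq www
access-group OUTSIDE_IN in interface outside
```

On ASA 7.x and later, NAT exemption (nat 0 access-list) takes precedence over static translations, so a host matched by the exemption ACL may never hit the static and its limits; check which rule a live connection actually used with show xlate and show conn before relying on the embryonic limit.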