Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Silver

Using "nat 0 access-list" and statics

I have a configuration where NAT is disabled between an inside and an outside interface, using the "nat (inside) 0 access-list" command. If I apply an ACL to the outside interface which permits access to resources on the inside interface, then it appears that a no-nat "static" is not required, e.g. static (inside,outside) a.b.c.d a.b.c.d. Normally, a static (alongside an ACL entry) is required for traffic flowing from a lower security interface to a higher security interface. Should a static really be defined in this configuration, if to provide a embryonic connection limit?

3 REPLIES

Re: Using "nat 0 access-list" and statics

Yes, you will still need the static command. Security levels haven't changed. Outside still needs to get to inside. Adaptive Security remains in effect with the nat 0 command. See link: http://www.cisco.com/warp/public/707/28.html#dis

eg

nat (inside) 0 209.165.201.0 255.255.255.224 (or use an acl)

static (inside, outside) 209.165.201.0 209.165.201.0 netmask 255.255.255.224

access-list acl_out permit host 10.0.0.1 209.165.201.0 255.255.255.224 eq ftp

access-group acl_out in interface outside

Steve

Silver

Re: Using "nat 0 access-list" and statics

I agree that, according to the basic operation of a PIX, a static would be required for traffic from a lower security interface (outside) to a higher security interface (inside), irrespective of whether NAT is in operation or not. However, I have this working without statics.

However, I have just looked again at the documentation for the "static" command, and it states: "For an external host to initiate traffic to an inside host, a static translation rule needs to exist for the inside host; this can also be done using a nat 0 access-list address translation rule. Without the persistent translation rule, the translation cannot occur."

This seems to imply that "nat 0 access-list" effectively creates the xlates which statics would otherwise do when NAT is enabled. In this situation does the addition of the static allow a connection limit to be enforced?

Re: Using "nat 0 access-list" and statics

I just found that link that you quoted. All the examples I find are with statics, but they do indeed mention the acl can do used instead. As for limiting the number of connections, static is one way to do it.

The nat command:

nat [(if_name)] id address [netmask [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit [em_limit]]]

has conn/em limit, try nat 0 with it. I will try it Monday at work to see if it works.

Steve

225
Views
0
Helpful
3
Replies
CreatePlease to create content