https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434835#M534682 <HTML><HEAD></HEAD><BODY><P>nat (outside) 0 is not needed.</P><P>with the other two nat () 0 statements, you are good to go</P><P></P><P>thanks</P><P>Nadeem</P></BODY></HTML> Sat, 30 Jul 2005 21:05:41 GMT nkhawaja 2005-07-30T21:05:41Z https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434834#M534681 <P>Hi,</P><P>I have PIX -ver. OS is 6.3(3)- with 3 interfaces: outside, inside and dmz.</P><P>PIX will be used in intranet without address translation. IP Address must be visible from any interface to any interface, no address translation is required.</P><P>For examlpe: Users will by on interface Ouside with IP range 10.0.0.0/8, servers will be on interace Inside (192.168.1.0/24) and other devices will be on interface dmz (172.16.0.0/16).</P><P> </P><P>So I created access-list: </P><P>access-list all-ip-packet permit ip any any </P><P>and use command nat 0:</P><P>nat (inside) 0 access-list all-ip-packet </P><P>nat (dmz) 0 access-list all-ip-packet </P><P></P><P>Question is:</P><P>Is it necessary to add row</P><P>nat (outside) 0 access-list all-ip-packet </P><P> or is possible to communicate from outside to inside (users to server)without this row?</P><P></P><P>Thanx</P><P>Peter</P> Fri, 21 Feb 2020 08:18:23 GMT https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434834#M534681 pslavkovsky 2020-02-21T08:18:23Z https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434835#M534682 <HTML><HEAD></HEAD><BODY><P>nat (outside) 0 is not needed.</P><P>with the other two nat () 0 statements, you are good to go</P><P></P><P>thanks</P><P>Nadeem</P></BODY></HTML> Sat, 30 Jul 2005 21:05:41 GMT https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434835#M534682 nkhawaja 2005-07-30T21:05:41Z https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434836#M534684 <HTML><HEAD></HEAD><BODY><P>Ok,</P><P>I tried it, it works but I do not understand why.</P><P></P><P>When packet goes from inside, PIX has this statement:</P><P>nat (inside) 0 access-list all-ip-packet </P><P></P><P>When packet goes from dmz, PIX has this statement:</P><P>nat (dmz) 0 access-list all-ip-packet </P><P></P><P>When packet goes from outside, PIX has no statement.</P><P>But It works. Can you explain it, please.</P><P></P><P>Thanks</P><P>Peter</P></BODY></HTML> Sun, 31 Jul 2005 04:33:17 GMT https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434836#M534684 pslavkovsky 2005-07-31T04:33:17Z https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434837#M534687 <HTML><HEAD></HEAD><BODY><P>Is there anybody who understanded address translation using "nat () 0 access-list" or everybody is on holiday ???</P><P></P><P>Peter</P></BODY></HTML> Mon, 01 Aug 2005 10:03:41 GMT https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434837#M534687 pslavkovsky 2005-08-01T10:03:41Z https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434838#M534692 <HTML><HEAD></HEAD><BODY><P>see this</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/warp/public/110/19.html" target="_blank">http://www.cisco.com/warp/public/110/19.html</A></P><P></P><P></P></BODY></HTML> Mon, 01 Aug 2005 15:17:54 GMT https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434838#M534692 nkhawaja 2005-08-01T15:17:54Z https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434839#M534696 <HTML><HEAD></HEAD><BODY><P>Thanks,</P><P>but this document does not respond my question.</P><P></P><P>Peter</P></BODY></HTML> Tue, 02 Aug 2005 05:13:42 GMT https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434839#M534696 pslavkovsky 2005-08-02T05:13:42Z https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434840#M534700 <HTML><HEAD></HEAD><BODY><P>Not sure what you are questioning, the communication or the translation. Communication between the different interfaces has more to do with the security levels than the NAT statements.</P></BODY></HTML> Tue, 02 Aug 2005 17:50:34 GMT https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434840#M534700 jeff.carr 2005-08-02T17:50:34Z https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434841#M534701 <HTML><HEAD></HEAD><BODY><P>One condition for working ASA is a address translation, and it must be set for case when address translation is not needed too. So It was created NAT exemption, I think.</P><P></P><P>For exapmle,</P><P>When I put access-list on outside interface "permit ip any any", I must set a address translation "nat 0 access list" if I want to communicate from outiside to inside however real address translation not doing.</P><P></P><P></P><P>My question is:</P><P>when I have </P><P>nat 0 (inside) access-list all_ip</P><P>nat 0 (dmz) access-list all_ip</P><P>access-list all_ip permit ip any any</P><P></P><P></P><P>and communication start on outside interface. Which row do not translate addreses of inbound packets?</P><P></P><P>I would wait a row </P><P>nat 0 (outside) access-list all_ip</P><P>but it is not needed. It works without this row.</P><P></P><P>Peter</P></BODY></HTML> Tue, 02 Aug 2005 18:12:33 GMT https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434841#M534701 pslavkovsky 2005-08-02T18:12:33Z https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434842#M534709 <HTML><HEAD></HEAD><BODY><P>i told you that if you just want to communicate from </P><P>inside to dmz or from dmz to inside, all you need is</P><P></P><P>nat (inside) 0 acl</P><P>or</P><P>static (inside,dmz) ip ip</P><P>or if you want only the communication to start from </P><P>inside and not from dmz you need</P><P>nat(inside) and global (dmz)</P><P></P><P>Remember there is not NAT (dmz) needed in either case. This is just the way it works.</P><P></P><P>now if you want to communicate from inside to outside and also from outside to inside</P><P>you need</P><P>nat (inside) 0 acl</P><P>or</P><P>static (inside,outside) ip ip</P><P></P><P>if u want communication from inside to outside only all you need is</P><P></P><P>nat(inside) and global (outside)</P><P></P><P>for dmz to outside communication </P><P>you need nat (dmz) 0 acl</P><P>static (dmz,outside)</P><P>or nat (dmz) and global outside</P><P></P><P>The RULE IS, you dont need translation from LOWER Security to HIGHER Security.</P><P></P><P>The exception to above rule is</P><P></P><P>-1 if you are using no nat-control feature in PIX 7.0</P><P></P><P>2- You still want to translate the outside IP adresses</P></BODY></HTML> Tue, 02 Aug 2005 20:35:00 GMT https://community.cisco.com/t5/network-security/pix-without-address-translation/m-p/434842#M534709 nkhawaja 2005-08-02T20:35:00Z