https://community.cisco.com/t5/network-security/best-way-to-config-a-pix-without-nat/m-p/128804#M615146 <HTML><HEAD></HEAD><BODY><P>you need a static and an ACL for outside users to initiate a connection inside:</P><P>static(inside,outside) <HIGH> <HIGH></HIGH></HIGH></P><P>access-list 101 permit ip any <HIGH></HIGH></P><P></P><P>access-group 101 in interface outside</P><P></P></BODY></HTML> Fri, 19 Sep 2003 10:41:44 GMT atdhingr 2003-09-19T10:41:44Z https://community.cisco.com/t5/network-security/best-way-to-config-a-pix-without-nat/m-p/128800#M615139 <P>I have tried, "NAT (inside) 0 x.x.x.x 255.255.255.0"</P><P>it's working, but some how outside host cannot access anything behind the pix unless the inside machine start a session to outside first. </P><P>Any idea why this happen? is this normal?</P><P>any idea would be appreciate.</P> Fri, 21 Feb 2020 06:59:07 GMT https://community.cisco.com/t5/network-security/best-way-to-config-a-pix-without-nat/m-p/128800#M615139 tkpsimon 2020-02-21T06:59:07Z https://community.cisco.com/t5/network-security/best-way-to-config-a-pix-without-nat/m-p/128801#M615141 <HTML><HEAD></HEAD><BODY><P>That is normal - you need to write an access list to open ports, and apply it to the outside interface</P></BODY></HTML> Wed, 10 Sep 2003 15:36:15 GMT https://community.cisco.com/t5/network-security/best-way-to-config-a-pix-without-nat/m-p/128801#M615141 mostiguy 2003-09-10T15:36:15Z https://community.cisco.com/t5/network-security/best-way-to-config-a-pix-without-nat/m-p/128802#M615142 <HTML><HEAD></HEAD><BODY><P>Thanks for your reply, </P><P>actually i already have ACL apply on the outside interface, let set permit icmp any any. But problem still happen to be that way, always require inside host to initial traffic, then outside can access. </P><P></P><P>I understand this is not a big of issue, but for web server, it's kind of annoying. We always need to send out icmp to outside. </P></BODY></HTML> Wed, 10 Sep 2003 15:42:14 GMT https://community.cisco.com/t5/network-security/best-way-to-config-a-pix-without-nat/m-p/128802#M615142 tkpsimon 2003-09-10T15:42:14Z https://community.cisco.com/t5/network-security/best-way-to-config-a-pix-without-nat/m-p/128803#M615143 <HTML><HEAD></HEAD><BODY><P>You need to a nat 0 rule with an access-list for this to work.</P><P></P><P>For example:</P><P></P><P>nat 0 (inside) access-list no-nat</P><P></P><P>access-list no-nat permit ip 10.10.0.0 255.255.0.0</P><P></P><P></P><P></P></BODY></HTML> Thu, 18 Sep 2003 14:39:22 GMT https://community.cisco.com/t5/network-security/best-way-to-config-a-pix-without-nat/m-p/128803#M615143 r.sneekes 2003-09-18T14:39:22Z https://community.cisco.com/t5/network-security/best-way-to-config-a-pix-without-nat/m-p/128804#M615146 <HTML><HEAD></HEAD><BODY><P>you need a static and an ACL for outside users to initiate a connection inside:</P><P>static(inside,outside) <HIGH> <HIGH></HIGH></HIGH></P><P>access-list 101 permit ip any <HIGH></HIGH></P><P></P><P>access-group 101 in interface outside</P><P></P></BODY></HTML> Fri, 19 Sep 2003 10:41:44 GMT https://community.cisco.com/t5/network-security/best-way-to-config-a-pix-without-nat/m-p/128804#M615146 atdhingr 2003-09-19T10:41:44Z