https://community.cisco.com/t5/network-security/no-nat-and-use-of-static-nat-0-on-pix/m-p/121203#M622644 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>for allowing traffic both ways you need to configure two things:</P><P></P><P>first you needs a translation command of the translation of the internal addresses to the outside addresses (even if you don't want translation of the source addresses). </P><P></P><P>dynamic translation:</P><P>nat (inside) 0 10.40.2.0 255.255.255.0 0 0 </P><P></P><P>This command allows traffic passing through the firewall from inside to outside. Also responses to valid requests are allowed back in.</P><P></P><P>The second thing you have to do:</P><P>if you want to allow sessions initiated from the outside to the inside, you have to configure access-lists. Find the syntax of the access-list command on this page:</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid7" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid7</A></P><P></P><P>If you still have questions, let me know.</P><P></P><P>Kind Regards,</P><P>Tom</P><P></P><P></P><P></P></BODY></HTML> Sat, 23 Nov 2002 13:04:48 GMT tvanginneken 2002-11-23T13:04:48Z https://community.cisco.com/t5/network-security/no-nat-and-use-of-static-nat-0-on-pix/m-p/121201#M622596 <P>Hi,</P><P></P><P>I have a scenario where I don't want to do any address translation. Is it sufficient to use only a static command e.g.:</P><P></P><P>static (inside,outside) 10.40.2.0 10.40.2.0 netmask 255.255.255.0 0 0</P><P></P><P>for traffic both ways (outside to inside, inside to outside) ? </P><P></P><P>or do I also need a:</P><P></P><P>nat (inside) 0 10.40.2.0 255.255.255.0 0 0</P><P></P><P>to let traffic out (inside to outside)?</P><P></P><P>regards rolf</P><P></P><P></P> Fri, 21 Feb 2020 06:23:41 GMT https://community.cisco.com/t5/network-security/no-nat-and-use-of-static-nat-0-on-pix/m-p/121201#M622596 lunestadr 2020-02-21T06:23:41Z https://community.cisco.com/t5/network-security/no-nat-and-use-of-static-nat-0-on-pix/m-p/121202#M622618 <HTML><HEAD></HEAD><BODY><P>Hi, by default the PIX doesn't perform any kind of NAT or filtering (from the inside to the outside) so i guess you don't have to configure any of those lines.</P><P>Have you tried the communications without those lines?</P><P></P><P>Regards!</P></BODY></HTML> Fri, 22 Nov 2002 16:40:44 GMT https://community.cisco.com/t5/network-security/no-nat-and-use-of-static-nat-0-on-pix/m-p/121202#M622618 pferraz 2002-11-22T16:40:44Z https://community.cisco.com/t5/network-security/no-nat-and-use-of-static-nat-0-on-pix/m-p/121203#M622644 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>for allowing traffic both ways you need to configure two things:</P><P></P><P>first you needs a translation command of the translation of the internal addresses to the outside addresses (even if you don't want translation of the source addresses). </P><P></P><P>dynamic translation:</P><P>nat (inside) 0 10.40.2.0 255.255.255.0 0 0 </P><P></P><P>This command allows traffic passing through the firewall from inside to outside. Also responses to valid requests are allowed back in.</P><P></P><P>The second thing you have to do:</P><P>if you want to allow sessions initiated from the outside to the inside, you have to configure access-lists. Find the syntax of the access-list command on this page:</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid7" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid7</A></P><P></P><P>If you still have questions, let me know.</P><P></P><P>Kind Regards,</P><P>Tom</P><P></P><P></P><P></P></BODY></HTML> Sat, 23 Nov 2002 13:04:48 GMT https://community.cisco.com/t5/network-security/no-nat-and-use-of-static-nat-0-on-pix/m-p/121203#M622644 tvanginneken 2002-11-23T13:04:48Z https://community.cisco.com/t5/network-security/no-nat-and-use-of-static-nat-0-on-pix/m-p/121204#M622673 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I done some tests myself and here is what I found:</P><P></P><P>it IS sufficient to use only a static command e.g.: </P><P></P><P>static (inside,outside) 10.40.2.0 10.40.2.0 netmask 255.255.255.0 0 0 </P><P></P><P>for traffic both ways (outside to inside, inside to outside).</P><P></P><P>however, the best way to disable nat is the following:</P><P></P><P>access-list no_nat permit ip any any</P><P>nat (inside) 0 access-list no_nat</P><P></P><P>this will allow traffic both ways not to be nat'ed. The </P><P></P><P>nat (inside) 0 10.40.2.0 255.255.255.0 0 0 </P><P></P><P>command will only handle traffic inside to outside</P><P></P><P>regards rolf</P></BODY></HTML> Sun, 24 Nov 2002 08:51:41 GMT https://community.cisco.com/t5/network-security/no-nat-and-use-of-static-nat-0-on-pix/m-p/121204#M622673 lunestadr 2002-11-24T08:51:41Z