topic PIX NO-NAT-Control in Network Security https://community.cisco.com/t5/network-security/pix-no-nat-control/m-p/980974#M938274 <P> have pix firewall 535 with IOS 7.x version. I have enable it with no-nat-control, to my understanding with this no-nat-control traffic from higher secuirty level to lower secuirty level allowed if there is no access-list. But from low to high still need of static and access-list. But in my case traffic from low to high is permitted without static. My outside network users are able to reach inside network without static. </P><P></P><P>Please tell me why it is so, why low to high permitted without static or is it the normal behaviour. </P><P></P> Mon, 11 Mar 2019 12:40:05 GMT wasiimcisco 2019-03-11T12:40:05Z PIX NO-NAT-Control https://community.cisco.com/t5/network-security/pix-no-nat-control/m-p/980974#M938274 <P> have pix firewall 535 with IOS 7.x version. I have enable it with no-nat-control, to my understanding with this no-nat-control traffic from higher secuirty level to lower secuirty level allowed if there is no access-list. But from low to high still need of static and access-list. But in my case traffic from low to high is permitted without static. My outside network users are able to reach inside network without static. </P><P></P><P>Please tell me why it is so, why low to high permitted without static or is it the normal behaviour. </P><P></P> Mon, 11 Mar 2019 12:40:05 GMT https://community.cisco.com/t5/network-security/pix-no-nat-control/m-p/980974#M938274 wasiimcisco 2019-03-11T12:40:05Z Re: PIX NO-NAT-Control https://community.cisco.com/t5/network-security/pix-no-nat-control/m-p/980975#M938276 <HTML><HEAD></HEAD><BODY><P>with "no nat-control", IP addresses on a higher security level interface do not need any sort of nat translation to go to a lower security level interface. This has nothing to do with ACL's (unless you're talking about policy NAT). </P><P>IP's on a lower security level interface never need a NAT translation entry to go to a higher security level interface.</P><P></P><P>If "nat-conrol" is enabled, IP's on a higher security level interface need some sort of NAT statement when going to a lower security level interface. </P><P></P><P>Things get even fuzzier with regards to same security level interfaces.</P></BODY></HTML> Mon, 05 May 2008 12:13:44 GMT https://community.cisco.com/t5/network-security/pix-no-nat-control/m-p/980975#M938276 srue 2008-05-05T12:13:44Z