cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
561
Views
0
Helpful
4
Replies

Best way to config a PIX without NAT

tkpsimon
Level 1
Level 1

I have tried, "NAT (inside) 0 x.x.x.x 255.255.255.0"

it's working, but some how outside host cannot access anything behind the pix unless the inside machine start a session to outside first.

Any idea why this happen? is this normal?

any idea would be appreciate.

4 Replies 4

mostiguy
Level 6
Level 6

That is normal - you need to write an access list to open ports, and apply it to the outside interface

Thanks for your reply,

actually i already have ACL apply on the outside interface, let set permit icmp any any. But problem still happen to be that way, always require inside host to initial traffic, then outside can access.

I understand this is not a big of issue, but for web server, it's kind of annoying. We always need to send out icmp to outside.

You need to a nat 0 rule with an access-list for this to work.

For example:

nat 0 (inside) access-list no-nat

access-list no-nat permit ip 10.10.0.0 255.255.0.0

atdhingr
Level 1
Level 1

you need a static and an ACL for outside users to initiate a connection inside:

static(inside,outside)

access-list 101 permit ip any

access-group 101 in interface outside

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: