
Identity NAT - nat 0 with PIX firewall

augnevenok
Level 1

Hi,

As far as I understand nat 0 doesn't translate anything, the same IP appears on both sides of the firewall. This could be the case if we have registered IP addresses on the inside and outside.

If the packets just flow from one interface to another, what difference does it make compared with simple routing then? Wouldn't the packets flow without any nat 0 statements?

Thanks.

Kind regards,

Alex

2 Replies

atif.awan
Level 3

The difference is that your internal hosts are still protected by the firewall's adaptive security algorithm. Traffic from outside to inside is allowed only if there is a matching xlate entry.

As far as I know packets will not flow without you using some form of NAT or static statements.

Here are a few lines from my PIX config:

-------------------------------------

;PIX Version 6.3(5)

ip address outside 202.90.110.1 255.255.255.0

ip address inside 10.0.1.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 202.90.110.2 1

access-group acl_out in interface outside

access-list acl_out permit ip any interface outside

A host (202.90.110.2) from the outside network is able to access an FTP server on the inside network. There is no NAT at all and packets flow. Is this correct?

Then I removed the route statement and am still able to access the inside FTP from the outside host.

Please, someone comment or explain.

Another question. Do I need to save the configuration and then maybe restart the PIX for the config to become effective? In the above example I just removed the nat and static statements without saving the config.
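
The nat 0 and xlate behaviour discussed in this thread, as an added PIX 6.3 configuration example that is not part of any poster's config. The 198.51.100.0/24 network and the server address 198.51.100.10 are constructed placeholders; acl_out is the ACL name used in the thread.

```cisco
: Constructed example for PIX 6.3. 198.51.100.0/24 stands in for a
: registered inside network; replace it with the real one.

: (1) Identity NAT: inside hosts keep their own addresses. An xlate is
:     built only when an inside host sends traffic out, so outside hosts
:     cannot open new connections to the inside through this statement.
nat (inside) 0 198.51.100.0 255.255.255.0

: (2) Static identity translation: a permanent xlate for one server.
:     This is what lets an outside host start a connection to it, and
:     the ACL on the outside interface still has to permit the traffic.
static (inside,outside) 198.51.100.10 198.51.100.10 netmask 255.255.255.255
access-list acl_out permit tcp any host 198.51.100.10 eq ftp
access-group acl_out in interface outside

: (3) After adding or removing nat, global or static statements, the
:     translations already in the table stay there until they time out
:     or are cleared. Clear them, then confirm what is left.
clear xlate
show xlate

: (4) Commands change the running configuration as soon as they are
:     entered. This only saves the running configuration to flash so
:     that it survives a reload.
write memory
```

Running `show xlate` before `clear xlate` shows whether traffic that still passes after a nat or static line was removed is riding on a translation built earlier.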
