
Necessity of NAT on a PIX

davemit
Level 1

Hello all, I have a question about NAT on a FWSM. I don't believe it would be any different on a normal PIX appliance though.

The question is, do I need to implement some sort of NAT (whether static, or dynamic) to allow traffic between interfaces?

For instance, I have a firewall with several different interfaces. They all have different network addresses, using internal (RFC 1918?) addresses. I have no need to translate their source or destination IPs. I simply want to restrict specific hosts and ports using ACLs.

In this scenario, if I want to have traffic initiate from my less secure interface to my more secure, do I NEED to have a static translation set up? Or can I just make sure the ACL allows it in?

Hopefully that question makes sense.

As a follow up question, I am having a hard time understanding the use of static translations with the SAME IP's. For example:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

Basically there is no translation being done at all. So is this statement even needed? I see it in many configs.

Thanks for the help!

- Dave

1 Reply

michelcaissie
Level 1

You have two ways to accomplish this:

1- The recommended method

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

10.0.0.0 255.255.255.0 being your inside subnet. This way it gets visible from the outside. You can then filter through an access-group.

2- The less recommended method

access-list nonat permit ip [inside subnet] [outside subnet]

nat (inside) 0 access-list nonat

This way you bypass all NAT and simply forward the traffic outside, and traffic from outside to inside will also work. Again, you can filter through an access-group.

I am not sure why the first method seems to be recommended more than the other. Maybe the stateful inspection of incoming packets is different and better on a static entry.
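The two methods from the reply, carried through to a complete working configuration with the inbound ACL that actually admits the traffic. This is an added example, not configuration posted by either participant: the inside subnet 10.0.0.0/24, the outside subnet 192.168.1.0/24, the hosts 192.168.1.50, 10.0.0.10 and 10.0.0.20, and the ACL names nonat and outside_in are all assumed. The syntax is the pre-8.3 PIX/FWSM form used in the thread, and the interfaces are assumed to be configured already.

```text
! Assumed topology (not from the thread): inside = 10.0.0.0/24 (security 100),
! outside = 192.168.1.0/24 (security 0), interfaces already configured.

! --- Method 1: identity static --------------------------------------
! Maps the inside subnet to itself on the outside. No address changes,
! but the firewall now has a translation to match inbound packets to.
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

! --- Method 2: NAT exemption (nat 0 with an access-list) ------------
! Use INSTEAD of method 1 for the same addresses, not in addition to it.
! Exempts inside<->outside traffic from translation in both directions.
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- Either way: the inbound ACL is what admits lower-to-higher traffic
! Lower-security to higher-security is denied by default; the static or
! nat 0 line only makes the hosts reachable. The ACL matches on the
! translated address, which here equals the real one. Keep it to
! specific hosts and ports rather than whole subnets where possible.
access-list outside_in remark SSH from one jump host to one inside server
access-list outside_in permit tcp host 192.168.1.50 host 10.0.0.10 eq 22
access-list outside_in remark HTTPS from the outside subnet to the web server
access-list outside_in permit tcp 192.168.1.0 255.255.255.0 host 10.0.0.20 eq 443
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! Existing translations are not rebuilt when a static is added or changed;
! clear the xlate table afterwards so the new entry takes effect.
clear xlate

! Verification: confirm the translation exists and that the ACL, not the
! static, is what is permitting or dropping connections (hit counts).
show static
show nat
show xlate
show access-list outside_in
```

The explicit `deny ip any any log` at the end only restates the implicit deny, but it gives you a syslog record of every rejected attempt from the lower-security side, which is what you want to watch when the static or nat 0 line has just made a subnet reachable. Two platform caveats: on PIX/ASA 7.0 and later and FWSM 3.1 and later, `no nat-control` removes the requirement for a translation altogether, so the access-list and access-group alone are enough; and ASA 8.3 and later use a different NAT syntax, so the static and nat 0 lines above do not apply there.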
