Need clarification on NO NAT statement

sureshkum
Level 1

Hi,

As per my understanding, the NONAT statement in the firewall (up to IOS version 6.3) works as follows:

If any packet traverses from higher security to lower security, it is permitted by default or by ACL.

If any packet traverses from lower security to higher security, it needs to be allowed with an ACL and NAT (for the higher interface IP). If we don't do NAT, we need to do NONAT on the higher interface.

Are the above statements correct? Please correct me if I'm wrong.

Thanks in advance

7 Replies

andrew.prince
Level 10

sureshkumar,

Yes and no.

The reason for a nonat ACL is this: you define what src and dst hosts, subnets, protocols and/or layer 4 ports are subject to NAT.

This includes and is not inclusive of interfaces with any kind of security level.

HTH

Hi Prince,

Thanks for your response. So could you please tell me in what kind of scenario NONAT is mandatory in the PIX firewall?

Matthew Warrick
Level 1

For 6.3 and older, in order to reach the high security "local ip", it must be mapped to a "global ip", which is what the low security interface sees.

Unless you implement "nat exemption" you will need to map inside "local ip" to a "global ip" using nat or static commands.

For example:

static (inside,outside) 192.168.1.1 192.168.1.1 netmask 255.255.255.255

This makes the 192.168.1.1 "local ip" map to the 192.168.1.1 "global ip".

Without this mapping your inside address would not be reachable.

In 7.X+ the behavior was changed and you can use the command "no nat-control" to allow untranslated IPs to pass through to higher security by default.

Hi mattiw,

I have never used it like this in any of my scenarios. I used to do nonat like below:

To connect from DMZ (10.1.1.1) to inside (172.2.1.1):

access-list dmz-acl permit tcp host 10.1.1.1 host 172.2.1.1 eq ...

access-group dmz-acl in interface dmz

access-list nonat permit ip host 172.2.1.1 host 10.1.1.1

nat (inside) 0 access-list nonat

Please comment on this.

There are three ways to bypass NAT on the Cisco firewalls.

> (Dynamic) Identity NAT

> NAT Exemption

> Static Identity NAT

The first one is uni-directional, from higher sec to lower sec level only. The latter two options are bi-directional. However, there are a few differences between them. The most important one is that with NAT Exemption the firewall will not proxy ARP for the mapped subnets (which are the same as the real subnets, of course). This was originally introduced for VPN traffic, but is frequently used for other purposes as well. Another difference is that it exempts traffic based on the 'source' interface only, and the destination interface can be one or more (based on the destination portion of the ACL used for exemption).

With Static Identity NAT both interfaces are specifically defined, as is visible from the syntax of the static command. The firewall proxies ARP requests for the MAPPED IP in the static command.

Regards

Farrukh

Marwan ALshawi
VIP Alumni

In addition to the great comments here,

you need to know there are several types of NATing:

static NAT, dynamic NAT

NAT exemption and identity NAT

With NAT exemption you allow two-way traffic with the corresponding ACL.

With identity NAT only one-way traffic will be allowed even if you have an ACL, because it works as a one-way translation.

Good luck

If helpful, rate.

Hey Suresh,

From higher security to lower and vice versa your options are:

a) NAT 0

b) Self static, static (inside,dmz) x.x.x.x x.x.x.x

x.x.x.x --> IP address of the higher security network
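The three NAT-bypass options described in Farrukh's reply and in the last post, written out as PIX 6.3 configuration for the DMZ-to-inside example used earlier in the thread. This is an added illustration, not configuration from any post: the interface names, the two hosts and the ACL names come from the thread, the security levels and the service port are assumptions, and the comments restate the directionality and proxy-ARP behaviour the replies above describe.

```cisco
! Added example in PIX 6.3 syntax. Hosts from the thread: inside 172.2.1.1, dmz 10.1.1.1.
! Assumed security levels: inside 100, dmz 50. Pick ONE of the three bypass options.

! --- Option 1: (dynamic) identity NAT, "nat 0" without an ACL ---
! 172.2.1.1 is translated to itself. Uni-directional: only a connection
! started from inside (higher) toward dmz (lower) builds a translation;
! a connection started from dmz toward inside finds no xlate and is dropped.
nat (inside) 0 172.2.1.1 255.255.255.255

! --- Option 2: NAT exemption, "nat 0 access-list" ---
! Bi-directional. Exempts by source interface only; the destination
! interface is whatever the ACL's destination falls on. The firewall does
! not proxy-ARP for the exempted addresses. The ACL is written from the
! inside host's point of view.
access-list nonat permit ip host 172.2.1.1 host 10.1.1.1
nat (inside) 0 access-list nonat

! --- Option 3: static identity NAT ---
! Bi-directional, both interfaces named explicitly. The firewall proxy-ARPs
! on dmz for the mapped address (here identical to the real address).
static (inside,dmz) 172.2.1.1 172.2.1.1 netmask 255.255.255.255

! Whichever bypass is used, the lower-security side still needs an ACL to
! open the inbound path: with nat-control (6.3 behaviour) the translation is
! a requirement, not a permission. Port www is an assumed value.
access-list dmz-acl permit tcp host 10.1.1.1 host 172.2.1.1 eq www
access-group dmz-acl in interface dmz
```

Option 1 is why the original poster saw DMZ-initiated traffic fail with a plain identity NAT; options 2 and 3 are the ones that let the lower-security side initiate, which is the case the thread is asking about.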
