no nat and use of static/nat 0 on PIX

lunestadr
Level 1

Hi,

I have a scenario where I don't want to do any address translation. Is it sufficient to use only a static command, e.g.:

static (inside,outside) 10.40.2.0 10.40.2.0 netmask 255.255.255.0 0 0

for traffic both ways (outside to inside, inside to outside) ?

or do I also need a:

nat (inside) 0 10.40.2.0 255.255.255.0 0 0

to let traffic out (inside to outside)?

Regards, Rolf

3 Replies

pferraz
Level 1

Hi, by default the PIX doesn't perform any kind of NAT or filtering (from the inside to the outside), so I guess you don't have to configure any of those lines.

Have you tried the communications without those lines?

Regards!

tvanginneken
Level 4

Hi,

For allowing traffic both ways you need to configure two things:

First, you need a translation command for the translation of the internal addresses to the outside addresses (even if you don't want translation of the source addresses).

Dynamic translation:

nat (inside) 0 10.40.2.0 255.255.255.0 0 0

This command allows traffic to pass through the firewall from inside to outside. Responses to valid requests are also allowed back in.

The second thing you have to do:

If you want to allow sessions initiated from the outside to the inside, you have to configure access-lists. Find the syntax of the access-list command on this page:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid7

If you still have questions, let me know.

Kind Regards,

Tom

lunestadr
Level 1

Hi,

I have done some tests myself, and here is what I found:

It IS sufficient to use only a static command, e.g.:

static (inside,outside) 10.40.2.0 10.40.2.0 netmask 255.255.255.0 0 0

for traffic both ways (outside to inside, inside to outside).

However, the best way to disable NAT is the following:

access-list no_nat permit ip any any

nat (inside) 0 access-list no_nat

This will allow traffic both ways not to be NATed. The

nat (inside) 0 10.40.2.0 255.255.255.0 0 0

command will only handle traffic from inside to outside.

Regards, Rolf
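A minimal PIX 6.x configuration that puts the pieces from this thread together, added as an example and not configuration posted by anyone in it: NAT exemption for 10.40.2.0/24 (scoped to that subnet instead of "any any"), the identity static as an alternative, and the outside-facing access-list that is still required before any outside-initiated session can reach an inside host. The interface names, the host 10.40.2.10, the permitted service and the ACL names are assumptions.

```cisco
! Assumed interface layout (PIX 6.x syntax): outside = security0, inside = security100
nameif ethernet0 outside security0
nameif ethernet1 inside security100

! --- Option A (the thread's final recommendation): NAT exemption via ACL ---
! The thread uses "permit ip any any"; limiting the ACL to the real subnet
! (assumed here) means only hosts that are meant to leave untranslated do so.
access-list no_nat permit ip 10.40.2.0 255.255.255.0 any
nat (inside) 0 access-list no_nat

! --- Option B: identity static, as in the original question ---
! Maps 10.40.2.0/24 to itself on the outside. The trailing "0 0" means no
! limit on total connections and no limit on embryonic (half-open) connections.
! Shown commented out; use either option A or option B for the subnet.
! static (inside,outside) 10.40.2.0 10.40.2.0 netmask 255.255.255.0 0 0

! --- Required with either option: permitting outside-initiated sessions ---
! Neither a static nor nat 0 permits inbound sessions by itself; an ACL bound
! to the outside interface does. Permit only the one service that must be
! reachable (assumed: HTTP to 10.40.2.10); everything else hits the implicit deny.
access-list outside_in permit tcp any host 10.40.2.10 eq www
access-group outside_in in interface outside
```

Return traffic for sessions that inside hosts open remains allowed by the firewall's connection state, so the outside ACL only needs the inbound services you intend to expose.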
