PIX 7.0 nat 0 not working???

AmyColiso
Level 1

I have tried just about everything to get traffic back through this PIX to my inside users, but no go... We have no need for NAT, so we did the whole nat (inside) 0 0 0 thing, so traffic gets out. Then, to get responses back in, we applied an access-list permitting certain traffic: nat (inside) 0 access-list out_in.

Am I thinking about this wrong? Do I need to apply an access-list to the outside interface? Do I need a static translation (outside, inside)? Any suggestions? I have read everything I can find about PIX 7 without NAT.

3 Replies

fzamora
Cisco Employee

So you configured nat (inside) 0 0 0 to allow inside hosts to go out. Please remember that nat 0 (identity NAT) is not bidirectional. You could try:

inside network: 10.1.0.0 255.255.0.0

access-list nonat permit ip 10.1.0.0 255.255.0.0 any

nat (inside) 0 access-list nonat

The above will exempt inside users from being translated and is bidirectional.

Then add the ACL:

access-list inbound permit tcp any host 10.1.1.1 eq 80

The above permits TCP traffic from anyone to the host 10.1.1.1 over port 80.

Then apply the ACL to the outside interface:

access-group inbound in interface outside

Or use a static instead of exemption NAT:

static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

Also bidirectional. For more information please check:

static

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp1141717

nat

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/mr.htm#wp1536762

Franco Zamora
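The configuration below is an added worked example, not part of the reply above and not Cisco's own sample: it puts the pieces from the reply (ACL-based NAT exemption, the inbound ACL, the access-group) together into a minimal PIX 7.0 configuration. The interface names, the inside addressing 10.1.0.0/16, the web server 10.1.1.1 and the outside addresses in 203.0.113.0/30 are assumptions chosen for illustration.

```cisco
! Added example (not from the original thread): a minimal PIX 7.0 configuration
! that carries the inside network 10.1.0.0/16 untranslated in both directions.
! Interface names, addresses and the 10.1.1.1 web server are assumptions;
! 203.0.113.0/30 is documentation address space, not a real deployment.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.0.0
!
! 1. NAT exemption. The ACL referenced by "nat (inside) 0" is matched against
!    traffic as seen from the inside interface (source = inside hosts), so it
!    is written from the inside's point of view. Unlike "nat (inside) 0 0 0",
!    an ACL-based nat 0 also lets outside hosts initiate connections to these
!    addresses without any translation being required.
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 any
nat (inside) 0 access-list nonat
!
! Alternative to step 1 (use one or the other for the same address range):
! an identity static, which is also bidirectional.
! static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
!
! 2. Exemption only removes the translation requirement; the security-level
!    check still drops outside-initiated traffic until an ACL applied to the
!    outside interface permits it. Keep this ACL as narrow as the service
!    needs: here only HTTP to the one web server.
access-list inbound extended permit tcp any host 10.1.1.1 eq 80
access-group inbound in interface outside
!
! 3. Default route so outbound traffic and replies reach the upstream router.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

Two things worth checking after applying this. First, `show access-list inbound` shows hit counts on the permit line, so a test connection from outside to 10.1.1.1:80 should increment it; if the count stays at zero the packet is not reaching the PIX on the outside interface, which points at routing rather than NAT. Second, PIX 7.0 has the `nat-control` setting: when it is present in the running configuration, every inside host needs a matching nat or static rule before it may send traffic outbound, whereas with `no nat-control` untranslated traffic is allowed without any nat statement at all and only the ACLs decide what passes.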

We have tried similar things, and it appears that going out is fine, but the PIX doesn't let traffic back in to inside hosts. What about a static (outside, inside) translation? Is that a valid option?

Are you trying to prevent NAT for internet traffic? If yes, then it will not work unless the LAN has public IP addresses.

When the requests go out they will get dropped quickly by an upstream router (the first one, usually), as RFC 1918 addresses are not routable on the internet.

If this is your setup then you have to do NAT; there is no other option unless the LAN is using public IPs.

A static from outside to inside would not be an option in my opinion. That requires an ACL, which means static holes. You wouldn't want this for regular user traffic.

Daniel