10-27-2005 08:25 AM - edited 02-21-2020 12:29 AM
Have tried just about everything to get my inside users to get traffic back through this PIX, but no go. We have no need for NAT, so we did the whole nat (inside) 0 0 0 thing, so traffic gets out. Then, to get responses back in, applied an access-list permitting certain traffic, nat (inside) 0 access-list out_in.
Am I thinking about this wrong? Do I need to apply an access-list to the outside interface? Do I need a static translation (outside,inside)? Any suggestions? I have read everything I can find about PIX 7 without NAT.
10-27-2005 02:32 PM
So you configured nat (inside) 0 0 0 to allow inside hosts to go out; please remember that nat 0 (identity NAT) is not bidirectional. You could try:
inside network: 10.1.0.0 255.255.0.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 any
nat (inside) 0 access-list nonat
The above will exempt inside users from being translated and is bidirectional.
Then add the ACLs:
access-list inbound permit tcp any host 10.1.1.1 eq 80
The above permits TCP traffic from anyone to the host 10.1.1.1 over port 80.
Then apply the ACL to the outside interface:
access-group inbound in interface outside
Or use a static instead of exemption NAT:
static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
Also bidirectional. For more information please check:
static: http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp1141717
nat: http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/mr.htm#wp1536762
Franco Zamora
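The pieces listed in the answer above, pulled together into one minimal PIX 7.0 configuration as an added example (this is not from the original post). The inside network 10.1.0.0/16, the host 10.1.1.1 and the ACL names come from the answer; the interface names, security levels, the 203.0.113.0/30 outside addressing and the upstream router address are assumptions for illustration.

```cisco
! Added example: PIX 7.0 config passing inside traffic with no translation,
! using the "nat 0 access-list" form described above.
! Interface names, security levels and 203.0.113.x addresses are assumed.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.0.0
!
! Identity NAT via an ACL. Unlike "nat (inside) 0 0 0", this form is
! bidirectional: sessions initiated from the outside can reach 10.1.0.0/16
! once an inbound ACL permits them.
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 any
nat (inside) 0 access-list nonat
!
! Alternative to the two lines above (use one approach, not both):
! static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
!
! Inbound policy on the outside interface. Because nothing is translated,
! the ACL matches on the real inside address of the server.
access-list inbound extended permit tcp any host 10.1.1.1 eq 80
access-group inbound in interface outside
!
! Default route toward the upstream router (assumed address).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

Two checks worth doing after applying this. First, "show xlate" should show no translation entries for 10.1.0.0/16 hosts, and "show access-list inbound" should show hit counts climbing when an outside client connects to 10.1.1.1. Second, the upstream router at 203.0.113.1 must carry a route for 10.1.0.0/16 pointing back at 203.0.113.2; without that route, outbound packets leave with an untranslated 10.1.x.x source and the replies never come back to the PIX, which is exactly the symptom in the original question and the point the reply further down makes about RFC 1918 space on the Internet.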
10-31-2005 10:04 AM
We have tried similar things, and it appears that going out is fine, but the PIX doesn't let traffic back in to inside hosts. What about a static (outside,inside) translation? Is that a valid option?
10-31-2005 01:53 PM
Are you trying to prevent NAT for Internet traffic? If yes, then it will not work unless the LAN has public IP addresses.
When the requests go out they will get dropped quickly by an upstream router (the first one, usually), as RFC 1918 addresses are not routable on the Internet.
If this is your setup, then you have to do NAT; there is no other option unless the LAN is using public IPs.
A static from outside to inside would not be an option in my opinion. That requires an ACL, which means static holes. You wouldn't want this for regular user traffic.
Daniel