PIX NO NAT

lquin1978
Level 1

If you write an ACL to be used with a NO NAT statement, does it need to be applied to an interface? I.e., I need to NAT certain traffic, but not NAT certain traffic that has a particular destination.

Accepted Solutions

m.sir
Level 7

No, you don't need to apply the NONAT ACL to an interface; it is only used to bind the NONAT ACL and the NAT 0 statement.

For example, if you want to NAT all traffic from inside EXCEPT from 10.10.15.0 to 192.168.1.0:

access-list no-nat permit ip 10.10.15.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list no-nat

nat (inside) 1 10.10.15.0 255.255.255.0

global (outside) 1 public_IP netmask 255.255.255.255

NAT 0 means traffic is NOT NATed

NAT 1 pairs global 1

M.
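
The NAT selection described in the answer above, modelled in Python as an added example (not part of the original post and not Cisco code). The address 203.0.113.10 is a documentation address standing in for public_IP, and all function and variable names are hypothetical.

```python
import ipaddress

# Constructed model of the configuration in the answer above.
# access-list no-nat permit ip 10.10.15.0 255.255.255.0 192.168.1.0 255.255.255.0
NO_NAT_ACL = [("10.10.15.0/255.255.255.0", "192.168.1.0/255.255.255.0")]
# nat (inside) 1 10.10.15.0 255.255.255.0
NAT_RULES = [(1, "10.10.15.0/255.255.255.0")]
# global (outside) 1 public_IP netmask 255.255.255.255
# (assumption: 203.0.113.10 stands in for public_IP)
GLOBAL_POOLS = {1: "203.0.113.10"}


def in_network(addr, network):
    """True if addr falls inside network (address/netmask notation)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(network)


def nat_decision(src, dst):
    """Return (action, source address seen outside) for an inside-to-outside packet."""
    # The nat 0 ACL matches on source AND destination and is checked
    # before the regular nat rules. It is never bound to an interface.
    for acl_src, acl_dst in NO_NAT_ACL:
        if in_network(src, acl_src) and in_network(dst, acl_dst):
            return ("exempt", src)
    # A regular nat rule matches on source only and is paired with the
    # global statement that carries the same id.
    for nat_id, net in NAT_RULES:
        if nat_id in GLOBAL_POOLS and in_network(src, net):
            return ("translate", GLOBAL_POOLS[nat_id])
    return ("no-rule", None)


if __name__ == "__main__":
    # Constructed sample packets: (source, destination)
    samples = [
        ("10.10.15.20", "192.168.1.5"),   # matches the no-nat ACL
        ("10.10.15.20", "198.51.100.7"),  # same source, other destination
        ("10.10.16.20", "192.168.1.5"),   # source outside both rules
    ]
    for src, dst in samples:
        print(src, "->", dst, nat_decision(src, dst))
```
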

So... I can write an ACL called 101 with various inside addresses permitted to go outside, bind this to the internal interface. Then write a second ACL called 102 with something like

access-list 102 permit ip 10.1.0.0 255.255.0.0 192.168.12.0 255.255.255.0

then

nat (inside) 0 access-list 102

102 does not need to be bound to an interface, and it can contain addresses that appear in ACL 101?
