PIX -- Static NAT versus NAT+ACL?

gavinfoster
Beginner

Hello,

I am using a PIX515 to forward a block of public IP addresses to my end users inside. I use an inbound acl on the outside interface to control which services inside are accessible from the outside.

As far as I can see there are two ways to override NAT for the public block:

static (inside,outside) 12.34.56.0 12.34.56.0 netmask 255.255.255.0

or

access-list nonat extended permit ip 12.34.56.0 255.255.255.0 any
nat (inside) 0 access-list nonat


Are there any clear advantages or disadvantages to using either of these methods? Which is preferred?

Many thanks
Gavin
4 Replies

Jennifer Halim
Cisco Employee

You are correct, either method is fine.

NAT 0 with ACL is typically used for VPN traffic, and static 1:1 is typically used for normal traffic inbound from the Internet.

However, either method is fine.

Thanks for your reply.

A supplementary question: is it possible to have multiple NAT exemptions with separate ACLs?

For example

access-list nonat1 extended permit ip 12.34.56.0 255.255.255.0 any
nat (inside) 0 access-list nonat1 1000 500

access-list nonat2 extended permit ip 21.43.65.0 255.255.255.0 any
nat (inside) 0 access-list nonat2

I would like to place a different connection limit and embryonic limit on different subnets...


Thanks

Gavin

Unfortunately you can't.

You can only configure one NAT exemption statement with an ACL, not multiple as posted.

However, you can configure the same using the "set connection" command:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395546

You can configure different class-maps to match different ACLs, and apply a different "set connection" to each.

Hope that helps.

Or, alternatively, just use the static NAT statements.
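Putting the two answers above together, here is an added configuration example (not from the thread or from Cisco's documentation) showing one nat 0 exemption ACL covering both of Gavin's subnets, with per-subnet connection and embryonic limits applied through class-maps and "set connection". It assumes PIX/ASA 7.x or later Modular Policy Framework syntax (as in the linked ASA 8.0 reference); the ACL, class-map and policy-map names are hypothetical, and the limit values are constructed.

```text
! One NAT exemption statement, but the ACL can carry several entries,
! so both subnets are exempted by a single "nat (inside) 0".
access-list NONAT extended permit ip 12.34.56.0 255.255.255.0 any
access-list NONAT extended permit ip 21.43.65.0 255.255.255.0 any
nat (inside) 0 access-list NONAT

! Per-subnet selection ACLs for the connection limits. Each matches
! connections to or from the subnet, so the limit covers both
! inbound (Internet -> host) and host-initiated flows.
access-list LIMIT-A extended permit ip any 12.34.56.0 255.255.255.0
access-list LIMIT-A extended permit ip 12.34.56.0 255.255.255.0 any
access-list LIMIT-B extended permit ip any 21.43.65.0 255.255.255.0
access-list LIMIT-B extended permit ip 21.43.65.0 255.255.255.0 any

class-map CLASS-A
 match access-list LIMIT-A
class-map CLASS-B
 match access-list LIMIT-B

! Different limits per class. embryonic-conn-max caps half-open TCP
! connections per class; once reached the firewall proxies the
! three-way handshake (TCP intercept) so a SYN flood from the
! Internet is absorbed by the firewall instead of the inside host.
policy-map CONN-LIMITS
 class CLASS-A
  set connection conn-max 1000 embryonic-conn-max 500
 class CLASS-B
  set connection conn-max 2000 embryonic-conn-max 200

! Apply on the outside interface, where Internet-originated
! connections to the public block enter.
service-policy CONN-LIMITS interface outside

! The static alternative from the question, with the same limits
! expressed per statement instead (tcp_max_conns emb_limit):
! static (inside,outside) 12.34.56.0 12.34.56.0 netmask 255.255.255.0 tcp 1000 500
! static (inside,outside) 21.43.65.0 21.43.65.0 netmask 255.255.255.0 tcp 2000 200
```

Verify with "show service-policy interface outside" and "show conn" that the hit counts rise for the intended class; the inbound ACL on the outside interface still decides which services are reachable, the limits only bound how many connections get through.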
