Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
532
Views
0
Helpful
4
Replies

PIX -- Static NAT versus NAT+ACL?

gavinfoster
Beginner
Beginner

‎03-31-2011 04:08 AM - edited ‎03-11-2019 01:15 PM

Hello,

I am using a PIX515 to forward a block of public IP addresses to my end users inside. I use an inbound acl on the outside interface to control which services inside are accessible from the outside.

As far as I can see there are two ways to override NAT for the public block:

Static (inside,outside) 12.34.56.00 12.34.56.00 netmask 255.255.255.0

or

access-list nonat extended permit ip 12.34.56.00 255.255.255.0 any
nat (inside) 0 access-list nonat


Are there any clear advantages or disadvantages to using either of these methods? Which is preferred?

Many thanks
Gavin
Labels:
0 Helpful
4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

‎03-31-2011 04:18 AM

You are correct, either method is fine.

NAT 0 with ACL is typically used for VPN traffic, and static 1:1 is typically used for normal traffic inbound from the Internet.

However, either method is fine.

0 Helpful

gavinfoster
Beginner
Beginner
In response to Jennifer Halim

‎03-31-2011 04:37 AM

Thanks for your reply.

A supplementary question, is it possible to have multiple nat exemtions with separate acls?

For example

access-list nonat1 extended permit ip 12.34.56.00 255.255.255.0 any
nat (inside) 0 access-list nonat1 1000 500

access-list nonat2 extended permit ip 21.43.65.00 255.255.255.0 any

nat (inside) 0 access-list nonat2

I would like to place a different connection limit and embryonic limit on different subnets....


Thanks

Gavin

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to gavinfoster

‎04-01-2011 02:28 PM

Unfortunately you can't.

You can only configure 1 NAT exemption statement with ACL, not multiple as what has been posted.

However you can configure the same using the "set connection" command:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395546

You can configure different class-map to match different ACL, and apply different "set connection" accordingly.

Hope that helps.

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to Jennifer Halim

‎04-01-2011 02:29 PM

Or, alternatively, just use the static NAT statements.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents