
PIX -- Static NAT versus NAT+ACL?

gavinfoster
Level 1

Hello,

I am using a PIX515 to forward a block of public IP addresses to my end users inside. I use an inbound acl on the outside interface to control which services inside are accessible from the outside.

As far as I can see there are two ways to override NAT for the public block:

Static (inside,outside) 12.34.56.00 12.34.56.00 netmask 255.255.255.0

or

access-list nonat extended permit ip 12.34.56.00 255.255.255.0 any
nat (inside) 0 access-list nonat


Are there any clear advantages or disadvantages to using either of these methods? Which is preferred?

Many thanks
Gavin
4 Replies

Jennifer Halim
Cisco Employee

You are correct, either method is fine.

NAT 0 with ACL is typically used for VPN traffic, and static 1:1 is typically used for normal traffic inbound from the Internet.

However, either method is fine.

Thanks for your reply.

A supplementary question: is it possible to have multiple NAT exemptions with separate ACLs?

For example

access-list nonat1 extended permit ip 12.34.56.00 255.255.255.0 any
nat (inside) 0 access-list nonat1 1000 500

access-list nonat2 extended permit ip 21.43.65.00 255.255.255.0 any

nat (inside) 0 access-list nonat2

I would like to place a different connection limit and embryonic limit on different subnets....


Thanks

Gavin

Unfortunately you can't.

You can only configure 1 NAT exemption statement with an ACL, not multiple as posted.

However you can configure the same using the "set connection" command:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395546

You can configure different class-maps to match different ACLs, and apply a different "set connection" to each accordingly.

Hope that helps.

Or, alternatively, just use the static NAT statements.
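The class-map and "set connection" approach suggested in the reply above, written out as an added example that is not part of the original thread. The ACL names limit1/limit2, the class-map and policy-map names, and the limits for the second subnet are assumptions; the limits are assumed to apply to connections sourced from the two inside subnets, matching the ACLs as posted in the question.

```cisco
! Added example: constructed configuration, not taken from the thread.
! A single NAT exemption ACL covers both subnets, since only one
! "nat 0 access-list" statement can be configured (as the reply states).
access-list nonat extended permit ip 12.34.56.0 255.255.255.0 any
access-list nonat extended permit ip 21.43.65.0 255.255.255.0 any
nat (inside) 0 access-list nonat
!
! Separate ACLs used only to classify traffic for the connection limits.
access-list limit1 extended permit ip 12.34.56.0 255.255.255.0 any
access-list limit2 extended permit ip 21.43.65.0 255.255.255.0 any
!
class-map CONN-LIMIT-1
 match access-list limit1
class-map CONN-LIMIT-2
 match access-list limit2
!
policy-map INSIDE-CONN-POLICY
 class CONN-LIMIT-1
  ! Limits from the question: 1000 connections, 500 embryonic.
  set connection conn-max 1000 embryonic-conn-max 500
 class CONN-LIMIT-2
  ! Constructed values; the thread gives no limits for this subnet.
  set connection conn-max 2000 embryonic-conn-max 1000
!
service-policy INSIDE-CONN-POLICY interface inside
```

After applying it, `show service-policy` lists each class with its configured limits, which confirms that traffic from each subnet is landing in the intended class.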
