03-31-2011 04:08 AM - edited 03-11-2019 01:15 PM
Hello,
I am using a PIX515 to forward a block of public IP addresses to my end users inside. I use an inbound acl on the outside interface to control which services inside are accessible from the outside.
As far as I can see there are two ways to override NAT for the public block:
static (inside,outside) 12.34.56.00 12.34.56.00 netmask 255.255.255.0
or
access-list nonat extended permit ip 12.34.56.00 255.255.255.0 any
nat (inside) 0 access-list nonat
Are there any clear advantages or disadvantages to using either of these methods? Which is preferred?
Many thanks
Gavin
03-31-2011 04:18 AM
You are correct, either method is fine.
NAT 0 with ACL is typically used for VPN traffic, and static 1:1 is typically used for normal traffic inbound from the Internet.
However, either method is fine.
03-31-2011 04:37 AM
Thanks for your reply.
A supplementary question: is it possible to have multiple NAT exemptions with separate ACLs?
For example
access-list nonat1 extended permit ip 12.34.56.00 255.255.255.0 any
nat (inside) 0 access-list nonat1 1000 500
access-list nonat2 extended permit ip 21.43.65.00 255.255.255.0 any
nat (inside) 0 access-list nonat2
I would like to place a different connection limit and embryonic limit on different subnets.
Thanks
Gavin
04-01-2011 02:28 PM
Unfortunately you can't.
You can only configure one NAT exemption statement with an ACL, not multiple as posted above.
However you can configure the same using the "set connection" command:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395546
You can configure different class-map to match different ACL, and apply different "set connection" accordingly.
Hope that helps.
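As an added illustration of the approach described in this answer (not configuration from the original thread), the following uses a single NAT exemption ACL covering both subnets, then applies different connection and embryonic limits per subnet through class-maps and "set connection" in a policy-map. It assumes the PIX 7.x / ASA 8.0 command syntax of the linked reference; the interface name, ACL and class names, subnets and limit values are example values.

```cisco
! One NAT exemption ACL with an entry per subnet (nat 0 allows only one ACL)
access-list nonat extended permit ip 12.34.56.0 255.255.255.0 any
access-list nonat extended permit ip 21.43.65.0 255.255.255.0 any
nat (inside) 0 access-list nonat
!
! Separate ACLs used only for classification, one per subnet
access-list net1-traffic extended permit ip 12.34.56.0 255.255.255.0 any
access-list net2-traffic extended permit ip 21.43.65.0 255.255.255.0 any
!
class-map net1-class
  match access-list net1-traffic
class-map net2-class
  match access-list net2-traffic
!
! Per-class limits: total connections and half-open (embryonic) TCP connections.
! Once the embryonic limit is reached the firewall proxies the TCP handshake
! (TCP intercept), which limits the effect of SYN floods on the protected hosts.
policy-map per-subnet-limits
  class net1-class
    set connection conn-max 1000 embryonic-conn-max 500
  class net2-class
    set connection conn-max 2000 embryonic-conn-max 200
!
service-policy per-subnet-limits interface inside
```

"show service-policy interface inside" shows the per-class counters and confirms the limits are being applied.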
04-01-2011 02:29 PM
Or, alternatively, just use the static NAT statements.