I am using a PIX515 to forward a block of public IP addresses to my end users inside. I use an inbound acl on the outside interface to control which services inside are accessible from the outside.
As far as I can see there are two ways to override NAT for the public block:
static (inside,outside) 12.34.56.0 12.34.56.0 netmask 255.255.255.0
access-list nonat extended permit ip 12.34.56.0 255.255.255.0 any
nat (inside) 0 access-list nonat
Are there any clear advantages or disadvantages to using either of these methods? Which is preferred?
Many thanks
Gavin
You are correct, either method is fine.
NAT 0 with ACL is typically used for VPN traffic, and static 1:1 is typically used for normal traffic inbound from the Internet.
However, either method is fine.
Thanks for your reply.
A supplementary question: is it possible to have multiple NAT exemptions with separate ACLs?
access-list nonat1 extended permit ip 12.34.56.0 255.255.255.0 any
nat (inside) 0 access-list nonat1 1000 500
access-list nonat2 extended permit ip 21.43.65.0 255.255.255.0 any
nat (inside) 0 access-list nonat2
I would like to place a different connection limit and embryonic limit on different subnets....
Unfortunately you can't.
You can only configure one NAT exemption statement with an ACL, not multiple as posted.
However, you can configure the same thing using the "set connection" command:
You can configure different class-maps to match different ACLs, and apply a different "set connection" to each accordingly.
Hope that helps.
Or, alternatively, just use the static NAT statements.
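The two approaches described in the answers above, written out as an added configuration example (this is not configuration from the thread or from Cisco documentation). It assumes PIX 7.x syntax, where Modular Policy Framework and "set connection" exist and the static command takes "tcp max_conns emb_limit"; the class-map, policy-map and ACL names and the limit values are illustrative choices, and the two inside subnets are the ones from the question.

```text
! Added example, not from the original thread. Assumes PIX 7.x syntax.
! Class/policy/ACL names and limit values are illustrative.

! One NAT exemption ACL with an entry per subnet: the PIX accepts only one
! "nat (inside) 0 access-list" statement, so both subnets go in the same ACL.
access-list nonat extended permit ip 12.34.56.0 255.255.255.0 any
access-list nonat extended permit ip 21.43.65.0 255.255.255.0 any
nat (inside) 0 access-list nonat

! Separate ACLs used only to classify traffic for the connection limits.
! Both directions are listed so inbound sessions to the subnet are matched
! as well as sessions originated from it.
access-list limits_subnet1 extended permit ip 12.34.56.0 255.255.255.0 any
access-list limits_subnet1 extended permit ip any 12.34.56.0 255.255.255.0
access-list limits_subnet2 extended permit ip 21.43.65.0 255.255.255.0 any
access-list limits_subnet2 extended permit ip any 21.43.65.0 255.255.255.0

class-map subnet1_class
 match access-list limits_subnet1
class-map subnet2_class
 match access-list limits_subnet2

! Different TCP connection and embryonic (half-open) limits per class.
policy-map inside_policy
 class subnet1_class
  set connection conn-max 1000 embryonic-conn-max 500
 class subnet2_class
  set connection conn-max 2000 embryonic-conn-max 800

service-policy inside_policy interface inside

! Alternative from the last reply: identity static NAT carries its own
! per-statement limits (tcp max_conns emb_limit), so each subnet can differ
! without any class-map. Use this instead of the nat 0 lines above, not with them.
static (inside,outside) 12.34.56.0 12.34.56.0 netmask 255.255.255.0 tcp 1000 500
static (inside,outside) 21.43.65.0 21.43.65.0 netmask 255.255.255.0 tcp 2000 800
```

The embryonic limit is what protects an inside host from SYN floods (the PIX starts proxying the TCP handshake once the half-open count reaches it), so set it well below the total connection limit for each subnet. After applying either variant, "show conn" and "show service-policy" (for the MPF variant) confirm which limits are in force.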