cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
657
Views
0
Helpful
4
Replies

PIX -- Static NAT versus NAT+ACL?

gavinfoster
Level 1
Level 1

Hello,

I am using a PIX515 to forward a block of public IP addresses to my end users inside. I use an inbound acl on the outside interface to control which services inside are accessible from the outside.

As far as I can see there are two ways to override NAT for the public block:

Static (inside,outside) 12.34.56.00 12.34.56.00 netmask 255.255.255.0

or

access-list nonat extended permit ip 12.34.56.00 255.255.255.0 any
nat (inside) 0 access-list nonat


Are there any clear advantages or disadvantages to using either of these methods? Which is preferred?

Many thanks
Gavin
4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

You are correct, either method is fine.

NAT 0 with ACL is typically used for VPN traffic, and static 1:1 is typically used for normal traffic inbound from the Internet.

However, either method is fine.

Thanks for your reply.

A supplementary question, is it possible to have multiple nat exemtions with separate acls?

For example

access-list nonat1 extended permit ip 12.34.56.00 255.255.255.0 any
nat (inside) 0 access-list nonat1 1000 500

access-list nonat2 extended permit ip 21.43.65.00 255.255.255.0 any

nat (inside) 0 access-list nonat2

I would like to place a different connection limit and embryonic limit on different subnets....


Thanks

Gavin

Unfortunately you can't.

You can only configure 1 NAT exemption statement with ACL, not multiple as what has been posted.

However you can configure the same using the "set connection" command:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395546

You can configure different class-map to match different ACL, and apply different "set connection" accordingly.

Hope that helps.

Or, alternatively, just use the static NAT statements.

Review Cisco Networking for a $25 gift card