PIX without address translation

pslavkovsky (Level 1)

Hi,

I have a PIX (OS version 6.3(3)) with 3 interfaces: outside, inside and dmz.

The PIX will be used in an intranet without address translation. IP addresses must be visible from any interface to any interface; no address translation is required.

For example: users will be on interface outside with IP range 10.0.0.0/8, servers will be on interface inside (192.168.1.0/24) and other devices will be on interface dmz (172.16.0.0/16).

So I created access-list:

access-list all-ip-packet permit ip any any

and used the nat 0 command:

nat (inside) 0 access-list all-ip-packet

nat (dmz) 0 access-list all-ip-packet

Question is:

Is it necessary to add row

nat (outside) 0 access-list all-ip-packet

or is it possible to communicate from outside to inside (users to servers) without this row?

Thanx

Peter

8 Replies

nkhawaja (Cisco Employee)

nat (outside) 0 is not needed.

With the other two nat () 0 statements, you are good to go.

thanks

Nadeem

Ok,

I tried it, it works, but I do not understand why.

When a packet goes from inside, the PIX has this statement:

nat (inside) 0 access-list all-ip-packet

When a packet goes from dmz, the PIX has this statement:

nat (dmz) 0 access-list all-ip-packet

When a packet goes from outside, the PIX has no statement.

But it works. Can you explain it, please?

Thanks

Peter

Is there anybody who understands address translation using "nat () 0 access-list", or is everybody on holiday???

Peter

Thanks,

but this document does not answer my question.

Peter

jeff.carr (Level 1)

Not sure what you are questioning, the communication or the translation. Communication between the different interfaces has more to do with the security levels than the NAT statements.

One condition for a working ASA is address translation, and it must be set even for the case when address translation is not needed. So NAT exemption was created for that, I think.

For example:

When I put an access-list "permit ip any any" on the outside interface, I must set an address translation "nat 0 access-list" if I want to communicate from outside to inside, even though no real address translation is done.

My question is:

when I have

nat 0 (inside) access-list all_ip

nat 0 (dmz) access-list all_ip

access-list all_ip permit ip any any

and communication starts on the outside interface. Which row does not translate the addresses of the inbound packets?

I would expect a row

nat 0 (outside) access-list all_ip

but it is not needed. It works without this row.

Peter

I told you that if you just want to communicate from inside to dmz or from dmz to inside, all you need is

nat (inside) 0 acl

or

static (inside,dmz) ip ip

or, if you want only the communication to start from inside and not from dmz, you need

nat(inside) and global (dmz)

Remember there is no nat (dmz) needed in either case. This is just the way it works.

Now if you want to communicate from inside to outside and also from outside to inside, you need

nat (inside) 0 acl

or

static (inside,outside) ip ip

If you want communication from inside to outside only, all you need is

nat(inside) and global (outside)

For dmz to outside communication you need

nat (dmz) 0 acl

static (dmz,outside)

or nat (dmz) and global (outside)

The RULE IS: you don't need translation from LOWER security to HIGHER security.

The exceptions to the above rule are:

1- if you are using the no nat-control feature in PIX 7.0

2- you still want to translate the outside IP addresses
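The rule stated in this reply (and the behaviour Peter observed in the thread) as an added Python model; this is not the posters' configuration or Cisco code. It assumes default security levels of 0 for outside and 100 for inside and an assumed level of 50 for dmz, and treats the "permit ip any any" access-list as applied inbound on the lower-security interfaces.

```python
# Added model (not the posters' code) of the PIX 6.3 nat-control rule from the
# thread: a connection from a HIGHER-security interface to a LOWER one needs a
# translation entry on the high side (nat 0 exemption, static, or nat+global),
# while a connection from LOWER to HIGHER needs no entry on the low side; the
# high side's nat 0 / static covers it, together with an inbound access-list.
from dataclasses import dataclass, field


@dataclass
class PixNatModel:
    security: dict                                 # interface -> security level
    nat0: set = field(default_factory=set)         # ifcs with "nat (ifc) 0 access-list ..."
    statics: set = field(default_factory=set)      # (high, low) pairs from "static (high,low) ip ip"
    nat_global: set = field(default_factory=set)   # (high, low) pairs from "nat (high) n"+"global (low) n"
    inbound_acl: set = field(default_factory=set)  # ifcs with a permitting access-group applied

    def check(self, src, dst):
        """Return (allowed, reason) for a connection initiated on src toward dst."""
        if self.security[src] > self.security[dst]:            # higher -> lower
            if src in self.nat0:
                return True, f"nat ({src}) 0 exemption covers the flow"
            if (src, dst) in self.statics:
                return True, f"static ({src},{dst}) covers the flow"
            if (src, dst) in self.nat_global:
                return True, f"nat ({src}) + global ({dst}) translates the flow"
            return False, "nat-control: no translation entry for higher-to-lower flow"
        # lower -> higher: nothing is required on the low interface itself
        if src not in self.inbound_acl:
            return False, f"no access-list permits inbound traffic on {src}"
        if dst in self.nat0 or (dst, src) in self.statics:
            return True, f"lower-to-higher: reached via the {dst} side's nat 0 / static"
        return False, f"{dst} hosts have no nat 0 or static entry toward {src}"


def thread_config():
    """Peter's setup: nat 0 on inside and dmz, no nat (outside), ACL on the low sides.
    Security levels are assumed (outside 0, inside 100, dmz 50)."""
    return PixNatModel(
        security={"outside": 0, "inside": 100, "dmz": 50},
        nat0={"inside", "dmz"},
        inbound_acl={"outside", "dmz"},
    )


if __name__ == "__main__":
    pix = thread_config()
    for src, dst in [("outside", "inside"), ("inside", "outside"), ("dmz", "inside")]:
        print(f"{src} -> {dst}: {pix.check(src, dst)}")
```

Swapping the inside side's `nat0` entry for a `nat_global` pair shows the one-way case from the reply: inside can start connections to dmz, but dmz cannot start them to inside.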
