07-27-2005 04:06 PM - edited 03-09-2019 11:58 AM
I'm trying to understand how this works.
I have a PIX with 2 interfaces.
There is an access-list applied to both interfaces and the associated access-group.
There is also another access-list which is set to 'ip any any' and it is attached to a nat 0 statement.
All of these access-lists have hit counts.
Question:
How does the 'ip any any' access-list work without an associated access-group?
07-27-2005 04:39 PM
The third access-list that you mentioned is for your NAT traffic; all it is saying is: do not NAT any IP address and let the traffic pass as it is, without NAT translation. You will find several other instances where an access-list is there but is not necessarily bound to an interface.
e.g. you can have an access-list defining interesting traffic for VPN,
an access-list for policy NAT, etc.
07-27-2005 05:04 PM
So with this type of nat statement, do I then need to have any addresses translated via statics?
07-27-2005 05:19 PM
Just to expand on that, this is what I have as a config:
access-list all-ip-packet permit ip any any
nat (inside) 0 access-list all-ip-packet
Then I have a whole bunch of statics saying do not translate any outbound addresses:
static (inside,outside) 10.10.10.10 10.10.10.10 netmask 255.255.255.255
There are no statics for inbound connections.
Is this config redundant in some way?
Does the nat statement allow inbound connections as well as outbound? Is there a better way to do this?
07-28-2005 10:16 AM
What is your public address range?
Where are you doing address translation to public addresses?
Using nat 0 and the static as above, you will not be able to reach the internet, as these IP addresses are private.
Is your communication from this PIX towards a private network and not the internet? If that is the case, you would be fine.
static statements allow bidirectional communication, hence traffic can flow/start from either direction.
nat only allows you to start the communication from inside to outside and not from outside to inside.
07-28-2005 03:34 PM
Thanks for the reply.
I was just using that as an example.
I have public addressing on both sides of the firewall and the statics are basically saying don't translate:
static (inside,outside) 203.111.45.10 203.111.45.10 netmask 255.255.255.255
Correct me if I'm wrong: even with a static of this type I should see something propagating the xlate table? I see nothing.
So I assume, because NAT exemption works as a priority over statics, and the access-list attached to nat 0 says ip any any, then this is how it is working?
I have connections originating from outside but no static rules for outside addresses.
God, I wish I had a firewall to play with!
07-28-2005 03:45 PM
With a static of the above type you should see it in the translation table, unless you are using nat 0 with an ACL, which then takes precedence over the static.
Yes, NAT exemption works as a priority rule over static.
For the connections originating from outside, nat 0 with the ACL is what lets them through.
I was wrong earlier; nat 0 with an ACL will also allow bidirectional flow.
Thanks,
Nadeem
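To make the rule precedence described in the two replies above concrete (exemption before static, static before dynamic nat/global, and which rules let a connection start from the outside), here is a small Python model of how a PIX 6.x selects a translation rule for a new connection. This is an added example, not PIX code and not the poster's configuration; the evaluation order it implements is the simplified one the replies describe, and it deliberately leaves out policy NAT, PAT, pool exhaustion and interface ACLs (an outside-initiated connection on a real PIX also needs an access-group permit). The 203.111.45.10 identity static is the one from the thread; the 198.51.100.x addresses are constructed for the example.

```python
"""Toy model of how a PIX 6.x picks a NAT rule for a new connection.

Assumed (simplified) order of evaluation, as described in the thread:
  1. nat 0 access-list (NAT exemption): identity, no xlate, either direction
  2. static: one-to-one, installs an xlate, either direction
  3. nat/global (dynamic): installs an xlate, inside-initiated only
Policy NAT, PAT, pool exhaustion and interface ACLs are not modelled.
"""
import ipaddress
from dataclasses import dataclass, field

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class AclEntry:
    """One 'permit ip <src> <dst>' line; 'ip any any' is AclEntry(ANY, ANY)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def acl_permits(entries, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in e.src and d in e.dst for e in entries)


@dataclass
class Pix:
    nat0_acl: list = field(default_factory=list)   # nat (inside) 0 access-list X
    statics: dict = field(default_factory=dict)    # real -> mapped, (inside,outside)
    dyn_pool: list = field(default_factory=list)   # global (outside) 1 <pool>
    xlates: dict = field(default_factory=dict)     # real -> mapped, i.e. 'show xlate'

    def outbound(self, src, dst):
        """Connection initiated on inside. Returns (rule, mapped source)."""
        if acl_permits(self.nat0_acl, src, dst):
            return "nat-exemption", src          # exemption wins; no xlate is created
        if src in self.statics:
            self.xlates[src] = self.statics[src]
            return "static", self.statics[src]
        if self.dyn_pool:                        # simple round-robin pick from the pool
            mapped = self.xlates.get(src) or self.dyn_pool[len(self.xlates) % len(self.dyn_pool)]
            self.xlates[src] = mapped
            return "dynamic", mapped
        return "no-translation", None

    def inbound(self, src, dst):
        """Connection initiated on outside toward mapped address dst.
        Returns (rule, real destination); None means no rule lets it in."""
        # exemption is evaluated with the inside host as the ACL source
        if acl_permits(self.nat0_acl, dst, src):
            return "nat-exemption", dst
        for real, mapped in self.statics.items():
            if mapped == dst:
                self.xlates[real] = mapped
                return "static", real
        for real, mapped in self.xlates.items():  # only an already-installed dynamic xlate
            if mapped == dst:
                return "existing-xlate", real
        return "no-translation", None


def thread_config():
    """The poster's setup: 'permit ip any any' on nat 0 plus an identity static."""
    return Pix(nat0_acl=[AclEntry(ANY, ANY)],
               statics={"203.111.45.10": "203.111.45.10"})


def static_only_config():
    """Same identity static, but without the nat 0 exemption."""
    return Pix(statics={"203.111.45.10": "203.111.45.10"})


def dynamic_only_config():
    """nat (inside) 1 plus a one-address global pool (constructed address)."""
    return Pix(dyn_pool=["198.51.100.5"])


if __name__ == "__main__":
    p = thread_config()
    print(p.outbound("203.111.45.10", "198.51.100.9"), p.inbound("198.51.100.9", "203.111.45.10"))
    print("xlate table with nat 0 'ip any any':", p.xlates)
```

With the thread's configuration both directions hit the exemption and the xlate table stays empty, which is the "I see nothing" observation; remove the nat 0 line and the same identity static does install an xlate and still accepts the inbound connection, whereas a dynamic nat/global only admits outside-initiated traffic toward a mapped address that an inside host has already brought into the xlate table.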
07-28-2005 04:05 PM
Thanks for your help, Nadeem.
07-28-2005 10:12 AM
This depends on what you want.
Do you have private IP addresses on the inside?
If yes, you need to remove nat 0 and add nat (inside) and global (outside) statements, or static statements.
Are you doing NAT/PAT on the external router?
Thanks,
Nadeem