access lists not attached to an interface

d_harris101 (Level 1)

I'm trying to understand how this works.

I have a PIX with 2 interfaces.

There is an access-list applied to both interfaces, with the associated access-group.

There is also another access-list which is set to 'ip any any', and it is attached to a nat 0 statement.

All of these access-lists have hit counts.

Question:

How does the 'ip any any' access-list work without an associated access-group?

9 Replies

nkhawaja (Cisco Employee)

The third access-list that you mentioned is for your NAT traffic. All it is saying is: do not NAT any IP address, and let the traffic pass as it is, without NAT translation. You will find several other instances where an access-list is there but is not necessarily bound to an interface.

E.g. you can have an access-list defining interesting traffic for a VPN.

An access-list for policy NAT, etc.

So with this type of NAT statement, do I then need to have any addresses translated via statics?

Just to expand on that, this is what I have as a config:

access-list all-ip-packet permit ip any any

nat (inside) 0 access-list all-ip-packet

Then I have a whole bunch of statics saying do not translate any outbound addresses:

static (inside,outside) 10.10.10.10 10.10.10.10 netmask 255.255.255.255

There are no statics for inbound connections.

Is this config redundant in some way?

Does the nat statement allow inbound connections as well as outbound? Is there a better way to do this?

What is your public address range?

Where are you doing address translation to public addresses?

Using nat 0 and the static as above, you will not be able to reach the internet, as these IP addresses are private.

Is your communication from this PIX towards a private network and not the internet? If that is the case, you would be fine.

Static statements allow bidirectional communication, hence traffic can flow/start from either direction.

nat only allows you to start the communication from inside to outside, and not from outside to inside.

Thanks for the reply.

I was just using that as an example.

I have public addressing on both sides of the firewall, and the statics are basically saying don't translate:

static (inside,outside) 203.111.45.10 203.111.45.10 netmask 255.255.255.255

Correct me if I'm wrong: even with a static of this type, I should see something propagating the xlate table? I see nothing.

So I assume, because NAT exemption works as a priority over statics, and the access-list attached to nat 0 says ip any any, that this is how it is working?

I have connections originating from outside, but no static rules for outside addresses.

God, I wish I had a firewall to play with!

With a static of the above type, you should see it in the translation table, unless you are using nat 0 with an ACL, which then takes precedence over the static.

Yes, NAT exemption works as a priority rule over static.

For the connections originating from outside, nat 0 with the ACL is what is letting them through.

I was wrong earlier: nat 0 with an ACL will also allow bidirectional flow.

thanks

Nadeem
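The two points Nadeem makes above (NAT exemption is evaluated before statics, and exemption and static are bidirectional while nat/global is inside-initiated only) can be seen in a small rule-selection model. The following is an added example, not the poster's config and not Cisco code: it encodes the precedence order the thread settles on and applies it to the poster's 'ip any any' exemption and to an assumed narrower alternative. All addresses, subnets and the 192.168.1.0/24 and 10.0.0.0/8 networks are made up, and pool exhaustion and PAT are ignored.

```python
"""Rule-selection model for PIX NAT (added example, not from the thread or Cisco).

Encodes the precedence the thread settles on: nat 0 access-list (NAT exemption)
first, then static, then dynamic nat/global, plus the direction each rule type
lets a connection be initiated from. Sample addresses and names are made up.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One ACL entry, '<permit|deny> ip <src-net> <dst-net>'."""
    action: str
    src: IPv4Network
    dst: IPv4Network


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """PIX ACL semantics: first matching entry wins, implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


@dataclass
class PixNat:
    # nat (inside) 0 access-list <acl>   (NAT exemption)
    exempt_acl: List[Ace] = field(default_factory=list)
    # static (inside,outside) <mapped> <real> netmask 255.255.255.255, keyed real -> mapped
    statics: dict = field(default_factory=dict)
    # nat (inside) 1 <net> <mask>  +  global (outside) 1 <pool>
    dynamic_inside: Optional[IPv4Network] = None
    dynamic_pool: Optional[IPv4Network] = None

    def lookup(self, inside_host: str, outside_host: str,
               initiated_from: str) -> Optional[Tuple[str, str]]:
        """Return (rule type, address the inside host appears as on the outside),
        or None if no rule lets the flow be set up from that side.

        The exemption ACL is always evaluated with the inside (real) address as
        source and the outside address as destination, whichever side starts
        the connection; that is what makes it bidirectional.
        """
        if acl_permits(self.exempt_acl, inside_host, outside_host):
            return ("nat 0 access-list", inside_host)   # untranslated, static never consulted
        if inside_host in self.statics:                  # static: bidirectional
            return ("static", self.statics[inside_host])
        if (self.dynamic_inside is not None and initiated_from == "inside"
                and ip_address(inside_host) in self.dynamic_inside):
            # dynamic nat/global: inside-initiated only; hands out the first pool
            # address (pool exhaustion and PAT ignored for simplicity)
            return ("nat/global", str(next(self.dynamic_pool.hosts())))
        return None


ANY = ip_network("0.0.0.0/0")


def thread_config() -> PixNat:
    """The poster's config: 'permit ip any any' exemption plus an identity static."""
    cfg = PixNat()
    cfg.exempt_acl = [Ace("permit", ANY, ANY)]      # access-list all-ip-packet permit ip any any
    cfg.statics["203.111.45.10"] = "203.111.45.10"  # static (inside,outside) 203.111.45.10 203.111.45.10
    return cfg


def narrowed_config() -> PixNat:
    """Assumed alternative: exempt only inside 192.168.1.0/24 towards a private
    partner net 10.0.0.0/8, keep the identity static for the public host, and
    dynamic-NAT the private subnet to a public pool for everything else."""
    cfg = PixNat()
    cfg.exempt_acl = [Ace("permit", ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8"))]
    cfg.statics["203.111.45.10"] = "203.111.45.10"
    cfg.dynamic_inside = ip_network("192.168.1.0/24")
    cfg.dynamic_pool = ip_network("203.111.45.32/28")
    return cfg


if __name__ == "__main__":
    flows = [("203.111.45.10", "198.51.100.5", "outside"),
             ("192.168.1.20", "10.5.5.5", "outside"),
             ("192.168.1.20", "198.51.100.5", "inside"),
             ("192.168.1.20", "198.51.100.5", "outside")]
    for name, cfg in (("thread", thread_config()), ("narrowed", narrowed_config())):
        print(f"== {name} ==")
        for inside, outside, side in flows:
            print(f"{side:>7} starts {inside} <-> {outside}: {cfg.lookup(inside, outside, side)}")
```

With the poster's config every flow, in both directions, hits the 'ip any any' exemption, so the identity static is never consulted (which is why nothing shows up in the xlate table) and outside-initiated connections to any inside host get through. With the narrowed exemption, inbound to the public host is carried by the static, outbound from the private subnet is translated by nat/global, and inbound to a private host with no static is refused.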

Thanks for your help, Nadeem.

This depends on what you want.

Do you have private IP addresses on the inside?

If yes, you need to remove nat 0 and add nat (inside) and global (outside) statements, or static statements.

Are you doing NAT/PAT on the external router?

thanks

Nadeem
