07-11-2005 11:33 PM - edited 03-09-2019 11:48 AM
Hi All
My PIX book states that for traffic to pass from a lower security level to a higher security level (e.g. Out i/f -> In i/f) then two requirements must be met:
i) A static translation must exist for the destination.
ii) An appropriate ACL/Conduit must be in place.
Point ii) is fine, but what about if I have no requirement for NAT?
Do I have to NAT?
Do I have to set up a 'no nat' config?
Can I just ignore NAT altogether?
Thanks in Advance.
07-12-2005 06:06 AM
If you run PIX 7.0, then "no nat-control" disables the need for NAT (which should now be the default).
If you run an earlier version, then you'll have to set up the NAT/static statements.
There are two options: one using nat 0/static, the other just with nat 0 and the nonat parameter.
Check this link for more info:
How to configure the PIX Firewall to pass traffic without NAT
07-12-2005 01:01 AM
You should have a NAT for lower to higher level access.
If it's higher to lower, it's not compulsory to have NAT.
07-12-2005 04:30 AM
You do not necessarily need to NAT, but you would have to do a no-NAT config. The following would work:
For this example, assume the host accessible in the DMZ is 172.16.2.1, you want HTTP to go to that server, and that address is routable on the Internet (yes, I know it isn't in real life; this is just an example):
access-list nonat permit ip host 172.16.2.1 any
nat (dmz) 0 access-list nonat
access-list inbound permit tcp any host 172.16.2.1 eq http
access-group inbound in interface outside
07-12-2005 06:05 AM
1. When you want to enable access from lower sec to higher sec (outside, inside), then the access for the outside user will be specific to an inside host.
It will always be a static NAT for an external user to access your internal resource, for which the static statement is required.
NAT 1 or NAT 0 is used only for the inside users to access the external world.
Either way, there has to be a static or a NAT statement from inside to outside or inside to DMZ, and even DMZ to outside.
This translation is a must and is applied from the higher sec i/f to the lower sec i/f.
Let me know if you still have any questions.
thanks,
Naveen V
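The three answers above describe the same requirement in three ways: on PIX 6.x a translation must exist for the destination before an inbound ACL can let lower-to-higher traffic through, and either a NAT exemption (nat 0 with an access-list) or an identity static satisfies it. The following is an added worked example, not configuration from any of the posters or from the linked Cisco document. It assumes PIX 6.3 syntax, interfaces named outside and dmz, and a DMZ web server at 172.16.2.1 whose address is assumed routable from the outside (as in the third answer). Comment lines start with ":" as in a saved PIX configuration.

```cisco
: Added example, not from the original thread. Assumes PIX 6.3 syntax,
: interfaces named outside and dmz, DMZ web server 172.16.2.1.

: --- Option 1: NAT exemption (nat 0 with an access-list) ---
: Write the access-list from the DMZ host's point of view: the local
: (higher-security) address is the source. The exemption applies in both
: directions, so an outside-initiated connection to 172.16.2.1 is also
: passed without translation.
access-list nonat permit ip host 172.16.2.1 any
nat (dmz) 0 access-list nonat

: --- Option 2: identity static (translate the host to itself) ---
: Use this instead of option 1, not in addition to it. The static is
: written (higher,lower) and maps the real address to the same address.
static (dmz,outside) 172.16.2.1 172.16.2.1 netmask 255.255.255.255

: --- Required with either option: permit the inbound traffic ---
: The ACL is applied on the lower-security interface and references the
: translated address, which here is unchanged.
access-list inbound permit tcp any host 172.16.2.1 eq www
access-group inbound in interface outside

: --- PIX 7.0 and later ---
: With nat-control disabled (the 7.0 default), neither the nat 0 line
: nor the static is needed; the access-list and access-group lines above
: are sufficient.
no nat-control
```

A quick check after applying either option on 6.x: "show xlate" should list an entry for 172.16.2.1 once a connection has been attempted, and a failed inbound connection with no translation logs a "No translation group found" message, which is the symptom of the missing static or nat 0 line rather than of a missing ACL entry.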