07-11-2005 11:33 PM - edited 03-09-2019 11:48 AM
Hi All
My PIX book states that for traffic to pass from a lower security level to a higher security level (e.g. Out i/f -> In i/f), two requirements must be met:
i) A static translation must exist for the destination.
ii) An appropriate ACL/Conduit must be in place.
Point ii) is fine, but what about if I have no requirement for NAT?
Do I have to NAT?
Do I have to set up a 'no nat' config?
Can I just ignore NAT altogether?
Thanks in Advance.
07-12-2005 06:06 AM
If you run PIX 7.0, then "no nat-control" disables the need for NAT (which should now be the default).
If you run an earlier version, then you'll have to set up the NAT/static statements:
There are two options, one using nat 0/static, the other just with nat 0 and the nonat parameter.
Check this link for more info:
How to configure the PIX Firewall to pass traffic without NAT
07-12-2005 01:01 AM
You should have a NAT for lower-to-higher level access.
If it's higher to lower, it's not compulsory to have NAT.
07-12-2005 04:30 AM
You do not necessarily need to NAT, but you would have to do a no-nat config. The following would work:
For this example, assume the host accessible in the DMZ is 172.16.2.1, you want HTTP to go to that server, and that address is routable on the Internet (yes, I know it isn't in real life. This is just an example):
! nat 0 ACL: source is the local (DMZ) host, destination is the remote side
access-list nonat permit ip host 172.16.2.1 any
nat (dmz) 0 access-list nonat
! inbound ACL on the outside interface permits HTTP to the DMZ host
access-list inbound permit tcp any host 172.16.2.1 eq www
access-group inbound in interface outside
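As an added example (not posted by anyone in this thread), here are the alternatives the replies refer to, side by side: the PIX 6.x identity static, the PIX 6.x nat 0 with an ACL, and the PIX 7.0 case with nat-control disabled. The interface name dmz, the ACL names and the address 172.16.2.1 are assumed for illustration; in every variant the inbound ACL is still required, only the translation requirement changes.

```cisco
! --- Option A (PIX 6.x): identity static ---
! The DMZ host is translated to itself, so a "static" exists for the destination
! as the book requires, while the address seen on the outside stays 172.16.2.1.
static (dmz,outside) 172.16.2.1 172.16.2.1 netmask 255.255.255.255
access-list inbound permit tcp any host 172.16.2.1 eq www
access-group inbound in interface outside

! --- Option B (PIX 6.x): nat 0 with an access-list (NAT exemption) ---
! The ACL is written from the DMZ host's point of view: source = local host,
! destination = remote side. Exemption applies to connections started from either side.
access-list nonat permit ip host 172.16.2.1 any
nat (dmz) 0 access-list nonat
access-list inbound permit tcp any host 172.16.2.1 eq www
access-group inbound in interface outside

! --- PIX 7.0: nat-control disabled ---
! With nat-control off (the 7.0 default for a fresh install; an upgraded 6.x
! config may carry "nat-control" forward) no static or nat 0 is needed.
no nat-control
access-list inbound extended permit tcp any host 172.16.2.1 eq www
access-group inbound in interface outside
```

To confirm which case applies, check "show running-config nat-control" on 7.0, and "show xlate" after a test connection on 6.x: with Option A or B an identity entry for 172.16.2.1 should appear, and with neither in place the connection is dropped with a "no translation group found" syslog message.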
07-12-2005 06:05 AM
1. When you want to enable access from lower sec to higher sec (outside, inside), the access for the outside user will be specific to an inside host.
It will always be a static NAT for an external user to access your internal resource, for which the static statement is required.
NAT 1 or NAT 0 is used only for the inside users to access the external world.
Either way there has to be a static or a NAT statement from inside to outside or inside to DMZ, and even DMZ to outside.
This translation is a must and is applied from higher sec i/f to lower sec i/f.
Let me know if you still have any questions.
thanks,
Naveen V