586 Views · 8 Helpful · 4 Replies

Lower to Higher - must I NAT?

mister-daniel
Level 1

Hi All

My PIX book states that for traffic to pass from a lower security level to a higher security level (e.g. Out i/f -> In i/f) then two requirements must be met:

i) A static translation must exist for the destination.

ii) An appropriate ACL/Conduit must be in place.

Point ii) is fine, but what about if I have no requirement for NAT?

Do I have to NAT?

Do I have set up a 'no nat' config?

Can I just ignore NAT altogether?

Thanks in Advance.

Accepted Solution

johansens
Level 4

If you run PIX 7.0, then "no nat-control" disables the need for NAT (which should now be the default).

If you run an earlier version, then you'll have to set up the NAT/static statements:

There are two options, one using nat 0/static, the other just with nat 0 and the nonat parameter.

Check this link for more info:

How to configure the PIX Firewall to pass traffic without NAT

http://www.ciscotaccc.com/security/showcase?case=K72878196

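The three approaches mentioned in this thread put side by side, as an added example that is not part of any post here: a PIX 6.x identity static, a PIX 6.x nat 0 exemption list, and PIX 7.0 with nat-control turned off. The interface names dmz and outside, the host 172.16.2.1 and the access-list names are taken from the thread; on 6.x you use option 1 or option 2, not both, and the lines starting with "!" are reader comments, not configuration.

```cisco
! --- PIX 6.x, option 1: identity static (translate the DMZ host to itself) ---
! Satisfies the "a static must exist for the destination" rule: the outside
! address of 172.16.2.1 is 172.16.2.1, so nothing is actually rewritten.
static (dmz,outside) 172.16.2.1 172.16.2.1 netmask 255.255.255.255

! --- PIX 6.x, option 2: NAT exemption instead of a static ---
! The exemption list is written from the dmz side: source = local host,
! destination = remote network. That is the direction nat 0 access-list expects.
access-list nonat permit ip host 172.16.2.1 any
nat (dmz) 0 access-list nonat

! --- Common to both 6.x options: explicit, minimal inbound permission ---
! Only TCP/80 to that one host is opened; everything else from outside stays
! denied by the implicit deny at the end of the list.
access-list inbound permit tcp any host 172.16.2.1 eq www
access-group inbound in interface outside

! --- PIX 7.0: no translation requirement at all ---
! With nat-control off, untranslated traffic may pass once an ACL permits it,
! so the inbound list alone controls what reaches the DMZ host.
no nat-control
access-list inbound extended permit tcp any host 172.16.2.1 eq www
access-group inbound in interface outside
```

After applying either 6.x option, "show xlate" should list the identity entry for 172.16.2.1 once a connection has been attempted, and "show access-list" shows the hit counts on the inbound list, which is the quickest way to confirm that the permit line, and not something broader, is what is letting the traffic through.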

4 Replies

aksher
Level 1

You should have a NAT for lower to higher level access.

If it's higher to lower, it's not compulsory to have NAT.

tbissett
Level 1

You do not necessarily need to NAT, but you would have to do a no-NAT config. The following would work:

For this example, assume the host accessible in the DMZ is 172.16.2.1, you want HTTP to go to that server, and that address is routable on the Internet (yes, I know it isn't in real life. This is just an example).

access-list nonat permit ip host 172.16.2.1 any
nat (dmz) 0 access-list nonat
access-list inbound permit tcp any host 172.16.2.1 eq http
access-group inbound in interface outside

1. When you want to enable access from lower sec to higher sec (outside, inside), then the access for the outside user will be specific to an inside host.

It always will be a static NAT for an external user to access your internal resource, for which the static statement is required.

NAT 1 or NAT 0 is used only for the inside users to access the external world.

Either way there has to be a static or a NAT statement from inside to outside or inside to DMZ and even DMZ to outside.

This translation is a must and is applied from higher sec i/f to lower sec i/f.

Let me know if you still have any questions.

thanks,

Naveen V
