08-23-2004 10:42 AM - edited 03-09-2019 08:34 AM
Since I'm using NAT 0, I do not need any static statements on my inside interface, just a "nat (inside) 0 0.0.0.0 0.0.0.0 0 0" command, no? If this is right, I can go ahead and delete some statics on the inside interface (someone else had configured them before me). All the networks on the inside can be set to dynamic instead of static?
I'm under the impression that any network on a lower interface would require a static if it were going to access a higher interface.
I also notice I have nat 0 statements for every interface except the outside, which seems right to me.
08-23-2004 10:50 AM
If you want to do NO NAT then NAT 0 is correct. If you need to do dynamic NAT then you need a NAT 1.
You are correct; the statics are "usually" for lower to higher access (along with an ACL).
When you use NAT (inside) 1 0.0.0.0 you must also give it a global to tell it what to dynamically translate to, for example:
global (outside) 1 interface
These two commands together tell the PIX to use the outside interface IP for all inside users.
08-23-2004 12:37 PM
No, I want to do nat 0, but I'm asking: do I need statics on the inside interface?
I don't think I do since it's the highest interface and there is a nat 0 command associated with it.
08-23-2004 12:48 PM
No, you do not need statics.
08-23-2004 08:57 PM
What if I have an access rule to something on the inside interface...I need a static then too, no?
ex. (internal network = 12.18.1.x)
----------------------------------
nat (inside) 0 0.0.0.0 0.0.0.0
conduit permit tcp 12.18.1.10 https any
Would I then need a static since the connection is initiating from a lower interface (outside)?
08-24-2004 03:26 AM
You are correct. To allow inbound access from the external interface you require a static.
08-24-2004 03:25 PM
Hi guys,
Actually, as far as I know, the ONLY case where you don't need to use statics is if you are using nat 0 access-list (exemption NAT).
In all other cases you must use statics.
d.
08-24-2004 05:28 PM
I believe that if you have an access list that allows traffic to your inside interface that is using nat 0, then you need a static. I will test this later.
08-24-2004 06:31 PM
Not if you're using exemption NAT, i.e. nat (interface) 0 access-list blah
08-23-2004 09:34 PM
nat 0 access-list doesn't require use of statics...
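The two setups discussed in this thread, side by side, as an added example that is not part of any poster's reply. It uses the 12.18.1.10 HTTPS host from the question; the ACL names `inbound` and `nonat` and the /24 mask for the inside network are assumptions.

```cisco
: --- Option A: identity NAT (nat 0 with a network) ---
: Inside hosts keep their real addresses, but a translation slot is
: only created for connections they initiate. Inbound access from the
: outside needs a static (here an identity static) plus an ACL.
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) 12.18.1.10 12.18.1.10 netmask 255.255.255.255
access-list inbound permit tcp any host 12.18.1.10 eq 443
access-group inbound in interface outside

: --- Option B: NAT exemption (nat 0 access-list) ---
: Traffic matching the nonat ACL bypasses NAT in both directions, so
: no static is required. The ACL applied to the outside interface is
: then the only control on which inside hosts can be reached.
access-list nonat permit ip 12.18.1.0 255.255.255.0 any
nat (inside) 0 access-list nonat
access-list inbound permit tcp any host 12.18.1.10 eq 443
access-group inbound in interface outside
```

With either option, keep the outside ACL limited to the one host and port that must be reachable; `show access-list inbound` lists the hit count per entry.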