
nat 0 and statics

kowalm
Level 1

Since I'm using Nat 0, I do not need any static statements on my inside interface, just a "nat (inside) 0 0.0.0.0 0.0.0.0 0 0" command, no? If this is right, I can go ahead and delete some statics on the inside interface (someone else had configured before me). All the networks on the inside can be set to dynamic instead of static?

I'm under the impression that any network on a lower interface would require a static if it were going to access a higher interface.

I also notice I have nat 0 statements for every interface except the outside, which seems right to me.


HEATH FREEL
Level 1

If you want to do NO NAT then NAT 0 is correct. If you need to do dynamic NAT then you need a NAT 1.

You are correct, the statics are "usually" for lower-to-higher access (along with an ACL).

When you use NAT (inside) 1 0.0.0.0 you must also give it a global to tell it what to dynamically translate to, for example:

global (outside) 1 interface

These two commands together tell the PIX to use the outside interface IP for all inside users.

No, I want to do nat 0, but I'm asking: do I need statics on the inside interface?

I don't think I do since it's the highest interface and there is a nat 0 command associated with it.

No you do not need statics.

What if I have an access rule to something on the inside interface...I need a static then too, no?

ex. (internal network = 12.18.1.x)

----------------------------------

nat (inside) 0 0.0.0.0 0.0.0.0

conduit permit tcp host 12.18.1.10 eq https any

Would I then need a static since the connection is initiating from a lower interface (outside)?

You are correct. To allow inbound access from the external interface you require a static.

Hi guys,

Actually, as far as I know the ONLY case where you don't need to use statics is if you are using nat 0 access-list (exemption NAT).

In all other cases you must use statics.

d.

I believe that if you have an access list that allows traffic to your inside interface that is using nat 0, then you need a static. I will test this later.

Not if you're using exemption NAT, i.e. nat (interface) 0 access-list blah

davecs
Level 1

nat 0 access-list doesn't require use of statics...
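
The three cases discussed in this thread, side by side as an added PIX configuration example that is not taken from any of the replies. It reuses the 12.18.1.x addresses and the HTTPS conduit from the question; the access-list name `nonat` is made up for illustration.

```cisco
: Added illustration. "nonat" is a hypothetical access-list name.

: Case 1: identity NAT only (nat 0 with a network).
: Inside hosts keep their own addresses on connections they start, but an
: outside host cannot open a connection to 12.18.1.10, even though the
: conduit permits it, because no static or exemption exists for it.
nat (inside) 0 0.0.0.0 0.0.0.0
conduit permit tcp host 12.18.1.10 eq https any

: Case 2: identity NAT plus an identity static for the published host.
: Only 12.18.1.10 becomes reachable from the outside, and only on the
: port the conduit allows.
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) 12.18.1.10 12.18.1.10 netmask 255.255.255.255
conduit permit tcp host 12.18.1.10 eq https any

: Case 3: NAT exemption (nat 0 with an access-list), no static.
: Every address matched by "nonat" can be reached in either direction as
: far as NAT is concerned, so the conduit is the only inbound control.
access-list nonat permit ip 12.18.1.0 255.255.255.0 any
nat (inside) 0 access-list nonat
conduit permit tcp host 12.18.1.10 eq https any
```

In case 3 the exemption covers the whole 12.18.1.0/24 network, so any later conduit or ACL entry that is broader than a single host and port exposes every inside host it matches; keep the inbound permit as narrow as the one shown.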