Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
405
Views
0
Helpful
1
Replies

NAT/NONAT confusion

anowell
Level 1
Level 1

‎09-07-2005 06:49 PM - edited ‎03-09-2019 12:22 PM

My PC is hanging off of PIX-A and has an IP address of 10.10.11.2 and I'm pinging 10.10.10.2 (PC off of PIX-B).

Here is my confusion.....

When I use the below command in PIX-A my pings does NOT work.

access-list nonat permit host 10.10.11.2

nat (inside) 0 access-list nonat

But when I use the below commands my pings gets through.

access-list nonat permit host 10.10.10.2

nat (inside) 0 access-list nonat

Please explain to me the correct way I should be thinking about the NONAT command. I thought the nonat command worked like this....if locally I have a PC (10.10.11.2) on the inside interface and I did not want the PIX to nat that address my access-list would specify the IP address that is not to be nat'ed "access-list nonat permit host 10.10.11.2". Let me say it another way, I thought the access list should specify what local addresses I did not want nat’ed NOT the destination address I’m trying to get to.

Any input would be a big help.

Thanks in advance.

Labels:
0 Helpful
1 Reply 1

gopal_voip
Level 1
Level 1

‎09-08-2005 01:06 AM

hi

by the NONAT command u r only telling the pix NOT to NAT, it wont do , nd the packet leaves as it is, and if the destination pc has pix as teh default gateway it will reply back .

thus ping is working NAT is not.

If u dont put a NAT command at all. traffic shall not pass thru pix.

but if u do a NAT0 command, then traffic passes with sepcific instrauction to NO NAT

rgds

Shukky

India

0 Helpful
Customers Also Viewed These Support Documents