NAT0 Command

m-villas
Level 1

Hello,

The below is from Cisco Documentation. Can somebody explain this in easy way?

"Note that the difference between using nat 0 with specifying network/mask as opposed to using an ACL that uses a network/mask that permits initiation of connections from inside only. The use of ACLs permits initiation of connections by inbound or outbound traffic. The PIX interfaces should be in different subnets to avoid reachability issues."

Thanks in advance.

Martin

3 Replies

gailgouck
Level 1

I'll try. Using the nat 0 w/ an address and mask, like:

nat (inside) 0 10.0.0.0 255.0.0.0

will allow all inside hosts in the above network to access hosts on any other lower security interface (outside for example). However, hosts on the outside would not be able to initiate a connection to a host on the inside 10/8 network. To do that, you'd need a "static" statement for the inside host that the outside would like to access (plus appropriate interface-level permissions). Also, in this case an xlate is built in the PIX's table. This is called Identity NAT.

However, with:

access-list test permit ip 10.0.0.0 255.0.0.0 any

nat (inside) 0 access-list test

the PIX will allow all inside 10/8 hosts to access lower security interfaces, just like Identity NAT, but will also allow OUTSIDE (all lower security interface) hosts to access 10/8 on the inside WITHOUT a "static" command. Of course, based on (and only based on) appropriate interface-level permissions. Also, in this case, there is NO xlate built in the PIX's table. This is called NAT Exemption.

HTH,

Mike
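The difference Mike describes (Identity NAT via "nat 0 network mask" versus NAT Exemption via "nat 0 access-list") is easy to get backwards when reading a config, so here is a small constructed Python model of it. This is an added example, not code from the thread or from Cisco, and it is not a PIX emulator: it parses only the handful of PIX 6.x-style lines shown in the thread (nat 0 in both forms, a permit-ip access-list entry, an identity static), reduces interface-level ACLs to a boolean argument, and assumes NAT Exemption is evaluated before Identity NAT. The 10/8, 172.16/16 and 203.0.113.9 addresses and the "test" ACL name are constructed for the demo.

```python
"""Toy model of the two 'nat 0' forms discussed in this thread.

Constructed, simplified model (not a PIX emulator, not Cisco code): it
covers only connection *initiation* across an inside/outside pair, whether
an xlate entry is built, and a boolean standing in for interface ACLs.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Tuple


@dataclass
class PixNat0Model:
    identity_nets: list = field(default_factory=list)     # nat (inside) 0 NET MASK
    exempt_acls: dict = field(default_factory=dict)       # ACL name -> [networks]
    exempt_acl_names: list = field(default_factory=list)  # nat (inside) 0 access-list NAME
    statics: set = field(default_factory=set)             # inside hosts with an identity static
    xlate_table: list = field(default_factory=list)       # (real, mapped) entries built

    def load(self, config: str) -> None:
        """Parse the few PIX 6.x-style lines this toy model understands."""
        for raw in config.splitlines():
            line = raw.strip()
            if not line or line.startswith("!"):
                continue
            # The access-list form must be tested before the network/mask form,
            # otherwise "access-list test" would be read as a network and mask.
            if m := re.fullmatch(r"nat \(inside\) 0 access-list (\S+)", line):
                self.exempt_acl_names.append(m.group(1))
            elif m := re.fullmatch(r"nat \(inside\) 0 (\S+) (\S+)", line):
                self.identity_nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            elif m := re.fullmatch(r"access-list (\S+) permit ip (\S+) (\S+) any", line):
                net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")  # PIX ACLs use netmasks
                self.exempt_acls.setdefault(m.group(1), []).append(net)
            elif m := re.fullmatch(r"static \(inside,outside\) (\S+) (\S+) netmask 255\.255\.255\.255", line):
                # mapped (outside-visible) address first, real inside address second
                self.statics.add(ipaddress.ip_address(m.group(2)))
            else:
                raise ValueError(f"line not covered by this toy model: {line}")

    def connect(self, src: str, dst: str, direction: str,
                interface_acl_permits: bool = True) -> Tuple[bool, str]:
        """Can this flow be initiated? direction is 'outbound' (inside -> outside)
        or 'inbound' (outside -> inside). Returns (allowed, reason)."""
        if direction not in ("outbound", "inbound"):
            raise ValueError(direction)
        inside_host = ipaddress.ip_address(src if direction == "outbound" else dst)
        if not interface_acl_permits:
            return False, "denied by interface-level ACL"
        # Assumption of this model: NAT Exemption is checked before Identity NAT.
        if any(inside_host in net
               for name in self.exempt_acl_names
               for net in self.exempt_acls.get(name, [])):
            return True, "NAT Exemption: either direction permitted, no xlate built"
        if any(inside_host in net for net in self.identity_nets):
            if direction == "outbound":
                self.xlate_table.append((inside_host, inside_host))
                return True, "Identity NAT: outbound permitted, xlate built"
            if inside_host in self.statics:
                return True, "Identity NAT plus static: inbound permitted"
            return False, "Identity NAT only: inbound needs a static"
        return False, "no nat 0 rule covers this inside host (not modelled further)"


CONSTRUCTED_CONFIG = """
! Identity NAT for 10/8 (the thread's first form); one host also gets a static
nat (inside) 0 10.0.0.0 255.0.0.0
static (inside,outside) 10.1.1.5 10.1.1.5 netmask 255.255.255.255
! NAT Exemption for 172.16/16 (the thread's second form), on a different
! prefix so the two behaviours can be compared side by side
access-list test permit ip 172.16.0.0 255.255.0.0 any
nat (inside) 0 access-list test
"""

OUTSIDE_HOST = "203.0.113.9"  # constructed address from the documentation range


def run_demo():
    """Exercise both nat 0 forms; returns per-flow results and the xlate count."""
    pix = PixNat0Model()
    pix.load(CONSTRUCTED_CONFIG)
    flows = {
        "identity_out": pix.connect("10.0.0.7", OUTSIDE_HOST, "outbound"),
        "identity_in": pix.connect(OUTSIDE_HOST, "10.0.0.7", "inbound"),
        "identity_in_static": pix.connect(OUTSIDE_HOST, "10.1.1.5", "inbound"),
        "exempt_out": pix.connect("172.16.5.5", OUTSIDE_HOST, "outbound"),
        "exempt_in": pix.connect(OUTSIDE_HOST, "172.16.5.5", "inbound"),
        "exempt_in_acl_denied": pix.connect(OUTSIDE_HOST, "172.16.5.5", "inbound",
                                            interface_acl_permits=False),
    }
    return flows, len(pix.xlate_table)


if __name__ == "__main__":
    results, xlates = run_demo()
    for name, (ok, why) in results.items():
        print(f"{name:22} {'ALLOW' if ok else 'DENY ':5} {why}")
    print("xlate entries built:", xlates)
```

Running it shows the point of the thread in one table: the 10/8 host can go out but cannot be reached from outside unless it has a static, the 172.16/16 host can be reached in both directions with no static and no xlate, and in either case the interface-level ACL still has the final say.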

BTW, sorry, I didn't realize a co-worker had logged into this PC before I posted. So Gail didn't post that reply, I did.

Sorry!

Mike

Thanks Mike!