02-03-2004 10:32 AM - edited 03-09-2019 06:18 AM
Let's say I've got a PIX with four interfaces, Inside, Outside, DMZ1 and DMZ2. All IPs on all interfaces are routable, there is *NO* NAT or translation anywhere, in any direction. For this example, I use Subnet1 and Subnet2 to represent my address space. Is this what I need:
__________________________________________________
static (inside,outside) subnet1 subnet1 netmask 255.255.255.0 0 0
static (inside,outside) subnet2 subnet2 netmask 255.255.255.0 0 0
static (inside,DMZ1) subnet1 subnet1 netmask 255.255.255.0 0 0
static (inside,DMZ1) subnet2 subnet2 netmask 255.255.255.0 0 0
static (inside,DMZ2) subnet1 subnet1 netmask 255.255.255.0 0 0
static (inside,DMZ2) subnet2 subnet2 netmask 255.255.255.0 0 0
___________________________________________
Documentation on this is unclear; is it a good rule of thumb to say the syntax is:
static (Higher Security, Lower Security) .....
alex
02-03-2004 11:10 AM
A much easier way to do this is with an ACL + NAT 0 statements (also referred to as NAT bypass):
access-list nonat permit ip subnet1 255.255.255.0 any
access-list nonat permit ip subnet2 255.255.255.0 any
nat (dmz1) 0 access-list nonat
nat (dmz2) 0 access-list nonat
nat (inside) 0 access-list nonat
You do not need to bind this to the outside interface, but if someone from the internet had to get to your mail server on DMZ1, then you would need to write an ACL permitting that traffic. Same if you are going from DMZ1 to DMZ2 (assuming DMZ2 is a higher interface).
Also note, with the 'nat' statement the interface refers to traffic inbound to it.
Your 'static (higher, lower)
When you have the choice between the two, you should always use an ACL + NAT 0 vs. statics. Statics leave a permanent entry in the xlate table, which can eat up resources if you have enough of them.
02-03-2004 12:26 PM
Thanks for that response. I can pose a question a different way now.. If I'm doing no NAT at all, I don't need any 'static' commands do I? I just need 'nat' commands, correct? (Cisco does not win the Intuitive Award here...)
-Alex
02-03-2004 12:35 PM
Correct.. if you are using nat, even nat 0, then you won't need static to go from inside to outside...
Investigate if you really need to use nat 0 access-list, as this bypasses the xlate table... nat (inside) 0
02-04-2004 06:49 AM
If this is the configuration, the source address should be a public address (not 10.*.*.*)? Since we are using nat 0.
access-list test permit ip 10.0.0.0 255.0.0.0 any
nat (inside) 0 access-list test
The PIX will allow all inside 10/8 hosts to access lower security interfaces, just like Identity NAT, but will also allow OUTSIDE (all lower security interface) hosts to access 10/8 on the inside WITHOUT a "static" command. Of course, based on (and only based on) appropriate interface-level permissions.
Brajesh.
02-04-2004 07:16 AM
Given that I'm using routable IPs & no NAT at all, I would just need these entries?
access-list inside_outbound_nat0_acl permit ip x.x.100.0 255.255.255.0 any
access-list 32-dmz_outbound_nat0_acl permit ip x.x.32.0 255.255.255.0 any
access-list 42-dmz_outbound_nat0_acl permit ip x.x.42.0 255.255.255.0 any
____________________________________________
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (32-DMZ) 0 access-list 32-dmz_outbound_nat0_acl
nat (42-DMZ) 0 access-list 42-dmz_outbound_nat0_acl
____________________________________________
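The thread's replies rely on two things being right in the config: every `nat (interface) 0 access-list NAME` line must point at an ACL that actually exists, and a host's source address must fall inside that ACL for the translation to be bypassed. The following Python is an added example, not code from the thread or from Cisco; it parses the `access-list ... permit ip NET MASK any` and `nat (IF) 0 access-list NAME` lines in the style used above, answers "is this source address NAT-exempt on this interface?", and flags dangling or unbound ACL names. The sample config, the interface names and the addresses in it are constructed for the example; it only models the `permit ip NET MASK any` form used in this thread, not the full PIX ACL grammar.

```python
import ipaddress
import re

# Constructed sample config in the style of the thread (not a real device dump).
SAMPLE_CONFIG = """
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 any
access-list 32-dmz_outbound_nat0_acl permit ip 198.51.100.0 255.255.255.0 any
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (32-DMZ) 0 access-list 32-dmz_outbound_nat0_acl
"""

# Only the ACL shape used in the thread: permit ip <net> <mask> any
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+any$")
# nat (<interface>) 0 access-list <name>  (NAT exemption / "nat 0" with ACL)
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")


def parse_config(text):
    """Return (acls, nat0): acls maps ACL name -> list of networks,
    nat0 maps lower-cased interface name -> ACL name it is bound to."""
    acls = {}
    nat0 = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACL_RE.match(line)
        if m:
            name, net, mask = m.groups()
            # ipaddress accepts dotted-decimal masks: "192.0.2.0/255.255.255.0"
            acls.setdefault(name, []).append(
                ipaddress.ip_network(f"{net}/{mask}", strict=False))
            continue
        m = NAT0_RE.match(line)
        if m:
            iface, name = m.groups()
            nat0[iface.lower()] = name
    return acls, nat0


def is_nat_exempt(acls, nat0, iface, src_ip):
    """True if traffic from src_ip entering iface matches that interface's
    nat 0 ACL (i.e. the PIX will carry the address through untranslated)."""
    name = nat0.get(iface.lower())
    if name is None:
        return False
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in acls.get(name, []))


def lint_nat0(acls, nat0):
    """Return human-readable problems: nat 0 lines that reference an ACL
    that was never defined, and nat0-style ACLs defined but never bound."""
    problems = []
    for iface, name in sorted(nat0.items()):
        if name not in acls:
            problems.append(f"nat ({iface}) 0 references undefined ACL {name}")
    bound = set(nat0.values())
    for name in sorted(acls):
        if name not in bound:
            problems.append(f"ACL {name} is defined but not bound to any nat 0")
    return problems


if __name__ == "__main__":
    acls, nat0 = parse_config(SAMPLE_CONFIG)
    for iface, ip in [("inside", "192.0.2.10"), ("inside", "198.51.100.10"),
                      ("32-DMZ", "198.51.100.10"), ("outside", "192.0.2.10")]:
        print(f"{iface:8} {ip:16} exempt={is_nat_exempt(acls, nat0, iface, ip)}")
    for p in lint_nat0(acls, nat0):
        print("WARNING:", p)
```

Note that `is_nat_exempt` only answers the translation question; as the replies above stress, whether a lower-security interface may actually reach the exempted hosts is still decided by the interface ACLs, which this script does not model.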