09-22-2002 11:02 AM - edited 02-20-2020 09:19 PM
I have a configuration where NAT is disabled between an inside and an outside interface, using the "nat (inside) 0 access-list" command. If I apply an ACL to the outside interface which permits access to resources on the inside interface, then it appears that a no-NAT "static" is not required, e.g. static (inside,outside) a.b.c.d a.b.c.d. Normally, a static (alongside an ACL entry) is required for traffic flowing from a lower security interface to a higher security interface. Should a static really be defined in this configuration, if only to provide an embryonic connection limit?
09-22-2002 11:40 AM
Yes, you will still need the static command. Security levels haven't changed. Outside still needs to get to inside. Adaptive Security remains in effect with the nat 0 command. See link: http://www.cisco.com/warp/public/707/28.html#dis
e.g.
nat (inside) 0 209.165.201.0 255.255.255.224 (or use an acl)
static (inside,outside) 209.165.201.0 209.165.201.0 netmask 255.255.255.224
access-list acl_out permit tcp host 10.0.0.1 209.165.201.0 255.255.255.224 eq ftp
access-group acl_out in interface outside
Steve
09-22-2002 01:15 PM
I agree that, according to the basic operation of a PIX, a static would be required for traffic from a lower security interface (outside) to a higher security interface (inside), irrespective of whether NAT is in operation or not. However, I have this working without statics.
However, I have just looked again at the documentation for the "static" command, and it states: "For an external host to initiate traffic to an inside host, a static translation rule needs to exist for the inside host; this can also be done using a nat 0 access-list address translation rule. Without the persistent translation rule, the translation cannot occur."
This seems to imply that "nat 0 access-list" effectively creates the xlates which statics would otherwise do when NAT is enabled. In this situation does the addition of the static allow a connection limit to be enforced?
09-22-2002 02:14 PM
I just found that link that you quoted. All the examples I find are with statics, but they do indeed mention the acl can be used instead. As for limiting the number of connections, static is one way to do it.
The nat command:
nat [(if_name)] id address [netmask [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit [em_limit]]]
has conn/em limit, try nat 0 with it. I will try it Monday at work to see if it works.
Steve
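The following is an added illustration of the approach Steve describes (nat 0 with an identity static carrying connection limits); it is a constructed PIX 6.x style configuration, not a config posted in this thread, and the interface names, ACL names, addresses (RFC 5737 documentation ranges) and limit values are assumptions chosen for the example:

```cisco
! Constructed example: no-NAT between inside and outside, with an identity
! static added only to enforce connection limits on the unprotected hosts.

! Exempt the inside network from translation.
access-list nonat permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list nonat

! Identity static for the same range. The trailing "100 25" are the
! max_conns and em_limit arguments of the static command: at most 100
! established connections and 25 embryonic (half-open) TCP connections
! through this static. Set to 0 0 to leave both limits unbounded.
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 100 25

! Inbound ACL on the lower-security interface: only FTP from one outside
! host (192.0.2.10, constructed) to the inside network.
access-list acl_out permit tcp host 192.0.2.10 10.1.1.0 255.255.255.0 eq ftp
access-group acl_out in interface outside
```

To confirm the static is in effect and the limits are being counted, use "show static" and "show xlate" for the translation entries and "show conn" to see established versus embryonic connections against the inside hosts. The embryonic limit is what lets the PIX start intercepting unfinished TCP handshakes once the threshold is reached, which is the reason for keeping a static even when no address translation is taking place.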