From: David Mitchell (david.mitchell@centientnetworks.com)
Date: Mon Nov 13 2006 - 19:25:39 ART
This is one of those crazy PIX things that took me forever to
understand.
A plain old NAT 0, such as "nat (inside) 0 0 0", will allow all traffic
to go out untranslated. However, new connections will not be allowed
from the outside in.
If you take that same NAT 0 and use an ACL with it, all of a sudden it
becomes bidirectional. Example: "nat (inside) 0 access-list nonat".
It's been a while since I've played with it, so I may not be 100%
correct, but that is how I understood it to work.
Thanks,
David Mitchell
CCIE #17178, CCSP, MCSE
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Lab Rat #109385382
Sent: Sunday, November 12, 2006 3:37 AM
To: cisco@groupstudy.com; ccie >> Cisco certification;
security@groupstudy.com
Subject: Another PIX Question
I have a question regarding PIX NAT (assume appropriate static routes
are in place).
If I choose a NAT 0 statement over a Static NAT statement (inside to
outside), won't that mean outside hosts will never be able to ping the
NAT 0 network unless there is already a translation in the NAT table?
Versus, Static NAT statically defines the inside network to the outside,
right? Which makes it possible to ping those hosts without the inside
having to come out first?
I've been pinging the internal hosts from the outside and this seems to
be the behavior because I get timeouts, but I just want to make sure that
I'm not configuring something wacky?
Thanks,
Ed
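The three configurations discussed in this thread, side by side, as an added example (this is not configuration posted by either participant). It assumes a PIX 6.x-style command set, a two-interface firewall with "inside" and "outside", and a constructed inside network of 10.1.1.0/24; the ACL names nonat and outside_in are placeholders. The point it makes beyond the thread is that "bidirectional" only means the NAT engine will build a translation for an outside-initiated flow; the lower-security outside interface still drops inbound traffic until an access-group explicitly permits it, so a timeout can come from either layer.

```cisco
! Added example (not from the thread). Addresses and ACL names are constructed.

! --- Option 1: plain identity NAT (what Ed is testing) ---
! Inside hosts leave untranslated, but the xlate is created only when an
! inside host initiates, so outside-initiated pings to 10.1.1.x time out
! until that host has "come out first".
nat (inside) 0 0 0

! --- Option 2: NAT exemption (identity NAT driven by an ACL) ---
! The exemption is evaluated for both directions, so the firewall will build
! the identity translation for an outside-initiated flow as well.
access-list nonat permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list nonat

! --- Option 3: static identity mapping ---
! A static is always bidirectional; mapping the network to itself gives the
! same reachability as option 2 without an exemption ACL.
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! --- Required for options 2 and 3 regardless ---
! Outside is the lower-security interface, so inbound traffic is denied
! until an ACL applied inbound on outside permits it. Keep this as narrow
! as the requirement allows (here: only ICMP echo to the inside network).
access-list outside_in permit icmp any 10.1.1.0 255.255.255.0 echo
access-group outside_in in interface outside
```

To tell the two failure causes apart while testing, "show xlate" shows whether an identity translation exists for the inside host, and "show access-list" shows whether the outside_in entry's hit count is incrementing; a hit on the ACL with no xlate points at option 1 behaviour, while no hit at all points at the interface ACL.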
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:46 ART