[c-nsp] PIX NAT 0

Shakeel Ahmad shakeelahmad at gmail.com
Thu Nov 2 10:31:29 EST 2006


Thanks. What is the role of DENY in NONAT ACLs? I read we should not use it
- I actually did try it and it stopped communication completely - it didn't even
send any packet with a non-NATted translation.

I was trying this in NONAT:

! to permit this host to access the ftp via PAT
DENY HOST xx.inside.xx HOST xx.public-ftp.xx
! to deny all hosts in inside to be PATed over interface
PERMIT NETWORK xx.inside.xx any



On 11/2/06, cigdem gur <cigdem_gur at yahoo.com> wrote:
>
>
> Hi,
>
> nat 0 means "do not NAT".
>
> For example, you have an inside and a DMZ network, and you
> use private IP subnets for these two networks.
>
> When the packets from the inside and DMZ networks go to the
> Internet, you use NAT and translate the IP addresses
> of the devices in these subnets to legal IP addresses.
>
> But you may not want to use NAT for the traffic
> between
> inside and DMZ. Maybe you want to use the original
> private addresses of inside and DMZ.
>
> For example,
>
> inside network ---> 192.168.1.0/24
> DMZ ---> 10.0.0.0/24
> Outside ---> 193.243.211.56/29
>
>
> access-list inside_dmz_nat0_acl permit ip 192.168.1.0
> 255.255.255.0 10.0.0.0 255.255.255.0
>
> nat (inside) 0 access-list inside_dmz_nat0_acl
>
>
> According to the example above, the packets are
> transmitted from inside (192.168.1.0/24) to DMZ
> (10.0.0.0 /24) without NAT.
>
> Also, if you use the PDM or ASDM interface of the PIX, you
> will see "Translation Exemption Rules" under the
> "Translation Rules" tab, which means "NAT 0", "do not
> NAT".
>
> --- Shakeel Ahmad <shakeelahmad at gmail.com> wrote:
>
> > Can anyone explain the following command, as I have
> > found much documentation for
> > it:
> >
> > nat 0 acl/IP Range
> >
> > My scenario is, I want to limit a few subnets (inside)
> > not to use the Internet -
> > but at the very same time I want them to explicitly
> > use the public Internet for
> > 1 or 2 IPs only.
> >
> > If anyone can list his example.
> >
> > Thanks in advance.
> >
> > SA
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at
> > http://puck.nether.net/pipermail/cisco-nsp/
> >
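The thread turns on how a PIX evaluates a NAT-exemption ACL: the first entry that matches a packet wins, a permit exempts the flow from translation, and a deny (where the software supports deny in a nat 0 ACL, which is version-dependent) simply means "not exempt", so the packet falls through to the ordinary nat/global rules. The following Python model is an added illustration, not Cisco code and not anything the posters ran; it parses PIX-style access-list lines and reports the exemption decision. The second ACL reproduces the deny-then-permit idea from the question with constructed placeholder addresses (192.168.1.0/24 for the inside network, 203.0.113.5 for the public FTP host), since the real addresses are not given in the thread.

```python
"""Model of first-match evaluation for a PIX/ASA NAT-exemption
(nat 0 access-list) ACL. Added illustration, not Cisco code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" (exempt) or "deny" (not exempt)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_spec(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one PIX address spec at tokens[i]: 'any', 'host A', or 'A MASK'.
    Returns the network and the index of the next unconsumed token."""
    tok = tokens[i].lower()
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs use subnet masks (not wildcard masks); ipaddress accepts "addr/mask".
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list NAME {permit|deny} ip SRC DST' lines, keeping order."""
    entries = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue                 # blank or comment line
        idx = next(i for i, t in enumerate(tokens) if t.lower() in ("permit", "deny"))
        action = tokens[idx].lower()
        # tokens[idx + 1] is the protocol ("ip"); exemption matches on addresses only.
        src, j = _parse_spec(tokens, idx + 2)
        dst, _ = _parse_spec(tokens, j)
        entries.append(AclEntry(action, src, dst))
    return entries


def nat0_decision(acl: List[AclEntry], src_ip: str, dst_ip: str) -> str:
    """First matching entry wins: permit -> 'exempt' (no translation);
    deny, or no match at all -> 'translate' (falls through to nat/global rules)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in acl:
        if s in e.src and d in e.dst:
            return "exempt" if e.action == "permit" else "translate"
    return "translate"


# Constructed sample 1: the inside <-> DMZ exemption from the reply above.
INSIDE_DMZ_ACL = parse_acl([
    "access-list inside_dmz_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0",
])

# Constructed sample 2: the deny-then-permit idea from the question, with
# placeholder addresses (192.168.1.10 = the one inside host, 203.0.113.5 = public FTP).
DENY_FIRST_ACL = parse_acl([
    "! carve this host out of the exemption so it is still PATed to the FTP server",
    "access-list nonat deny ip host 192.168.1.10 host 203.0.113.5",
    "! exempt everything else on inside: never translated, so it cannot reach the Internet",
    "access-list nonat permit ip 192.168.1.0 255.255.255.0 any",
])

if __name__ == "__main__":
    flows = (("192.168.1.10", "203.0.113.5"),   # the carved-out host to the FTP server
             ("192.168.1.10", "10.0.0.7"),      # same host to the DMZ
             ("192.168.1.20", "198.51.100.9"))  # another inside host to the Internet
    for name, acl in (("inside_dmz_nat0_acl", INSIDE_DMZ_ACL), ("nonat", DENY_FIRST_ACL)):
        for src, dst in flows:
            print(f"{name}: {src} -> {dst}: {nat0_decision(acl, src, dst)}")
```

Running the block shows that under first-match semantics the carved-out host is translated (PATed) towards the FTP server while every other inside flow is exempt and therefore keeps its private address, which is the intent behind the deny-then-permit ordering. Whether a given PIX release honours the deny entry that way is a separate question from the ACL logic, and is the thing to confirm against the release notes for the image in use.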

