Basic NO NAT setups and concepts on a PIX.

Posted on 2006-06-20
Last Modified: 2013-11-16
I'm going to use an example from a book that I'm having trouble understanding because if someone can explain this example to me, I think I'll have a grasp on what I need to know.

This is a PIX with three interfaces. is attached to the outside interface. is attached to the DMZ interface.
192.168.2-4.0/24 are all behind the inside interface.

The snippet of the configuration provided is this:

pixfirewall(config)# global (outside) 1 netmask
pixfirewall(config)# nat (inside) 1 0 0
pixfirewall(config)# nat (dmz) 1 0 0
pixfirewall(config)# static (dmz, outside)
pixfirewall(config)# static (dmz, outside)
pixfirewall(config)# static (inside, dmz) netmask
pixfirewall(config)# access-list NO_NAT permit ip
pixfirewall(config)# access-list NO_NAT permit ip
pixfirewall(config)# access-list NO_NAT permit ip
pixfirewall(config)# nat (inside) 0 access-list NO_NAT

Now, I understand all of this config and most other configs, but for some reason I've just never gotten how no nat works exactly.  I'd like to understand it well.

The book says "If a device from the inside interface tries to access a device on the dmz interface, it will not have its address translated -- this is based on the very last static command in the configuration." Fine and dandy.  So, the static entry in question keeps things going from the inside -> dmz from being translated.  What does the NO_NAT ACL do?  

Originally, I thought it was some kind of similar thing, but in reverse (i.e., telling things going out from the DMZ to not try and NAT to the addresses in question, the 192.168.2-4.0/24 networks), but that makes no sense because it's applied to the inside interface. Is that ACL applied with the "nat (inside)" statement just a redundancy of the static statement?

Also, what are the security implications of disabling NAT? Do the security level implications still apply (i.e., things from on the security 100 inside can still reach things on the security 50 DMZ interface but not vice versa, assuming that there is no other ACL involvement), or does disabling NAT remove that difference in security level?

Someone please help me.  I feel like I'm frustrated enough and asking such a hugely broad question that I'm going to go ahead and assign a high point value to hopefully make it worth someone's while.

Thanks very much.
Question by: titan6400

Expert Comment

ID: 16948302
Basically, in a nutshell:

When NAT is applied, as a packet travels from one interface out another, it will appear that the source address is the address of the interface it is exiting on.


If a packet travels from inside to out, it will appear to be coming from

Now if you apply a no-NAT statement, anything that is hit by this no-NAT ACL will not be NATed and its source address will be where the packet initiates from originally. This is mostly utilized in VPN tunnels to push a packet as interesting traffic across the tunnel.

Now the static translations..

Based on the above static, if a packet coming from a source of attempts to hit a host in the DMZ, the address is actually "translated" but in reality keeps the same address, since the static translation is the same. But if a host say from was to hit the DMZ, it would appear to have come from since it doesn't match the translation.

Did this make sense?

Author Comment

ID: 16948586
I get that the NO_NAT access-list or generally using a "nat (interface) 0 <address>" command means that the "from" header in an applicable packet won't get rewritten as having come from an address in the global pool -- it just stays the same.

What is the use of the "pixfirewall(config)# static (inside, dmz) netmask" in the example above?

Accepted Solution

prueconsulting earned 500 total points
ID: 16951029
In that example it's used to basically create a translation that keeps the from field the same, because as packets traverse the interfaces they will undergo a translation.

So, for example, let's use this:

Exchange Server on LAN with an address of connecting to a DMZ mail server with an address of

DMZ interface is

When the exchange server connects to the DMZ host the DMZ host will see the packet as coming from 5.245 due to the static translation.

But if a workstation, say on another subnet, was to connect to the DMZ host, the mail server would see its IP as the DMZ interface IP address.
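
Added example, not from the post and not Cisco code: a small Python model of the PIX 6.x translation lookup that both replies above describe, in the order the PIX applies it, NAT exemption (nat 0 access-list) first, then static, then dynamic nat/global. The addresses are hypothetical, since the post's were elided: 172.16.1.0/24 for the DMZ with the interface at 172.16.1.1, 203.0.113.1 as the single outside global address, 10.10.0.0/16 as a remote VPN subnet for the NO_NAT destination, and a `global (dmz) 1 interface` line that the posted snippet does not show but that the accepted answer's "appears as the DMZ interface address" case requires. Without that global line the third lookup fails and the PIX drops the packet with "No translation group found".

```python
"""Toy model of how a PIX 6.x picks the translated source address for a new
flow initiated from a higher-security interface toward a lower one.

Added illustration, not Cisco code. Lookup order, as on the PIX:
  1. NAT exemption  nat <if> 0 access-list ...
  2. static         static (real_if,mapped_if) mapped real [netmask ...]
  3. dynamic        nat <if> <id> ... paired with global (<if>) <id> ...
All addresses below are assumptions standing in for the elided ones.
"""
from ipaddress import ip_address, ip_network


def net(s):
    """Shorthand: '192.168.2.0/24' -> IPv4Network (host bits allowed)."""
    return ip_network(s, strict=False)


# nat (inside) 0 access-list NO_NAT; each ACL line = (src_if, src_net, dst_net).
# 10.10.0.0/16 is an assumed remote VPN subnet (the classic no-NAT use case).
EXEMPT = [
    ("inside", net("192.168.2.0/24"), net("10.10.0.0/16")),
    ("inside", net("192.168.3.0/24"), net("10.10.0.0/16")),
    ("inside", net("192.168.4.0/24"), net("10.10.0.0/16")),
]

# static (real_if, mapped_if) -> (real_if, mapped_if, real_net, mapped_net).
STATIC = [
    ("dmz", "outside", net("172.16.1.10/32"), net("203.0.113.10/32")),
    ("dmz", "outside", net("172.16.1.25/32"), net("203.0.113.25/32")),
    # Identity static, the line the question is about: real and mapped
    # networks are identical, so the address is "translated" to itself.
    ("inside", "dmz", net("192.168.2.0/24"), net("192.168.2.0/24")),
]

# nat (src_if) <id> 0 0 -> (src_if, nat_id, real_net); "0 0" means any host.
DYNAMIC_NAT = [
    ("inside", 1, net("0.0.0.0/0")),
    ("dmz", 1, net("0.0.0.0/0")),
]

# global (mapped_if) <id> addr -> {(mapped_if, nat_id): mapped address}.
GLOBAL = {
    ("outside", 1): ip_address("203.0.113.1"),   # assumed single pool address
    ("dmz", 1): ip_address("172.16.1.1"),        # assumed 'global (dmz) 1 interface'
}


def translate(src_if, dst_if, src, dst):
    """Return (rule_kind, translated_source) for a flow src_if -> dst_if.

    rule_kind is 'exempt', 'static', 'dynamic', or 'none' (no xlate; the
    PIX drops the packet and logs "No translation group found").
    """
    src, dst = ip_address(src), ip_address(dst)

    # 1. NAT exemption is consulted first, so it wins over any static or
    #    dynamic rule that would otherwise match the same source.
    for sif, snet, dnet in EXEMPT:
        if sif == src_if and src in snet and dst in dnet:
            return ("exempt", str(src))

    # 2. Static: fixed mapping between a real and a mapped interface pair.
    #    For a network static the host offset is preserved.
    for rif, mif, real, mapped in STATIC:
        if (rif, mif) == (src_if, dst_if) and src in real:
            offset = int(src) - int(real.network_address)
            return ("static", str(mapped.network_address + offset))

    # 3. Dynamic: a nat id on the source interface paired with a global on
    #    the destination interface; no pairing, no translation.
    for sif, nat_id, real in DYNAMIC_NAT:
        if sif == src_if and src in real and (dst_if, nat_id) in GLOBAL:
            return ("dynamic", str(GLOBAL[(dst_if, nat_id)]))

    return ("none", None)


if __name__ == "__main__":
    # Exchange server (192.168.2.20) reaches the DMZ mail host unchanged;
    # a workstation on 192.168.3.0/24 shows up as the DMZ interface address.
    print(translate("inside", "dmz", "192.168.2.20", "172.16.1.10"))
    print(translate("inside", "dmz", "192.168.3.20", "172.16.1.10"))
    # Same inside host: exempt toward the VPN subnet, PATed toward the Internet.
    print(translate("inside", "outside", "192.168.4.5", "10.10.3.7"))
    print(translate("inside", "outside", "192.168.4.5", "198.51.100.7"))
```

The model covers only the source-address lookup for the initiating side of a flow; the reverse direction through an existing xlate, and whether the flow is permitted at all, which the interface ACLs and security levels decide separately, are outside it.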

