| Case Number |
K70435760 |
| Title |
Network Address Translation (NAT) order of operation in the PIX Firewall |
| Resolution |
This is the order in which the PIX Firewall evaluates its translation rules for a new connection. Each step is tried in turn, and evaluation stops at the first step that yields a translation:
- nat 0 access-list (NAT exemption), first match
- Match against existing xlates
- static statements, first match:
  - static NAT, with and without access-list
  - static PAT, with and without access-list
- nat statements:
  - nat access-list (policy NAT), first match. The nat 0 access-list command does not belong to this step; it is NAT exemption and was already evaluated in the first step.
  - nat (best match): the most specific nat statement covering the real address is chosen.
Note: When choosing a global address from multiple global pools that share the same NAT ID, this order is attempted:
- If the ID is 0, create an identity xlate.
- Use the global pool for dynamic NAT.
- Use the global pool for dynamic PAT.
- Error: no global address is available for the translation.
NAT 0 STATEMENT:
nat (inside_interface_name) 0
The nat 0 command has two forms, and they behave differently:
- nat (inside_interface_name) 0 access-list 101
This is NAT exemption. It behaves like a static in that a connection can be initiated from either side, but no translation is applied: a host on the lower security interface can open a connection to a host on the higher security interface without the higher security host having first initiated a connection. Because NAT exemption is evaluated before existing xlates, static and nat statements, it takes precedence over any other translation rule covering the same addresses. An access-list applied to the lower security interface is still required to permit the inbound connection; exemption bypasses only the translation, not the interface security policy.
- nat (inside_interface_name) 0 0.0.0.0 0.0.0.0
This is identity NAT. Translation is also bypassed (the xlate maps each real address to itself), but that xlate is created only when the host on the higher security interface initiates a connection to the lower security interface. Until the xlate exists, a host on the lower security interface cannot initiate a connection to the host on the higher security interface.
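The following PIX 6.x configuration is an added example, not part of the original case, that puts the rules from the order-of-operation list and both nat 0 forms side by side so the precedence can be traced per packet. All addresses are documentation ranges (RFC 5737 and RFC 1918), and the interface, access-list and pool names are assumed for the example:

```cisco
! Interfaces (PIX 6.x syntax; 7.x uses interface configuration mode instead)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
!
! Step 1: NAT exemption. Inside 10.1.1.0/24 to the remote site 192.168.10.0/24
! passes untranslated and may be initiated from either side.
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Step 3: static NAT for the web server, evaluated after exemption and after
! any existing xlate.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! Step 4a: policy dynamic NAT. Only HTTP from the inside subnet uses pool 2.
access-list policy-web permit tcp 10.1.1.0 255.255.255.0 any eq www
nat (inside) 2 access-list policy-web
global (outside) 2 203.0.113.40-203.0.113.50 netmask 255.255.255.0
!
! Step 4b: regular dynamic NAT, best match. Two globals share ID 1: the address
! range (dynamic NAT) is tried first, then the interface address (PAT) once the
! range is exhausted.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.20-203.0.113.30 netmask 255.255.255.0
global (outside) 1 interface
!
! Inbound permits are still required on the lower security interface. The
! static is referenced by its translated address; the exempted hosts by their
! real addresses, since no translation is applied to them.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group outside_in in interface outside
```

Tracing new connections against this configuration: 10.1.1.10 to 192.168.10.5 is untranslated, because NAT exemption (step 1) wins over the static that also covers 10.1.1.10. 10.1.1.10 to 198.51.100.7 on TCP 80 is translated to 203.0.113.10, because the static (step 3) is checked before the policy-web access-list even though both match. 10.1.1.20 to 198.51.100.7 on TCP 80 takes an address from pool 2 (policy NAT, step 4a), while 10.1.1.20 to 198.51.100.7 on TCP 25 falls through to nat 1 (best match, step 4b), where the 203.0.113.20-30 range is used before the interface PAT address. A connection from 192.168.10.5 to 10.1.1.20 is accepted with no prior outbound traffic because of the exemption plus the outside_in permit; replacing the nat 0 access-list line with nat (inside) 0 0.0.0.0 0.0.0.0 would make that same inbound connection fail until 10.1.1.20 had first created an identity xlate by connecting outbound.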
Refer to these documents for more information on these commands:
|
| Problem Type |
Compatibility or Support
How to (General Information) |
| Product Family |
Firewall - PIX 500 series |
| PIX Software Version |
PIX version 6.x
PIX version 7.x |
| PIX Model |
535
501
506
506E
515
515E
525 |
| Features & Tasks |
Network Address Translation (NAT) |
| Selected PIX or Router Commands |
static |
| Direct URL |
http://www.ciscotaccc.com/security/showcase?case=K70435760 |