Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Can Anyone Help Explain the Syntax Given? 1

Status
Not open for further replies.
mRgEE

mRgEE

IS-IT--Management
Oct 13, 2003
61
GB
My config allows all ip traffic to pass in both directions between the outside and inside interfaces of my pix 501 even though they are on different subnets as shown below: -
ip address outside 10.0.0.253 255.0.0.0
ip address inside 192.168.0.253 255.255.255.0

I have the following ACLs setup: -
access-list allow_ip permit ip any any
access-list nonat permit ip any any

I am trying to learn pix and specifically trying to understand exactly what the following statements do: -
global (outside) 1 interface
nat (inside) 0 access-list nonat
access-group allow_ip in interface outside
access-group allow_ip in interface inside
routing interface inside

Can anyone explain in details what exactly each of these statements accomplish?
 
Sort by date Sort by votes
global (outside) 1 interface
*This tells the pix that any traffic with grouping "1" traversing the pix headed for the outside gets natted (patted really) to the IP of the interface. (ie it replaces the source IP address and port with it's IP address and a random port.)

nat (inside) 0 access-list nonat
*This tells the pix to not nat traffic that matches this access list - useful for an exemption for VPN or traffic going to the DMZ. Yours says to not nat any traffic - since you are using private IP addresses, your traffic essentially dies when it hits an internet router.

access-group allow_ip in interface outside
*This filters traffic entering the outside interface from the outside(internet) to see if it is allowed, it is then passed of to the nat/static process. Yours says to allow everything.

access-group allow_ip in interface inside
*This is the same as above but for traffic entering the inside interface from the inside computers.

routing interface inside
*This is for setting up the OSPF routing process and puts you in the OSPF sub command mode for that interface.


Hope this helps.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
So would these result in the same configuration?:

access-list nonat permit ip any any
nat (inside) 0 access-list nonat

- and -

nat (inside) 0 0.0.0.0 0.0.0.0
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
681
Sameer258
Sameer258
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
641
intel233
intel233
tklamb
  • Locked
  • Question
ACL help
Replies
0
Views
134
tklamb
tklamb
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
161
PauS0n
PauS0n
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
518
nnaarrnn
nnaarrnn

Part and Inventory Search

Sponsor

Back
Top