Another feature that can be used to control outbound connections is the ability to control which internal IP addresses are visible on the outside. The nat 0 command lets administrators disable address translation so that inside IP addresses appear on the outside untranslated. This feature can be used when there are InterNIC-registered IP addresses on the inside network that need to be accessible on the outside network. Use of the nat 0 command depends on your security policy. If the policy allows internal clients to have their IP addresses exposed to the Internet, then the nat 0 command is used to provide that service.

In the figure, the address 192.168.0.9 is not translated. When the command nat (DMZ) 0 192.168.0.9 255.255.255.255 is entered, the PIX Security Appliance displays the following message:

    nat 0 192.168.0.9 will be non-translated

It is important to note that nat 0 enables the Internet server address to be visible on the outside interface. The administrator also needs to add a static in combination with an access-list to allow users on the outside to connect with the Internet server.
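
The following is an added example, not part of the original text: a small Python audit that reads a PIX configuration and reports, for each host exempted with nat 0, whether a static and an inbound access-list actually open it to outside users. The sample configuration is constructed and assumes PIX 6.x-style syntax; the ACL name acl_out, the second host 192.168.0.10 and the function names are hypothetical.

```python
import re

# Constructed sample configuration (PIX 6.x-style syntax assumed); only
# 192.168.0.9 and its nat 0 line come from the text above.
SAMPLE_CONFIG = """\
nat (DMZ) 0 192.168.0.9 255.255.255.255
nat (DMZ) 0 192.168.0.10 255.255.255.255
nat (inside) 1 10.0.0.0 255.255.255.0
static (DMZ,outside) 192.168.0.9 192.168.0.9 netmask 255.255.255.255
access-list acl_out permit tcp any host 192.168.0.9 eq www
access-group acl_out in interface outside
"""

NAT0 = re.compile(r"nat \((\w+)\) 0 (\S+) 255\.255\.255\.255$")
STATIC = re.compile(r"static \(\w+,(\w+)\) (\S+) (\S+)")
ACL = re.compile(r"access-list (\S+) permit (\S+) any host (\S+)(?: eq (\S+))?")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)")


def audit_nat0(config, outside="outside"):
    """Map each host exempted with nat 0 to what exposes it inbound.

    Handles host (255.255.255.255) nat 0 entries and 'any host' permits only.
    """
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    # Names of ACLs applied inbound on the outside interface.
    bound = set()
    for line in lines:
        g = GROUP.match(line)
        if g and g.group(2) == outside:
            bound.add(g.group(1))
    report = {}
    for line in lines:
        n = NAT0.match(line)
        if n:
            report[n.group(2)] = {"interface": n.group(1), "static": False, "permits": []}
    for line in lines:
        s, a = STATIC.match(line), ACL.match(line)
        # Identity static toward the outside: global address equals real address.
        if s and s.group(1) == outside and s.group(2) == s.group(3) and s.group(2) in report:
            report[s.group(2)]["static"] = True
        # Only permits in an ACL bound to the outside interface count.
        if a and a.group(1) in bound and a.group(3) in report:
            report[a.group(3)]["permits"].append(f"{a.group(2)}/{a.group(4) or 'any'}")
    return report


def inbound_reachable(report):
    """Hosts outside users can connect to: a static plus at least one permit."""
    return sorted(h for h, r in report.items() if r["static"] and r["permits"])
```

Running audit_nat0 over a saved configuration gives a quick inventory of untranslated addresses to compare against the security policy, and inbound_reachable narrows it to the hosts that accept connections from the outside.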