static vs nat 0

Posted by Bob Simon on April 16, 2008, 8:54 am
PIX 501 v 6.3(3). Inside network: 10.0.0.0/24. Upstream router does
PAT and static mapping for several internal networks.

As I understand it, the following two PIX commands both allow inside
packets to get outside (and replies to get back) without changing
source or destination IP address. Right? If true, how are they
functionally different?

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
nat (inside) 0 0 0


Posted by Morph on April 16, 2008, 9:18 am
wrote:

| PIX 501 v 6.3(3). Inside network: 10.0.0.0/24. Upstream router does
| PAT and static mapping for several internal networks.
|
| As I understand it, the following two PIX commands both allow inside
| packets to get outside (and replies to get back) without changing
| source or destination IP address. Right? If true, how are they
| functionally different?
|
| static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
| nat (inside) 0 0 0

From Cisco ASA and PIX Firewall Handbook by Dave Hucaby
Publisher: Cisco Press
Pub Date: June 07, 2005


"Unlike identity NAT, which allows connections to be initiated only in
the outbound direction, NAT exemption allows connections to be initiated
in either the inbound or outbound direction.

NAT exemption is most often used in conjunction with VPN connections.
Inside addresses might normally be translated for all outbound
connections through a firewall. If a remote network can be reached
through a VPN tunnel, the inside hosts might need to reach remote VPN
hosts without being translated. NAT exemption provides the policy
mechanism to conditionally prevent the address translation."

Posted by bobneworleans@yahoo.com on April 16, 2008, 12:17 pm
> wrote:
>
> | PIX 501 v 6.3(3). Inside network: 10.0.0.0/24. Upstream router does
> | PAT and static mapping for several internal networks.
> |
> | As I understand it, the following two PIX commands both allow inside
> | packets to get outside (and replies to get back) without changing
> | source or destination IP address. Right? If true, how are they
> | functionally different?
> |
> | static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
> | nat (inside) 0 0 0
>
> From Cisco ASA and PIX Firewall Handbook by Dave Hucaby
> Publisher: Cisco Press
> Pub Date: June 07, 2005
>
> "Unlike identity NAT, which allows connections to be initiated only in
> the outbound direction, NAT exemption allows connections to be initiated
> in either the inbound or outbound direction.
>
> NAT exemption is most often used in conjunction with VPN connections.
> Inside addresses might normally be translated for all outbound
> connections through a firewall. If a remote network can be reached
> through a VPN tunnel, the inside hosts might need to reach remote VPN
> hosts without being translated. NAT exemption provides the policy
> mechanism to conditionally prevent the address translation."

That would be a great answer except that NAT exemption is
"nat 0 access-list" rather than a static statement.

Nevertheless, I'm curious about your book. Do you have an ebook
so you can copy sections from it?
Bob

Posted by Morph on April 16, 2008, 1:31 pm
In the message
bobneworleans@yahoo.com wrote:

| > | PIX 501 v 6.3(3). Inside network: 10.0.0.0/24. Upstream router does
| > | PAT and static mapping for several internal networks.
| > |
| > | As I understand it, the following two PIX commands both allow inside
| > | packets to get outside (and replies to get back) without changing
| > | source or destination IP address. Right? If true, how are they
| > | functionally different?
| > |
| > | static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
| > | nat (inside) 0 0 0
| >
| > From Cisco ASA and PIX Firewall Handbook by Dave Hucaby
| > Publisher: Cisco Press
| > Pub Date: June 07, 2005
| >
| > "Unlike identity NAT, which allows connections to be initiated only in
| > the outbound direction, NAT exemption allows connections to be initiated
| > in either the inbound or outbound direction.
| >
| > NAT exemption is most often used in conjunction with VPN connections.
| > Inside addresses might normally be translated for all outbound
| > connections through a firewall. If a remote network can be reached
| > through a VPN tunnel, the inside hosts might need to reach remote VPN
| > hosts without being translated. NAT exemption provides the policy
| > mechanism to conditionally prevent the address translation."
|
| That would be a great answer except that NAT exemption is
| "nat 0 access-list" rather than a static statement.

You are right :)
I found an explanation here:
http://www.velocityreviews.com/forums/t56763-pix-515-vlan-nat0-issues.html

"Only one "nat 0 access-list" is permitted per interface, and it
applies to traffic going to lower security interfaces. Indefinite
numbers of "nat 0" (without access-list) are permitted per interface,
and again apply towards all lower security interfaces.
"static" and all other "nat" commands work between pairs of interfaces,
so the IP of an inside host as known to dmz1 could be different than
the IP of the same host as known to dmz2."

| Nevertheless, I'm curious about your book. Do you have an ebook
| so you can copy sections from it?
| Bob

Yes, it's an ebook.

Posted by Tosh on April 16, 2008, 10:23 pm
> "Only one "nat 0 access-list" is permitted per interface, and it
> applies to traffic going to lower security interfaces. Indefinite
> numbers of "nat 0" (without access-list) are permitted per interface,
> and again apply towards all lower security interfaces.
> "static" and all other "nat" commands work between pairs of interfaces,
> so the IP of an inside host as known to dmz1 could be different than
> the IP of the same host as known to dmz2."
>

Apart from this, if I recall correctly, nat 0 doesn't do proxy ARP, so it is best
suited to VPN usage.
On the other hand, the static command does proxy ARP for the virtual
addresses and can be used for publishing real servers over virtual IPs.
Bye,
Tosh.
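As an added configuration sketch (not from the thread or any of its posters), here are the three untranslated-passthrough forms discussed above written out side by side for a PIX 6.3 with inside network 10.0.0.0/24. They are alternatives for the same subnet, not one config to paste; the VPN peer network 192.168.50.0/24, the dmz1 interface and the server 10.0.0.10 are assumptions.

```cisco
! Added example, not from the thread. Addresses other than 10.0.0.0/24 are made up.
! Assumed: VPN peer network 192.168.50.0/24, interface dmz1, server 10.0.0.10.

! Option A - identity NAT: "nat 0" with no access-list.
! Inside hosts keep their real address toward EVERY lower-security interface
! (outside and dmz1 alike). Per the Hucaby quote above, connections can only be
! initiated outbound. The OP's "nat (inside) 0 0 0" is this form for all hosts.
nat (inside) 0 10.0.0.0 255.255.255.0

! Option B - NAT exemption: "nat 0 access-list".
! Only traffic matching the ACL bypasses translation; connections may be
! initiated from either side, which is why it is the usual choice for
! site-to-site VPN traffic. Only one is allowed per interface, and it is
! evaluated before any static or dynamic nat statement.
access-list NONAT permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Option C - identity static: scoped to ONE interface pair.
! The same host may carry a different address toward dmz1 than toward outside,
! and the PIX proxy-ARPs for the mapped address on the outside interface, so this
! is the form used to publish a real server (Tosh's point above). An inbound
! access-list is still required before outside hosts can actually reach it.
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
static (inside,dmz1) 10.0.0.10 10.0.0.10 netmask 255.255.255.255 0 0
access-list OUTSIDE_IN permit tcp any host 10.0.0.10 eq www
access-group OUTSIDE_IN in interface outside

! Whatever is not exempted or statically mapped above is still PATed
! through the outside interface address.
nat (inside) 1 0 0
global (outside) 1 interface
```

When reviewing such a config, check which of A, B or C actually matches a given inside host: an identity static or a nat 0 access-list entry silently wins over the nat 1/global pair for every address it covers.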
