Cisco Support Community
Community Member

Static vs. NONAT

What is the functional difference between the two for the following scenario?

static (inside,dmz) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

vs


nat (inside) 0 1.1.1.1 255.255.255.255

Those accomplish the same thing. Is there something I'm missing?

Accepted Solutions
Cisco Employee

Re: Static vs. NONAT

static (inside,dmz) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

This is only between inside and dmz

This is bi-directional, meaning that in addition to the hosts on the inside, hosts in the DMZ can also initiate traffic, provided ACLs allow.

This is called identity static

vs


nat (inside) 0 1.1.1.1 255.255.255.255

This can only be sourced from the inside interface going anywhere. This is called nat exemption.

-KS
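
The distinction in the accepted answer can be checked mechanically when reviewing a pre-8.3 PIX/ASA configuration. The Python below is an added example, not code from the thread or from Cisco: it parses the two statement forms quoted above and reports which ones let another interface initiate toward an inside host. The interface list and all function names are assumptions, and ACLs are not modelled.

```python
import re

# Pre-8.3 PIX/ASA syntax as quoted in the thread: static (real_if,mapped_if) mapped real
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
# "nat (if) 0 access-list NAME" is a different statement form and is skipped here.
NAT0_RE = re.compile(r"^nat \((\w+)\) 0 (?!access-list)(\S+) (\S+)$")


def parse_rule(line):
    """Classify one config line as identity static, other static, or nat 0."""
    line = line.strip()
    m = STATIC_RE.match(line)
    if m:
        real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
        kind = "identity-static" if mapped_ip == real_ip else "static"
        return {"kind": kind, "real_if": real_if, "mapped_if": mapped_if,
                "host": real_ip, "mask": mask}
    m = NAT0_RE.match(line)
    if m:
        real_if, ip, mask = m.groups()
        return {"kind": "nat0", "real_if": real_if, "mapped_if": None,
                "host": ip, "mask": mask}
    return None


def initiators(rule, interfaces):
    """Return (from_if, to_if) pairs the rule covers for NEW connections,
    following the accepted answer. ACLs still decide whether traffic passes."""
    if rule["kind"] in ("identity-static", "static"):
        a, b = rule["real_if"], rule["mapped_if"]
        return {(a, b), (b, a)}            # bi-directional, one interface pair
    # nat 0: only sourced from the real interface, toward any other interface
    return {(rule["real_if"], i) for i in interfaces if i != rule["real_if"]}


def inbound_exposure(config_text, interfaces, trusted="inside"):
    """List (host, from_if, rule kind) where another interface may initiate
    toward a host behind `trusted`."""
    findings = []
    for rule in filter(None, map(parse_rule, config_text.splitlines())):
        for src, dst in sorted(initiators(rule, interfaces)):
            if dst == trusted:
                findings.append((rule["host"], src, rule["kind"]))
    return findings


# Constructed sample config: the two statements from the question.
SAMPLE = """static (inside,dmz) 1.1.1.1 1.1.1.1 netmask 255.255.255.255
nat (inside) 0 1.1.1.1 255.255.255.255"""
INTERFACES = ["inside", "dmz", "outside"]   # assumed interface names
```

Running `inbound_exposure(SAMPLE, INTERFACES)` flags only the identity static, which is the statement whose reachability from the DMZ then depends entirely on the ACLs.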

2 REPLIES

Re: Static vs. NONAT

Technically speaking the NAT statement actually does NAT. Granted it NATs to its own address, but it does NAT. With NAT0 it does not NAT at all.

Hope that helps.

Please let Cisco know that these forums are valuable to you!
https://supportforums.cisco.com/docs/DOC-6212
