Any difference between Interface PAT & static NAT to allow low to high traffic

djkim
Level 1

Hi,

When you are doing "Interface PAT" at a low interface, that gives you access to the lower security interface; by default the inside interface is able to access any resources on a lower security interface unless an access-list is defined. That is OK. But when you require access to resources from low to high, you would use static/access-list/access-group to allow traffic from low to high.

Does it make any difference between doing interface PAT at a low interface and static NAT at a low interface when static/access-list/access-group is used to allow low to high traffic? I think it shouldn't make any difference, but I have been having an annoying problem with static/access-list/access-group. I tried all I can with these commands; there must be some relationship between static NAT and interface PAT if I am not wrong. I thought this was straightforward, but it wasn't for me. I hope this is not a bug.

Example)

For PAT
nat (inside) 1 0 0
global (dmz1) 1 interface

For Static NAT
nat (inside) 1 0 0
global (dmz1) 1 10.1.1.100-10.1.1.20

Thanks in advance

DJ

5 Replies

bdube
Level 2

It's a little bit confusing: you are discussing static/access-list/access-group, which is for incoming traffic (low to high), and you gave an example with NAT/Global, which is for outgoing traffic (high to low). I think there's something wrong, but I can't tell you more without more information.

Regards,

Ben

Sorry to confuse you. My question was to identify whether interface PAT or static NAT applied to a low security interface will make any difference when doing static/access-list/access-group to allow low to high traffic. Can you identify anything wrong with the example below?

For PAT
nat (inside) 1 0 0
global (dmz1) 1 interface
static (inside,dmz1) 2.2.2.0 2.2.2.0 255.255.255.0
access-list dmz1_access_in permit tcp host 1.1.1.1 host 2.2.2.2
access-group dmz1_access_in in interface dmz1

(2.2.2.0 - inside IP; 2.2.2.2 - win2k server that 1.1.1.1 wants to access.)

For Static NAT
global (dmz1) 1 1.1.1.10-1.1.1.20
static (inside,dmz1) 2.2.2.0 2.2.2.0 255.255.255.0
access-list dmz1_access_in permit tcp host 1.1.1.1 host 2.2.2.2
access-group dmz1_access_in in interface dmz1

(2.2.2.0 - inside IP; 2.2.2.2 - win2k server that 1.1.1.1 wants to access.)

Thanks in advance, DJ

Try: static (inside,dmz1) 2.2.2.0 2.2.2.0 netmask 255.255.255.0

Hint: You don't have to configure NAT or PAT to let DMZ1 access servers inside. They are 2 different things. If inside servers have to initiate connections with 1.1.1.1, then you need to configure NAT or PAT, or simply NAT 0 (no NAT at all).

Regards

Ben

Thanks for your hint. Does this mean NAT or PAT is not needed for dmz1 to access servers inside? Is only static/access-list and access-group good enough?

But then, when inbound traffic comes back to dmz1 from inside, how can inside traffic get to dmz1 without doing PAT or NAT? Regards, DJ

Right, NAT & PAT aren't needed for connections from a low security interface to a high security interface. In that case, you only need the trio static/ACL/access-group.

When the PIX creates a connection or lets traffic through from one interface to another, it takes care of traffic in both directions for that connection. This is part of being a stateful firewall: it tracks connections, not packets. It's different from a router.

Good luck

Ben
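The low-to-high rule Ben describes (static plus ACL plus access-group, with the return traffic carried by the connection table rather than by nat/global), as an added Python model that is not part of the thread and not PIX code. The security levels, the restricted command forms it parses (identity static with "netmask", "permit|deny proto host A host B" ACL entries) and the sample config are assumptions; it also rejects the original post's static line that lacks the netmask keyword.

```python
import re
from ipaddress import ip_address, ip_network

SEC = {"inside": 100, "dmz1": 50}  # assumed security levels for the thread's interfaces

def parse(config):
    """Return (statics, acls, groups); a 'static' without 'netmask' is rejected (the poster's mistake)."""
    statics, acls, groups = [], {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "static":  # static (HIGH,LOW) GLOBAL REAL netmask MASK
            m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$", line)
            if not m:
                raise ValueError("static needs 'netmask <mask>': " + line)
            hi, lo, glob, real, mask = m.groups()
            statics.append((hi, lo, ip_network(glob + "/" + mask, strict=False),
                            ip_network(real + "/" + mask, strict=False)))
        elif t[0] == "access-list":  # access-list NAME permit|deny PROTO host SRC host DST
            acls.setdefault(t[1], []).append((t[2], t[3], ip_address(t[5]), ip_address(t[7])))
        elif t[0] == "access-group":  # access-group NAME in interface IFACE
            groups[t[4]] = t[1]
    return statics, acls, groups

def evaluate(conns, cfg, proto, src_if, src, dst_if, dst):
    """Decide one packet -> (allowed, reason); conns is the connection table (a set)."""
    statics, acls, groups = cfg
    src, dst = ip_address(src), ip_address(dst)
    key, rev = (proto, src_if, src, dst_if, dst), (proto, dst_if, dst, src_if, src)
    if key in conns or rev in conns:  # stateful: both directions of an admitted flow pass
        return True, "existing connection"
    if SEC[src_if] >= SEC[dst_if]:    # high -> low (needs nat/global) is outside this model
        return False, "model only covers low -> high"
    if not any(lo == src_if and hi == dst_if and dst in glob for hi, lo, glob, _ in statics):
        return False, "no static for destination"
    acl = groups.get(src_if)
    if acl is None:
        return False, "no access-group on ingress interface"
    for action, p, s, d in acls.get(acl, []):
        if p == proto and s == src and d == dst:
            if action == "permit":
                conns.add(key)  # new connection admitted and remembered
                return True, "permitted by ACL, connection created"
            return False, "denied by ACL"
    return False, "implicit deny at end of ACL"

# Constructed config: Ben's corrected static plus the poster's ACL and access-group.
CONFIG = """static (inside,dmz1) 2.2.2.0 2.2.2.0 netmask 255.255.255.0
access-list dmz1_access_in permit tcp host 1.1.1.1 host 2.2.2.2
access-group dmz1_access_in in interface dmz1"""
```

Calling evaluate for 1.1.1.1 -> 2.2.2.2 admits the flow, and the reply from 2.2.2.2 back to dmz1 is then passed on the connection entry alone.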