04-25-2003 03:41 PM - edited 03-09-2019 03:02 AM
Hi,
When you are doing "Interface PAT" on a low interface that gives you access to the lower security interface, by default the inside interface is able to access any resources on a lower security interface unless an access-list is defined. That is OK. But when you need to access resources from low to high, you would use static/access-list/access-group to allow traffic from low to high.
Does it make any difference between doing interface PAT on a low interface and static NAT on a low interface when static/access-list/access-group is used to allow low to high traffic? I think it shouldn't make any difference, but I have been having an annoying problem with static/access-list/access-group. I tried all I can with these commands; there must be some relationship between static NAT and interface PAT if I am not wrong. I thought this was straightforward, but it wasn't for me. I hope this is not a bug.
Example)
For PAT
nat (inside) 1 0 0
global (dmz1) 1 interface
For Static NAT
nat (inside) 1 0 0
global (dmz1) 1 10.1.1.10010.1.1.20
Thanks in advance
DJ
04-25-2003 04:27 PM
It's a little bit confusing: you are discussing static/access-list/access-group, which is for incoming traffic (low to high), and you gave an example with nat/global, which is for outgoing traffic (high to low). I think there's something wrong, but I can't tell you more without more information.
Regards,
Ben
04-25-2003 05:10 PM
Sorry to confuse you. My question was to identify whether interface PAT or static NAT applied to a low security interface makes any difference when doing static/access-list/access-group to allow low to high traffic. Can you identify anything wrong with the example below?
For PAT
nat (inside) 1 0 0
global (dmz1) 1 interface
static (inside,dmz1) 2.2.2.0 2.2.2.0 255.255.255.0 (2.2.2.0 - inside IP)
access-list dmz1_access_in permit tcp host 1.1.1.1 host 2.2.2.2 (2.2.2.2 - win2k server that 1.1.1.1 wants to access.)
access-group dmz1_access_in in interface dmz1
For Static NAT
global (dmz1) 1 1.1.1.10-1.1.1.20
static (inside,dmz1) 2.2.2.0 2.2.2.0 255.255.255.0 (2.2.2.0 - inside IP)
access-list dmz1_access_in permit tcp host 1.1.1.1 host 2.2.2.2 (2.2.2.2 - win2k server that 1.1.1.1 wants to access.)
access-group dmz1_access_in in interface dmz1
Thanks in advance, DJ
04-25-2003 06:44 PM
Try: static (inside,dmz1) 2.2.2.0 2.2.2.0 netmask 255.255.255.0
Hint: You don't have to configure NAT or PAT to let DMZ1 access servers inside. They are two different things. If inside servers have to initiate connections with 1.1.1.1, then you need to configure NAT or PAT, or simply nat 0 (no NAT at all).
Regards
Ben
04-26-2003 06:54 PM
Thanks for your hint. Does this mean NAT or PAT is not needed for dmz1 to access servers inside? Is static/access-list/access-group alone good enough?
But then, when the inbound traffic comes back to dmz1 from inside, how can the inside traffic get to dmz1 without doing PAT or NAT? Regards, DJ
04-26-2003 08:15 PM
Right, NAT and PAT aren't needed for connections from a low security interface to a high security interface. In that case, you only need the trio static/ACL/access-group.
When the PIX creates a connection or lets traffic through from one interface to another, it takes care of traffic in both directions for that connection. This is part of being a stateful firewall: it keeps track of connections, not packets. It's different from a router.
Good luck
Ben
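Putting Ben's answers together, the complete dmz1-to-inside configuration in PIX 6.x syntax looks like the block below. This is an added example, not a post from this thread; it reuses the thread's addresses (1.1.1.1 on dmz1, the Windows 2000 server 2.2.2.2 in 2.2.2.0/24 on inside) and DJ's original interface PAT pair for outbound traffic. The only change to DJ's static is the `netmask` keyword Ben pointed out; without it the command is not parsed as a network static and no translation exists for 2.2.2.2, so the ACL never gets a chance to match.

```text
nat (inside) 1 0 0
global (dmz1) 1 interface

static (inside,dmz1) 2.2.2.0 2.2.2.0 netmask 255.255.255.0

access-list dmz1_access_in permit tcp host 1.1.1.1 host 2.2.2.2
access-group dmz1_access_in in interface dmz1

clear xlate
show xlate
show conn
```

`clear xlate` is needed after adding or changing a static so the new translation is used rather than a stale one. Then open a TCP connection from 1.1.1.1 to 2.2.2.2: `show xlate` should list the identity translation for 2.2.2.2 and `show conn` the connection itself, and the replies from inside flow back through that same connection entry with no extra nat/global, which is the stateful behaviour Ben describes. Because the static is bidirectional, hosts in 2.2.2.0/24 can also initiate to dmz1 under their real addresses; only inside hosts outside that static fall back to the nat/global PAT pair (or a nat 0) when they go to dmz1. Two caveats: the ACL above permits every TCP port to the server, so add `eq <port>` for the service 1.1.1.1 actually needs, and binding an access-group to dmz1 replaces the default high-to-low permit on that interface, so anything else dmz1 hosts must reach on lower security interfaces (the outside, for instance) has to be permitted in dmz1_access_in as well.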