12-01-2002 04:57 AM - edited 03-09-2019 01:15 AM
Hi,
I have a question about the difference of the 'nat 0' command and the 'static' command.
Let's say I have an internal host with the address A.B.C.D. This is a public address (not private). I want hosts from the internet to have access to this internal host A.B.C.D. Since the IP address is a public address I don't need any translation (I can do it, but it's not necessary).
Now I can use two different commands to provide outbound access:
nat (inside) 0 A.B.C.D 255.255.255.255
or
static (inside,outside) A.B.C.D A.B.C.D netmask 255.255.255.255
Which of the two commands should I use, and why that one?
(I know that to allow inbound access I need a conduit or an access-list, but that's not my question for now)
Kind Regards,
Tom
12-01-2002 03:58 PM
NAT 0 takes two forms as follows:
nat (inside) 0 access-list xxx
nat (inside) 0 a.b.c.d 255.255.255.255
The "access-list" form works just like a static, but bypasses the whole NAT function. If you specify something like:
access-list 101 permit ip any host 192.168.1.9
nat (inside) 0 access-list 101
then anyone on the outside will be able to create a connection through to this host on the inside.
The second form of the command, specifying the inside address, bypasses the NAT function, but requires that the inside host establish a connection to the outside BEFORE anyone on the outside will be able to establish a connection to it. It's similar to the "access-list" command, but requires an outbound connection first, then anyone can come in.
In your example, you'd have to establish an outbound connection from 192.168.1.9 first, then you'd be able to come into it. Personally, I prefer doing it this way:
static (inside,outside) 192.168.1.9 192.168.1.9 netmask 255.255.255.255
To me it's just easier to read that way.
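As an added illustration (not from any poster, and a simplification rather than Cisco's implementation), a small Python model of the translation-slot (xlate) behaviour this answer describes: a static gives the host a permanent slot, the address form of nat 0 only gets a slot once the host has talked outbound, and the access-list form of nat 0 behaves like the static. The host address and the rule/ACL bookkeeping are constructed for the example.

```python
"""Toy model of PIX translation slots, built from the thread's description.

Constructed example: it models only the three cases the answer describes and
reduces the inbound access-list/conduit to a set of permitted inside hosts.
"""
from dataclasses import dataclass, field


@dataclass
class PixModel:
    statics: set = field(default_factory=set)         # static (inside,outside) X X
    nat0_hosts: set = field(default_factory=set)      # nat (inside) 0 X 255.255.255.255
    nat0_acl_hosts: set = field(default_factory=set)  # nat (inside) 0 access-list N
    inbound_acl: set = field(default_factory=set)     # access-list / conduit permitting inbound
    xlates: set = field(default_factory=set)          # slots built dynamically by outbound traffic

    def static_identity(self, host):
        self.statics.add(host)

    def nat0_address(self, host):
        self.nat0_hosts.add(host)

    def nat0_access_list(self, host):
        self.nat0_acl_hosts.add(host)

    def permit_inbound(self, host):
        self.inbound_acl.add(host)

    def outbound(self, src):
        """Inside host opens a connection to the outside.

        Returns True if some rule covers the host (otherwise the PIX would
        report no translation group). The address form of nat 0 is the
        case that creates its slot only at this moment.
        """
        if src in self.nat0_hosts:
            self.xlates.add(src)
            return True
        return src in self.statics or src in self.nat0_acl_hosts

    def inbound(self, dst):
        """Outside host tries to reach an inside host.

        Both conditions from the thread must hold: a translation slot must
        exist for the host, and the inbound ACL/conduit must permit it.
        """
        has_slot = dst in self.statics or dst in self.nat0_acl_hosts or dst in self.xlates
        return has_slot and dst in self.inbound_acl
```

Running the three variants against the same inbound ACL shows why the address form of nat 0 appears "broken" until the server has initiated something outbound, and why an ACL entry alone never opens the host.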
12-01-2002 08:56 AM
Hi Tom,
Use the NAT command to permit your host to make outbound connections.
Use Static (+ ACL/ACG as you know) to provide inbound access to this host.
In your second paragraph, you indicate "I want hosts from the Internet to have access to this host". Then you need a static statement.
And you also wrote, "Now I can use two different commands to provide outbound access", which means you also need a NAT 0 statement.
Comment: I hope your server is in the DMZ, not internal!
Regards
Ben
12-01-2002 09:57 AM
Hi,
the reason why I posted the message was because I read today in a Cisco Press book (about PIX) that it is possible to use a 'nat 0' command and a 'conduit' command to provide traffic from inbound to outbound and from outbound to inbound. I tried it but couldn't make it work.
The example they give:
conduit permit tcp host 192.168.1.9 eq www any
nat (DMZ) 0 192.168.1.9 255.255.255.255
Isn't it true that you always need a static (NOT a nat) and a conduit (or access-list) to let traffic through the firewall in both ways?
Kind Regards,
Tom
12-02-2002 11:32 AM
Tom,
I would like to highly discourage the use of NAT 0.
As I'm sure you are aware, NAT 0 tells the PIX to bypass the NAT engine, which already has been mentioned. This does not make the PIX play well. One of the features built into the PIX is that it likes to perform NAT on everything going from a higher security interface to a lower security interface.
As you have seen in other posts, the most efficient and secure way is to static a network to itself.
When you static a network to itself, it still allows the PIX to perform NAT: it strips the old source IP address and replaces it with the same IP. Although this seems like extra work, the PIX performs as desired, whereas NAT 0 has very unusual side effects (performance issues, security holes, etc.).
NAT 0 should only be used when you want traffic destined for a VPN to bypass the NAT engine.
-Bryan