Difference between NAT 0 and Static

tvanginneken
Level 4

Hi,

I have a question about the difference between the 'nat 0' command and the 'static' command.

Let's say I have an internal host with the address A.B.C.D. This is a public address (not private). I want hosts from the internet to have access to this internal host A.B.C.D. Since the IP address is a public address I don't need any translation (I can do it, but it is not necessary).

Now I can use two different commands to provide outbound access:

nat (inside) 0 A.B.C.D 255.255.255.255

or

static (inside,outside) A.B.C.D A.B.C.D netmask 255.255.255.255

Which of the two commands should I use, and why that one?

(I know that to allow inbound access I need a conduit or an access-list, but that's not my question for now)

Kind Regards,

Tom


4 Replies

bdube
Level 2

Hi Tom,

Use the NAT command to permit your host to make outbound connections.

Use Static (+ ACL/ACG as you know) to provide inbound access to this host.

In your second paragraph, you indicate "I want hosts from the Internet to have access to this host". Then you need a static statement.

And you also wrote, "Now I can use two different commands to provide outbound access", which means you also need a NAT 0 statement.

Comment: I hope your server is in the DMZ, not internal!

Regards

Ben

Hi,

The reason why I posted the message was because I read today in a Cisco Press book (about the PIX) that it is possible to use a 'nat 0' command and a 'conduit' command to provide traffic from inbound to outbound and from outbound to inbound. I tried it but couldn't make it work.

The example they give:

conduit permit tcp host 192.168.1.9 eq www any

nat (DMZ) 0 192.168.1.9 255.255.255.255

Isn't it true that you always need a static (NOT a nat) and a conduit (or access-list) to let traffic through the firewall in both ways?

Kind Regards,

Tom

NAT 0 takes two forms as follows:

nat (inside) 0 access-list xxx

nat (inside) 0 a.c.b.d 255.255.255.255

The "access-list" form works just like a static, but bypasses the whole NAT function. If you specify something like:

access-list 101 permit ip any host 192.168.1.9

nat (inside) 0 access-list 101

then anyone on the outside will be able to create a connection through to this host on the inside.

The second form of the command, specifying the inside address, bypasses the NAT function, but requires that the inside host establish a connection to the outside BEFORE anyone on the outside will be able to establish a connection to it. It's similar to the "access-list" command, but requires an outbound connection first, then anyone can come in.

In your example, you'd have to establish an outbound connection from 192.168.1.9 first, then you'd be able to come into it. Personally, I prefer doing it this way:

static (inside,outside) 192.168.1.9 192.168.1.9 netmask 255.255.255.255

To me it's just easier to read that way.

bosoro
Cisco Employee

Tom,

I would like to highly discourage the use of NAT 0.

As I'm sure you are aware, NAT 0 tells the PIX to bypass the NAT engine, which already has been mentioned. This does not make the PIX play well. One of the features built into the PIX is that it likes to perform NAT on everything going from a higher security interface to a lower security interface.

As you have seen in other posts, the most efficient and secure way is to static a network to itself.

When you static a network to itself, it still allows the PIX to perform NAT: it strips the old source IP address and replaces it with the same IP. Although this seems like extra work, the PIX performs as desired, whereas NAT 0 has very unusual side effects (performance issues, security holes, etc.).

NAT 0 should only be used when you want traffic destined for VPN to bypass the NAT engine.

-Bryan
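To put the two forms of nat 0 from the accepted answer and Bryan's identity-static recommendation side by side, here is an added PIX 6.x configuration fragment (not posted by anyone in the thread). The interface names, the ACL names outside_in and nonat, and the nat/global pool 1 are assumptions; 192.168.1.9 is the host address used in the thread.

```cisco
! --- Recommended (Bryan's advice): identity static, NAT engine still runs ---
! Translates 192.168.1.9 to itself on the outside. The xlate exists at all
! times, so an inbound connection never depends on a prior outbound one.
static (inside,outside) 192.168.1.9 192.168.1.9 netmask 255.255.255.255
!
! Inbound traffic is still denied by the security levels until explicitly
! permitted; open only the port the server needs, to this one host.
access-list outside_in permit tcp any host 192.168.1.9 eq www
access-group outside_in in interface outside
!
! Everything else on the inside leaves PAT'd behind the outside interface.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! --- Alternative A: nat 0 with an access-list (the form that "works like a
! static"). Bypasses the NAT engine for the matched host; inbound access still
! requires the outside_in ACL above. (Commented out; assumed ACL name nonat.)
! access-list nonat permit ip host 192.168.1.9 any
! nat (inside) 0 access-list nonat
!
! --- Alternative B: nat 0 with a bare address (the form quoted from the book).
! No xlate is built until 192.168.1.9 itself sends traffic outbound, so an
! inbound attempt before that is dropped even with the ACL or conduit in place.
! nat (inside) 0 192.168.1.9 255.255.255.255
```

With the identity static in place, `show xlate` should list the 192.168.1.9 entry permanently, which is the quick check that inbound access does not hinge on the host having talked out first.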