Cisco Support Community
Community Member

Difference between "nat" and "static" PIX commands

I read that each of these two commands has a specific purpose, i.e. one should be used for one traffic direction (high-security-to-low-security) and the other for the opposite direction.

Can someone clarify this for me? Is this true? What command should be used for what, and why is it so?



Re: Difference between "nat" and "static" PIX commands

NAT: If you have internal users that want to go to the internet from your inside (high security zone) via outside (low security zone), you will have to configure NAT. This is basically when internal hosts will go out with a single source IP. Only the ports will be changed. For reverse traffic, you do not have to create any rules, as the PIX, being a stateful firewall, will allow the responses back.

nat (inside) 1

global (outside) 1

STATIC: In case you have a server on the inside that needs to be accessed from the internet, you will configure a static NAT. This is a one-to-one mapping. Also, for the responses back to the outside, you do not need to allow the responses back.

static (inside,outside) netmask

--Pls rate if useful--
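A worked PIX 6.x configuration that puts the two commands side by side, added here as an example and not taken from either poster; the addresses (10.1.1.0/24 inside, 203.0.113.0/24 outside, web server 10.1.1.20) and the access-list name are assumed.

```text
: Added example, not from the thread; all addresses are assumed.
: Inside network 10.1.1.0/24, outside address block 203.0.113.0/24.
:
: --- Outbound, dynamic translation (nat + global) ---
: Every inside host matched by nat-id 1 leaves with source 203.0.113.10;
: only the source port differs between hosts (PAT). The xlate is created
: by the inside host's first packet, so nothing on the outside can open a
: connection to 203.0.113.10 and land on a chosen inside host.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.10
:
: --- Inbound, static one-to-one translation ---
: 10.1.1.20 is always reachable as 203.0.113.20 and always sources its
: own traffic from that address, so the mapping is predictable when
: troubleshooting and stable enough to publish in DNS.
static (inside,outside) 203.0.113.20 10.1.1.20 netmask 255.255.255.255
:
: The static only creates the translation. Traffic arriving on the lower
: security interface is still dropped until an access-list permits it,
: so only the one service meant to be exposed is opened.
access-list outside_in permit tcp any host 203.0.113.20 eq www
access-group outside_in in interface outside
```

Once inside hosts start browsing, `show xlate` lists their PAT entries under 203.0.113.10 next to the permanent static entry for 203.0.113.20, which makes the difference between the two commands visible on the box itself.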

Community Member

Re: Difference between "nat" and "static" PIX commands

I've done some more reading and I think I finally got it. When using 'nat', one can never achieve a reliable translation regarding the pool address the local host will use (or port, if using PAT). That's where 'static' comes into play. You can use it when some local host needs to reach some other network with a translated address, but with a specific one.

Basically, when you need a reliable 1-1 translation that is easy to troubleshoot, you should use 'static'.

Thanks for the reply
