Cisco Support Community
PAT vs static

The network architecture is like this: a PIX firewall with an inside interface (private static IP 192.168.1.1), a LAN of private static IPs (192.168.1.0 255.255.255.0), and an outside interface (only one public IP available, i.e., 172.18.124.216).

For the LAN hosts to access the outside, such as the Internet, obviously a PAT is needed. This is many-to-one translation.

Now, for any outside hosts to access an inside web server such as 192.168.1.2, a permit and an IP translation have to be done. Usually the translation will say:

static (inside, outside) tcp 172.18.124.216 www 192.168.1.2 www netmask 255.255.255.255 0 0

1) If I understand it correctly, from inside to outside is PAT, many to one, while from outside to inside is one-to-one static translation. Is this correct? How can both many-to-one and one-to-one co-exist on the same PIX?

2) What do the last two 0s stand for in the static statement above (0 0)?

Thanks for the help.

Scott

Accepted Solution

Re: PAT vs static

Yes, you've got the idea already.

Inside --> outside: PAT

Outside --> inside: 1-to-1 (port forwarding)

The PIX can handle these two translations at the same time because they work in a particular direction. When the PIX receives a packet destined for the Internet from the inside, it will map to the PAT statement, as the flow is inside --> outside; alternatively, when the PIX receives a packet from the outside, it will map to the static port-forwarding statement. Again, it works because of the direction.

Regarding the second concern, those two 0s refer to max_conns and emb_limit respectively.

According to the PIX command line reference,

max_conns means the maximum number of simultaneous TCP and UDP connections for the entire subnet, whereas emb_limit means the maximum number of embryonic connections per host.

In other words, these parameters can be used as a countermeasure against DoS attacks.

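The following PIX 6.x configuration fragment is an added example, not part of the original question or the accepted answer, showing the two translations from this thread side by side on the addresses the question uses. The `interface` keyword in the `global` and `static` lines is the PIX 6.x form for using the outside interface address as the single public address; the access-list name `outside_in` and the non-zero limits `100 50` are assumptions chosen to illustrate the max_conns and emb_limit fields, not values from the thread.

```cisco
! Added example (not from the original post). PIX 6.x syntax.
! Interface addressing as described in the question.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 172.18.124.216 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
!
! Inside --> outside: many-to-one PAT of the whole LAN onto the single
! public address, which is the outside interface address. Only traffic
! that originates on the inside is matched against this pair.
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface
!
! Outside --> inside: one-to-one static port redirection of TCP/80 on the
! outside address to the internal web server. The two trailing numbers are
! max_conns and emb_limit. "0 0" (as in the question) means no limit on
! either; the assumed "100 50" caps this translation at 100 simultaneous
! TCP/UDP connections and 50 embryonic (half-open) TCP connections.
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 100 50
!
! The static only creates the translation; inbound traffic from a lower-
! security interface is still denied until an ACL permits it.
access-list outside_in permit tcp any host 172.18.124.216 eq www
access-group outside_in in interface outside
```

With `0 0`, the default shown in the question, the web server receives every half-open connection an outside host cares to send; setting emb_limit to a non-zero value is what makes the PIX start intercepting SYNs once that many embryonic connections are outstanding to the host, which is the DoS countermeasure the answer refers to. The two directions do not collide because the PAT pair is consulted only for flows initiated from the inside, and the static only for flows initiated from the outside; return traffic for either is matched by the existing connection entry, not by re-evaluating the translation rules.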