By static nat, do you mean using a static statement? A static statement guarantees that any host outside will be able to use that static mapping. nat 0 makes a dynamic translation slot - so if there is no outbound traffic to create one, no inbound requests to that host can be made.
It depends first on the answer to the following question:
Do you wish to use private (hidden) IP addresses or public registered addresses on the DMZ network?
If you're going to use private IP addresses, then "nat 0" will not work of course.
I use static for single IP, and nat 0 for subnets.
It is difficult for me to explain why, but I will try to:
* This is what I've learned from the PIX manuals (use static for inbound translation).
* It seems to me easier to manage (access-list can make it a bit more complex).
* I think that static involves less processing at the PIX. static is simply a permanent entry in the translation table. nat 0 access-list will need to be processed on each packet, and for traffic originating from other hosts in the dmz (since nat 0 is bound to an interface).
* Static involves proxy-arp. This could be an advantage if the registered IP is in the same subnet as the PIX outside network because the perimeter router does not need a static route to find the address (in that case).
However, if you are using registered addresses at the dmz, then using "nat 0" for the whole dmz network is a good idea:
nat (dmz) 0 0 0
To conclude, I will repeat my rule of thumb:
If you wish to publish a single host, use static.
To publish the whole dmz, use "nat 0" for the whole subnet.
I asked this question of TAC once, and the guy there told me static is preferred due to lower overhead, since the connections are permanently nailed up and the NAT engine doesn't have to evaluate all traffic.
Of course that was back in the 6.0 days, so your mileage may vary!
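
The two forms discussed in this thread, written out side by side as a PIX 6.x-style configuration fragment. This is an added example, not configuration posted by any participant; the 203.0.113.x addresses, the host 203.0.113.10 and the ACL name acl_outside are constructed, and the DMZ is assumed to use registered addresses.

```cisco
: Constructed addresses: 203.0.113.0/24 stands in for a registered DMZ range.

: Option 1 - publish a single DMZ host with an identity static.
: This is the permanent translation-table entry described in the thread.
static (dmz,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255

: Option 2 - leave the whole DMZ untranslated, using the command
: quoted in the thread.
nat (dmz) 0 0 0

: Neither option permits inbound traffic by itself. The ACL applied to the
: outside interface still decides what reaches the DMZ, so permit only the
: published service rather than the whole host or subnet.
access-list acl_outside permit tcp any host 203.0.113.10 eq www
access-group acl_outside in interface outside

: Verification from the PIX console: list current translation slots.
: show xlate
```

Running `show xlate` before and after the DMZ host sends outbound traffic shows which of the two forms has an entry in the translation table at that moment.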