Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX nat 0 versus static nat mapping.


I was wonderning what would be the best practice for making visible a particular internal IP address on the DMZ segment?

I have tried both ways, using nat 0 for that particular IP address and using static nat, both ways are working fine. But which one is THE prefered and WHY?

Appreciate a lot any recommendations.

Thank you



Re: PIX nat 0 versus static nat mapping.

by static nat, do you meaning using a static statement? A static statement guarantees that any host outside will be able to use that static mapping. nat 0 makes a dynamic translation slot - so if there is no outbound traffic to create one, no inbound requests to that host can be made

New Member

Re: PIX nat 0 versus static nat mapping.


It depends first on the answer to the following question:

Do you wish to use private (hidden) ip addresses or public registered addresses on the DMZ network?

If you're going to use private ip addresses, then "nat 0" will not work of course.

I use static for single IP, and nat 0 for subnets.

It is difficult for me to explain why, but I will try to:

* This is what I've learned from the pix manuals (use static for inbound translation).

* It seems to me easier to manage (access-list can make it a bit more complex).

* I think that static involves less processing at the pix. static is simply a permanent entry in the translation table. nat 0 access-list will need to be processed on each packet, and for traffic originating from other hosts in the dmz (since nat 0 is bound to an interface).

* Static involves proxy-arp. This could be an advantage if the registered ip is in the same subnet as the pix outside network because the perimeter router does not need a static route to find the address (in that case).

However, if you are using registered addresses at the dmz, then using "nat 0" for the whole dmz network is a good idea:

nat (dmz) 0 0 0

To conclude, I will repeat my rule of thumb:

If you wish to publish a single host, use static.

To publish the whole dmz, use "nat 0" for the whole subnet.


New Member

Re: PIX nat 0 versus static nat mapping.

I asked this question of TAC once, and they guy there told me static is prefered due to lower overhead, since the connections are permanently nailed up and the NAT enginge doesn't have to evaluate all traffic.

Of course that was back in the 6.0 days, so you mileage may vary!

CreatePlease login to create content