New Member

PIX NAT and STATIC commands

Hi,

My scenario is

Inside (LAN) (172.16.x.x) ------DMZ (172.29.1.x)

I want to provide access from the internal LAN to the DMZ. Besides configuring ACLs, I can do it using the two methods below. What are the advantages/disadvantages of each method?

static (inside, dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

OR

access-list nonat permit ip 172.16.0.0 255.255.0.0 172.29.1.0 255.255.255.0

nat (inside) 0 access-list nonat

What is the difference between these two ?

1 ACCEPTED SOLUTION

Silver

Re: PIX NAT and STATIC commands

Hi,

The function of both the static and the nat (inside) 0 ACL is the same, i.e., traffic from inside to dmz and the other way around would be allowed. The real difference is, when you configure nat (inside) 0 ACL, you are really turning off the NAT engine altogether for this traffic. Using static you are not turning off the NAT engine on the PIX; it is doing a translation, kind of fooling the PIX, as in a real sense it is a translation. Note: nat (inside) 0 0 0 is different than nat (inside) 0 ACL. With the ACL option, you can communicate in both directions; with only nat (inside) 0 0 it's only from inside to dmz, not from dmz to inside. In a moderate network environment, you will not see much difference in terms of performance. It just depends on the requirement which one you would prefer over the other.

I hope it's clear! Thanks,

Mynul

2 REPLIES
Silver

Re: PIX NAT and STATIC commands

Static makes a permanent translation slot, so DMZ machines will never have any trouble making connections to the inside.

nat 0 makes dynamic slots, so DMZ machines can only talk to the inside machines once the inside machine makes an outbound connection to create the dynamic slot.
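To put the two replies side by side, here is an added PIX 6.x configuration example; it is not from the thread or from Cisco documentation. It assumes the interfaces are named inside (security level 100) and dmz (security level 50), and the inside server 172.16.10.5 on TCP 1433 is a constructed placeholder. The point a practitioner usually trips over is that neither the static nor the nat 0 line grants permission: they only decide whether a translation slot exists. Because the DMZ is the lower-security side, any DMZ-initiated connection to the inside is still dropped unless an access-list applied to the dmz interface permits it, so that ACL is where least privilege is actually enforced. Use option A or option B, not both.

```cisco
! Constructed example, not the thread's own config. Interface names and the
! 172.16.10.5:1433 server are assumptions.

! --- Option A: identity static (the "permanent slot" reply) ---------------
! The PIX keeps a fixed xlate mapping 172.16.x.x to itself on the dmz side,
! so a DMZ host can reach an inside host without waiting for outbound traffic.
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

! --- Option B: NAT exemption (the "turning off the NAT engine" reply) -----
! Traffic matching the nonat ACL bypasses NAT in both directions. This is not
! the same as "nat (inside) 0 0 0", which only creates a slot after an
! inside host initiates and therefore leaves DMZ-initiated traffic stuck.
access-list nonat permit ip 172.16.0.0 255.255.0.0 172.29.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- Needed with either option --------------------------------------------
! Translation is not permission. Explicitly allow only the DMZ-to-inside
! flows you intend, then deny the rest of the inside range so a compromised
! DMZ host cannot browse the LAN.
access-list dmz_in permit tcp 172.29.1.0 255.255.255.0 host 172.16.10.5 eq 1433
access-list dmz_in deny ip any 172.16.0.0 255.255.0.0
access-group dmz_in in interface dmz
```

After applying either option, "show xlate" and "show conn" are the quickest way to see the difference the accepted answer describes: with the static in place a translation entry for the inside range is present before any traffic flows, whereas with nat 0 and the ACL the exempted inside-DMZ traffic is not run through the NAT engine at all. Either way, a DMZ host that cannot reach the inside is usually being stopped by the dmz_in ACL, not by the translation setup.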

