
PIX NAT and STATIC commands

mnlatif
Level 3

Hi,

My scenario is

Inside (LAN) (172.16.x.x) ------DMZ (172.29.1.x)

I want to provide access from the internal LAN to the DMZ. Besides configuring ACLs, I can do it using the two methods below. What are the advantages/disadvantages of each method?

static (inside, dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

OR

access-list nonat permit ip 172.16.0.0 255.255.0.0 172.29.1.0 255.255.255.0

nat (inside) 0 access-list nonat

What is the difference between these two?

Accepted Solution

mhoda
Level 5

Hi,

The function of both the static and the nat (inside) 0 ACL is the same, i.e., traffic from inside to DMZ and the other way around would be allowed. The real difference is that when you configure nat (inside) 0 ACL, you are really turning off the NAT engine altogether for this traffic. Using static you are not turning off the NAT engine on the PIX; it is doing a translation, kind of fooling the PIX, since in a real sense it is a translation.

Note: nat (inside) 0 0 0 is different from nat (inside) 0 ACL. With the ACL option, you can communicate in both directions; with only nat (inside) 0 0 0 it is only from inside to DMZ, not from DMZ to inside. In a moderate network environment, you will not see much difference in terms of performance. It just depends on the requirement; you would prefer one over the other.

I hope it's clear! Thanks,

Mynul


2 Replies

mostiguy
Level 6

Static makes a permanent translation slot, so DMZ machines will never have any trouble making connections to the inside.

nat 0 makes dynamic slots, so DMZ machines can only talk to the inside machines once the inside machine makes an outbound connection to create the dynamic slot.

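To make the two methods in the question, and the nat (inside) 0 0 0 variant mentioned in the replies, concrete side by side, here is a PIX 6.3 configuration fragment added as an example; it is not taken from the thread or from any Cisco document. The interface names and addresses (inside 172.16.0.1, dmz 172.29.1.1), the DMZ web server 172.29.1.10, the inside SQL host 172.16.10.5 on port 1433, and the ACL name dmz_in are assumptions for illustration. Options A, B and C are alternatives for the same traffic and are shown together only for comparison; apply one of them, not all three.

```cisco
! Added example, not from the thread. Assumes PIX 6.3 with an inside
! interface (security100) and a dmz interface (security50). Addresses,
! the hosts 172.29.1.10 / 172.16.10.5 and the name dmz_in are hypothetical.
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 172.16.0.1 255.255.0.0
ip address dmz 172.29.1.1 255.255.255.0

! Option A: identity static (translate 172.16.0.0/16 to itself on dmz).
! The PIX still runs this traffic through the translation engine, but the
! xlate is permanent, so DMZ hosts can initiate toward inside at any time.
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

! Option B: NAT exemption (nat 0 with an ACL). Traffic matching the ACL
! bypasses translation in both directions. Scope the ACL to the DMZ subnet
! only, so other inside traffic is still subject to the normal nat/global.
! nat 0 access-list is evaluated before static, so do not combine it with
! Option A for the same addresses.
access-list nonat permit ip 172.16.0.0 255.255.0.0 172.29.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Option C: identity NAT without an ACL (what "nat (inside) 0 0 0" means).
! An xlate is only built when an inside host initiates, so a DMZ host
! cannot reach an inside host until that host has talked to the DMZ first.
nat (inside) 0 0.0.0.0 0.0.0.0

! Whichever option is chosen, dmz (security50) to inside (security100) is a
! lower-to-higher security flow, so an ACL on the dmz interface is still
! required; translation alone never permits it. Permit only what the DMZ
! host actually needs, then deny the rest of the inside range explicitly.
access-list dmz_in permit tcp host 172.29.1.10 host 172.16.10.5 eq 1433
access-list dmz_in deny ip any 172.16.0.0 255.255.0.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz
```

The translation choice only decides whether, and when, a translation slot exists for the inside addresses on the dmz interface; the access-group on dmz decides whether a DMZ host may open a connection at all. After applying one option, open a test connection from 172.29.1.10 to 172.16.10.5 and compare `show xlate` and `show conn` on the PIX: with Option A the identity entry is present before any traffic, while with Option C it appears only after an inside host has initiated toward the DMZ.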
