05-23-2003 09:34 PM - edited 02-20-2020 10:45 PM
Hi,
My scenario is
Inside (LAN) (172.16.x.x) ------DMZ (172.29.1.x)
I want to provide access from the internal LAN to the DMZ. Besides configuring ACLs, I can do it using the two methods below. What are the advantages/disadvantages of each method?
static (inside, dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
OR
access-list nonat permit ip 172.16.0.0 255.255.0.0 172.29.1.0 255.255.255.0
nat (inside) 0 access-list nonat
What is the difference between these two ?
05-24-2003 09:33 AM
Hi,
The function of both the static and the nat (inside) 0 ACL is the same, i.e., traffic from inside to dmz and the other way around would be allowed. The real difference is, when you configure nat (inside) 0 ACL, you are really turning off the NAT engine altogether for this traffic. Using static you are not turning off the NAT engine on the PIX; it is doing a translation, kind of fooling the PIX, as in a real sense it is a translation. Note: nat (inside) 0 0 0 is different than nat (inside) 0 ACL. With the ACL option, you can communicate in both directions; with only nat (inside) 0 0 it's only from inside to dmz, not from dmz to inside. In a moderate network environment, you will not see much difference in terms of performance. It just depends on the requirement; you would prefer one over the other.
I hope it's clear! Thanks,
Mynul
05-24-2003 06:14 AM
Static makes a permanent translation slot, so DMZ machines will never have any trouble making connections to the inside.
nat 0 makes dynamic slots, so DMZ machines can only talk to the inside machines once the inside machine makes an outbound connection to create the dynamic slot.
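An added PIX 6.x configuration example (not from any post in this thread) putting the two methods from the question side by side with the interface ACL the PIX still needs before a DMZ host can reach inside; the host addresses and ACL names are assumptions.

```text
! --- Option A: identity static. Permanent translation, independent of traffic,
!     so DMZ-initiated connections to inside do not depend on an inside host
!     having talked first. The NAT engine stays in the path.
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0

! --- Option B: NAT exemption. The nonat ACL selects the traffic and the NAT
!     engine is bypassed for it in both directions. Compare with a bare
!     'nat (inside) 0 0 0', which only builds a slot once inside initiates.
access-list nonat permit ip 172.16.0.0 255.255.0.0 172.29.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Either option only makes the inside addresses reachable from the dmz.
! A connection from the lower-security dmz interface to inside is still dropped
! until an ACL on the dmz interface permits it, so keep that ACL narrow:
! (hypothetical hosts: 172.29.1.10 is a DMZ web server, 172.16.1.5 an inside DB)
access-list dmz_in permit tcp host 172.29.1.10 host 172.16.1.5 eq 1433
access-list dmz_in deny ip any 172.16.0.0 255.255.0.0 log
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

! Checks from an enable prompt:
!   show xlate   - translation slots; with a bare 'nat (inside) 0 0 0' the inside
!                  entries appear only after an inside host has initiated traffic
!   show conn    - confirms the dmz->inside connection once dmz_in allows it
```

The log keyword on the deny line gives a syslog record of any DMZ host probing inside addresses that the policy does not cover.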