01-11-2003 04:14 AM - edited 02-20-2020 10:29 PM
Hi !
I am totally confused by this NAT0 stuff!
Could anyone tell me which command I should prefer:
NAT 0 ( with access-lists)
or
static (inside,dmz) IP(inside) IP(inside)
to disable NAT from inside to dmz - respectively from the dmz to inside.
thx
hans
01-11-2003 04:26 AM
Hi,
only use the NAT0 command in VPN configs to specify which traffic should be sent into the encrypted tunnel.
When you don't want your traffic to be translated when it goes from one interface of the pix to another interface, always use the static command and specify the inside network twice (this is called 'net static'):
static (inside,dmz) inside_network inside_network
When you use the NAT0 statement, then the NAT engine of the pix is bypassed and this may result in some strange situations. The pix 'likes' to translate the packets that go through the pix. So you should use the static command.
Is this clear? If you have any more questions, don't hesitate to post them!
Kind Regards,
Tom
01-11-2003 04:39 AM
Hi !
Thanks for your immediate response !
Does this mean that every network behind the DMZ interface has access to the inside network?
Or every network behind the INSIDE interface has access to the DMZ?
Does this command also specify which direction is permitted (DMZ -> INSIDE or INSIDE -> DMZ), or is traffic automatically possible (assuming that an access-list permits that traffic)?
Thanks
Hans
01-11-2003 05:17 AM
Hi,
the 'static' command itself does not allow access to the inside network. If you want to allow traffic initiated from the dmz to the inside network, you will have to provide an access-list and apply this access-list to the dmz interface.
So for inbound access you need some kind of static translation for the 'secure' addresses and an access-list bound to the 'less secure' interface that allows the traffic to the secure (inside) network.
For access from a secure interface (eg inside) to a less secure (eg dmz) interface, only NAT/PAT or static translation is required and no access-list is needed. If you want to limit the number of inside devices that have access to the less-secure networks (eg dmz, outside), you will have to bind an access-list to the secure (inside) interface and specify which devices may go out.
Please take some time to read this URL:
http://www.cisco.com/warp/public/707/28.html
(ignore the examples with the outdated 'conduit' commands. Read the 'access-list' examples instead)
Kind Regards,
Tom
01-11-2003 05:28 AM
Thanks !
but if you specify the following command
static (inside,dmz) (inside network) (inside network)
traffic is not translated from DMZ to INSIDE
but
does this command make sure that traffic from
INSIDE to DMZ is not translated either?
or do I have to specify another command ?
THANKS
Hans
01-11-2003 06:48 AM
Hi,
by default traffic passing from the less secure interface (eg dmz) to a more secure interface (eg inside) is not translated. So traffic initiated from the dmz to the inside network is NOT translated. There is no extra config needed for this.
With the following 'static' command in place:
static (inside,dmz) inside_network inside_network
you are sure that the packets from the inside network to the dmz are NOT translated either.
Kind Regards,
Tom
01-21-2003 12:27 PM
We are currently having the debate on whether to use NAT0 or a net static to bypass NAT between the inside and a dmz interface. Why would it be preferable to use NAT0 instead of a static in this instance?
One potential advantage of using a net static is that it allows an embryonic connection limit to be set (to protect against TCP SYN attacks); something which is not possible when "NAT 0 access-list" is used. Statics aren't required to permit traffic to flow from a lower security interface to a high security interface when "NAT 0 access-list" is used.
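The two approaches discussed in this thread, written out side by side as a PIX 6.x configuration fragment: Tom's identity ('net') static between inside and dmz, the dmz-bound access-list his later post says is needed for dmz-to-inside access, and the "nat 0 access-list" alternative from the last post, including the max_conns/emb_limit fields that only the static form carries. This is an example added here, not configuration posted by anyone in the thread. The interface names inside and dmz follow the thread; the addresses (10.1.0.0/16 inside, 192.168.10.0/24 dmz, 192.168.10.5 as a dmz web server, 10.1.1.20 as an inside syslog host) and the embryonic limit of 100 are constructed values, and the '!' lines are comments, not commands. Only one of the two options would be used on a given pair of interfaces.

```cisco
! --- Option A: identity static (Tom's 'net static') ---
! Inside addresses appear unchanged on the dmz. The trailing fields are
! max_conns (0 = unlimited) and emb_limit (100 half-open TCP connections
! per translation); emb_limit is the SYN-flood protection the last post
! mentions, which the nat 0 form cannot express.
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 100

! --- Option B: nat 0 with an access-list (NAT exemption) ---
! Matching inside->dmz traffic bypasses the NAT engine entirely; the
! return path dmz->inside needs no static when this form is used.
access-list NONAT permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- Required with either option for dmz-initiated traffic ---
! The translation alone never grants access from a less secure interface.
! Bind an access-list to the dmz interface that permits only the hosts and
! ports that genuinely need to reach inside; everything else is dropped by
! the implicit deny at the end of the list.
access-list DMZ_IN permit udp host 192.168.10.5 host 10.1.1.20 eq 514
access-group DMZ_IN in interface dmz

! Inside->dmz traffic needs only the translation above (Option A or B);
! no access-list is required on the inside interface unless you want to
! restrict which inside hosts may reach the dmz.
```

With Option A, `show conn` will show the dmz web server's connections counted against the 100-embryonic limit of the static; with Option B, `show xlate` shows no entries for exempted flows, which is the "NAT engine bypassed" behaviour Tom refers to.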