PIX NAT0

schimekh
Level 1

Hi!

I am totally confused with this NAT0 stuff!

Could anyone tell me which command I should prefer:

NAT 0 ( with access-lists)

or

static (inside,dmz) IP(inside) IP(inside)

to disable NAT from inside to dmz - respectively from the dmz to inside.

thx

hans

6 Replies

tvanginneken
Level 4

Hi,

only use the NAT0 command in VPN configs to specify which traffic should be sent into the encrypted tunnel.

When you don't want your traffic to be translated when it goes from one interface of the pix to another interface, always use the static command and specify the inside network twice (this is called 'net static'):

static (inside,dmz) inside_network inside_network

When you use the NAT0 statement, then the NAT engine of the pix is bypassed and this may result in some strange situations. The pix 'likes' to translate the packets that go through the pix. So you should use the static command.

Is this clear? If you have any more questions, don't hesitate to post them!

Kind Regards,

Tom

Hi!

Thanks for your immediate response!

Does this mean that every network behind the DMZ interface has access to the inside network?

Or every network behind the INSIDE interface has access to the DMZ?

Does this command also specify which direction is permitted (DMZ -> INSIDE or INSIDE -> DMZ), or is traffic automatically possible (assuming that an access-list permits that traffic)?

Thanks

Hans

Hi,

the 'static' command itself does not allow access to the inside network. If you want to allow traffic initiated from the dmz to the inside network, you will have to provide an access-list and apply this access-list to the dmz interface.

So for inbound access you need some kind of static translation for the 'secure' addresses and an access-list bound to the 'less secure' interface to allow the traffic to the secure (inside) network.

For access from a secure interface (eg inside) to a less secure (eg dmz) interface, only NAT/PAT or static translation is required and no access-list is needed. If you want to limit the number of inside devices that have access to the less-secure networks (eg dmz, outside), you will have to bind an access-list to the secure (inside) interface and specify which devices may go out.

Please take some time to read this URL:

http://www.cisco.com/warp/public/707/28.html

(ignore the examples with the outdated 'conduit' commands. Read the 'access-list' examples instead)

Kind Regards,

Tom

Thanks!

But if you specify the following command

static (inside,dmz) (inside network) (inside network)

traffic is not translated from DMZ to INSIDE,

but does this command make sure that traffic from INSIDE to DMZ is not translated either?

Or do I have to specify another command?

THANKS

Hans

Hi,

by default traffic passing from the less secure interface (eg dmz) to a more secure interface (eg inside) is not translated. So traffic initiated from the dmz to the inside network is NOT translated. There is no extra config needed for this.

With the following 'static' command in place:

static (inside,dmz) inside_network inside_network

you are sure that the packets from the inside network to the dmz are NOT translated either.

Kind Regards,

Tom
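A configuration sketch of the two approaches discussed in this thread, added here as an example (it is not from the original posts or from Cisco documentation). It uses constructed values: 10.1.1.0/24 as the inside network, 192.168.2.0/24 as the dmz, 10.1.1.5 as an inside mail server, and PIX 6.x command syntax; pick either the 'net static' or the NAT0 option, not both.

```cisco
! Interface names and security levels (constructed)
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Option A: 'net static'. The inside network maps to itself towards the dmz,
! so inside->dmz packets keep their real source addresses. The trailing
! "0 50" sets max_conns (0 = unlimited) and an embryonic (half-open TCP)
! limit of 50, the SYN-flood protection a static offers and NAT0 does not.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 50

! Option B: NAT0 with an access-list. Matching traffic bypasses the NAT
! engine entirely; no embryonic limit can be attached this way.
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Neither option by itself permits dmz-initiated connections to inside.
! The less secure (dmz) interface needs an access-list that explicitly
! allows the traffic to the untranslated inside addresses, e.g. SMTP only.
access-list dmz_in permit tcp 192.168.2.0 255.255.255.0 host 10.1.1.5 eq smtp
access-group dmz_in in interface dmz

! inside->dmz (higher to lower security) needs no access-list; bind one to
! the inside interface only if you want to restrict which hosts may go out.
access-list inside_out permit ip 10.1.1.0 255.255.255.0 any
access-group inside_out in interface inside
```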

We are currently having the debate on whether to use NAT0 or a net static to bypass NAT between the inside and a dmz interface. Why would it be preferable to use NAT0 instead of a static in this instance?

One potential advantage of using a net static is that it allows an embryonic connection limit to be set (to protect against TCP SYN attacks); something which is not possible when "NAT 0 access-list" is used. Statics aren't required to permit traffic to flow from a lower security interface to a high security interface when "NAT 0 access-list" is used.
