
Static and nat 0

kowalm
Level 1

Why is it that even though I have nat 0 implemented on a high security interface and a low interface (ex. inside and dmz), I still need to have static statements to allow traffic to flow from dmz to inside?

Accepted Solution

nchandy
Cisco Employee

Hi

When you use nat (inside) 0 or nat (dmz) 0, the statements are for users going from higher to lower security zones, i.e. the connection has to be first initiated from higher to lower.

If you need to initiate the connection from lower (dmz) to higher (inside), then you either need a static or modify your nat 0 statements using an access-list.

Like: nat (inside) 0 access-list test

access-list test permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

When you use nat 0 with an access-list, then users from the lower security zone, in the above case 192.168.1.0, can initiate a connection to the 10.1.1.0 subnet, which is the inside (higher security zone).

Also, a little more explanation at the url below for nat 0:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1032129

Hope the above helps.

Thanks

Nisha


3 Replies

bdube
Level 2

NAT 0 serves only outbound traffic (high to low security i/f). If you want your host(s) within the DMZ to start sessions to inside host(s), then you need to use static/access-list/access-group commands to do so.

Why is it like that? Because it's a firewall that must manage multiple needs; for example, you want to permit inside users to access the DMZ's servers but not let those servers access inside networks, for security reasons.

Regards

Ben

mhoda
Level 5

Hi,

As mentioned in the earlier post, the "nat 0 acl" option will turn off the NAT engine on the pix for the traffic defined in the acl, whether the connection is initiated from inside to dmz or dmz to inside. In that case, you will not need a static. But with "nat 0 network", you only turn off the NAT engine on the pix for the network from inside to dmz. In that case, you need a static for dmz to inside traffic.

I hope it's clear.

Regards,

Mynul
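The three configurations discussed in the replies above (nat 0 with a network, nat 0 with an access-list, and an identity static), shown side by side in PIX 6.x syntax. This is an added example written for this page, not configuration from any of the posters or from Cisco documentation. The interface names, the 10.1.1.0/24 and 192.168.1.0/24 subnets, the host addresses and the SMTP port are assumptions; the subnets follow Nisha's example, everything else is constructed.

```cisco
! Constructed PIX 6.x example (not from the thread). Interface names, subnets,
! host addresses and the port are assumptions for illustration only.
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0

! --- Variant 1: "nat 0 network" (identity NAT, outbound only) ---
! Inside hosts reach the DMZ untranslated, but a DMZ host cannot initiate a
! session toward 10.1.1.0/24: no translation exists in that direction.
nat (inside) 0 10.1.1.0 255.255.255.0

! --- Variant 2: "nat 0 access-list" (NAT exemption, both directions) ---
! Traffic matching the ACL is exempt from translation whichever side starts
! the connection, so a DMZ host may initiate toward inside with no static.
! Use this INSTEAD of variant 1, not together with it.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- Variant 3: keep variant 1 and add an identity static ---
! Same effect for DMZ-to-inside initiation, declared explicitly per subnet.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! In every variant a translation alone does not admit the traffic: dmz is the
! lower-security interface, so an access-list bound inbound on dmz must permit
! the flow. Keep it narrow. Here only SMTP from one DMZ relay to one inside
! mail host is allowed (both host addresses are constructed).
access-list DMZ_IN permit tcp host 192.168.1.10 host 10.1.1.20 eq smtp
access-group DMZ_IN in interface dmz
```

Pick one of the three variants for the inside/dmz pair rather than stacking them. Variant 2 is the broadest, since it silently makes the whole inside subnet addressable from the DMZ for any protocol the ACL lists, so the DMZ_IN access-list is what actually enforces least privilege; variant 3 makes the exposure explicit in the configuration, which is easier to audit. The access-list used with nat 0 should match on ip only (no ports), as in the NONAT entry above; port restrictions belong in the interface access-list.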