Cisco Support Community

New Member

Static and nat 0

Why is it that even though I have Nat 0 implemented on a high security interface and a low interface (ex. inside and dmz), I still need to have static statements to allow traffic to flow from dmz to inside?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Static and nat 0

Hi

when nat (inside) 0 or nat (dmz) 0, then the sts are for users going from higher to lower security zones, i.e. the connection has to be first initiated from higher to lower.

If you need to initiate the connection from lower (dmz) to higher (inside), then you either need a static or modify your nat 0 sts using an access-list.

Like nat (inside) 0 access-list test

access-list test permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

When you use the nat 0 with access-list then users from the lower security zone, in the above case 192.168.1.0, can initiate a connection to the 10.1.1.0 subnet which is the inside (higher security zone).

Also, a little more explanation at the url below for nat 0:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1032129

Hope the above helps.

Thanks

Nisha

3 REPLIES
New Member

Re: Static and nat 0

NAT 0 served only for outbound traffic (High to low sec i/f). If you want your host(s) within the DMZ to start sessions to inside host(s), then you need to use static/access-list/access-group commands to do so.

Why is it like that? Because it is a firewall that must manage multiple needs, for example wanting to permit inside users to access the DMZ's servers but not allow those servers to access inside networks, for security reasons.

Regards

Ben


Silver

Re: Static and nat 0

Hi,

As mentioned by the earlier post, the "nat 0 acl" option will turn off the NAT engine on the pix for the traffic defined in the acl, whether the connection is initiated from inside to dmz or dmz to inside. In that case, you will not need a static. But, with "nat 0 network", you only turn off the NAT engine on the pix for the network from inside to dmz. In that case, you need a static for dmz to inside traffic.

I hope it's clear.

Regards,

Mynul
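The two arrangements Nisha and Mynul describe, side by side, as an added PIX 6.3 configuration example that is not part of the original thread. The 10.1.1.0/24 inside and 192.168.1.0/24 dmz networks come from Nisha's post; the access-list names NONAT and dmz_in, the host addresses 192.168.1.10 and 10.1.1.20, and TCP port 1521 are assumed, and lines starting with "!" are comments.

```text
! Assumed topology: inside = 10.1.1.0/24 (security 100), dmz = 192.168.1.0/24 (security 50).

! Option A: "nat 0 network". Translation is bypassed only for sessions that
! inside hosts open toward the dmz. A dmz host has no translation slot for
! 10.1.1.x, so a static (identity) entry is still needed for dmz-initiated sessions.
nat (inside) 0 10.1.1.0 255.255.255.0
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Option B: "nat 0 access-list". The ACL is matched in both directions, so
! dmz hosts can reach 10.1.1.x with no static at all.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Either way, sessions from the lower-security dmz are still dropped until an
! inbound ACL permits them. Keep it narrow: only the server and port the dmz
! really needs, then deny the rest of inside, then allow dmz to go elsewhere.
access-list dmz_in permit tcp host 192.168.1.10 host 10.1.1.20 eq 1521
access-list dmz_in deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any
access-group dmz_in in interface dmz

! Checks after a test connection from 192.168.1.10:
! show xlate               (Option A: identity entry 10.1.1.20 -> 10.1.1.20 on dmz)
! show access-list dmz_in  (hit counts show which line the session matched)
```

With Option B the identity translation never appears in show xlate, so show access-list hit counts are the quickest way to confirm the dmz_in line that let the session through.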
