Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
302
Views
3
Helpful
2
Replies

PAT vs static

otnj2ee
Level 1
Level 1

‎11-06-2005 07:15 PM

A network architecture is like this: PIX firewall, inside (private static IP 192.168.1.1), and the LAN of private static IPs 192.168.1.0 255.255.255.0, the outside (only one public IP available, i.e., 172.18.124.216).

For the LAN hosts to access to the outside such as internet, obviously, a PAT is needed. This is Many to One translation.

Now for any outside hosts to access to the inside web server such as 192.168.1.2, a permit and IP translation have to be done. Usually, the translation will say:

static (inside, outside) tcp 172.18.124.216 www 192.168.1.2 www netmask 255.255.255.255 0 0

1) If I understand it correctly, from inside to outside is PAT, many to one, while from outside to inside is One to One static translation. Is this correct? How could both many to one , and one to one co-exist on the same PIX?

2) What does the last two 0's stand for in the Static statement above ( 0 0 )?

Thanks to help.

Scott

Labels:
0 Helpful
2 Replies 2

thisisshanky
Level 11
Level 11

‎11-06-2005 09:04 PM

The last 2 0's expand to 0.0.0.0 0.0.0.0 within which the first 0.0.0.0 stands for any source ip address, and the second 0.0.0.0 stands for any source subnet mask.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
0 Helpful

aacole
Level 5
Level 5

‎11-07-2005 04:19 AM

Scott,

The answer to question 1 is that they use different IP addresses.

For instance your PAT configuration on the PIX:

NAT (inside) 1 0 0

Global (outside) 1 interface

ip address outside 172.18.124.1 255.255.255.0

In this example all the outbound connections (those that start on the inside) will use the source address of 172.18.124.1 on the Internet. But each will use a different source port, thats the PAT part.

If you add a static translation, this maps 2 specific IP addresses to each other.

If you apply this static

static (inside, outside) tcp 172.18.124.216 192.168.1.2 netmask 255.255.255.255 0 0

an inside PC with the address 192.168.1.2 will map to 172.18.124.216. If you start a connection from that PC it will use the source address of 172.18.124.216.

This behaviour is modified when you include the www in the static, I think outbound connection from 192.168.1.2 will only use the address defined in the static if the source port is TCP 80, try it and see.

Any other inside address would use the outside address of the PIX as its source.

Andy

Customers Also Viewed These Support Documents