
PAT vs static

A network architecture is like this: PIX firewall, inside (private static IP 192.168.1.1), and the LAN of private static IPs 192.168.1.0 255.255.255.0, the outside (only one public IP available, i.e., 172.18.124.216).

For the LAN hosts to access the outside, such as the internet, a PAT is obviously needed. This is a many-to-one translation.

Now for any outside host to access the inside web server, such as 192.168.1.2, a permit and an IP translation have to be done. Usually, the translation will say:

static (inside, outside) tcp 172.18.124.216 www 192.168.1.2 www netmask 255.255.255.255 0 0

1) If I understand it correctly, from inside to outside is PAT (many to one), while from outside to inside is a one-to-one static translation. Is this correct? How can both many-to-one and one-to-one co-exist on the same PIX?

2) What do the last two 0's stand for in the static statement above (0 0)?

Thanks for the help.

Scott

2 REPLIES

Re: PAT vs static

The last 2 0's expand to 0.0.0.0 0.0.0.0 within which the first 0.0.0.0 stands for any source ip address, and the second 0.0.0.0 stands for any source subnet mask.


Re: PAT vs static

Scott,

The answer to question 1 is that they use different IP addresses.

For instance your PAT configuration on the PIX:

nat (inside) 1 0 0

global (outside) 1 interface

ip address outside 172.18.124.1 255.255.255.0

In this example all the outbound connections (those that start on the inside) will use the source address of 172.18.124.1 on the Internet. But each will use a different source port; that's the PAT part.

If you add a static translation, this maps 2 specific IP addresses to each other.

If you apply this static

static (inside, outside) 172.18.124.216 192.168.1.2 netmask 255.255.255.255 0 0

an inside PC with the address 192.168.1.2 will map to 172.18.124.216. If you start a connection from that PC it will use the source address of 172.18.124.216.

This behaviour is modified when you include the www in the static. I think an outbound connection from 192.168.1.2 will only use the address defined in the static if the source port is TCP 80; try it and see.

Any other inside address would use the outside address of the PIX as its source.

Andy
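To make the coexistence described in this thread concrete, here is a small Python model of the translation decisions a PIX makes when a port static and a many-to-one PAT are both configured. This is an added illustration written for this thread, not Cisco code and not the thread's own configuration: the addresses are the ones from the thread (172.18.124.1 as the PAT interface address, 172.18.124.216 as the static address, 192.168.1.2 as the web server), the rule that only source port TCP 80 from 192.168.1.2 uses the static address follows Andy's description and is treated here as an assumption, the PAT port allocation is a simplified per-source-socket counter, and the trailing values in the static command are not modelled.

```python
"""
Toy model of how a PIX applies a port-forwarding static next to a
many-to-one PAT. Added illustration for this thread, not Cisco code;
the sample flows and the PAT port counter are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Addresses taken from the thread
PAT_OUTSIDE_IP = "172.18.124.1"       # interface address, "global (outside) 1 interface"
STATIC_OUTSIDE_IP = "172.18.124.216"  # address in the static
WEB_SERVER = "192.168.1.2"
WEB_PORT = 80                         # "www" in the static
INSIDE_PREFIX = "192.168.1."          # crude /24 membership test for "nat (inside) 1 0 0"

Endpoint = Tuple[str, int]


@dataclass
class Pix:
    """One port static plus a dynamic PAT table (inside socket -> outside port)."""
    pat_next_port: int = 1024
    pat_table: Dict[Endpoint, int] = field(default_factory=dict)

    def translate_outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Return the outside source socket for an inside-originated packet."""
        ip, port = src
        if not ip.startswith(INSIDE_PREFIX):
            return None  # not covered by nat (inside) 1 0 0 in this model
        # Assumption (as Andy describes): the port static is one-to-one and
        # applies only to that host when the source port matches.
        if ip == WEB_SERVER and port == WEB_PORT:
            return (STATIC_OUTSIDE_IP, WEB_PORT)
        # Everything else falls through to PAT: one outside IP, unique port
        if src not in self.pat_table:
            self.pat_table[src] = self.pat_next_port
            self.pat_next_port += 1
        return (PAT_OUTSIDE_IP, self.pat_table[src])

    def translate_inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Return the inside destination socket, or None if nothing matches."""
        ip, port = dst
        # The static is the only fixed inbound mapping (a permit is still needed)
        if ip == STATIC_OUTSIDE_IP and port == WEB_PORT:
            return (WEB_SERVER, WEB_PORT)
        # Reply traffic for an existing PAT entry
        if ip == PAT_OUTSIDE_IP:
            for inside_sock, out_port in self.pat_table.items():
                if port == out_port:
                    return inside_sock
        return None  # unsolicited inbound packet: no translation, dropped


if __name__ == "__main__":
    pix = Pix()
    print(pix.translate_outbound(("192.168.1.2", 80)))      # static address
    print(pix.translate_outbound(("192.168.1.2", 40000)))   # PAT address
    print(pix.translate_outbound(("192.168.1.50", 40000)))  # PAT, next port
    print(pix.translate_inbound(("172.18.124.216", 80)))    # reaches web server
    print(pix.translate_inbound(("172.18.124.216", 22)))    # None
```

The point the model makes is the one Andy gives: the two mechanisms never compete because they are keyed on different outside addresses, and the static only takes a host away from PAT for the exact socket it names.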
