Thursday, October 15, 2009

Demystifying ASA/PIX Nat 0 vs Static

Firstly, nat 0 and static can both be used to achieve the same result of bypassing NAT, at least logically :)

However, the two are fundamentally different in which side is allowed to initiate a connection.

Here's an example:

nat (inside) 0 192.168.1.1 255.255.255.255

and

static (inside,dmz) 192.168.1.1 192.168.1.1 netmask 255.255.255.255

Both statements preserve the real IP address 192.168.1.1 (no translation takes place) for traffic going from inside to dmz. Statement 1 (identity NAT) applies to traffic from inside towards any lower-security interface; statement 2 (static identity NAT) applies only to the inside/dmz interface pair.

Statement 1, however, is outbound only. Only traffic initiated from the inside matches it (and so bypasses translation). A ping from the DMZ network to the inside host 192.168.1.1 fails even with a permitting ACL on the dmz interface, because no translation exists for a connection initiated from the DMZ side. Note that the access-list form, nat (inside) 0 access-list <name> (NAT exemption), behaves differently: it is bidirectional, like static.

Statement 2 creates a permanent (static) entry in the translation table, visible in show xlate without any traffic having flowed. This allows hosts in the DMZ to initiate connections to the IP in the inside zone. A ping initiated from the DMZ to 192.168.1.1 succeeds if the ACL applied to the dmz interface permits it.
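As an added illustration (not part of the original post), here is a fuller PIX/ASA configuration fragment putting the three variants side by side: identity NAT (outbound only), NAT exemption via access-list (bidirectional), and static identity NAT (bidirectional, interface-pair specific), together with the interface ACL that a DMZ-initiated ping still needs. The DMZ subnet 192.168.10.0/24 and the ACL names NONAT and DMZ_IN are assumed for the example. This is pre-8.3 syntax; ASA 8.3 and later replaced it with object-based NAT.

```cisco
! --- Assumed topology for this example ---
! inside: 192.168.1.0/24 (host 192.168.1.1), dmz: 192.168.10.0/24 (assumed)

! Variant 1: identity NAT. Outbound only: an xlate for 192.168.1.1 is built
! only when 192.168.1.1 itself opens a connection towards a lower interface.
! A DMZ host cannot initiate to 192.168.1.1 through this rule, ACL or not.
nat (inside) 0 192.168.1.1 255.255.255.255

! Variant 2: NAT exemption (nat 0 with an access-list). Unlike variant 1 this
! is bidirectional: DMZ hosts may initiate to 192.168.1.1 if the ACL allows.
! ACL name NONAT is an assumption; any name works.
access-list NONAT extended permit ip host 192.168.1.1 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Variant 3: static identity NAT. Installs a permanent xlate for the
! inside/dmz pair only (other interfaces need their own static). DMZ hosts
! may initiate to 192.168.1.1 if the ACL allows.
static (inside,dmz) 192.168.1.1 192.168.1.1 netmask 255.255.255.255

! Lower -> higher traffic still needs an explicit permit on the dmz interface.
! This only helps with variants 2 and 3; with variant 1 alone the ping still fails.
! ACL name DMZ_IN is an assumption.
access-list DMZ_IN extended permit icmp 192.168.10.0 255.255.255.0 host 192.168.1.1 echo
access-group DMZ_IN in interface dmz
```

To see the difference on the box, run show xlate: the static entry from variant 3 is present immediately, whereas with variant 1 an entry for 192.168.1.1 appears only after the inside host has initiated something. In practice you would configure only one of the three variants for a given host and interface pair; they are listed together here purely for comparison.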

Hence static is commonly used when connections need to be initiated from a lower security zone to a higher security zone, i.e. Outside -> DMZ -> Inside.

Whereas nat (including identity nat 0) is used for traffic from higher to lower when you do not want the lower zone to be able to initiate connections back, i.e. Inside -> DMZ -> Outside.

Note: Don't confuse this with the firewall's stateful inspection. The firewall still allows return packets from the destination for a connection initiated by the source, so replies to an inside-initiated ping come back through either configuration. The difference is only in which side may initiate.