static vs nat 0

PIX 501 v 6.3(3). Inside network: 10.0.0.0/24. Upstream router does PAT and static mapping for several internal networks.

As I understand it, the following two PIX commands both allow inside packets to get outside (and replies to get back) without changing source or destination IP address. Right? If true, how are they functionally different?

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
nat (inside) 0 0 0

Reply to
Bob Simon


From Cisco ASA and PIX Firewall Handbook by Dave Hucaby (Cisco Press, June 07, 2005):

"Unlike identity NAT, which allows connections to be initiated only in the outbound direction, NAT exemption allows connections to be initiated in either the inbound or outbound direction.

NAT exemption is most often used in conjunction with VPN connections. Inside addresses might normally be translated for all outbound connections through a firewall. If a remote network can be reached through a VPN tunnel, the inside hosts might need to reach remote VPN hosts without being translated. NAT exemption provides the policy mechanism to conditionally prevent the address translation."

Reply to
Morph

That would be a great answer except that NAT exemption is "nat 0 access-list" rather than a static statement.

Nevertheless, I'm curious about your book. Do you have an ebook so you can copy sections from it? Bob

Reply to
bobneworleans

> That would be a great answer except that NAT exemption is "nat 0 access-list" rather than a static statement.

You are right :) I found an explanation here:

"Only one "nat 0 access-list" is permitted per interface, and it applies to traffic going to lower security interfaces. Indefinite numbers of "nat 0" (without access-list) are permitted per interface, and again apply to towards all lower security interfaces. "static" and all other "nat" commands work between pairs of interfaces, so the IP of an inside host as known to dmz1 could be different than the IP of the same host as known to dmz2."

> Nevertheless, I'm curious about your book. Do you have an ebook so you can copy sections from it? Bob

Yes it's an ebook.

Reply to
Morph

Apart from this, if I recall correctly, nat 0 doesn't do proxy ARP, so it is best suited to VPN usage. On the other hand, the static command does proxy ARP for the virtual addresses and can be used for publishing real servers over virtual IPs. Bye, Tosh.

Reply to
Tosh

Tosh, as I understand it, proxy ARP provides the proxy's own MAC address to a remote device on behalf of a local host. But even without proxy ARP, won't the packet be routed to the PIX anyway, as this network's gateway?

Reply to
Bob Simon

It depends. If your traffic is flowing from the inside to a DMZ you are probably right; chances are high that the hosts have the PIX as their default gateway. But if your traffic is going to the outside interface you are then talking to the carrier router, which in turn has its upstream router as its default gateway, not your PIX. Apart from this, once I had issues with nat 0 and handheld devices; maybe their "light" IP implementation needed proxy ARP, and static was the solution for the issue. Bye, Tosh

Reply to
Tosh
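The three untranslated forms discussed in this thread side by side, as an added PIX 6.3 configuration example that is not from any of the posters. The 10.0.0.0/24 inside network and the static/nat 0 lines come from the original question; the 192.168.1.0/24 VPN peer network, the host 10.0.0.5 and the ACL names are assumptions invented for illustration. The three options are alternatives for the same subnet (do not apply A and C together for one range), and lines beginning with ! are annotations, not PIX commands.

```cisco
! Constructed example for PIX 6.3(3); addresses other than 10.0.0.0/24 are assumed.

! Option A: identity NAT (what "nat (inside) 0 0 0" does for every inside
! address). No translation, but outbound-initiated only: an xlate is built
! when an inside host opens a session, so nothing outside can start a
! session to 10.0.0.x. Applies toward all lower-security interfaces.
nat (inside) 0 10.0.0.0 255.255.255.0

! Option B: identity static. Maps 10.0.0.0/24 to itself between this one
! interface pair only, and the PIX proxy-ARPs for the mapped range on the
! outside interface. Inbound sessions become possible, but only with an
! ACL on the outside interface permitting them (here: HTTP to 10.0.0.5).
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
access-list OUTSIDE_IN permit tcp any host 10.0.0.5 eq 80
access-group OUTSIDE_IN in interface outside

! Option C: NAT exemption ("nat 0 access-list"). Traffic matching the ACL
! is left untranslated in either direction; only one such statement is
! allowed per interface. The usual pattern is to exempt the VPN peer
! network while everything else still goes through a normal nat/global PAT.
access-list NONAT permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface

! Checks: "show nat" lists the nat statements; "show xlate" shows identity
! entries (10.0.0.x -> 10.0.0.x) once traffic has flowed. After changing a
! NAT rule, clear the xlate table so stale entries do not mask the change.
show nat
show xlate
clear xlate
```

If the proxy ARP that the static in option B generates is not wanted on an interface (the point Tosh raised), PIX 6.3 can suppress it per interface with `sysopt noproxyarp outside`; check the command reference for your exact release before relying on it.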

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.