| > | PIX 501 v 6.3(3). Inside network: 10.0.0.0/24. Upstream router does | > | PAT and static mapping for several internal networks. | > | | > | As I understand it, the following two PIX commands both allow inside | > | packets to get outside (and replies to get back) without changing | > | source or destination IP address. Right? If true, how are they | > | functionally different? | > | | > | static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0 | > | nat (inside) 0 0 0 | >
| > From Cisco ASA and PIX Firewall Handbook by Dave Hucaby | > Publisher: Cisco Press | > Pub Date: June 07, 2005 | >
| > "Unlike identity NAT, which allows connections to be initiated only in | > the outbound direction, NAT exemption allows connections to be initiated | > in either the inbound or outbound direction. | >
| > NAT exemption is most often used in conjunction with VPN connections. | > Inside addresses might normally be translated for all outbound | > connections through a firewall. If a remote network can be reached | > through a VPN tunnel, the inside hosts might need to reach remote VPN | > hosts without being translated. NAT exemption provides the policy | > mechanism to conditionally prevent the address translation." | | That would be a great answer except that NAT exemption is | "nat 0 access-list" rather than a static statement.
You are right :) I found an explanation here:
"Only one "nat 0 access-list" is permitted per interface, and it applies to traffic going to lower security interfaces. Indefinite numbers of "nat 0" (without access-list) are permitted per interface, and again apply to towards all lower security interfaces. "static" and all other "nat" commands work between pairs of interfaces, so the IP of an inside host as known to dmz1 could be different than the IP of the same host as known to dmz2."
| Nevertheless, I'm curious about your book. Do you have an ebook | so you can copy sections from it? | Bob
Yes it's an ebook.